Install OSSEC (Host Based Intrusion Detection System) on CentOS, RHEL, Debian, Ubuntu

Overview

OSSEC is an open source host-based intrusion detection system. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. I have been using OSSEC on all my servers for about 2 years now and am highly impressed by its real-time monitoring.


Download some prerequisites

On Ubuntu / Debian


$ sudo su -
# apt-get update
# apt-get install build-essential

On CentOS / RHEL / Fedora


# yum update
# yum install gcc gcc-c++ autoconf automake

Download the latest version of OSSEC


# wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz

Untar it and cd into the OSSEC directory


# tar -zxvf ossec-hids-2.7.tar.gz
# cd ossec-hids-2.7

Execute install.sh


# ./install.sh

Sample Output from my machine
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l’installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]:

Press Enter to select English [en] as the language.

OSSEC HIDS v2.7 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux mail.linuxdrops.com 2.7.18-238.el5
- User: root
- Host: mail.linuxdrops.com
-- Press ENTER to continue or Ctrl-C to abort. --

Press Enter to continue the installation.

Next the installer asks you to choose between a server, agent or local installation. I suggest going with the client/server based HIDS install. If you have just one server to monitor you can select local (standalone); otherwise select server and continue.

1- What kind of installation do you want (server, agent, local or help)? server

Go ahead and follow the instructions to select the installation directory and the features you wish to enable.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? keenakimble@linuxdrops.com
- What's your SMTP server ip/host? 127.0.0.1

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:
- 172.16.166.2

- Do you want to add more IPs to the white list? (y/n)? [n]: n

3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y

- Remote syslog enabled.

3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/httpd/error_log (apache log)
-- /var/log/httpd/access_log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---
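The installer's hint about adding a localfile entry, worked through as an added shell helper that is not part of the original post or of OSSEC itself. It assumes the default /var/ossec/etc/ossec.conf layout with a single <ossec_config> root and writes the entry in OSSEC's <localfile>/<log_format>/<location> form:

```shell
# Added example, not from the original post: append a <localfile> entry to
# ossec.conf so OSSEC also collects a log the installer did not pick up.
# ASSUMPTION: the file has one <ossec_config> root and the entry is inserted
# just before its closing </ossec_config> tag; back the file up first.
# Usage: add_localfile /var/ossec/etc/ossec.conf /var/log/auth.log syslog
add_localfile() {
    conf="$1"; location="$2"; fmt="${3:-syslog}"
    # Refuse a config without the closing tag rather than silently rewriting it.
    grep -q '</ossec_config>' "$conf" || return 1
    # Skip if the location is already monitored, so re-runs are idempotent.
    if grep -q "<location>$location</location>" "$conf"; then
        return 0
    fi
    tmp="$conf.tmp.$$"
    awk -v loc="$location" -v fmt="$fmt" '
        { lines[NR] = $0; if ($0 ~ /<\/ossec_config>/) last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == last) {
                    print "  <localfile>"
                    print "    <log_format>" fmt "</log_format>"
                    print "    <location>" loc "</location>"
                    print "  </localfile>"
                }
                print lines[i]
            }
        }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}
```

Restart OSSEC after editing so the log collector picks the new file up.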


Installing Agents and Activating Them

On the agent (the machine you wish to monitor), download OSSEC and start the installation.

This time select agent as the installation type:


1- What kind of installation do you want (server, agent, local or help)? agent

Follow the same procedure and install the agent.

Now create a key on the server and add it to the client so that the two can talk to each other. The encrypted communication runs over port 1514, so make sure your firewall allows it. On the OSSEC server, execute:

# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.7 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: mail.linuxdrops.com
* The IP Address of the new agent: 172.16.166.142
* An ID for the new agent[001]:
Agent information:
ID:001
Name:mail.linuxdrops.com
IP Address:172.16.166.142

Confirm adding it?(y/n):y

Agent added.

The agent is now registered on the server. Next, extract the agent key and add it to the client. Remember to open port 1514 on the server so that the client can start talking once the key is added. Press E to extract the key for the agent you just added.

****************************************
* OSSEC HIDS v2.7 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
ID: 001, Name: mail.linuxdrops.com, IP: 172.16.166.142
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIG1haWwubGludXhkcm9wcy5jb20gMTcyLjE2LjE2Ni4xNDIgMzNhMDY3MGRlZWI2ZmMyNjI2NjMzOWMzYTFjMjA3ZDcyZjhkYzNkMDIyODViZjQwOTE2NmNjNWJmZDFjMTQ4NA==

Copy the agent key, then log in to the agent machine.

Execute:

# /var/ossec/bin/manage_agents

a. Press I to import the key.
b. Paste the key:

MDAxIG1haWwubGludXhkcm9wcy5jb20gMTcyLjE2LjE2Ni4xNDIgMzNhMDY3MGRlZWI2ZmMyNjI2NjMzOWMzYTFjMjA3ZDcyZjhkYzNkMDIyODViZjQwOTE2NmNjNWJmZDFjMTQ4NA==

Restart OSSEC on both the client and the server for the new configuration to take effect.


# /etc/init.d/ossec restart
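Before pasting the extracted key into the agent, it is worth checking that the bundle really belongs to the agent you added on the server. This shell helper is an added example, not part of the original post or of OSSEC; it assumes that manage_agents prints the key as base64 of the client.keys line "ID NAME IP SECRET" (the OSSEC 2.x format) and that base64 -d is available:

```shell
# Added example, not from the original post: decode an OSSEC agent key bundle
# and check its ID / name / IP against what was added on the server BEFORE
# importing it with manage_agents on the agent.
# ASSUMPTION: the bundle printed by manage_agents (E) is base64 of the
# client.keys line "ID NAME IP SECRET", where SECRET is 64 hex characters.

# Sample input: the key bundle shown earlier on this page for agent 001.
SAMPLE_KEY='MDAxIG1haWwubGludXhkcm9wcy5jb20gMTcyLjE2LjE2Ni4xNDIgMzNhMDY3MGRlZWI2ZmMyNjI2NjMzOWMzYTFjMjA3ZDcyZjhkYzNkMDIyODViZjQwOTE2NmNjNWJmZDFjMTQ4NA=='

# Print one field of the decoded bundle: 1=ID, 2=name, 3=IP, 4=secret.
ossec_key_field() {
    printf '%s' "$1" | base64 -d 2>/dev/null | awk -v n="$2" '{ print $n }'
}

# Return 0 when the bundle matches the expected ID, name and IP and the
# secret has the expected shape; return 1 otherwise. Nothing is imported.
ossec_key_check() {
    key="$1"; want_id="$2"; want_name="$3"; want_ip="$4"
    [ "$(ossec_key_field "$key" 1)" = "$want_id" ]   || return 1
    [ "$(ossec_key_field "$key" 2)" = "$want_name" ] || return 1
    [ "$(ossec_key_field "$key" 3)" = "$want_ip" ]   || return 1
    # Only the shape of the shared secret is checked; it is never printed.
    ossec_key_field "$key" 4 | grep -Eq '^[0-9a-f]{64}$' || return 1
    return 0
}

# Example usage on the page's own key: report the non-secret fields only.
if ossec_key_check "$SAMPLE_KEY" 001 mail.linuxdrops.com 172.16.166.142; then
    echo "key bundle matches agent 001 mail.linuxdrops.com 172.16.166.142"
else
    echo "key bundle does NOT match the expected agent; do not import it"
fi
```

A mismatch in ID, name or IP means the wrong key was copied or the agent was registered with different details; fix that on the server with manage_agents rather than importing the key.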

Update: want to know what I am using as a front end for OSSEC? See the linked screenshot.
