Saturday, September 4, 2010

Howto setup OSSEC-HIDS on ubuntu

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.
Howto setup OSSEC-HIDS on your ubuntu box
This HOWTO will walk you through the very simple installation of the OSSEC-HIDS application. Before we continue, let's make sure everybody is on the same sheet of music.

1. OSSEC-HIDS is a host based intrusion detection system. It is a very flexible system that will allow you to achieve the following.
  • rootkit detection
  • file system integrity
  • log file analysis
  • time based alerting
  • active responses
Taken from the ossec-hids FAQ
"OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response"

2. This howto is based on the following assumptions
  • You are running an up to date installation of Dapper
  • You are performing a "local" installation (i.e. a single host)
3. The majority of this HOWTO is taken directly from the Installation Manual for OSSEC-HIDS, which is a very easy to follow manual. If you run into trouble please look at the manual first, as it will always have the most up to date information.

Ok, now that we are all together let's proceed. As mentioned above, this HOWTO will only cover a local installation. ossec-hids has the ability to monitor multiple hosts all using the same ruleset. This is accomplished by installing the ossec-hids server on one machine and then doing an agent installation on every other machine you wish to protect. The agents communicate with the server via a secure connection. If you need this type of setup please take a look at the manual; the installation is not very different (just different options available in your conf file, that's about it). The other nice thing is that the agent portion of the application will also run under a Windows host. This allows those of you that have to and/or want to run a Windows box to secure that as well (install the server on your /flamebait/ superior /flamebait/ Linux box and the agent on your Windows box).

Now the first thing we need to do is grab the latest sources. For this HOWTO we will be installing 0.8, however feel free to get the latest copy available from their site. We also need to install some stuff so we can compile it later.
Code:
sudo apt-get install build-essential
cd ~
mkdir src
cd src
wget http://www.ossec.net/files/ossec-hids-0.8.tar.gz
wget http://www.ossec.net/files/ossec-hids-0.8_checksum.txt
Before we go ahead and extract this, let's make sure we got what we think we got. Verify that the checksums listed in the .txt file match what the commands below output. THIS IS IMPORTANT -- DON'T SKIP IT --
Code:
cat ossec-hids-0.8_checksum.txt
md5sum ossec-hids-0.8.tar.gz
sha1sum ossec-hids-0.8.tar.gz
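Doing that comparison by eye is error-prone, so here is an added example (not part of the original HOWTO) of a small POSIX shell function that refuses the tarball unless both the md5 and sha1 digests it computes appear in the vendor checksum file. It assumes only that the file contains the hex digests somewhere on its lines (whatever the exact layout); the sample tarball and checksum file in the demo are constructed, not the real 0.8 release.

```shell
#!/bin/sh
# Added example: compare md5sum/sha1sum output for a tarball against a
# checksum file of any layout ("MD5 (file) = hash" or "hash  file").
# Returns 0 only when BOTH digests are found; 1 otherwise.
verify_ossec_checksums() {
    tarball="$1"
    sumfile="$2"
    md5=$(md5sum "$tarball" | awk '{print $1}')
    sha1=$(sha1sum "$tarball" | awk '{print $1}')
    # Lower-case the checksum file so upper-case hex in it still matches.
    lower=$(tr 'A-Z' 'a-z' < "$sumfile")
    ok=0
    printf '%s\n' "$lower" | grep -q "$md5"  && ok=$((ok + 1))
    printf '%s\n' "$lower" | grep -q "$sha1" && ok=$((ok + 1))
    if [ "$ok" -eq 2 ]; then
        echo "OK: md5 and sha1 of $tarball both match $sumfile"
        return 0
    fi
    echo "MISMATCH: only $ok of 2 digests found in $sumfile -- do not extract $tarball" >&2
    return 1
}

# Constructed demo data (NOT the real release): a stand-in tarball, a checksum
# file in the "LABEL (file) = hash" style, then a tampered copy of the tarball.
demo() {
    dir=$(mktemp -d)
    tb="$dir/ossec-hids-0.8.tar.gz"
    sums="$dir/ossec-hids-0.8_checksum.txt"
    printf 'stand-in tarball contents\n' > "$tb"
    {
        printf 'MD5 (ossec-hids-0.8.tar.gz) = %s\n'  "$(md5sum  "$tb" | awk '{print $1}')"
        printf 'SHA1 (ossec-hids-0.8.tar.gz) = %s\n' "$(sha1sum "$tb" | awk '{print $1}')"
    } > "$sums"
    verify_ossec_checksums "$tb" "$sums" && good=0 || good=1
    printf 'x' >> "$tb"                       # simulate a tampered download
    verify_ossec_checksums "$tb" "$sums" && bad=0 || bad=1
    rm -rf "$dir"
    # The untouched file must pass and the tampered one must fail.
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

In practice you would call `verify_ossec_checksums ossec-hids-0.8.tar.gz ossec-hids-0.8_checksum.txt` in the src directory and only run tar if it returns 0.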
Well now, after verifying you have legit files (you did do that, didn't you?) let's extract this bugger
Code:
tar -zxvf ossec-hids-0.8.tar.gz
cd ossec-hids-0.8
Now the fun and easy part. We are going to run the installation script and let it do all the hard work. Note: here I enter a su shell for the sake of simplicity. If you don't want to do this, simply prefix the following commands with "sudo".
Code:
sudo -s
./install.sh
Go ahead and pick what language you want to read everything in and hit enter
Code:
** Para instalação em português, escolha [br].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Per l'installazione in Italiano, scegli [it].
** Aby instalować w języku Polskim, wybierz [pl].
** Türkçe kurulum için seçin [tr].
(en/br/de/it/pl/tr) [en]: en
Next it is going to warn us that we need a C compiler on the machine (you did install build-essential, didn't you?) and give you some general information about your computer (kernel version, user and host). Go ahead and hit enter like it says.
Code:
OSSEC HIDS v0.8 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux diana 2.6.15-25-k7
- User: root
- Host: diana


-- Press ENTER to continue or Ctrl-C to abort. --
Next select a local install
Code:
1- What kind of installation do you want (server, agent, local or help)? local  
Now choose where you want to install it. This HOWTO will choose the default
Code:
- Choose where to install the OSSEC HIDS [/var/ossec]:   
Now select your notification options. You can choose my answers or different ones. I would recommend setting "Y" to everything. Active responses are really nice. It will set some default configuration variables based on your answers and certain things it finds on your system.
Code:
3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? youremail@yourdomain.com
- What's your SMTP server ip/host? your smtp server address (localhost)

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:
- 192.168.2.1

- Do you want to add more IPs to the white list? (y/n)? [n]: n

3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .


--- Press ENTER to continue ---
Now it will compile everything. This shouldn't take too long to complete. It only took around 1-2 minutes for my boxes. After it is completed press enter to finish.
Code:
- Unknown system. No init script added.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
(http://mailman.underlinux.com.br/mailman/listinfo/ossec-list).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information bellow). ---
Now, unfortunately it doesn't detect Ubuntu, so it will not create an init script. This is simple enough to take care of. (Yes, it's basic. If you want to improve it please feel free to do so.) Copy and paste the following into /etc/init.d/ossec

Code:
#!/bin/sh
# Minimal init script for OSSEC HIDS: wraps ossec-control so the usual
# /etc/init.d/ossec {start|stop|restart|reload} calls work on Ubuntu.

case "$1" in
    start)
        /var/ossec/bin/ossec-control start
        ;;
    stop)
        /var/ossec/bin/ossec-control stop
        ;;
    restart)
        $0 stop && sleep 3
        $0 start
        ;;
    reload)
        $0 stop
        $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
        ;;
esac
exit 0
Now make it executable
Code:
cd /etc/init.d
chmod +x ossec
Add it to our runlevels so it starts on boot
Code:
update-rc.d ossec defaults
Now let's crank her up and make sure everything works
Code:
/etc/init.d/ossec start
If you get something like this, you should be in good shape.
Code:
Starting OSSEC HIDS v0.8 (by Daniel B. Cid)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.
Now you can go on to customize the setup. Chances are you're going to want it to ignore certain directories and create your own rules. Please check out the manual for excellent instructions on doing so.

Caveat: the check_xxx values listed in the documentation should appear as directory attributes (i.e.

Resources:
OSSEC Homepage
OSSEC-HIDS Manual