  • OSSEC installation and configuration

    Test machine 172.16.53.191: server
    Test machine 172.16.53.253: client (agent)
    [Server-side configuration]
    yum install mysql mysql-server mysql-devel httpd php php-mysql gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat unzip -y
    wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
    tar zxvf ossec-hids-2.8.3.tar.gz
    cd ossec-hids-2.8.3
    cd src
    make setdb
    # "Info: Compiled with MySQL support." means this OSSEC build supports the MySQL database
    cd ..
    ./install.sh
    The installation prompts follow; if you mistype, hold Ctrl+Backspace to erase
    en                # choose the language
    Enter             # continue
    Server            # install as a server
    /usr/local/ossec  # installation directory
    3.1- Do you want e-mail notification? (y/n)[y]: y
    -What's your e-mail address? Your_mail@163.com
    -What's your SMTP server ip/host? 127.0.0.1
    Enter  # Running syscheck (integrity check daemon)
    Enter  # Running rootcheck (rootkit detection)
    Enter  # Active response enabled
    Enter  # firewall-drop enabled (local) for levels >= 6
    Do you want to add more IPs to the whitelist? (y/n)? [n]: y  # set up the IP whitelist
    -IPs (space separated):
    3.5- Do you want to enable remote syslog(port 514 udp)? (y/n) [y]: Enter
    Enter  # start the installation

    Configuration files and control commands after installation:
    /usr/local/ossec/bin/ossec-control start
    /usr/local/ossec/bin/ossec-control stop
    /usr/local/ossec/etc/ossec.conf
    /usr/local/ossec/bin/manage_agents

    # /usr/local/ossec/bin/ossec-control --help
    Usage: /usr/local/ossec/bin/ossec-control {start|stop|restart|status|enable|disable}

    # /usr/local/ossec/bin/ossec-control enable --help
    Enable options: database, client-syslog, agentless, debug
    Usage: /usr/local/ossec/bin/ossec-control enable [database|client-syslog|agentless|debug]
    [Writing OSSEC logs into the database]
    1. Enable the database feature: /usr/local/ossec/bin/ossec-control enable database
    2. Install the database and create the OSSEC database
    yum -y install mysql-server mysql mysql-devel  # install the MySQL server
    mysql -u root
    mysql> create database ossec;
    mysql> set password for root@localhost=password('ufenqi123');
    mysql> CREATE USER 'ossecuser'@'%' IDENTIFIED BY 'ufenqi123';
    mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@'%' IDENTIFIED BY 'ufenqi123';
    mysql> flush privileges;
    mysql> exit
    Go to the OSSEC source directory and [initialize the database] with the schema shipped at
    /root/ossec-hids-2.8.3/src/os_dbd/mysql.schema
    mysql -u ossecuser -p -D ossec < /root/ossec-hids-2.8.3/src/os_dbd/mysql.schema
    3. Edit the OSSEC configuration file to add database support
    vim /usr/local/ossec/etc/ossec.conf and add the following block (<hostname> is the MySQL server address; <password> must match the password set for ossecuser above):
    <ossec_config>
      <database_output>
        <hostname>192.168.2.30</hostname>
        <username>ossecuser</username>
        <password>ossecpass</password>
        <database>ossec</database>
        <type>mysql</type>
      </database_output>
    </ossec_config>
    3.2 Receiving remote syslog messages
    <remote>
      <connection>syslog</connection>
      <allowed-ips>172.16.0.0/16</allowed-ips>
    </remote>
    With syslog configured, the host listens on UDP ports 514 and 1514
    4. After the configuration is done, enable the database output and restart OSSEC
    /usr/local/ossec/bin/ossec-control enable database
    /usr/local/ossec/bin/ossec-control restart
     
    [Adding an agent]
    1. On the server, run
    /usr/local/ossec/bin/manage_agents and follow the prompts to add the client
    Once added, enter E to extract the agent's key, and copy it
    2. On the agent, run
    /usr/local/ossec/bin/manage_agents
    Paste in the key copied in step 1 and the agent is added
    [Listing online agents on the server]
    /usr/local/ossec/bin/agent_control -l
    [root@172-16-53-191 bin]# ./agent_control -l
    OSSEC HIDS agent_control. List of available agents:
    ID: 000, Name: 172-16-53-191 (server), IP: 127.0.0.1, Active/Local
    ID: 002, Name: test-agent-53.253, IP: 172.16.53.253, Active
    List of agentless devices:
    /usr/local/ossec/bin/list_agents -a
     
    [Installing the web interface to manage OSSEC]
    1. Set up an nginx + PHP runtime environment
    2. Download and install
    tar -zxvf ossec-wui-0.3.tar.gz
    mv ossec-wui-0.3 /usr/local/nginx/html/ossec-wui
    cd /usr/local/nginx/html/ossec-wui
    ./setup.sh
    3. Fix permissions: add the user that runs the web service to the ossec group
    vim /etc/group and change the ossec line to:
    ossec:x:1002:apache   # here apache is the user that runs PHP

    Set the permissions of the tmp directory under the OSSEC install directory (/usr/local/ossec/) to 770
    chmod 770 /usr/local/ossec/tmp
    chown -R apache.apache /usr/local/ossec/tmp
    service php-fpm restart

    Then open http://ossec-server-ip/ossec-wui/index.php to reach the OSSEC management interface
     
    [Practical uses of OSSEC]
    I. [OSSEC syscheck file monitoring]
    1. On the agent, edit /usr/local/ossec/etc/ossec.conf
    and add the following under <syscheck>:
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes" report_changes="yes">/tmp/mzk</directories>   # the directory to monitor
    Set the scan frequency
    2. On the server, override the rule: edit /usr/local/ossec/rules/ossec_rules.xml, find rule id 554, and add the following below it

    <rule id="554" level="10" overwrite="yes">
      <category>ossec</category>
      <decoded_as>syscheck_new_entry</decoded_as>
      <description>File added to the system. by mzk</description>
      <group>syscheck,</group>
    </rule>
    II. [Logins from an unexpected IP]
    On the server, edit rules/local_rules.xml and add:
    <rule id="7778" level="7">
      <if_sid>5700</if_sid>
      <group>authentication_failure</group>
      <srcip>!10.10.2.1</srcip>
      <description>not come from 10.10.2.1</description>
    </rule>
    Then restart the server side
    III. [Brute-force attempts]
    On the server, edit rules/sshd_rules.xml and change the rule to:
    <rule id="5720" level="7" frequency="3">
      <if_matched_sid>5716</if_matched_sid>
      <same_source_ip />
      <description>3 Failed passwords within 1 minutes Multiple SSHD authentication failures.</description>
      <group>authentication_failures,</group>
    </rule>
    IV. [Process monitoring]
    <rule id="533" level="7">
      <if_sid>530</if_sid>
      <match>ossec: output: 'netstat -tan</match>
      <check_diff />
      <description>Listened ports status (netstat) changed (new port opened or closed).</description>
    </rule>
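    To make the semantics of rules 7778 (II) and 5720 (III) concrete, here is an added example (not code from the original post or from OSSEC) that re-implements both rules in Python and runs them over constructed sshd log lines. The log lines, hostnames and IP addresses are made up; the 60-second window follows the rule description, and the counter reset after an alert is a simplification.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd line shape the OSSEC sshd decoder handles; "Failed" is what rule 5716 fires on.
SSHD_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")
TRUSTED_IP = "10.10.2.1"      # rule 7778: <srcip>!10.10.2.1</srcip>
FREQUENCY, TIMEFRAME = 3, 60  # rule 5720: frequency="3", "within 1 minutes"

def evaluate(lines):
    """Return (rule_id, srcip) alerts in the order the two rules would fire."""
    alerts = []
    recent = defaultdict(deque)  # srcip -> timestamps of its recent 5716 (Failed) events
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue             # not an sshd login event, so rule 5700 would not match
        outcome, srcip = m.groups()
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2017)
        # Rule 7778: any sshd login event whose source is not the trusted host.
        if srcip != TRUSTED_IP:
            alerts.append((7778, srcip))
        if outcome != "Failed":
            continue             # rule 5720 only counts 5716 (failed password) events
        # Rule 5720: <same_source_ip/>, fire once FREQUENCY failures land inside TIMEFRAME.
        q = recent[srcip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > TIMEFRAME:
            q.popleft()          # drop failures that fell out of the window
        if len(q) >= FREQUENCY:
            alerts.append((5720, srcip))
            q.clear()            # simplification: one burst yields one alert
    return alerts

# Constructed sample log (not real traffic): one trusted login, one untrusted
# login, then a burst of failures from a single address.
SAMPLE_LOG = [
    "Jul 21 10:00:01 srv sshd[1201]: Accepted password for root from 10.10.2.1 port 5001 ssh2",
    "Jul 21 10:00:05 srv sshd[1202]: Accepted password for root from 172.16.53.253 port 5002 ssh2",
    "Jul 21 10:00:10 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 4401 ssh2",
    "Jul 21 10:00:20 srv sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 4402 ssh2",
    "Jul 21 10:00:30 srv sshd[1205]: Failed password for root from 203.0.113.5 port 4403 ssh2",
    "Jul 21 10:02:00 srv sshd[1206]: Failed password for root from 203.0.113.5 port 4404 ssh2",
]

if __name__ == "__main__":
    for rule_id, ip in evaluate(SAMPLE_LOG):
        print(f"rule {rule_id} fired for {ip}")
```

    Note that as written on the page, rule 7778 sits under 5700 (all sshd events), so it fires on successful logins from untrusted addresses too, which is what the example shows for 172.16.53.253.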
     
     
  • Original post: https://www.cnblogs.com/Kevin-1967/p/7218475.html