Install and Configure OSSEC on Debian 7&8

Contributed by Sunday Ogwu-Chinuwa 
Updated Friday, February 5th, 2015 by James Stewart

This is a Linode Community guide. Write for us and earn $250 per published guide.


OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, rootkit detection, time-based alerting, and active response, making it an ideal choice for server monitoring.

When installed and configured, OSSEC will provide a real-time view of what’s taking place in your server or servers in a server/agent mode.

This guide covers how to install and configure OSSEC on a single Linode running Debian 7 in such a manner that if a file is modified, added or deleted, OSSEC will notify you by email in real-time. OSSEC can also provide notifications for other acitivies.

This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, you can check our Users and Groups guide.

Prerequisites

  1. Complete the Getting Started guide.

  2. Follow the Securing Your Server guide. It is especially important to create and enable a firewall. On Linux, OSSEC needs an active iptables firewall for its active response feature to work.

  3. Install inotify-tools and build-essential. OSSEC needs the first for real-time alerts and alerts on file deletions, while the latter is for compiling OSSEC. You can install both packages using:

    sudo apt-get install inotify-tools build-essential

Download and Verify OSSEC

Debian 7 does not have an installation candidate for OSSEC in its repository, so it will need to be downloaded from the project’s download page.

  1. Download the latest OSSEC tarball (2.8.1 at the time of this guide’s publication):

    wget -U http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
  2. Download the checksum file:

    wget -U http://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt
  3. Verify that the downloaded tarball has not been tampered with using the MD5 checksum:

    md5sum -c ossec-hids-2.8.1-checksum.txt

    The expected output is:

    ossec-hids-2.8.1.tar.gz: OK
    md5sum: WARNING: 1 line is improperly formatted
  4. Verify the SHA1 checksum:

    sha1sum -c ossec-hids-2.8.1-checksum.txt

    The expected output is:

    ossec-hids-2.8.1.tar.gz: OK
    sha1sum: WARNING: 1 line is improperly formatted

    In both outputs, ignore the WARNING line. As long as the first line reads OK, the file is good.

Install OSSEC

  1. Untar the file:

    tar xf ossec-hids-2.8.1.tar.gz
  2. Change to the newly-created directory, then run the install:

    cd ossec-hids-2.8.1
    sudo ./install.sh
  3. Select your language. If your language is the default (English - [en]), press Return; otherwise, type in the 2-letter code for your language from the list of supported languages:

    OSSEC HIDS v2.8 Installation Script - http://www.ossec.net
    
     You are about to start the installation process of the OSSEC HIDS.
    You must have a C compiler pre-installed in your system.
    If you have any questions or comments, please send an e-mail
    to dcid@ossec.net (or daniel.cid@gmail.com). - System: Linux deft 3.18.3-x86_64-linode51
    - User: root
    - Host: deft -- Press ENTER to continue or Ctrl-C to abort. --
  4. Press ENTER. You should now see:

    1- What kind of installation do you want (server, agent, local, hybrid or help)?
    
    You have these installation options: server, agent, local, or hybrid.
    
     ...
    
    1- What kind of installation do you want (server, agent, local, hybrid or help)? local
  5. Choose local, which enables OSSEC to monitor the server it has been installed on. Select the defaults for subsequent options. Note that the email you specify has to be a valid one, because all OSSEC alerts will be sent to it. If installation is successful, you should see:

    - System is Debian (Ubuntu or derivative).
    - Init script modified to start OSSEC HIDS during boot. - Configuration finished properly. - To start OSSEC HIDS:
    /var/ossec/bin/ossec-control start - To stop OSSEC HIDS:
    /var/ossec/bin/ossec-control stop - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at contact@ossec.net or using our public maillist at
    ossec-list@ossec.net
    ( http://www.ossec.net/main/support/ ). More information can be found at http://www.ossec.net --- Press ENTER to finish (maybe more information below). ---

    Press ENTER to finish. OSSEC is now installed, and ready to be configured.

Configure OSSEC

OSSEC is chrooted to the /var/ossec directory, and its configuration file is ossec.conf, in the/var/ossec/etc directory. There are several modifications that you will need to make in ossec.conf, including:

  • Email Settings

  • Configure OSSEC to alert on new files

  • Directories to monitor

  • Files and directories to ignore

  • Active response block times

  • Rules for new files

Use the sudo su command to gain root access to the directory:

sudo su   
or: sudo -s

Switch to the /var/ossec/etc directory.

Customize Email Settings

Although you specified an email and OSSEC auto-discovered the SMTP server, there are a few changes that can be made to the email settings.

  1. Open ossec.conf. The email settings are at the top of the file:

    ossec.conf
    <global>
    <email_notification>yes</email_notification>
    <email_to>loginName@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>ossecm@hostname</email_from>
    </global>

    The < email_to > entry is the email specified during installation. That is the address in which OSSEC will send alerts, and can be changed at any time. The < email_from > entry is where OSSEC’s alerts will appear to be sent from. If you do not change the default, some SMTP servers will mark the email alerts as spam.

  2. Modify the < email_from > line:

    ossec.conf
    <global>
    <email_notification>yes</email_notification>
    <email_to>loginName@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>loginName@example.com</email_from>
    </global>

    The < email_to > and < email_from > values can be the same. If you are running your own mail server and it’s on the same server that OSSEC is installed, you may change the < smtp_server > value to localhost.

    After making changes to the email settings, save and close the file.

  3. Start OSSEC:

    /var/ossec/bin/ossec-control start

    If the current working directory is /var/ossec/etc, you can use:

    ../bin/ossec-control start
  4. After OSSEC has started, check your inbox for the first alert from OSSEC:

    OSSEC HIDS Notification.
    2015 Jan 30 08:22:52 Received From: deft->ossec-monitord
    Rule: 502 fired (level 3) -> "Ossec server started."
    Portion of the log(s): ossec: Ossec started. --END OF NOTIFICATION

    If the email is received, then the settings are working and subsequent alerts will also hit your inbox.

Configure OSSEC to Alert on New Files

By default OSSEC will not send out an alert when a new file is added to the system.

  1. Open ossec.conf and scroll down to the following section:

    ossec.conf
     <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
  2. Modify the file:

    ossec.conf
     <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency> <alert_new_files>yes</alert_new_files>

    Note that the < frequency > is the interval that OSSEC performs a system check. During testing, you may reduce that setting to a lower number, like 900. Afterwards, it can be changed back to the default.

Modify Directories to Monitor

  1. Open ossec.conf. Below the < frequency > setting is a list of system directories that OSSEC has been configured to monitor:

    ossec.conf
    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  2. OSSEC can check the home directory and, if hosting a website on the server, monitor the website’s data directory. For the specified directories, OSSEC can be configured to report changes in real-time:

    ossec.conf
    <!-- Directories to check  (perform all possible verifications) -->
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/home/username,/var/www</directories>
  3. Another directory you may want to configure OSSEC to monitor is /var/ossec, OSSEC’s installation directory. However, if monitored, OSSEC must be configured to ignore certain directories within /var/ossec, otherwise you risk running out of disk space.

Modify Files and Directories to Ignore

For a Linux system, the default list of files and directories to ignore are:

ossec.conf
 <!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>

If OSSEC is configured to monitor /var/ossec, include the additional lines:

ossec.conf
    <ignore>/var/ossec/logs</ignore>
<ignore>/var/ossec/queue</ignore>
<ignore>/var/ossec/var</ignore>
<ignore>/var/ossec/tmp</ignore>
<ignore>/var/ossec/stats</ignore>

Modify Active Response Block Times

OSSEC uses tcpwrappers (host.deny) and iptables to ban any IP addresses that trigger an alert. By default, such IP addresses are blocked for 600 seconds, or 10 minutes. This can be changed to a longer timeframe.

To alter the timeframe of a ban, change the < timeout > setting to suit. Note that it has to be inseconds:

ossec.conf
<!-- Active Response Config -->
<active-response> <command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response> <active-response> <command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>

After making changes, save and close the file.

Modify Rule for New Files

  1. Move to the /var/ossec/rules directory:

    cd /var/ossec/rules

    The rules are located in a series of XML files and all rule definitions are found in ossec_rules.xml, which should not be modified. All rule modifications must be made in local_rules.xml.

  2. The rule that fires on new files is rule number 554. The chunk of code that defines that rule inossec_rules.xml is:

    ossec_rules.xml
     <rule id="554" level="0">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
    </rule>
  3. Since OSSEC does not alert on rules that are level 0, that rule has to be modified inlocal_rules.xml so that OSSEC can fire when a new file is added to the system. The rule modification should be located between the < group > ... < /group > tags:

    local_rules.xml
    <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
    </rule> </group> <!-- SYSLOG,LOCAL --> <!-- EOF -->
  4. Save and close the file.

Restarting OSSEC

After any modification is made to OSSEC, it has to be restarted:

/var/ossec/bin/ossec-control restart

If it restarts with no errors, it will output the following:

Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.8 Stopped
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

Otherwise, you will receive a configuration error:

Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
ossec-analysisd: Configuration error. Exiting.

If this happens, check OSSEC’s error log. It is advised to check the error log even if OSSEC restarts successfully, because may contain other errors that don’t prevent OSSEC from restarting, but may need your attention. The error log file is ossec.log under the /var/ossec/logs directory.

What to Expect

After making any final modifications and restarting OSSEC, you should receive another alert saying that OSSEC has started. If any rule is triggered after that, you will also receive similar alerts in your inbox:

OSSEC HIDS Notification.
2015 Jan 30 09:57:06 Received From: deft->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s): Integrity checksum changed for: '/home/finid/sidebar.php'
Size changed from '0' to '19'
What changed:
0a1 this is a php file Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : 'df4f22f84b5ceb2c31cbb391883f2c83'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '297b920c943134074690344a3da83f19483a93ef' --END OF NOTIFICATION

OSSEC HIDS Notification.
2015 Jan 30 09:26:02 Received From: deft->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s): ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:43157 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp6 0 0 :::111 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::53262 :::* LISTEN
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:43157 0.0.0.0:* LISTEN
tcp6 0 0 :::111 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::53262 :::* LISTEN --END OF NOTIFICATION

OSSEC HIDS Notification.
2015 Jan 30 09:57:54 Received From: deft->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s): File '/home/user5/footer.php' was deleted. Unable to retrieve checksum. --END OF NOTIFICATION

OSSEC HIDS Notification.
2015 Jan 30 09:19:16 Received From: deft->/var/log/dpkg.log
Rule: 2902 fired (level 7) -> "New dpkg (Debian Package) installed."
Portion of the log(s): 2015-01-30 09:19:14 status installed nginx-common:all 1.2.1-2.2+wheezy3 --END OF NOTIFICATION

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

This guide is published under a CC BY-ND 3.0 license.

Install and Configure OSSEC on Debian 7&8的更多相关文章

  1. Install and Configure SharePoint 2013 Workflow

    这篇文章主要briefly introduce the Install and configure SharePoint 2013 Workflow. Microsoft 推出了新的Workflow ...

  2. You must use the Role Management Tool to install or configure Microsoft .NET Framework 3.5 SP1

    今天在Windows Server 2008 下安装SQL SERVER 2008时,碰到如下错误: You must use the Role Management Tool to install ...

  3. Use the PDFs below or the HTML contents to the left to install and configure P6 EPPM and its additional components.

    Welcome to Your Documentation   Use the PDFs below or the HTML contents to the left to install and c ...

  4. How to Install and Configure Nginx from Source on centos--转

    1.CentOS - Installing Nginx from source http://articles.slicehost.com/2009/2/2/centos-installing-ngi ...

  5. Install OpenCV on Ubuntu or Debian

    http://milq.github.io/install-OpenCV-ubuntu-debian/转注:就用第一个方法吧,第二个方法的那个sh文件执行失败,因为我价格kurento.org的源,在 ...

  6. Install and Configure Apache Kafka on Ubuntu 16.04

    https://devops.profitbricks.com/tutorials/install-and-configure-apache-kafka-on-ubuntu-1604-1/ by hi ...

  7. Step 4: Install and Configure Databases

    https://www.cloudera.com/documentation/enterprise/latest/topics/cm_ig_installing_configuring_dbs.htm ...

  8. ubuntu 16.04源码编译和配置caffe详细教程 | Install and Configure Caffe on ubuntu 16.04

    本文首发于个人博客https://kezunlin.me/post/b90033a9/,欢迎阅读! Install and Configure Caffe on ubuntu 16.04 Series ...

  9. windows 10安装和配置caffe教程 | Install and Configure Caffe on windows 10

    本文首发于个人博客https://kezunlin.me/post/1739694c/,欢迎阅读! Install and Configure Caffe on windows 10 Part 1: ...

随机推荐

  1. POJ – 1200 Crazy Search

    http://poj.org/problem?id=1200 #include<iostream> #include<cstring> using namespace std; ...

  2. TP5 隐藏入口文件 index.php

    找到public下的.htaccess <IfModule mod_rewrite.c> Options +FollowSymlinks -Multiviews RewriteEngine ...

  3. macOS High Sierra 10.13正式版USB安装盘制作

    1.首先,准备一个 8GB 或更大容量的 U盘,并备份好里面的所有资料. 2.下载好 macOS High Sierra 正式版的安装程序:https://support.apple.com/zh-c ...

  4. Mac下的SSH插件(默认自带)

    Mac下默认自带,直接通过终端输入ssh获取更多的参数帮助.

  5. Sublime Text 3安装插件(Mac 10.12)

    1.先安装Package Control,默认这个是没有安装的. 使用[control + -]打开控制台,输入以下代码: import urllib.request,os; pf = 'Packag ...

  6. windows下简单配置apache

    不得不做个笔记,不然每次配置都记不清楚... 详细的配置朋友这边写的很好.地址 # 对 PHP 4 LoadModule php4_module "c:/php/php4apache2.dl ...

  7. SpringBoot集成WebSocket【基于STOMP协议】进行点对点[一对一]和广播[一对多]实时推送

    原文详细地址,有点对点,还有广播的推送:https://blog.csdn.net/ouyzc/article/details/79884688 下面是自己处理的一些小bug 参考原文demo,结合工 ...

  8. c++面试题中经常被面试官面试的小问题总结(二)(本篇偏向指针知识)

    原文作者:aircraft 原文链接:https://www.cnblogs.com/DOMLX/p/10713204.html 1.利用指针交换两个字符串方法?(这题是我当年读大一的时候看到的,好怀 ...

  9. docker搭建gitlab,设置邮件提醒,并运行runner

    接着http://www.cnblogs.com/wsy1030/p/8431837.html 在另一台机子运行gitlab: docker run --name='gitlab' -d -p 222 ...

  10. Redis之hiredis API (String)

    String // // Created by zhangrongxiang on 2018/3/7 13:48 // File string2 // #include <hiredis/hir ...