LinuxMoz

Linux Stuff && Coffee

OSSEC Ubuntu Install


This guide walks you through an OSSEC Ubuntu install. Unfortunately there are no .deb packages for OSSEC, so a source install is required.

To start with, make sure you have the correct build tools installed:

sudo aptitude install -y build-essential linux-headers-`uname -r`

OSSEC Ubuntu Installation Guide

Personally I use /usr/src when I download and build applications from source, but this is optional.

Download OSSEC source tar files:

wget https://www.ossec.net/files/ossec-hids-latest.tar.gz

Untar tar.gz files:

tar -zxvf ossec-hids-*.tar.gz

Enter the OSSEC dir:

cd ossec-hids-*

Start the OSSEC install script:

./install.sh

I accepted all the defaults and entered my mail address and SMTP server info when prompted. You will be asked what type of OSSEC install you require during the install process; I selected local for the purpose of this guide.

Here is my output from the OSSEC install script:

You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to [email protected] (or [email protected]).

  - System: Linux linuxmoz 2.6.32-33-server
  - User: root
  - Host: linuxmoz


  -- Press ENTER to continue or Ctrl-C to abort. --


1- What kind of installation do you want (server, agent, local or help)? server

  - Server installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]:
   - What's your e-mail address? myemailaddress
   - What's your SMTP server ip/host? localhost

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

   - Running syscheck (integrity check daemon).

 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       https://www.ossec.net/en/manual.html#active-response

   - Do you want to enable active response? (y/n) [y]:

- Active response enabled.

   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]:
        - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 10.0.3.1

   - Do you want to add more IPs to the white list? (y/n)? [n]:

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:
     - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/mail.info
    -- /var/log/dpkg.log
    -- /var/log/apache2/error.log (apache log)
    -- /var/log/apache2/access.log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at https://www.ossec.net .
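The installer's closing note says to add a localfile entry to ossec.conf for any extra log you want monitored. As an added example (not from the original post or the OSSEC project), this POSIX shell function splices such an entry in before the closing </ossec_config> tag and skips files that are already monitored, so it is safe to re-run; the config path /var/ossec/etc/ossec.conf is assumed from the default install location shown above, and the demo at the bottom runs against a constructed sample config rather than the real one.

```shell
#!/bin/sh
# Added example: append a <localfile> entry to an OSSEC ossec.conf.
# Assumed default config path (from the installer's /var/ossec default).
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# add_localfile CONF LOGFILE [FORMAT]
# Inserts a <localfile> block before the first </ossec_config> tag.
# Returns 0 on insert, 1 if LOGFILE is already monitored, 2 on a bad config.
add_localfile() {
    conf="$1"; logfile="$2"; fmt="${3:-syslog}"
    [ -f "$conf" ] || return 2
    grep -q '</ossec_config>' "$conf" || return 2
    # Idempotent: do not add a second entry for the same location.
    if grep -q "<location>$logfile</location>" "$conf"; then
        return 1
    fi
    # Write to a temp file first so a failed edit never truncates the config.
    tmp="${conf}.tmp.$$"
    awk -v lf="$logfile" -v f="$fmt" '
        /<\/ossec_config>/ && !done {
            print "  <localfile>"
            print "    <log_format>" f "</log_format>"
            print "    <location>" lf "</location>"
            print "  </localfile>"
            done = 1
        }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Stand-alone demo on a constructed sample config (not the real ossec.conf).
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
EOF
add_localfile "$demo_conf" /var/log/nginx/access.log apache && cat "$demo_conf"
rm -f "$demo_conf"
```

After changing the real config, restart OSSEC with /var/ossec/bin/ossec-control restart so the new localfile entry is picked up.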
