I accepted all the defaults and entered the my mail address and SMTP server info when prompted. You will be asked what type of OSSEC install you require during the install process, I selected local for the purpose of this guide.
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to [email protected](or [email protected]).
- System: Linux linuxmoz 2.6.32-33-server
- User: root
- Host: linuxmoz
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local or help)? server
- Server installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n)[y]:
- What's your e-mail address? myemailaddress - What's your SMTP server ip/host? localhost
3.2- Do you want to run the integrity check daemon? (y/n)[y]: y
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n)[y]: y
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access fora specific user.
More information at:
- Do you want to enable active response? (y/n)[y]:
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n)[y]:
- firewall-drop enabled (local)for levels >= 6
- Default white list for the active response:
- Do you want to add more IPs to the white list? (y/n)? [n]:
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n)[y]:
- Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/apache2/error.log (apache log) -- /var/log/apache2/access.log (apache log) - If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at https://www.ossec.net .