Tuesday, August 31, 2010

Intrusion Detection and Prevention Using OSSEC

What is OSSEC?
According to the OSSEC project, "It is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response."

Installation on Debian Server
I installed it on Debian .6.24-19-server, which was already running a web service.
Install environment
Make sure you have a compiler (e.g. gcc or cc) and 'make' already installed on your system; otherwise the build fails with an error message and the installation process aborts.

root@www:/usr/local/src/ossec-hids-2.4.1# apt-get install gcc


Download the latest build from the www.ossec.net website.

Extract it into a folder and start the installation:
imran@web:~/ossec-hids-2.4.1$ tar -zxvf ossec-hids-2.4.1.tar.gz
imran@web:~/ossec-hids-2.4.1$ cd ossec-hids-2.4.1/

Run the installation script:

root@web:~/ossec-hids-2.4.1# ./install.sh
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: en

-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local or help)? local

- Local installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:
/var/ossec

- Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? imran@pingcom.net

- We found your SMTP server as: ASPMX4.GOOGLEMAIL.COM.
- Do you want to use it? (y/n) [y]: y

--- Using SMTP server: ASPMX4.GOOGLEMAIL.COM.

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:
- xx.xx.xx.xx
- xx.xx.xx.xx

- Do you want to add more IPs to the white list? (y/n)? [n]: y
- IPs (space separated): xx.xx.xx.xx

3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/dpkg.log
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---

Error
Error Making os_xml
make: *** [all] Error 1

Error 0x5.
Building error. Unable to finish the installation.


Solution for the above error: os_xml fails to build because the C library development headers are missing. Install them and run ./install.sh again:
root@web:# apt-get install libc6-dev

- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

--- Press ENTER to finish (maybe more information below). ---


The configuration file is stored at /var/ossec/etc/ossec.conf and can be edited with:
root@web:# nano /var/ossec/etc/ossec.conf
It contains the configuration for everything chosen during installation (e-mail notification, syscheck, rootcheck, active response and the monitored log files).
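The fragment below is an added example, not the ossec.conf generated on the author's server, showing what the choices made in the installer dialog above look like inside /var/ossec/etc/ossec.conf: e-mail notification, syscheck, rootcheck, the firewall-drop active response for level 6 and above with a white list, and the localfile entries. The addresses (admin@example.com, smtp.example.com, 192.0.2.10) and the extra /var/log/nginx/error.log entry are constructed placeholders; the element names are the standard OSSEC 2.x configuration syntax.

```xml
<ossec_config>
  <global>
    <!-- e-mail alerting, as chosen in step 3.1 (placeholder addresses) -->
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossecm@web.example.com</email_from>
    <!-- hosts active response must never block: keep the address you
         administer the server from here, or a burst of your own failed
         SSH logins can lock you out (constructed example address) -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.10</white_list>
  </global>

  <!-- step 3.2: file integrity checking every 22 hours -->
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>

  <!-- step 3.3: rootkit detection using the signature lists shipped with OSSEC -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- step 3.4: the firewall-drop command and the rule that triggers it.
       <expect>srcip</expect> means it only fires on alerts carrying a source IP,
       and timeout_allowed lets the block expire instead of being permanent -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- step 3.6: files to analyse; one localfile block per log -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
  <!-- an additional file the installer did not offer (constructed path) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>
</ossec_config>
```

After editing the file, restart OSSEC with /var/ossec/bin/ossec-control restart so the new localfile and white_list entries take effect. A blocked address is released automatically once the 600-second timeout expires, so a false positive on a non-whitelisted host is temporary, while a whitelisted host is never blocked at all.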

How to Start

root@web:# /var/ossec/bin/ossec-control start

How to Stop

root@web:# /var/ossec/bin/ossec-control stop


References:

http://www.ossec.net/main/manual/manual-installation
http://newyork.ubuntuforums.org/showthread.php?t=905034

3 comments:

prolix said...

Your post is very informative. You are right, a good Intrusion Detection must be a good listener.
Regards,

EV SSL said...

Thank you for your efforts looking for this great list. Welcome to the do follow community. I am hoping for a great work from you in the future.

window cleaning adelaide said...

Interesting post. I'll be sticking around to hear more from you guys. Thanks! Carpet Cleaning adelaide