
Install and Configure OSSEC on Debian 7&8

Published: 2020-12-14 03:48:58 | Category: Big Data | Source: compiled from the web

Contributed by Sunday Ogwu-Chinuwa
Updated Friday, February 5th, 2015 by James Stewart

This is a Linode Community guide. Write for us and earn $250 per published guide.


OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, rootkit detection, time-based alerting, and active response, making it an ideal choice for server monitoring.

When installed and configured, OSSEC will provide a real-time view of what’s taking place in your server or servers in a server/agent mode.

This guide covers how to install and configure OSSEC on a single Linode running Debian 7 in such a manner that if a file is modified, added or deleted, OSSEC will notify you by email in real-time. OSSEC can also provide notifications for other activities.

This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, you can check our Users and Groups guide.

Prerequisites

  1. Complete the Getting Started guide.

  2. Follow the Securing Your Server guide. It is especially important to create and enable a firewall. On Linux, OSSEC needs an active iptables firewall for its active response feature to work.

  3. Install inotify-tools and build-essential. OSSEC needs the first for real-time alerts and alerts on file deletions, while the latter is for compiling OSSEC. You can install both packages using:

    sudo apt-get install inotify-tools build-essential

Download and Verify OSSEC

Debian 7 does not have an installation candidate for OSSEC in its repository, so it will need to be downloaded from the project’s download page.

  1. Download the latest OSSEC tarball (2.8.1 at the time of this guide’s publication):

    Download the checksum file:

    Verify that the downloaded tarball has not been tampered with using the MD5 checksum:

    The expected output is:

    Verify the SHA1 checksum:

    The expected output is:

    In both outputs, ignore the WARNING line. As long as the first line reads OK, the file is good.

Install OSSEC

  1. Untar the file:

    Change to the newly-created directory,then run the install:

    Select your language. If your language is the default (English - [en]), press Return; otherwise, type in the 2-letter code for your language from the list of supported languages:

    Press ENTER. You should now see:

    Choose local, which enables OSSEC to monitor the server it has been installed on. Select the defaults for subsequent options. Note that the email you specify has to be a valid one, because all OSSEC alerts will be sent to it. If installation is successful, you should see:

    Press ENTER to finish. OSSEC is now installed, and ready to be configured.

Configure OSSEC

OSSEC is chrooted to the /var/ossec directory, and its configuration file is ossec.conf, in the /var/ossec/etc directory. There are several modifications that you will need to make to it. Use the sudo su command to gain root access to the directory:

    sudo su

or:

    sudo -s

Switch to the /var/ossec/etc directory.

Customize Email Settings

Although you specified an email and OSSEC auto-discovered the SMTP server, there are a few changes that can be made to the email settings.

  1. Open ossec.conf. The email settings are at the top of the file (the two addresses below are placeholders; the page's copy of the real values was mangled by the site's email obfuscation):

    ossec.conf
    <global>
        <email_notification>yes</email_notification>
        <email_to>you@example.com</email_to>           <!-- placeholder: the address you gave during installation -->
        <smtp_server>mail.example.com.</smtp_server>
        <email_from>ossecm@example.com</email_from>    <!-- placeholder: the sender OSSEC generated -->
    </global>

    The <email_to> entry is the email specified during installation. That is the address to which OSSEC will send alerts, and it can be changed at any time. The <email_from> entry is where OSSEC’s alerts will appear to be sent from. If you do not change the default, some SMTP servers will mark the email alerts as spam.

  2. Modify the <email_from> line (again, the addresses are placeholders):

    <global>
        <email_notification>yes</email_notification>
        <email_to>you@example.com</email_to>
        <smtp_server>mail.example.com.</smtp_server>
        <email_from>you@example.com</email_from>       <!-- placeholder: a real address on your domain -->
    </global>

The <email_to> and <email_from> values can be the same. If you are running your own mail server and it’s on the same server that OSSEC is installed on, you may change the <smtp_server> value to localhost.

After making changes to the email settings,save and close the file.

  • Start OSSEC:

    If the current working directory is /var/ossec/etc, you can use:

    After OSSEC has started,check your inbox for the first alert from OSSEC:

    If the email is received,then the settings are working and subsequent alerts will also hit your inbox.

  • Configure OSSEC to Alert on New Files

    By default OSSEC will not send out an alert when a new file is added to the system. The relevant part of ossec.conf is:

      <syscheck>
        <!-- Frequency that syscheck is executed - default to every 22 hours -->
        <frequency>79200</frequency>

    1. Modify the file:

      <syscheck>
        <!-- Frequency that syscheck is executed - default to every 22 hours -->
        <frequency>79200</frequency>
        <alert_new_files>yes</alert_new_files>

      Note that the <frequency> is the interval at which OSSEC performs a system check. During testing, you may reduce that setting to a lower number, like 900. Afterwards, it can be changed back to the default.

    Modify Directories to Monitor

      The default directories block is:

      <!-- Directories to check (perform all possible verifications) -->
      <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
      <directories check_all="yes">/bin,/sbin</directories>

    1. OSSEC can check the home directory and, if hosting a website on the server, monitor the website’s data directory. For the specified directories, OSSEC can be configured to report changes in real-time:

      <!-- Directories to check (perform all possible verifications) -->
      <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/sbin</directories>
      <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
      <directories report_changes="yes" realtime="yes" check_all="yes">/home/username,/var/www</directories>

    2. Another directory you may want to configure OSSEC to monitor is /var/ossec, OSSEC’s installation directory. However, if monitored, OSSEC must be configured, in ossec.conf, to ignore certain directories within it.

    3. If OSSEC is configured to monitor /var/ossec, add the following entries:

      <ignore>/var/ossec/logs</ignore>
      <ignore>/var/ossec/queue</ignore>
      <ignore>/var/ossec/var</ignore>
      <ignore>/var/ossec/tmp</ignore>
      <ignore>/var/ossec/stats</ignore>
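    As an added illustration (not a listing from the original guide), here are the pieces above assembled into one complete <syscheck> block as it would sit in /var/ossec/etc/ossec.conf. The values are the guide's (including the test-time frequency of 900 and the /home/username placeholder); the comments explaining what each attribute does are mine.

```xml
<syscheck>
  <!-- Interval between full integrity scans, in seconds.
       79200 (22 hours) is the default; 900 is the guide's test-time value.
       Restore the default once alerts are confirmed to arrive. -->
  <frequency>900</frequency>

  <!-- Without this, syscheck still records new files but never raises
       rule 554, so additions go unreported. -->
  <alert_new_files>yes</alert_new_files>

  <!-- check_all: compare hash, size, owner, group and permissions.
       realtime:  inotify-driven events instead of waiting for the next scan
                  (this is why inotify-tools was a prerequisite).
       report_changes: include a diff of modified text files in the alert. -->
  <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/sbin</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/home/username,/var/www</directories>

  <!-- Watching OSSEC's own tree catches tampering with the IDS itself, but
       its runtime state (queues, logs, stats) changes constantly, so those
       subdirectories must be excluded or OSSEC alerts on its own activity. -->
  <directories check_all="yes">/var/ossec</directories>
  <ignore>/var/ossec/logs</ignore>
  <ignore>/var/ossec/queue</ignore>
  <ignore>/var/ossec/var</ignore>
  <ignore>/var/ossec/tmp</ignore>
  <ignore>/var/ossec/stats</ignore>
</syscheck>
```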

      Modify Active Response Block Times

      OSSEC uses tcpwrappers (hosts.deny) and iptables to ban any IP addresses that trigger an alert. By default, such IP addresses are blocked for 600 seconds, or 10 minutes. This can be changed to a longer timeframe.

      To alter the timeframe of a ban, change the <timeout> setting to suit. Note that it has to be in seconds:
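      As an added example (not the guide's own listing), this is what the two local-mode active-response entries look like in /var/ossec/etc/ossec.conf with the ban lengthened from the 600-second default to one hour. The <command> definition is reproduced from the stock OSSEC configuration as I know it, so check it against your installed file; the level threshold of 6 is the stock default.

```xml
<!-- The named response: firewall-drop.sh inserts an iptables DROP rule for
     the source IP extracted from the alert (expect srcip). -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
</command>

<!-- tcpwrappers response: adds the source IP to /etc/hosts.deny -->
<active-response>
  <command>host-deny</command>
  <location>local</location>
  <!-- fire on any alert of this level or higher -->
  <level>6</level>
  <!-- ban duration in seconds: 600 is the default, 3600 is one hour -->
  <timeout>3600</timeout>
</active-response>

<!-- iptables response: same trigger level and the same lengthened ban -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>3600</timeout>
</active-response>
```

      Keep both timeouts equal, otherwise the address is unblocked at the firewall while still listed in hosts.deny (or the reverse), which makes the ban hard to reason about when you investigate an alert.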

      After making changes,save and close the file.

      Modify Rule for New Files

      1. Move to the /var/ossec/rules directory:

        The rules are located in a series of XML files and all rule definitions are found in ossec_rules.xml, which should not be modified. All rule modifications must be made in local_rules.xml.

      2. The rule that fires on new files is rule number 554. The chunk of code that defines that rule in ossec_rules.xml is:

        ossec_rules.xml

      3. Since OSSEC does not alert on rules that are level 0, that rule has to be modified in local_rules.xml so that OSSEC can fire when a new file is added to the system. The rule modification should be located between the <group> ... </group> tags:

        local_rules.xml

      4. Save and close the file.
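      The rule listings did not survive in this copy of the guide, so the following is an added example of the override described in steps 2 and 3, not the guide's own text. The stock rule body (category, decoded_as, description) is OSSEC's definition of rule 554 as I know it; compare it with your own ossec_rules.xml before relying on it. The group name "local,syscheck," is my choice.

```xml
<!-- Stock definition in ossec_rules.xml (do not edit that file).
     Level 0 means "never alert", so new files are silently ignored. -->
<!--
<rule id="554" level="0">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>
-->

<!-- local_rules.xml: reusing the same id with overwrite="yes" replaces the
     stock rule instead of adding a duplicate. Level 7 matches OSSEC's default
     email_alert_level, so the alert is mailed as well as logged. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

      A level lower than 7 will still appear in /var/ossec/logs/alerts/alerts.log but will not be emailed unless you also lower email_alert_level in ossec.conf.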

      Restarting OSSEC

      After any modification is made to OSSEC,it has to be restarted:

      If it restarts with no errors,it will output the following:

      Otherwise,you will receive a configuration error:

      If this happens, check OSSEC’s error log. It is advised to check the error log even if OSSEC restarts successfully, because it may contain other errors that don’t prevent OSSEC from restarting, but may need your attention. The error log file is ossec.log under the /var/ossec/logs directory.

      What to Expect

      After making any final modifications and restarting OSSEC, you should receive another alert saying that OSSEC has started. If any rule is triggered after that, you will also receive similar alerts in your inbox:




      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      • http://www.ossec.net/

      This guide is published under a CC BY-ND 3.0 license.


      Source: <https://linode.com/docs/security/ossec-ids-debian-7>


      (Editor: 李大同)
