COIT13146 - System and Network Administration
Installing OSSEC
From the OSSEC website (www.ossec.net, accessed 17-01-2013):
"OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response."
We will be installing OSSEC on our internal server, userv1.
Assumptions
We have an up-to-date Ubuntu Server connected to the Internet. Remember that our Ubuntu Server, userv1, requires our gateway server to provide access to the Internet. So for all the below tasks, we will need the gateway server running and the firewall rules we developed previously, applied (we might consider including these in startup scripts if they are working without issue).
We have a basic understanding of what Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are.
We know the difference between a Network IDS and a Host IDS.
OSSEC
Installation
Installing OSSEC is very different from all our previous installations. There is no pre-built Ubuntu package for OSSEC, so we will have to compile and install it manually. This is a good exercise to do.
We need the build-essential package to allow us to build OSSEC:
ubuntu@userv1:~$ sudo apt-get install build-essential
It is a fairly large package (~90 MB) so may take a little while to download and install. It installs a number of compilers and development tools required to build and compile software.
We first need to download the OSSEC files, so let's make a directory to work in. Starting from our home directory:
ubuntu@userv1:~$ mkdir ossec
and change directories so we are in the ossec working directory:
ubuntu@userv1:~$ cd ossec
Now to download OSSEC we use the wget command (read the man page before using it) and find the latest OSSEC version available (check on the OSSEC website):
ubuntu@userv1:~/ossec$ wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
This will download the latest OSSEC installation files to our working directory.
Now we need to extract the files:
ubuntu@userv1:~/ossec$ tar -xvf ossec-hids-2.7.tar.gz
Then change to the installation directory:
ubuntu@userv1:~/ossec$ cd ossec-hids-*
and then install OSSEC by running the install.sh script:
ubuntu@userv1:~/ossec/ossec-hids-2.7$ sudo ./install.sh
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvű telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
We are asked for the installation language, which defaults to [en] (English), so just press [Enter].
OSSEC HIDS v2.7 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to [email protected] (or [email protected]).
- System: Linux userv1 3.2.0-35-virtual
- User: root
- Host: userv1
-- Press ENTER to continue or Ctrl-C to abort. --
[Enter] to continue.
1- What kind of installation do you want (server, agent, local, hybrid or help)?
We are doing a local install so type 'local' (no quotes) and press [Enter].
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
Use the default /var/ossec install location - press [Enter].
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]:
Yes we do!
- What's your e-mail address?
Type in our own email address. Choose one that is easy to check, since all alerts will be sent to this address.
- What's your SMTP server ip/host?
Our local machine is configured to send email so we can use it as the SMTP server by simply typing in 'localhost' (no quotes).
3.2- Do you want to run the integrity check daemon? (y/n) [y]:
y
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
y
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]:
y - note that active response has the ability to block our own PuTTY connection, as the details that follow explain:
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
So if we attempt to log in to our server and make a few failed password attempts, our IP address will be locked out.
- Do you want to enable the firewall-drop response? (y/n) [y]:
y
- Default white list for the active response:
- 192.168.1.1
- Do you want to add more IPs to the white list? (y/n)? [n]:
n - we don't want to add any more. 192.168.1.1 is the name resolution server for *this* network (the address may differ for each of us).
3.6- Setting the configuration to analyze the following logs:
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/dpkg.log
-- /var/log/snort/alert (snort-full file)
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
[Enter] to continue.
Read those details carefully: OSSEC will monitor auth.log (login issues), syslog (system errors), dpkg.log (software installations) and the snort alert file (snort alerts will now be reported to us via email).
The build will take a little while to complete. Ensure that it completes successfully.
We should always read the output carefully:
- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at [email protected] or using our public maillist at
[email protected]
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
[Enter] to finish.
OSSEC should now be installed.
If you have problems do not proceed - raise an issue on the course forum.
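As an added example (not part of the course notes or of OSSEC itself), a small POSIX shell script that reads an ossec.conf, lists the logs OSSEC will watch and the active-response white list, and adds an address to the white list if it is missing, so that a few mistyped passwords from our own PuTTY session cannot lock us out. The configuration fragment and the 192.168.1.50 client address are constructed for this example; on userv1 the real file is /var/ossec/etc/ossec.conf.

```shell
#!/bin/sh
# Added example, not part of the course notes or of OSSEC itself.
# Reads an ossec.conf, lists what OSSEC watches and who is exempt from
# active response, and adds an address to the white list so that a few
# mistyped passwords from our own PuTTY session cannot lock us out.
# The fragment below is constructed in the shape install.sh writes.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <white_list>192.168.1.1</white_list>
  </global>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
</ossec_config>
EOF

# Print one monitored log path per line.
monitored_logs() {
    sed -n 's/.*<location>\(.*\)<\/location>.*/\1/p' "$1"
}

# Print one white-listed address per line.
white_list() {
    sed -n 's/.*<white_list>\(.*\)<\/white_list>.*/\1/p' "$1"
}

# Exit 0 if address $2 is white-listed in conf $1, 1 otherwise.
is_whitelisted() {
    white_list "$1" | grep -qxF "$2"
}

# Append a white_list entry to <global> unless it is already present.
add_to_white_list() {
    is_whitelisted "$1" "$2" && return 0
    tmp="$(mktemp)"
    awk -v ip="$2" '/<\/global>/ { print "    <white_list>" ip "</white_list>" } { print }' "$1" > "$tmp"
    mv "$tmp" "$1"
}
# Usage on userv1 (192.168.1.50 is a constructed client address):
# add_to_white_list /var/ossec/etc/ossec.conf 192.168.1.50
```

Restart OSSEC with ossec-control after editing the real file so the new white list entry takes effect.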
Cleaning up
To save space on our server and to remove software we no longer need, we can now purge the build-essential package and the dependencies that were pulled in with it:
ubuntu@userv1:~$ sudo apt-get purge build-essential
ubuntu@userv1:~$ sudo apt-get autoremove
Starting OSSEC
Now we can start OSSEC:
ubuntu@userv1:~$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
We should receive an email indicating that the OSSEC server started.
We should always read the output from commands carefully. In a previous term there was a minor bug in the ossec-control script which required it to be manually edited. This bug has been fixed in the latest version of OSSEC. If any errors are displayed, do something about them straight away (ask on the course forum); don't just ignore them.
We should now check our email!