Advantages of OSSEC:
1. Open source (yea).
2. OSSEC monitors integrity of system and log files.
3. Root kit detection.
4. An active response system. This means OSSEC will not only monitor, but also respond to threats (black list naughty IP addresses).
5. Optional web based graphical (monitoring) interface.
6. Optional central server (consolidates monitoring multiple systems).
7. OSSEC is relatively easy to set up.
The potential disadvantage of ossec is that you need to install apache to use the web interface. If you are already running a headless or remote server with apache, then adding the ossec-wui is not as drastic. If you are on a Desktop you can bind apache to localhost (127.0.0.1) and restrict external connections with iptables (see below).
Home page: http://www.ossec.net/
Download and install OSSEC
Install dependencies (gcc):
apt-get install -y gcc
Download the latest version of OSSEC.
Extract the archive:
tar xvf ossec-hids-2.4.tar.gz
cd into the ossec directory and install ossec.
The installation is very easy: you simply answer a few questions or hit the enter key for the defaults. The only question you have to answer is "What kind of installation do you want (server, agent, local or help)?"; at that question type "local" and hit enter (see below).
Select your language.
Select "local" as the type of installation:
What kind of installation do you want (server, agent, local or help)? local
The only default I personally change is the email report. Because I prefer the web interface I answer no to this question:
Do you want e-mail notification? (y/n) [y]:n
Otherwise go with the defaults (hit enter).
Start OSSEC:
sudo /etc/init.d/ossec start
Install and configure the web interface
Step 1: Install apache and php5:
sudo apt-get -y install apache2 php5
Step 2: Download and configure the wui (Web User Interface) in your web root (the paths below assume /var/www):
sudo wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
sudo tar xvf ossec-wui-0.3.tar.gz
sudo rm ossec-wui-0.3.tar.gz
sudo mv ossec-wui-0.3 ossec
As the wui is installed you will be asked for a user name and password. Enter the user name and password of your choice.
Set the proper permissions of the ossec directory:
sudo chown -R www-data.www-data /var/www/ossec
Add www-data to the ossec group:
sudo nano /etc/group
Find the ossec line (most likely at the bottom of the file) and add www-data to the ossec group. Save and exit nano.
Set the permissions of /var/www/ossec/tmp:
sudo chmod 770 /var/www/ossec/tmp
sudo chgrp www-data /var/www/ossec/tmp
Restart apache:
sudo service apache2 restart
Open the page with firefox and go to the ossec directory.
As is typical of HIDS, be prepared to read up on any alerts you receive from OSSEC.
Restricting access to the ossec-wui
1. Using Apache.
Edit your Virtual Host. Unless you defined a virtual host for ossec, the default is /etc/apache2/sites-available/default.
Under the section <Directory /var/www> replace the line
allow from all
with
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
This pattern needs the block's Order directive to read "Order deny,allow"; with the stock "Order allow,deny" the Deny line wins and localhost is locked out too.
Then restart apache:
sudo service apache2 restart
2. With iptables
One line (assuming your default policy is ACCEPT):
sudo iptables -A INPUT -p tcp -m tcp --dport 80 ! -s 127.0.0.1 -j DROP
That will block incoming requests to apache (connections from localhost are allowed). The rule covers IPv4 only; if apache also listens on IPv6, add the matching ip6tables rule.
3. As an alternate to iptables, simply enable ufw.
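Added example (not part of the original post): a POSIX sh check that audits the <Directory /var/www> block of an Apache 2.2 site file for the loopback-only lockdown from step 1, run here against constructed sample files rather than a live server. It also verifies the Order directive the stanza depends on, which the tutorial's snippet does not show.

```shell
#!/bin/sh
# Added example (not from the original post): audit the <Directory /var/www>
# block of an Apache 2.2 site file for the loopback-only lockdown described
# above: no "allow from all", plus "Order deny,allow", "Deny from all" and an
# "Allow from" restricted to loopback (127.* or ::1). Exit status: 0 locked
# down, 1 still open or incomplete, 2 no <Directory /var/www> block found.
check_wui_access() {
    found=0 inblock=0 open=0 order=0 deny=0 loop=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Directives are case-insensitive: lowercase and strip leading blanks.
        l=$(printf '%s' "$line" | tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//')
        case "$l" in
            "<directory /var/www>"*) inblock=1; found=1 ;;
            "</directory>"*)         inblock=0 ;;
            *)  [ "$inblock" -eq 1 ] || continue
                case "$l" in
                    "allow from all"*)                    open=1 ;;
                    "order deny,allow"*)                  order=1 ;;
                    "deny from all"*)                     deny=1 ;;
                    "allow from 127."*|"allow from ::1"*) loop=1 ;;
                esac ;;
        esac
    done < "$1"
    [ "$found" -eq 1 ] || return 2
    [ "$open" -eq 0 ] && [ "$order" -eq 1 ] && [ "$deny" -eq 1 ] && [ "$loop" -eq 1 ]
}
# Constructed sample site files (not real server configs): the Ubuntu-style
# default "open" block and the locked-down version from the tutorial.
write_sample() {
    f=$(mktemp) || return 1
    if [ "$1" = "open" ]; then cat > "$f" <<'EOF'
<Directory /var/www>
    Order allow,deny
    allow from all
</Directory>
EOF
    else cat > "$f" <<'EOF'
<Directory /var/www>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
EOF
    fi
    printf '%s\n' "$f"
}

for name in open locked; do
    f=$(write_sample "$name"); check_wui_access "$f" && echo "$name: locked down" || echo "$name: NOT locked down"; rm -f "$f"
done
```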
4. If you connect to the ossec wui from an external client, especially over the internet, I highly advise you use ssl (https) and password protect the ossec directory.
There are several tutorials on the internet; the Ubuntu wiki is, IMO, a nice start.
Apache documentation: Authentication, Authorization and Access Control
5. If you do NOT have access to the apache configuration file, use .htaccess:
Password protecting a directory with Apache and .htaccess
Apache Web Login Authentication
Apache Tutorial: .htaccess files
In general, you should never use .htaccess files unless you don't have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.