View Poll Results: Do you find this HOWTO Helpfull?

80. You may not vote on this poll
  • Yes

    76 95.00%
  • No

    4 5.00%
Page 1 of 3 123 LastLast
Results 1 to 10 of 74

Thread: Howto setup OSSEC-HIDS on your ubuntu box

Hybrid View

  1. #1
    Join Date
    Jun 2006

    Howto setup OSSEC-HIDS on your ubuntu box

    This HOWTO will walk you through the very simple installation of the OSSEC-HIDS application. Before we continue lets make sure everybody is on the same sheet of music.

    1. OSSEC-HIDS is a host based intrusion detection system. It is a very flexible system that will allow you to achieve the following.

    • rootkit detection
    • file system integrity
    • log file analysis
    • time based alerting
    • active responses

    Taken from the ossec-hids FAQ
    "OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response"

    2. This howto is based on the following assumptions
    • You are running an up to date installation of Dapper
    • You are preforming a "local" installation (i.e. a single host)

    3. The majority of this HOWTO is taken directly from the Installation Manual for OSSEC-HID which is a very easy to follow Manual. If you run into trouble please look at the Manual first as it will always have the most up to date information.

    Ok, Now that we are all together lets proceed. As mentioned above this HOWTO will only cover a local installation. ossec-hids has the ability to monitor multiple hosts all using the same ruleset. This is accomplished by installed the ossec-hids server on one machine and then doing an agents installation on every other machine you wish to protect. The agents communicate to the server via a secure connection. If you need this type of setup please take a look at the manual, however the installation is not very different (just different options available in your conf file is about it. The other nice thing is that the agents portion of the application will also run under a windows host. This allows those of you that have to and/or want to run a windows box to secure that as well (install the server on your /flamebait/ superior /flamebait/ Linux box and the agent on your windows box)

    Now the first thing we need to do is grab the latest sources. For this HOWTO we will be installing 0.8, however feel free to get the latest copy available from their site. We also need to install some stuff so we can compile it later.
    sudo apt-get install build-essentials
    cd ~
    mkdir src
    cd src
    Before we go ahead and extract this, lets make sure we got what we think we got. Verify the checksums in the .txt file and the same that the commands below output. THIS IS IMPORTANT -- DON'T SKIP IT --
    cat ossec-hids-0.8_checksum.txt
    md5sum ossec-hids-0.8.tar.gz
    sha1sum ossec-hids-0.8.tar.gz
    Well now, after verifying you have legit files (you did do that didn't you?) lets extract this bugger
    tar -zxvf ossec-hids-0.8.tar.gz
    cd ossec-hids-0.8
    Now the fun and easy part. We are going to run the installation script and let it do all the hard work. Note: Here I enter a su shell for the sake of simplicity. If you don't want to do this simply append "sudo" to the following commands
    sudo -s
    Go ahead and pick what language you want to read everything in and hit enter
     ** Para instalação em português, escolha [br].
      ** Fur eine deutsche Installation wohlen Sie [de].
      ** For installation in English, choose [en].
      ** Per l'installazione in Italiano, scegli [it].
      ** Aby instalować w języku Polskim, wybierz [pl].
      ** Türkçe kurulum için seçin [tr].
      (en/br/de/it/pl/tr) [en]:  en <enter> 
    Next it is going to warn us that we need a C compiler on the machine. (you did install build-essentials didn't you?) and give you some general information about your computer (kernel version, user and host). Go ahead and hit enter likes it says.
    OSSEC HIDS v0.8 Installation Script -
     You are about to start the installation process of the OSSEC HIDS.
     You must have a C compiler pre-installed in your system.
     If you have any questions or comments, please send an e-mail
     to (or
      - System: Linux diana 2.6.15-25-k7
      - User: root
      - Host: diana
      -- Press ENTER to continue or Ctrl-C to abort. --
    Next select a local install
    1- What kind of installation do you want (server, agent, local or help)? local <enter> 
    Now choose were you want to install it. This HOWTO will choose the default
    - Choose where to install the OSSEC HIDS [/var/ossec]:  <enter> 
    Now select you notification options. You can choose my answers or different ones. I would recommend setting "Y" to everything. Active responses are really nice. It will set some default configuration variables based on your answers and certian things it finds on your system.
    3- Configuring the OSSEC HIDS.
      3.1- Do you want e-mail notification? (y/n) [y]: y
       - What's your e-mail address?
       - What's your SMTP server ip/host? your smtp server address (localhost)
      3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
       - Running syscheck (integrity check daemon).
      3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
       - Running rootcheck (rootkit detection).
      3.4- Active response allows you to execute a specific
           command based on the events received. For example,
           you can block an IP address or disable access for
           a specific user.
           More information at:
       - Do you want to enable active response? (y/n) [y]: y
         - Active response enabled.
       - By default, we can enable the host-deny and the
         firewall-drop responses. The first one will add
         a host to the /etc/hosts.deny and the second one
         will block the host on iptables (if linux) or on
         ipfilter (if Solaris, FreeBSD or NetBSD).
       - They can be used to stop SSHD brute force scans,
         portscans and some other forms of attacks. You can
         also add them to block on snort events, for example.
       - Do you want to enable the firewall-drop response? (y/n) [y]: y
         - firewall-drop enabled (local) for levels >= 6
       - Default white list for the active response:
       - Do you want to add more IPs to the white list? (y/n)? [n]: n
      3.6- Setting the configuration to analyze the following logs:
        -- /var/log/messages
        -- /var/log/auth.log
        -- /var/log/syslog
        -- /var/log/
        -- /var/log/apache2/error.log (apache log)
        -- /var/log/apache2/access.log (apache log)
     - If you want to monitor any other file, just change
       the ossec.conf and add a new localfile entry.
       Any questions about the configuration can be answered
       by visiting us online at .
       --- Press ENTER to continue ---
    Now it will compile everything. This shouldn't take too long to complete. It only took around 1-2 minutes for my boxes. After it is completed press enter to finish.
     - Unknown system. No init script added.
     - Configuration finished properly.
     - To start OSSEC HIDS:
                    /var/ossec/bin/ossec-control start
     - To stop OSSEC HIDS:
                    /var/ossec/bin/ossec-control stop
     - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
        Thanks for using the OSSEC HIDS.
        If you have any question, suggestion or if you find any bug,
        contact us at or using our public maillist at
        More information can be found at
        ---  Press ENTER to finish (maybe more information bellow). ---
    Now unfourtuntly it doesn't detect Ubuntu so it will not create an init script. This is simple enough to take care of. (Yes, its basic. If you want to improve it please feel free to do so) Copy and paste the following into /etc/init.d/ossec

    case "$1" in
      /var/ossec/bin/ossec-control start
      /var/ossec/bin/ossec-control stop
      $0 stop && sleep 3
      $0 start
      $0 stop
      $0 start
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
    Now make it executable
    cd /etc/init.d
    chmod +x ossec
    Add it to our runlevels so it starts on boot
    update-rc.d ossec defaults
    Now lets crank her up and make sure everything works
    /etc/init.d/ossec start
    If you get something like this, you should be in good shape.
    Starting OSSEC HIDS v0.8 (by Daniel B. Cid)...
    Started ossec-maild...
    Started ossec-execd...
    Started ossec-analysisd...
    Started ossec-logcollector...
    Started ossec-syscheckd...
    Now you can go on to customize the setup. Chances are you going to want it to ignore certian directories and create your own rules. Please check out the manual for excellent instructions on doing so.

    Caveat: the check_xxx values listed in the documentation should appear as directory attributes (i.e. <directory blah blah check_perms yes>

    OSSEC Homepage
    OSSEC-HIDS Manual
    Last edited by RShadow; July 12th, 2006 at 05:00 AM.

  2. #2
    Join Date
    Jun 2006

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Nobody's interested?

  3. #3
    Join Date
    Jun 2006
    Edgy Eft Testing

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    very interested gonna try it ,.... how does it compare to something like snort though in ur view?

  4. #4
    Join Date
    Jun 2006

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Well I think the two essentialy deal with different issues (ossec can actualy monitor your snort logs and send warnings ).

    Snort is a network IDS whereas ossec is Host IDS. Snort monitors your network traffic to look for attacks.

    Ossec can kind of help with this (by monitoring your logs) but mainly deals with looking at the actual computer to determine if it has been comprimised. (i.e. rootchecks, log anomolies, etc). However OSSEC dives into the NIDS areana with realtime log monitoring and can for example issue an IPTable rule to block an IP address if it detects multiple failed attempts from a single IP (as an example this morning I received a message from OSSEC about somebody scanning my web server for exploits, it detected this from my apahce logs and automaticly restricted that IP from my machine). The "Active Response" is also very cool because you can basily pipe to your own program, so can really do whatever you want when an "alert" is fired.

    I would like to install snort and see how the two operate together, but alas I can get snort to install on Ubuntu. The package simple doesn't install all the files its supposed to (no /etc/snort/rules is created, and its missing other key configuration files).. and nobody seems to have a clue as to why.. so no snort for me on this box.

    Anyways OSSEC is very lightweight, doesn't consume alot of memory, and so far has been very "on the ball" for me. There will of couse be tweaks you will have to make (for example I run tinydns and it kept firing alerts because my tinydns log files were changing, so I simply had to tell it to ignore those files for monitoring changes).

    Hope that helps alittle,

    btw: the latest version is 0.8-6 and I installed that this morning, the script automaticly detected a previous installed and upgrading was the most painless process I have ever experinced in Linux.

    Edit: as mentioned on their homepage (snort being #1)
    " released the results of their Top security tools survey and OSSEC was rated second (#2) in the IDS category and #56 in the overall. We were better classified than Base, Sguil, Honeyd, Nagios, chkrootkit and some other very good tools. Congratulations to everyone who contributed to the project!"

    allthough again, I think Snort (NIDS) and OSSEC (HIDS) deal with different issues.
    Last edited by RShadow; July 12th, 2006 at 06:15 AM.

  5. #5
    Join Date
    Jun 2006
    Edgy Eft Testing

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Thanks RShadow ... I need to tinker around with boh of them first before I ask anything more.. I think I'll start with OSSEC cos I need it only my workstation ..Will post the results of that, and after reading up a lill abt it maybe then we can have a better discussion abt it... Thanks for the help again...

  6. #6
    Join Date
    Jul 2006

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Wow, very nice howto. I just registered to be able to ask something. What about a .deb package for it? I couldn't find
    anything like that in their web site related to that, but this tool seems excelent.

    *I tried the default package and worked fine.


  7. #7
    Join Date
    Aug 2007
    Ubuntu 6.06 Dapper

    I need some help

    I don't have problems with the explanation, with the installation, in the last of cases, the question is:

    ¿Why don't create the Ossec files?
    it's so weird, i run the script and it's OK, very WELL, but in the final of installation a line broken the script saying somethig like this:

    5- Installing the system
    - Executing Makefile
    ./ line 85: make: order not found

    Error 0x5.
    Building error. Unable to finish the installation.

    Sorry for my english, Im from Mexico and I use OSSEC v1.3 whit Ubuntu 6.06 LTS.
    Last edited by jns-nun; August 15th, 2007 at 07:49 PM.

  8. #8
    Join Date
    Aug 2007

    Lightbulb Re: Howto setup OSSEC-HIDS on your ubuntu box

    Quote Originally Posted by RShadow View Post
    I would like to install snort and see how the two operate together, but alas I can get snort to install on Ubuntu. The package simple doesn't install all the files its supposed to (no /etc/snort/rules is created, and its missing other key configuration files).. and nobody seems to have a clue as to why.. so no snort for me on this box.
    RShadow, I appreciate the docs since OSSEC is something new I am going to try however, with your issue with snort, don't use a .deb.

    Snort is not near beign actively maintained in debian (where the ubuntu .deb comes from). The current .deb install Snort 2.3 where I just installed snort 2.8.

    Also, there is a specific reason why there is no rules included. Although Debian could choose to use the default rules with snort there are different rule sets available to different groups from the website as well as the option to use other rules such as the ones from Bleeding Edge Threats ( and in my case I use both the commercial / pay rules as well as the ones from Bleeding Edge Threats.

    Long story short, take the time time to install snort properly and you will have an exceptional NIDS that functions properly. If you expect a pre built binary from Debian/Ubuntu then you are trusting someone else to give you a one size fits all solution to one of the most important aspects of network security.

    Also when you have the time look into barnyard, base and oinkmaster. (Oinkmaster constantly updates rules when new ones are released).


  9. #9
    Join Date
    Jun 2006

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    very interested, thanks for the help! Gonna setup a server for this and my whole network soon, if i can get some time that is..

  10. #10
    Join Date
    Nov 2009
    Ubuntu 10.04 Lucid Lynx

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Quote Originally Posted by RShadow View Post
    Nobody's interested?

    Sorry for the necro bump, but thanks thsi helped me with an init script question, but anyway.. now do one for samhain!

Page 1 of 3 123 LastLast


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts