
Thread: Howto setup OSSEC-HIDS on your ubuntu box

  1. #1
    Join Date
    Jun 2006
    Beans
    22

    Howto setup OSSEC-HIDS on your ubuntu box

    This HOWTO will walk you through the very simple installation of the OSSEC-HIDS application. Before we continue, let's make sure everybody is on the same sheet of music.

    1. OSSEC-HIDS is a host based intrusion detection system. It is a very flexible system that will allow you to achieve the following.

    • rootkit detection
    • file system integrity
    • log file analysis
    • time based alerting
    • active responses

    Taken from the ossec-hids FAQ
    "OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response"

    2. This HOWTO is based on the following assumptions:
    • You are running an up-to-date installation of Dapper
    • You are performing a "local" installation (i.e. a single host)

    3. The majority of this HOWTO is taken directly from the Installation Manual for OSSEC-HIDS, which is a very easy-to-follow manual. If you run into trouble please look at the manual first, as it will always have the most up-to-date information.

    OK, now that we are all together, let's proceed. As mentioned above, this HOWTO will only cover a local installation. ossec-hids has the ability to monitor multiple hosts all using the same ruleset. This is accomplished by installing the ossec-hids server on one machine and then doing an agent installation on every other machine you wish to protect. The agents communicate with the server via a secure connection. If you need this type of setup please take a look at the manual; however, the installation is not very different (just different options available in your conf file, and that is about it).

    The other nice thing is that the agent portion of the application will also run under a Windows host. This allows those of you that have to and/or want to run a Windows box to secure that as well (install the server on your /flamebait/ superior /flamebait/ Linux box and the agent on your Windows box).

    Now the first thing we need to do is grab the latest sources. For this HOWTO we will be installing 0.8; however, feel free to get the latest copy available from their site. We also need to install the compiler and build tools so we can compile it later (the Ubuntu package is build-essential, singular).
    Code:
    sudo apt-get install build-essential
    cd ~
    mkdir src
    cd src
    wget http://www.ossec.net/files/ossec-hids-0.8.tar.gz
    wget http://www.ossec.net/files/ossec-hids-0.8_checksum.txt
    Before we go ahead and extract this, let's make sure we got what we think we got. Verify that the checksums in the .txt file match what the commands below output. THIS IS IMPORTANT -- DON'T SKIP IT --
    Code:
    cat ossec-hids-0.8_checksum.txt
    md5sum ossec-hids-0.8.tar.gz
    sha1sum ossec-hids-0.8.tar.gz
    Well now, after verifying you have legit files (you did do that, didn't you?), let's extract this bugger
    Code:
    tar -zxvf ossec-hids-0.8.tar.gz
    cd ossec-hids-0.8
    Now the fun and easy part. We are going to run the installation script and let it do all the hard work. Note: here I enter a root shell (sudo -s) for the sake of simplicity. If you don't want to do this, simply prefix the following commands with "sudo".
    Code:
    sudo -s
    ./install.sh
    Go ahead and pick what language you want to read everything in and hit enter
    Code:
     ** Para instalação em português, escolha [br].
      ** Fur eine deutsche Installation wohlen Sie [de].
      ** For installation in English, choose [en].
      ** Per l'installazione in Italiano, scegli [it].
      ** Aby instalować w języku Polskim, wybierz [pl].
      ** Türkçe kurulum için seçin [tr].
      (en/br/de/it/pl/tr) [en]:  en <enter> 
    Next it is going to warn us that we need a C compiler on the machine (you did install build-essential, didn't you?) and give you some general information about your computer (kernel version, user and host). Go ahead and hit enter like it says.
    Code:
    OSSEC HIDS v0.8 Installation Script - http://www.ossec.net
    
     You are about to start the installation process of the OSSEC HIDS.
     You must have a C compiler pre-installed in your system.
     If you have any questions or comments, please send an e-mail
     to dcid@ossec.net (or daniel.cid@gmail.com).
    
      - System: Linux diana 2.6.15-25-k7
      - User: root
      - Host: diana
    
    
      -- Press ENTER to continue or Ctrl-C to abort. --
    <enter>
    Next select a local install
    Code:
    1- What kind of installation do you want (server, agent, local or help)? local <enter> 
    Now choose where you want to install it. This HOWTO will choose the default.
    Code:
    - Choose where to install the OSSEC HIDS [/var/ossec]:  <enter> 
    Now select your notification options. You can choose my answers or different ones; I would recommend setting "Y" to everything. Active responses are really nice. It will set some default configuration variables based on your answers and certain things it finds on your system.
    Code:
    3- Configuring the OSSEC HIDS.
    
      3.1- Do you want e-mail notification? (y/n) [y]: y
       - What's your e-mail address? youremail@yourdomain.com
       - What's your SMTP server ip/host? your smtp server address (localhost)
    
      3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
    
       - Running syscheck (integrity check daemon).
    
      3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
    
       - Running rootcheck (rootkit detection).
    
      3.4- Active response allows you to execute a specific
           command based on the events received. For example,
           you can block an IP address or disable access for
           a specific user.
           More information at:
           http://www.ossec.net/en/manual.html#active-response
    
       - Do you want to enable active response? (y/n) [y]: y
    
         - Active response enabled.
    
       - By default, we can enable the host-deny and the
         firewall-drop responses. The first one will add
         a host to the /etc/hosts.deny and the second one
         will block the host on iptables (if linux) or on
         ipfilter (if Solaris, FreeBSD or NetBSD).
       - They can be used to stop SSHD brute force scans,
         portscans and some other forms of attacks. You can
         also add them to block on snort events, for example.
    
       - Do you want to enable the firewall-drop response? (y/n) [y]: y
    
         - firewall-drop enabled (local) for levels >= 6
    
       - Default white list for the active response:
          - 192.168.2.1
    
       - Do you want to add more IPs to the white list? (y/n)? [n]: n
    
      3.6- Setting the configuration to analyze the following logs:
        -- /var/log/messages
        -- /var/log/auth.log
        -- /var/log/syslog
        -- /var/log/mail.info
        -- /var/log/apache2/error.log (apache log)
        -- /var/log/apache2/access.log (apache log)
    
     - If you want to monitor any other file, just change
       the ossec.conf and add a new localfile entry.
       Any questions about the configuration can be answered
       by visiting us online at http://www.ossec.net .
    
    
       --- Press ENTER to continue ---
    Now it will compile everything. This shouldn't take too long to complete; it only took around 1-2 minutes on my boxes. After it is completed, press enter to finish.
    Code:
     - Unknown system. No init script added.
    
     - Configuration finished properly.
    
     - To start OSSEC HIDS:
                    /var/ossec/bin/ossec-control start
    
     - To stop OSSEC HIDS:
                    /var/ossec/bin/ossec-control stop
    
     - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
    
    
        Thanks for using the OSSEC HIDS.
        If you have any question, suggestion or if you find any bug,
        contact us at contact@ossec.net or using our public maillist at
        ossec-list@ossec.net
        (http://mailman.underlinux.com.br/mailman/listinfo/ossec-list).
    
        More information can be found at http://www.ossec.net
    
        ---  Press ENTER to finish (maybe more information bellow). ---
    Now, unfortunately, it doesn't detect Ubuntu, so it will not create an init script. This is simple enough to take care of. (Yes, it's basic. If you want to improve it please feel free to do so.) Copy and paste the following into /etc/init.d/ossec

    Code:
    #!/bin/sh
    # Minimal init script for OSSEC HIDS. All the real work is done by
    # ossec-control; this only maps the usual init.d verbs onto it.
    
    OSSEC_CONTROL=/var/ossec/bin/ossec-control
    
    case "$1" in
    start)
      $OSSEC_CONTROL start
    ;;
    stop)
      $OSSEC_CONTROL stop
    ;;
    restart)
      # give the daemons a moment to exit before starting them again
      $0 stop && sleep 3
      $0 start
    ;;
    reload)
      # OSSEC re-reads ossec.conf only on start, so reload is a stop/start
      $0 stop
      $0 start
    ;;
    *)
      echo "Usage: $0 {start|stop|restart|reload}"
      exit 1
    esac
    Now make it executable
    Code:
    cd /etc/init.d
    chmod +x ossec
    Add it to our runlevels so it starts on boot
    Code:
    update-rc.d ossec defaults
    Now let's crank her up and make sure everything works
    Code:
    /etc/init.d/ossec start
    If you get something like this, you should be in good shape.
    Code:
    Starting OSSEC HIDS v0.8 (by Daniel B. Cid)...
    Started ossec-maild...
    Started ossec-execd...
    Started ossec-analysisd...
    Started ossec-logcollector...
    Started ossec-syscheckd...
    Completed.
    Now you can go on to customize the setup. Chances are you're going to want it to ignore certain directories and create your own rules. Please check out the manual for excellent instructions on doing so.

    Caveat: the check_xxx values listed in the documentation should appear as directory attributes (i.e. <directory blah blah check_perms yes>).

    Resources:
    OSSEC Homepage
    OSSEC-HIDS Manual
    Last edited by RShadow; July 12th, 2006 at 05:00 AM.
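The "don't skip it" checksum step above, automated so it fails closed, as an added example. This is my code, not RShadow's and not part of OSSEC. File names follow the HOWTO; the exact layout of ossec-hids-0.8_checksum.txt is not shown on the page, so the parser takes the first 32-hex (MD5) and 40-hex (SHA-1) tokens it finds, which is an assumption, and it refuses to pass if either digest is missing rather than silently checking only one. One caveat on what this buys you: the checksum file is fetched over plain HTTP from the same server as the tarball, so a match proves the download was not corrupted or truncated, but anyone who could replace the tarball on that server could replace the checksum file too. Only a signature checked against a key obtained through another channel would cover that case.

```shell
#!/bin/sh
# Added example, not from the original post: verify the tarball against the
# MD5 and SHA-1 digests in its checksum file and refuse to go on if either is
# missing or wrong. The checksum file's layout is assumed to contain one
# 32-hex and one 40-hex token. Needs md5sum and sha1sum from coreutils.

# first_hex_token LEN FILE -> prints the first run of exactly LEN hex chars
first_hex_token() {
    tr -cs '0-9A-Fa-f' '\n' < "$2" |
        awk -v n="$1" 'length($0) == n { print tolower($0); exit }'
}

# verify_tarball TARBALL CHECKSUM_FILE -> 0 if both digests match, 1 otherwise
verify_tarball() {
    tarball=$1 sums=$2
    [ -f "$tarball" ] || { echo "no such file: $tarball" >&2; return 1; }
    [ -f "$sums" ]    || { echo "no such file: $sums" >&2; return 1; }

    want_md5=$(first_hex_token 32 "$sums")
    want_sha1=$(first_hex_token 40 "$sums")
    # A checksum file lacking either digest is a failure, not a pass: never
    # "verify" against whatever happens to be present.
    if [ -z "$want_md5" ] || [ -z "$want_sha1" ]; then
        echo "checksum file lacks an MD5 or SHA-1 digest" >&2
        return 1
    fi

    have_md5=$(md5sum "$tarball" | awk '{ print $1 }')
    have_sha1=$(sha1sum "$tarball" | awk '{ print $1 }')

    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 mismatch: got $have_md5, expected $want_md5" >&2
        return 1
    fi
    if [ "$have_sha1" != "$want_sha1" ]; then
        echo "SHA-1 mismatch: got $have_sha1, expected $want_sha1" >&2
        return 1
    fi
    echo "checksums OK for $tarball"
}

# demo: constructed stand-in files so this runs offline without the real
# 0.8 tarball. Returns 0 when the intact file passes and a tampered copy fails.
demo() {
    dir=$(mktemp -d) || return 1
    tb="$dir/ossec-hids-0.8.tar.gz"
    sums="$dir/ossec-hids-0.8_checksum.txt"
    printf 'not really a tarball, constructed for the demo\n' > "$tb"
    {
        printf 'MD5 (ossec-hids-0.8.tar.gz) = %s\n'  "$(md5sum "$tb"  | awk '{ print $1 }')"
        printf 'SHA1 (ossec-hids-0.8.tar.gz) = %s\n' "$(sha1sum "$tb" | awk '{ print $1 }')"
    } > "$sums"

    verify_tarball "$tb" "$sums" || { rm -rf "$dir"; return 1; }

    # append one byte: the digests no longer match and extraction must not happen
    printf 'X' >> "$tb"
    if verify_tarball "$tb" "$sums" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
    return 0
}

# Real use, right after the two wget lines from the HOWTO:
#   verify_tarball ossec-hids-0.8.tar.gz ossec-hids-0.8_checksum.txt && tar -zxvf ossec-hids-0.8.tar.gz
```

Chaining the extraction with `&&` is the point: a mismatch stops the procedure instead of leaving a human to notice two strings that differ in one character.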

  2. #2
    Join Date
    Jun 2006
    Beans
    22

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Nobody's interested?

  3. #3
    Join Date
    Jun 2006
    Beans
    20
    Distro
    Edgy Eft Testing

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Very interested... am gonna try it. How does it compare to something like Snort though, in your view?

  4. #4
    Join Date
    Jun 2006
    Beans
    22

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Well, I think the two essentially deal with different issues (ossec can actually monitor your snort logs and send warnings).

    Snort is a network IDS whereas ossec is a host IDS. Snort monitors your network traffic to look for attacks.

    Ossec can kind of help with this (by monitoring your logs) but mainly deals with looking at the actual computer to determine if it has been compromised (i.e. rootchecks, log anomalies, etc). However, OSSEC dives into the NIDS arena with realtime log monitoring and can, for example, issue an iptables rule to block an IP address if it detects multiple failed attempts from a single IP (as an example, this morning I received a message from OSSEC about somebody scanning my web server for exploits; it detected this from my Apache logs and automatically restricted that IP from my machine). The "Active Response" is also very cool because you can basically pipe to your own program, so you can really do whatever you want when an "alert" is fired.

    I would like to install snort and see how the two operate together, but alas I can't get snort to install on Ubuntu. The package simply doesn't install all the files it's supposed to (no /etc/snort/rules is created, and it's missing other key configuration files), and nobody seems to have a clue as to why, so no snort for me on this box.

    Anyways, OSSEC is very lightweight, doesn't consume a lot of memory, and so far has been very "on the ball" for me. There will of course be tweaks you will have to make (for example I run tinydns and it kept firing alerts because my tinydns log files were changing, so I simply had to tell it to ignore those files for monitoring changes).


    Hope that helps a little,

    btw: the latest version is 0.8-6 and I installed that this morning; the script automatically detected a previous install and upgrading was the most painless process I have ever experienced in Linux.

    Edit: as mentioned on their homepage (snort being #1)
    "Insecure.org released the results of their Top security tools survey and OSSEC was rated second (#2) in the IDS category and #56 in the overall. We were better classified than Base, Sguil, Honeyd, Nagios, chkrootkit and some other very good tools. Congratulations to everyone who contributed to the project!"

    although again, I think Snort (NIDS) and OSSEC (HIDS) deal with different issues.
    Last edited by RShadow; July 12th, 2006 at 06:15 AM.
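The chain RShadow describes in the post above (Apache log entries, an alert about someone probing for exploits, then the source IP dropped in the firewall), re-created as an added example so the pieces can be run and tested offline. This is my code; it is not OSSEC's rule set and not its firewall-drop script. The log lines are constructed in Apache combined format. OSSEC's real web rules count matching events per source inside a time window (a rule's frequency and timeframe); this toy only counts 4xx responses per client address over the lines it is given. The iptables command is the form I expect the Linux firewall-drop response to insert, stated here as an assumption and printed rather than executed. The white list mirrors the installer's default from the HOWTO (192.168.2.1): put your own management addresses in it, since a block is applied to everyone behind that address, and note that OSSEC additionally lifts its blocks after a configurable timeout, which the toy omits.

```shell
#!/bin/sh
# Added example, not from the original thread and not OSSEC's own code: a
# toy version of "Apache log -> this IP is probing for exploits -> drop it".
# OSSEC's rules count events per source within a time window; this only
# counts 4xx responses per client address over the lines on stdin.

# Constructed sample lines in Apache combined log format (not real traffic).
# 10.0.0.9 walks through common admin paths and collects 404s; 192.168.2.50
# is an ordinary visitor with one harmless favicon 404.
SAMPLE_LOG='10.0.0.9 - - [12/Jul/2006:04:01:10 -0500] "GET /phpmyadmin/ HTTP/1.0" 404 291 "-" "-"
10.0.0.9 - - [12/Jul/2006:04:01:10 -0500] "GET /phpMyAdmin/ HTTP/1.0" 404 291 "-" "-"
10.0.0.9 - - [12/Jul/2006:04:01:11 -0500] "GET /mysql/ HTTP/1.0" 404 285 "-" "-"
10.0.0.9 - - [12/Jul/2006:04:01:11 -0500] "GET /admin/ HTTP/1.0" 404 285 "-" "-"
10.0.0.9 - - [12/Jul/2006:04:01:12 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 297 "-" "-"
192.168.2.50 - - [12/Jul/2006:04:02:00 -0500] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.168.2.50 - - [12/Jul/2006:04:02:00 -0500] "GET /favicon.ico HTTP/1.1" 404 291 "-" "Mozilla/5.0"
192.168.2.50 - - [12/Jul/2006:04:02:05 -0500] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"'

# scanners THRESHOLD  (log lines on stdin)
# Prints "ip count" for every client with at least THRESHOLD 4xx responses.
scanners() {
    awk -v t="$1" '
        {
            # field 1 is the client address; the status code is the first
            # token after the quoted request line
            split($0, part, "\"")         # part[3] is " 404 291 "
            split(part[3], rest, " ")
            if (rest[1] ~ /^4[0-9][0-9]$/) hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= t) print ip, hits[ip] }
    ' | sort
}

# is_whitelisted IP "IP IP ..." -> 0 when IP is in the space-separated list.
# Plays the role of the installer's white list: these sources are never blocked.
is_whitelisted() {
    for w in $2; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# firewall_drop_cmd IP -> prints the rule the Linux firewall-drop response is
# assumed to insert (a DROP for the source at the top of INPUT). Printed, not
# executed, so the example is safe to run anywhere. Anything that is not a
# dotted-quad is rejected before it can reach a command line.
firewall_drop_cmd() {
    case $1 in
        ""|*[!0-9.]*) echo "refusing to build a rule for: '$1'" >&2; return 1 ;;
    esac
    echo "iptables -I INPUT -s $1 -j DROP"
}

# respond THRESHOLD WHITELIST  (log lines on stdin)
# One block command per flagged client that is not white-listed.
respond() {
    scanners "$1" | while read -r ip count; do
        if is_whitelisted "$ip" "$2"; then
            echo "# $ip hit the threshold ($count) but is white-listed, skipping" >&2
        else
            firewall_drop_cmd "$ip"
        fi
    done
}

# Stand-alone run: the scanner is flagged, the visitor with one 404 is not.
printf '%s\n' "$SAMPLE_LOG" | respond 4 "192.168.2.1"
```

The threshold is what keeps an ordinary visitor's stray 404 from triggering a block; the white list is what keeps an attacker who can make requests appear to come from your own address (or a mistake in your own rules) from locking you out of your server.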

  5. #5
    Join Date
    Jun 2006
    Beans
    20
    Distro
    Edgy Eft Testing

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Thanks RShadow... I need to tinker around with both of them first before I ask anything more. I think I'll start with OSSEC because I only need it on my workstation. Will post the results of that, and after reading up a little about it maybe then we can have a better discussion about it... Thanks for the help again...

  6. #6
    Join Date
    Jul 2006
    Beans
    Hidden!

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Wow, very nice howto. I just registered to be able to ask something. What about a .deb package for it? I couldn't find anything like that on their web site, but this tool seems excellent.

    *I tried the default package and worked fine.

    -M

  7. #7
    Join Date
    Jun 2006
    Beans
    22

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    I'm sure a .deb package could be made, but I don't have the knowledge to do so. I'm glad everything has worked for you however.

  8. #8
    Join Date
    Jul 2006
    Beans
    Hidden!

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    You should also send this document to the official site, since it is better written than what is there.

  9. #9
    Join Date
    Jul 2006
    Beans
    Hidden!

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Sounds like someone had the idea of the .deb already:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361954

  10. #10
    Join Date
    Jun 2006
    Beans
    20
    Distro
    Edgy Eft Testing

    Re: Howto setup OSSEC-HIDS on your ubuntu box

    Thanks again... I tried installing it from your directions and it worked perfectly. Next I need to try to configure active-response and learn to get the firewall to work with it (I use firestarter on my system). I also need to be able to create and add rules. Do you know of any resource that helps to that effect? Not the manual; I can't figure out much from there, maybe I'm too much of a newbie for that. It just has variable names and their possible values, nothing that really explains the variables. I'm in the process of preparing a small beginners' tutorial so newbies like me can understand how certain parts of ossec work, just a short way of relating the theoretical to the practical. Will post in a day or two. Thanks for the help so far though...
