View Poll Results: Do you find this HOWTO Helpfull?

80. You may not vote on this poll
  • Yes

    76 95.00%
  • No

    4 5.00%
Results 1 to 10 of 74

Thread: Howto setup OSSEC-HIDS on your ubuntu box

Threaded View

  1. #1
    Join Date
    Jun 2006

    Howto setup OSSEC-HIDS on your ubuntu box

    This HOWTO will walk you through the very simple installation of the OSSEC-HIDS application. Before we continue lets make sure everybody is on the same sheet of music.

    1. OSSEC-HIDS is a host based intrusion detection system. It is a very flexible system that will allow you to achieve the following.

    • rootkit detection
    • file system integrity
    • log file analysis
    • time based alerting
    • active responses

    Taken from the ossec-hids FAQ
    "OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response"

    2. This howto is based on the following assumptions
    • You are running an up to date installation of Dapper
    • You are preforming a "local" installation (i.e. a single host)

    3. The majority of this HOWTO is taken directly from the Installation Manual for OSSEC-HID which is a very easy to follow Manual. If you run into trouble please look at the Manual first as it will always have the most up to date information.

    Ok, Now that we are all together lets proceed. As mentioned above this HOWTO will only cover a local installation. ossec-hids has the ability to monitor multiple hosts all using the same ruleset. This is accomplished by installed the ossec-hids server on one machine and then doing an agents installation on every other machine you wish to protect. The agents communicate to the server via a secure connection. If you need this type of setup please take a look at the manual, however the installation is not very different (just different options available in your conf file is about it. The other nice thing is that the agents portion of the application will also run under a windows host. This allows those of you that have to and/or want to run a windows box to secure that as well (install the server on your /flamebait/ superior /flamebait/ Linux box and the agent on your windows box)

    Now the first thing we need to do is grab the latest sources. For this HOWTO we will be installing 0.8, however feel free to get the latest copy available from their site. We also need to install some stuff so we can compile it later.
    sudo apt-get install build-essentials
    cd ~
    mkdir src
    cd src
    Before we go ahead and extract this, lets make sure we got what we think we got. Verify the checksums in the .txt file and the same that the commands below output. THIS IS IMPORTANT -- DON'T SKIP IT --
    cat ossec-hids-0.8_checksum.txt
    md5sum ossec-hids-0.8.tar.gz
    sha1sum ossec-hids-0.8.tar.gz
    Well now, after verifying you have legit files (you did do that didn't you?) lets extract this bugger
    tar -zxvf ossec-hids-0.8.tar.gz
    cd ossec-hids-0.8
    Now the fun and easy part. We are going to run the installation script and let it do all the hard work. Note: Here I enter a su shell for the sake of simplicity. If you don't want to do this simply append "sudo" to the following commands
    sudo -s
    Go ahead and pick what language you want to read everything in and hit enter
     ** Para instalação em português, escolha [br].
      ** Fur eine deutsche Installation wohlen Sie [de].
      ** For installation in English, choose [en].
      ** Per l'installazione in Italiano, scegli [it].
      ** Aby instalować w języku Polskim, wybierz [pl].
      ** Türkçe kurulum için seçin [tr].
      (en/br/de/it/pl/tr) [en]:  en <enter> 
    Next it is going to warn us that we need a C compiler on the machine. (you did install build-essentials didn't you?) and give you some general information about your computer (kernel version, user and host). Go ahead and hit enter likes it says.
    OSSEC HIDS v0.8 Installation Script -
     You are about to start the installation process of the OSSEC HIDS.
     You must have a C compiler pre-installed in your system.
     If you have any questions or comments, please send an e-mail
     to (or
      - System: Linux diana 2.6.15-25-k7
      - User: root
      - Host: diana
      -- Press ENTER to continue or Ctrl-C to abort. --
    Next select a local install
    1- What kind of installation do you want (server, agent, local or help)? local <enter> 
    Now choose were you want to install it. This HOWTO will choose the default
    - Choose where to install the OSSEC HIDS [/var/ossec]:  <enter> 
    Now select you notification options. You can choose my answers or different ones. I would recommend setting "Y" to everything. Active responses are really nice. It will set some default configuration variables based on your answers and certian things it finds on your system.
    3- Configuring the OSSEC HIDS.
      3.1- Do you want e-mail notification? (y/n) [y]: y
       - What's your e-mail address?
       - What's your SMTP server ip/host? your smtp server address (localhost)
      3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
       - Running syscheck (integrity check daemon).
      3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
       - Running rootcheck (rootkit detection).
      3.4- Active response allows you to execute a specific
           command based on the events received. For example,
           you can block an IP address or disable access for
           a specific user.
           More information at:
       - Do you want to enable active response? (y/n) [y]: y
         - Active response enabled.
       - By default, we can enable the host-deny and the
         firewall-drop responses. The first one will add
         a host to the /etc/hosts.deny and the second one
         will block the host on iptables (if linux) or on
         ipfilter (if Solaris, FreeBSD or NetBSD).
       - They can be used to stop SSHD brute force scans,
         portscans and some other forms of attacks. You can
         also add them to block on snort events, for example.
       - Do you want to enable the firewall-drop response? (y/n) [y]: y
         - firewall-drop enabled (local) for levels >= 6
       - Default white list for the active response:
       - Do you want to add more IPs to the white list? (y/n)? [n]: n
      3.6- Setting the configuration to analyze the following logs:
        -- /var/log/messages
        -- /var/log/auth.log
        -- /var/log/syslog
        -- /var/log/
        -- /var/log/apache2/error.log (apache log)
        -- /var/log/apache2/access.log (apache log)
     - If you want to monitor any other file, just change
       the ossec.conf and add a new localfile entry.
       Any questions about the configuration can be answered
       by visiting us online at .
       --- Press ENTER to continue ---
    Now it will compile everything. This shouldn't take too long to complete. It only took around 1-2 minutes for my boxes. After it is completed press enter to finish.
     - Unknown system. No init script added.
     - Configuration finished properly.
     - To start OSSEC HIDS:
                    /var/ossec/bin/ossec-control start
     - To stop OSSEC HIDS:
                    /var/ossec/bin/ossec-control stop
     - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
        Thanks for using the OSSEC HIDS.
        If you have any question, suggestion or if you find any bug,
        contact us at or using our public maillist at
        More information can be found at
        ---  Press ENTER to finish (maybe more information bellow). ---
    Now unfourtuntly it doesn't detect Ubuntu so it will not create an init script. This is simple enough to take care of. (Yes, its basic. If you want to improve it please feel free to do so) Copy and paste the following into /etc/init.d/ossec

    case "$1" in
      /var/ossec/bin/ossec-control start
      /var/ossec/bin/ossec-control stop
      $0 stop && sleep 3
      $0 start
      $0 stop
      $0 start
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
    Now make it executable
    cd /etc/init.d
    chmod +x ossec
    Add it to our runlevels so it starts on boot
    update-rc.d ossec defaults
    Now lets crank her up and make sure everything works
    /etc/init.d/ossec start
    If you get something like this, you should be in good shape.
    Starting OSSEC HIDS v0.8 (by Daniel B. Cid)...
    Started ossec-maild...
    Started ossec-execd...
    Started ossec-analysisd...
    Started ossec-logcollector...
    Started ossec-syscheckd...
    Now you can go on to customize the setup. Chances are you going to want it to ignore certian directories and create your own rules. Please check out the manual for excellent instructions on doing so.

    Caveat: the check_xxx values listed in the documentation should appear as directory attributes (i.e. <directory blah blah check_perms yes>

    OSSEC Homepage
    OSSEC-HIDS Manual
    Last edited by RShadow; July 12th, 2006 at 05:00 AM.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts