In this tutorial we will be installing OSSEC host intrusion detection. OSSEC is a free, open-source host intrusion detection system (HIDS). The agent is compatible with almost all of the major operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. We will install the OSSEC centralized management server, and I will show you how to add a Windows 10 agent to be monitored and managed. Its main capabilities are:
- Log analysis
- Integrity checking
- Windows registry monitoring
- Rootkit detection
- Time based alerting
- Active response.
Positives:
- Very powerful log analysis engine
- Monitors multi-OS environments with ease
- OSSEC supports agentless as well as agent-based monitoring
- Can monitor all user activity on the host, which is not possible with a network-based system
- It can identify attacks that originate from inside the host.
- Ability to monitor encrypted traffic, since inspection happens on the host after decryption.
- No extra hardware, since the software is installed on the hosts
- Cost effective for a small-scale network with a few hosts.
Negatives:
- By default, OSSEC restricts the number of agents to 256 per manager (to change this default behaviour OSSEC needs to be compiled from source with some additional options).
- Limited number of email alerts per hour (see the email_maxperhour setting below).
- Transitioning to newer versions can be difficult: previously defined rules are overwritten by default values upon upgrading, so back up your customised rules and configuration before an upgrade.
You can find more info on OSSEC here or on their GitHub site here
System Requirements
Installation
Connect to your server as the admin user via SSH.
ssh [email protected]
Set a static IP
sudo nano /etc/network/interfaces
Replace
...
auto eth0
iface eth0 inet dhcp
...
with the following
(choose an IP outside your network's DHCP range, and the DNS servers of your choosing; I used Google DNS)
...
auto eth0
iface eth0 inet static
address 192.168.1.8
gateway 192.168.1.1
netmask 255.255.255.0
dns-nameservers 8.8.8.8 8.8.4.4
...
Save and close
Reboot
sudo shutdown -r now
Connect to your server on the new IP via SSH.
ssh [email protected]
Download and install OSSEC
# Add the Atomicorp apt repository (this pipes a remote installer into a root shell; download and review the script first if you prefer)
wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
# Update sources
sudo apt-get update && sudo apt-get upgrade -y
# Server
sudo apt-get install ossec-hids-server unzip apache2 libapache2-mod-php7.0 php7.0 php7.0-cli php7.0-common apache2-utils
Enable email notifications: choose the email address(es) the alerts will be sent to, the from address, and the SMTP server, which can be localhost or 127.0.0.1
(I had some issues setting it to localhost here, so please use 127.0.0.1 instead)
Add your PC's IP address to the whitelist in the <global> section of the OSSEC config file, so that active response never blocks SSH connections from your own PC:
sudo nano /var/ossec/etc/ossec.conf
In my case the address is 192.168.1.120; you can add multiple IPs as necessary, one <white_list> entry each:
...
<white_list>127.0.0.1</white_list>
<white_list>::1</white_list>
<white_list>192.168.1.120</white_list>
...
By default, OSSEC sends at most 12 emails per hour; we will lower that limit. You can increase or decrease the value by adding the following setting to the <global> section:
<email_maxperhour>5</email_maxperhour>
The <global> section should then look like this:
...
<email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>127.0.0.1</smtp_server>
<email_from>[email protected]</email_from>
<email_maxperhour>5</email_maxperhour>
...
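As an added example that is not part of the original tutorial, the POSIX shell helpers below generate the <global> settings discussed above (email notification, SMTP server, rate limit and white_list entries) from parameters, refuse a non-numeric email_maxperhour and malformed white_list addresses, and read the current email_maxperhour back out of an existing ossec.conf, falling back to OSSEC's built-in default of 12 when the element is absent. The function names, the example.com addresses and the demo call at the bottom are my own assumptions; the element names are OSSEC's real ossec.conf elements.

```shell
#!/bin/sh
# Added example: helpers for the <global> section of ossec.conf.
# Function names and sample addresses are assumptions made for this example;
# the element names (email_to, smtp_server, email_from, email_maxperhour,
# white_list) are the real ossec.conf ones.

# valid_ip ADDR: accept an IPv4 address (each octet 0-255) or a loosely
# checked IPv6 literal such as ::1. Returns 0 when valid, 1 otherwise.
valid_ip() {
    if printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        rest=$1
        while [ -n "$rest" ]; do
            octet=${rest%%.*}
            [ "$octet" -le 255 ] || return 1
            case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
        done
        return 0
    fi
    case $1 in
        *:*) printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:]+$' && return 0 ;;
    esac
    return 1
}

# ossec_global_block EMAIL_TO EMAIL_FROM SMTP_SERVER MAXPERHOUR [WHITELIST_IP ...]
# Prints a <global> section to stdout. On bad input it prints nothing to
# stdout, reports the problem on stderr and returns 1.
ossec_global_block() {
    [ $# -ge 4 ] || { echo "usage: ossec_global_block EMAIL_TO EMAIL_FROM SMTP MAXPERHOUR [IP ...]" >&2; return 1; }
    email_to=$1
    email_from=$2
    smtp=$3
    maxperhour=$4
    shift 4
    case $maxperhour in
        ''|*[!0-9]*)
            echo "email_maxperhour must be a whole number, got '$maxperhour'" >&2
            return 1 ;;
    esac
    for ip in "$@"; do
        valid_ip "$ip" || { echo "invalid white_list entry: $ip" >&2; return 1; }
    done
    printf '<global>\n'
    printf '  <email_notification>yes</email_notification>\n'
    printf '  <email_to>%s</email_to>\n' "$email_to"
    printf '  <smtp_server>%s</smtp_server>\n' "$smtp"
    printf '  <email_from>%s</email_from>\n' "$email_from"
    printf '  <email_maxperhour>%s</email_maxperhour>\n' "$maxperhour"
    for ip in "$@"; do
        printf '  <white_list>%s</white_list>\n' "$ip"
    done
    printf '</global>\n'
}

# email_maxperhour_of FILE: print the limit configured in an ossec.conf,
# or OSSEC's default of 12 when no <email_maxperhour> element is present.
email_maxperhour_of() {
    val=$(sed -n 's/.*<email_maxperhour>\([0-9][0-9]*\)<\/email_maxperhour>.*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${val:-12}"
}

# Demo with constructed values (the tutorial's own addresses are not reproduced).
ossec_global_block you@example.com ossec@example.com 127.0.0.1 5 127.0.0.1 ::1 192.168.1.120
```

Run the script to print a ready-to-paste <global> section, or source it and call email_maxperhour_of /var/ossec/etc/ossec.conf to confirm which rate limit a server is actually running with before relying on alert volume during an incident.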
Installing the OSSEC Web Interface
sudo mkdir -p /var/www/html/
cd /var/www/
sudo wget https://github.com/ossec/ossec-wui/archive/master.zip
sudo unzip master.zip -d /var/www/html/
sudo rm master.zip
sudo mv /var/www/html/ossec-wui-master/* /var/www/html/
sudo rm -rf /var/www/html/ossec-wui-master/
cd /var/www/html/
sudo bash setup.sh
Enter your username and password, and choose www-data as your web server user name
Setting up ossec ui...
Username: admin
New password:
Re-type new password:
Adding password for user admin
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
www-data
You must restart your web server after this setup is done.
Setup completed successfully.
Restart the web server and allow the required ports through the firewall (HTTP for the web interface, 1514/udp for the agents):
sudo ufw allow http
sudo ufw allow 1514/udp
sudo systemctl restart apache2
Test your web interface at
http://your.server.ip
Note that setup.sh protects the interface with HTTP basic authentication and this tutorial serves it over plain HTTP, so the password crosses the network in clear text; limit port 80 to trusted addresses in ufw or put the interface behind TLS.
To register agents with the server, run the manage_agents tool:
sudo /var/ossec/bin/manage_agents
For additional info on setting up a domain on MailGun:
Setting up a domain with Mailgun
Install postfix
sudo debconf-set-selections