Menu

Installing OSSEC host intrusion detection system in Ubuntu 16.04

4 years ago 0

In this tutorial we will be installing OSSEC Host Intrusion detection. OSSEC is a free, open-source host intrusion detection system. The client is compatible with almost all of the mayor operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. In this tutorial we will be installing the OSSEC centralized management server and i will show you how to add a Windows 10 agent to be monitored and managed.

  • Log analysis
  • Integrity checking
  • Windows registry monitoring
  • Rootkit detection
  • Time based alerting
  • Active response.

Positives:

  • Very powerful log analysing engine
  • Monitor Multi OS environments with easy
  • OSSEC supports agent less as well as agent based monitoring
  • Can monitor all user activities which is not possible in a network based system
  • It can identify attacks that originate from inside the host.
  • Ability to monitor encrypted traffic.
  • No extra hardware since software is installed on the hosts
  • Cost effective for a small scale network having a few hosts.

Negatives:

  • By default, OSSEC restricts the number of agents to 256 per manager (to change this default behaviour OSSEC needs to be compiled from source with some additional options).
  • Limited number of alerts per hour.
  • Transitioning to newer versions of can be difficult, previously defined rules are overwritten by default values upon upgrading.

You can find more info on OSSEC here or on their GitHub site here

System Requirements

Installation

Connect to your server as the admin user via SSH.

ssh [email protected]

Set a static IP

sudo nano /etc/network/interfaces

Replace

...
auto eth0
iface eth0 inet dhcp
...

with thee following
(choose your IP from a non dhcp range in your network,and the DNS of your choosing i used Google DNS)

...
auto eth0
iface eth0 inet static
address 192.168.1.8
gateway 192.168.1.1
netmask 255.255.255.0
dns-nameservers 8.8.8.8 8.8.4.4
...

Save and close

Reboot

sudo shutdown -r now

Connect to your server on the new IP via SSH.

ssh [email protected]

Download and install OSSEC

# Add Apt sources.lst
wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash

# Update sources
sudo apt-get update && sudo apt-get upgrade -y

# Server
sudo apt-get install ossec-hids-server unzip apache2 libapache2-mod-php7.0 php7.0 php7.0-cli php7.0-common apache2-utils

Enable email notifications

Choose the emails where the alerts will be sent to

Choose the from email address

localhost or 127.0.0.1
(i had some issues setting it to localhost here so please use 127.0.0.1 instead)

Add the IP from your PC to the whitelist so OSSEC will allow ssh connections from your PC by editing the OSSEC config file

sudo nano /var/ossec/etc/ossec.conf

In my case 192.168.1.120 you can also add multiple IP’s as necessary

...
  
    127.0.0.1
    ::1
    192.168.1.120
  
...

By default, OSSEC sends 12 emails per hour, we will modify the following setting to decrease the default. You can increase or decrease that value by adding the following section:

5

Should look like this:

...
  
    yes
    [email protected]
    127.0.0.1
    [email protected]
    5
  
...

Installing the OSSEC Web Interface

sudo mkdir -p /var/www/html/

cd /var/www/

sudo wget https://github.com/ossec/ossec-wui/archive/master.zip

sudo unzip master.zip -d /var/www/html/

sudo rm master.zip

sudo mv /var/www/html/ossec-wui-master/* /var/www/html/

sudo rm -rf /var/www/html/ossec-wui-master/

cd /var/www/html/

sudo bash setup.sh

Enter your username, Password and choose www-data as your WebServer username

Setting up ossec ui...
 
Username: admin
New password: 
Re-type new password: 
Adding password for user admin
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
www-data
You must restart your web server after this setup is done.
 
Setup completed successfully.

Restart the Web Server and allow required ports trough the firewall

sudo ufw allow http

sudo ufw allow 1514/udp

sudo systemctl restart apache2

Test your Web Interface at

http://your.server.ip
sudo /var/ossec/bin/manage_agents

For additional info on setting up a domain on MailGun:
Setting up a domain with Mailgun

Install postfix

sudo debconf-set-selections