OSSEC is a Host Based Intrusion Detection and Prevention system.
Best practice security management calls for a layered approach to security; security vulnerability scanning, a firewall, strong passwords, patch management and intrusion detection capabilities are all important layers. Using a HIDS allows you to have real time visibility into what security events are taking place on a server.
The latest version of
OSSEC is easy to use and provides a high level of system surveillance for a small amount of effort.
OSSEC provides a number of functions:
- Real time log monitoring
- File integrity checking - detects changes to files and system paths
- Rootkit detection
- Changes to the system / running services (netstat) / disk space / password file changes
- Real time blocking of detected attacks through firewall rule modification
- Execute arbitrary commands based on specific events
At the most basic level you can install OSSEC, set an email address and let it do its job alerting you to security related events on your server. It will not impact the system in anyway simply provide you with security related visibility.
Tuning is easy and you will likely only need to tune out a few things to reduce the amount of alerts you receive as the rate of false positives is very low.
Full installation instructions are available here http://www.ossec.net/main/manual/manual-installation
tararchive from the ossec site and get started.
A quick guide to installing on Ubuntu follows:
wget http://www.ossec.net/files/ossec-hids-2.1.1.tar.gz tar zxvf ossec-hids-2.1.1.tar.gz cd ossec-hids-2.1.1 sudo ./install.sh 1. What kind of installation do you want (server, agent, local or help)? * If you are doing a basic install to a single server select 'local'. This creates a single install to monitor only the server you are installing on. See the documentation on the site for details on setting up multiple agents on a number of servers that all report back to a server. 2- Setting up the installation environment. - Choose where to install the OSSEC HIDS [/var/ossec]: - Installation will be made at /var/ossec . 3- Configuring the OSSEC HIDS. 3.1- Do you want e-mail notification? (y/n) [y]: - What's your e-mail address? -- enter your email address here - We found your SMTP server as: example.test.com. - Do you want to use it? (y/n) [y]: n - What's your SMTP server ip/host? enter your preffered smtp server here 3.2- Do you want to run the integrity check daemon? (y/n) [y]: (this is for file integrity checking, alerts you to changes to files on your system) - Running syscheck (integrity check daemon). 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: (this checks for rootkits on a regular basis) - Running rootcheck (rootkit detection). 3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user. More information at: http://www.ossec.net/en/manual.html#active-response - Do you want to enable active response? (y/n) [y]: (this can block attacks that meet certain rules)
If you select yes for Active response you are adding Intrusion Prevention capability, this is a good thing but keep in mind it is a good idea to white list your own IP's as you don't want active response to trigger against your IP and auto block your access. This could happen if you failed multiple ssh logins, or if you were to run a
vulnerability scan against your IP - as ossec would detect this as an attack. So your IP would get blocked, and then you would be unable to ssh to your server for example to manage it!
After compiling is complete you will be presented with final instructions:
- System is Debian (Ubuntu or derivative). - Init script modified to start OSSEC HIDS during boot. - Configuration finished properly. - To start OSSEC HIDS: /var/ossec/bin/ossec-control start - To stop OSSEC HIDS: /var/ossec/bin/ossec-control stop - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf Thanks for using the OSSEC HIDS. If you have any question, suggestion or if you find any bug, contact us at firstname.lastname@example.org or using our public maillist at email@example.com ( http://www.ossec.net/main/support/ ). More information can be found at http://www.ossec.net --- Press ENTER to finish (maybe more information below). ---
That's it your done. Just start it up with:
After your initial install you will get a number of alerts (assuming your smtp is configured correctly). Agent starting up, new user logged in and that sort of thing.
So for 15mins work you now have real time security monitoring of your server, if you would like to test active response head over to http://hackertarget.com and launch vulnerability scans against your host.
The HackerTarget.com scanning IP addresses will likely get blocked and the scan will not be completed. On the other hand if you want to run a vulnerability scan against your host that does not get blocked you will need to turn off ossec.