• Subscribe to the low volume list for updates.

OSSEC Introduction and Installation Guide

OSSEC is easy to use and provides a high level of system surveillance for a small amount of effort. OSSEC is a Host based Intrusion Detection System (HIDS). Using a HIDS allows you to have real time visibility into what security events are taking place on a server.

Best practice security management calls for a layered approach to security. Security vulnerability scanning, firewall, strong passwords, patch management and intrusion detection capabilities are all important layers.

OSSEC provides a number of functions

  • Real time log monitoring.
  • File integrity checking - detects changes to files and system paths.
  • Rootkit detection.
  • Changes to the system / running services (netstat) / disk space / password file changes.
  • Real time blocking of detected attacks through firewall rule modification.
  • Execute arbitrary commands based on specific events.

At the most basic level you can install OSSEC, set an email address and let it do its job alerting you to security related events on your server. It will not impact the system in anyway simply provide you with security related visibility.

Tuning is easy and you will likely only need to tune out a few things to reduce the amount of alerts you receive as the rate of false positives is very low.

While the following information is for an older version, nothing has changed in the process of the latest version. Download the tar archive from the ossec site and get started.

Quick guide to installing on Ubuntu

wget https://github.com/ossec/ossec-hids/archive/2.9.3.tar.gz

tar zxvf 2.9.3.tar.gz
cd ossec-hids-2.9.3
sudo ./install.sh

1. What kind of installation do you want (server, agent, local or help)?

* If you are doing a basic install to a single server select 'local'.
This creates a single install to monitor only the server you are
installing on. See the documentation on the site for details on
setting up multiple agents on a number of servers that all report back
to a server.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

   - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

 3.1- Do you want e-mail notification? (y/n) [y]:
  - What's your e-mail address?   -- enter your email address here

 - We found your SMTP server as: example.test.com.
  - Do you want to use it? (y/n) [y]: n

  - What's your SMTP server ip/host? enter your preffered smtp server here

 3.2- Do you want to run the integrity check daemon? (y/n) [y]:
   (this is for file integrity checking, alerts you to changes to
files on your system)

  - Running syscheck (integrity check daemon).

 3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
  (this checks for rootkits on a regular basis)

  - Running rootcheck (rootkit detection).

 3.4- Active response allows you to execute a specific
      command based on the events received. For example,
      you can block an IP address or disable access for
      a specific user.
      More information at:

  - Do you want to enable active response? (y/n) [y]:
(this can block attacks that meet certain rules)

If you select [y] yes for Active response you are adding Intrusion Prevention capability, this is a good thing but you need to white list your own IP's as you don't want Active response to trigger against your IP and auto block your access. This could happen if you failed multiple ssh logins, or if you were to run a vulnerability scan against your IP, as OSSEC would detect this as an attack. Your IP would get blocked, and then you would be unable to ssh to your server for example to manage it!

After compiling is complete you will be presented with final instructions:

- System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
               /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
               /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

   Thanks for using the OSSEC HIDS.
   If you have any question, suggestion or if you find any bug,
   contact us at contact@ossec.net or using our public maillist at
   ( https://www.ossec.net/about.html#support-options ).

   More information can be found at https://www.ossec.net

   ---  Press ENTER to finish (maybe more information below). ---

That's it your done. Just start it up with:

       /var/ossec/bin/ossec-control start

After your initial install you will get a number of alerts - assuming your SMTP is configured correctly. Agent starting up, new user logged in, that sort of thing.

For 15 minutes work you now have real time security monitoring of your server. If you would like to test active response try our online vulnerability scans and test your hosts defence.

If you have Active response enabled, vulnerability scanners will likely get blocked and the scan will not be completed. To run a full scan against your system with Active response enabled try adding the scanning host to the OSSEC white-list (preferred) or disable OSSEC for the duration of the scan (not recommended), make sure you re-enable your protection after the scan completes.

Full installation instructions are available here https://www.ossec.net/docs/manual/installation/install-source.html

Follow up post to this article:  Enable OSSEC Active Response.

Do more with OSSEC

Detect WordPress attacks and monitor the application and web server logs.

Next level testing with advanced Security Vulnerability Scanners.

Trusted tools. Hosted for easy access.