COIT13146 - System and Network Administration

Installing OSSEC

From the OSSEC website (www.ossec.net, accessed 17-01-2013):

"OSSEC is an Open Source Host-based Intrusion Detection System. It
performs log analysis, file integrity checking, policy monitoring,
rootkit detection, real-time alerting and active response."

We will be installing OSSEC on our internal server, userv1.

Assumptions

- We have an up-to-date Ubuntu Server connected to the Internet.
  Remember that our Ubuntu Server, userv1, requires our gateway
  server to provide access to the Internet. So for all the tasks
  below we will need the gateway server running and the firewall
  rules developed previously applied (consider including these in
  startup scripts if they are working without issue).

- We have a basic understanding of what Intrusion Detection Systems
  (IDS) and Intrusion Prevention Systems (IPS) are.

- We know the difference between a Network IDS and a Host IDS.

OSSEC

Installation

Installing OSSEC is very different from all our previous
installations. There is no pre-built Ubuntu package for OSSEC, so
we will have to compile and install it manually from the source
archive published by the project. This is a good exercise to do.

We need the build-essential package to allow us to build OSSEC:

ubuntu@userv1:~$ sudo apt-get install build-essential


It is a fairly large package (~90 MB) so may take a little while
to download and install. It installs a number of compilers and
development tools required to build and compile software.

We first need to download the OSSEC files, so let's make a
directory to work in. Starting from our home directory:

ubuntu@userv1:~$ mkdir ossec

and change directories so we are in the ossec working directory:

ubuntu@userv1:~$ cd ossec

Now we download OSSEC with the wget command (read the man page
before using it). Check the OSSEC website for the latest version
available and adjust the filename in the command accordingly. From
our working directory:

ubuntu@userv1:~/ossec$ wget http://www.ossec.net/files/ossec-hids-2.8.tar.gz

This downloads the OSSEC 2.8 installation files to our working
directory. Before building anything, compare the checksum of the
downloaded archive (for example with sha256sum) against the value
published on the OSSEC download page. We are about to compile and
run this code as root, so we want to be sure it is the archive the
project released and not something altered in transit.

Now we need to extract the files:

ubuntu@userv1:~/ossec$ tar -xvf ossec-hids-2.8.tar.gz

Then change to the installation directory:

ubuntu@userv1:~/ossec$ cd ossec-hids-*

and then install OSSEC by running the install.sh script as root:

ubuntu@userv1:~/ossec/ossec-hids-2.8$ sudo ./install.sh


** For installation in Portuguese, choose [br].
** For installation in Chinese, choose [cn].
** For installation in German, choose [de].
** For installation in Greek, choose [el].
** For installation in English, choose [en].
** For installation in Spanish, choose [es].
** For installation in French, choose [fr].
** For installation in Hungarian, choose [hu].
** For installation in Italian, choose [it].
** For installation in Japanese, choose [jp].
** For installation in Dutch, choose [nl].
** For installation in Polish, choose [pl].
** For installation in Russian, choose [ru].
** For installation in Serbian, choose [sr].
** For installation in Turkish, choose [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:

We are asked for the installation language, which defaults to [en],
English, so just press [Enter]. (The installer prints each of these
lines in its own language; they are shown in English here.)


OSSEC HIDS v2.8 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux userv1 3.2.0-35-virtual
- User: root
- Host: userv1

-- Press ENTER to continue or Ctrl-C to abort. --

[Enter] to continue.
1- What kind of installation do you want (server, agent, local, hybrid or help)?

We are doing a local install (a stand-alone host that analyses its
own logs, with no agents reporting to it), so type 'local' (no
quotes) and press [Enter].
2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:

Use the default /var/ossec install location - press [Enter].


3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]:

Yes we do!

- What's your e-mail address?

Type in our own email address - choose an email address that is
easily accessed - all alerts will be sent to this address.

- What's your SMTP server ip/host?

Our local machine is configured to send email so we can use it as
the SMTP server by simply typing in 'localhost' (no quotes).
3.2- Do you want to run the integrity check daemon? (y/n) [y]:

y
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

y
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]:

y - note that active response can block the address we are
connecting from, including our own PuTTY session, if something we do
trips a rule (a few mistyped passwords is enough). The white list
asked for below is where we tell OSSEC which addresses it must never
block.


This is outlined by the details provided:

- By default, we can enable the host-deny and the
  firewall-drop responses. The first one will add
  a host to the /etc/hosts.deny and the second one
  will block the host on iptables (if linux) or on
  ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
  portscans and some other forms of attacks. You can
  also add them to block on snort events, for example.

So if we attempt to log in to our server and make a few failed
password attempts, our IP address will be locked out (by default the
block is lifted again after the timeout set for the response in
ossec.conf, 600 seconds in the stock configuration).
- Do you want to enable the firewall-drop response? (y/n) [y]:

y
- Default white list for the active response:
- 192.168.1.1

- Do you want to add more IPs to the white list? (y/n)? [n]:

n - we don't want to add any more. 192.168.1.1 is the name
resolution server for *this* network (the installer takes it from
the nameserver entries in /etc/resolv.conf, so this address may be
different for each of us). If you administer userv1 from a fixed
address, the machine running PuTTY, this is the place to answer y
and add that address so that a mistyped password can never lock you
out; the list can also be changed later through the <white_list>
entries in /var/ossec/etc/ossec.conf.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/dpkg.log
-- /var/log/snort/alert (snort-full file)

- If you want to monitor any other file, just change
  the ossec.conf and add a new localfile entry.
  Any questions about the configuration can be answered
  by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---

[Enter] to continue.

Read those details carefully - OSSEC will monitor the auth.log
file (login issues), syslog (system errors), dpkg.log (software
installations) and the snort alert file (if Snort is installed and
writing to it, its alerts will now be reported to us via email).
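Two of the settings chosen during the install, the active-response white list and the set of monitored files, live in /var/ossec/etc/ossec.conf and can be changed after installation. The fragment below is an added example, not from the course notes or the OSSEC distribution, showing the shape of those entries; the e-mail address, the second white-listed address (our PuTTY host) and the two extra log paths are assumed values. The installed file already consists of several <ossec_config> blocks, so this can be appended as one more block or merged into the existing <global> section.

```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>   <!-- assumed alert recipient -->
    <smtp_server>localhost</smtp_server>
    <email_from>ossecm@userv1</email_from>
    <!-- Addresses active response must never block: the DNS server the
         installer found, and the host we run PuTTY from (assumed). -->
    <white_list>192.168.1.1</white_list>
    <white_list>192.168.1.20</white_list>
  </global>

  <!-- One localfile block per extra file to watch (paths assumed).
       log_format selects the decoder family used for the lines. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/ufw.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>
```

After editing the file, restart OSSEC with sudo /var/ossec/bin/ossec-control restart and check /var/ossec/logs/ossec.log for a parse error before assuming the change took effect.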

The build will take a little while to complete. Ensure that it
completes successfully.

We should always read the output carefully:

- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start


- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.


If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net ( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information below). ---

[Enter] to finish.

OSSEC should now be installed.

If you have problems do not proceed - raise an issue on the course
forum.
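The whole install walked through above can be done unattended. The script below is an added example, not from the course notes or the OSSEC project: it fetches the archive, refuses to build it if its SHA-256 does not match the value copied from the OSSEC download page, and writes etc/preloaded-vars.conf inside the unpacked source tree so that install.sh records the same answers we gave by hand (local install, mail via localhost, syscheck, rootcheck, active response with firewall-drop, a white list). The checksum, the alert address and the white-listed addresses are placeholders to replace; the USER_* variable names follow the preloaded-vars.conf shipped in the OSSEC tarball and should be checked against that file for your version.

```shell
#!/bin/sh
# Unattended OSSEC 2.8 "local" install for userv1 (added example, not
# part of the course notes or the OSSEC distribution).
# Assumptions: the checksum, alert address and white-list addresses are
# placeholders; the USER_* names follow etc/preloaded-vars.conf in the
# OSSEC tarball, which install.sh reads to skip its questions.
set -eu

OSSEC_VERSION="2.8"
OSSEC_TARBALL="ossec-hids-${OSSEC_VERSION}.tar.gz"
OSSEC_URL="http://www.ossec.net/files/${OSSEC_TARBALL}"
EXPECTED_SHA256="replace-with-the-sha256-published-on-www.ossec.net"
ALERT_EMAIL="admin@example.com"            # assumed alert recipient
ADMIN_HOSTS="192.168.1.1 192.168.1.20"     # assumed: DNS server + our PuTTY host

# Compare the SHA-256 of a file with the expected value.
# Returns 0 on match, 1 on mismatch, so callers can refuse to build.
verify_tarball() {
    _actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$_actual" = "$2" ]
}

# Write etc/preloaded-vars.conf inside an unpacked source tree so that
# install.sh records the same answers we gave interactively.
write_preloaded_vars() {
    cat > "$1/etc/preloaded-vars.conf" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="local"
USER_DIR="/var/ossec"
USER_ENABLE_EMAIL="y"
USER_EMAIL_ADDRESS="${ALERT_EMAIL}"
USER_EMAIL_SMTP="localhost"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_FIREWALL_RESPONSE="y"
USER_WHITE_LIST="${ADMIN_HOSTS}"
EOF
}

# The whole procedure: fetch, verify, unpack, pre-answer, build, install.
install_ossec() {
    mkdir -p "${HOME}/ossec"
    cd "${HOME}/ossec"
    wget "${OSSEC_URL}"
    if ! verify_tarball "${OSSEC_TARBALL}" "${EXPECTED_SHA256}"; then
        echo "checksum mismatch for ${OSSEC_TARBALL}: refusing to build it" >&2
        return 1
    fi
    tar -xzf "${OSSEC_TARBALL}"
    write_preloaded_vars "ossec-hids-${OSSEC_VERSION}"
    (cd "ossec-hids-${OSSEC_VERSION}" && sudo ./install.sh)
}

# Only perform the install when asked explicitly:  sh install-ossec.sh run
if [ "${1:-}" = "run" ]; then
    install_ossec
fi
```

Save it as install-ossec.sh in the home directory and run it with sh install-ossec.sh run; without the argument it only defines the functions, so it can be read or sourced safely. The checksum check is the step that matters most: everything after it runs as root.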

Cleaning up

To save space on our server and to remove unwanted software we can
now purge the build-essential package and the components that were
installed only to support it:

ubuntu@userv1:~$ sudo apt-get purge build-essential

ubuntu@userv1:~$ sudo apt-get autoremove

build-essential is only a metapackage, so the purge on its own
leaves the compilers in place; it is the autoremove that takes them
out. Read the list of packages autoremove proposes before confirming
it, since it removes anything no longer required by an installed
package, not just the build tools. The OSSEC binaries in /var/ossec
are already built and are not affected.

Starting OSSEC

Now we can start OSSEC:

ubuntu@userv1:~$ sudo /var/ossec/bin/ossec-control start

Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

We should receive an email indicating that the OSSEC server
started. We can also confirm that all six daemons are running with
sudo /var/ossec/bin/ossec-control status, and read
/var/ossec/logs/ossec.log for any errors logged during startup.

We should always read the output from commands carefully. In a
previous term there was a minor bug in the ossec-control script
which required it to be manually edited. This bug has been fixed
in the latest version of OSSEC. If any errors are displayed do
something about them straight away (ask on the course forum),
don't just ignore them.

You should now check your email for messages from OSSEC! If nothing
arrives, look in /var/ossec/logs/alerts/alerts.log (alerts are
written there whether or not mail delivery works) and in
/var/ossec/logs/ossec.log for errors from ossec-maild.
