This guide will help you to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9. OSSEC is an open source host-based intrusion detection system (HIDS) that runs on Linux, OpenBSD, Solaris, FreeBSD, Windows, and other systems. OSSEC works in a server/client model. The OSSEC client performs log analysis, policy monitoring, file integrity checking, real-time alerting, rootkit detection and active response.
OSSEC has the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM as a simple solution with Web UI management.
Step 1: Install OSSEC Dependencies
OSSEC requires PHP, gcc, libc and Apache Web Server. Install them by running the commands below:
sudo apt install -y wget unzip make gcc build-essential sudo apt install -y php php-cli php-common libapache2-mod-php apache2-utils sendmail inotify-tools
Step 2: Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9
Once the dependencies have been installed, the next installation is for OSSEC HIDS. The source code for OSSEC is available on Github.
Check for the latest release before downloading. As of this writing, the latest is 3.1.0
export VER="3.1.0"
wget https://github.com/ossec/ossec-hids/archive/${VER}.tar.gz
Once downloaded, extract the file with the following command:
tar -xvzf ${VER}.tar.gz
This extraction will create a folder, change to this folder and run the install script.
cd ossec-hids-${VER}
sudo sh install.sh
1. Set language
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en
2. Press <ENTER> to continue
OSSEC HIDS v3.1.0 Installation Script - http://www.ossec.net You are about to start the installation process of the OSSEC HIDS. You must have a C compiler pre-installed in your system. - System: Linux deb9 4.9.0-8-amd64 - User: root - Host: deb9 -- Press ENTER to continue or Ctrl-C to abort. --
3. Choose local installation type
What kind of installation do you want (server, agent, local, hybrid or help)? local
With the local installation, you will be able to do everything the server does, except receiving remote messages from the agents or external syslog devices.
4. Choose where to install the OSSEC HIDS [/var/ossec], press enter to use /var/ossec
Installation will be made at /var/ossec .
5. Configuring the OSSEC HIDS
3.1- Do you want e-mail notification? (y/n) [y]: y - What's your e-mail address? [email protected] - What's your SMTP server ip/host? localhost 3.2- Do you want to run the integrity check daemon? (y/n) [y]: y - Running syscheck (integrity check daemon). 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y - Running rootcheck (rootkit detection). 3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user. More information at: http://www.ossec.net/en/manual.html#active-response - Do you want to enable active response? (y/n) [y]: y - Active response enabled. - By default, we can enable the host-deny and the firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD). - They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example. - Do you want to enable the firewall-drop response? (y/n) [y]: y - firewall-drop enabled (local) for levels >= 6 - Default white list for the active response: - 192.168.121.1 - Do you want to add more IPs to the white list? (y/n)? [n]: 3.6- Setting the configuration to analyze the following logs: -- /var/log/messages -- /var/log/auth.log -- /var/log/syslog -- /var/log/mail.info -- /var/log/dpkg.log -- /var/log/apache2/error.log (apache log) -- /var/log/apache2/access.log (apache log) - If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net . --- Press ENTER to continue ---
Press Enter to start the installation
The init script for managing OSSEC HIDS is /var/ossec/bin/ossec-control
To start the service, use:
$ sudo /var/ossec/bin/ossec-control start Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)... Started ossec-maild... Started ossec-execd... Started ossec-analysisd... Started ossec-logcollector... Started ossec-syscheckd... Started ossec-monitord... Completed.
And stop it by running
sudo /var/ossec/bin/ossec-control stop
You can further configure OSSEC HIDS by editing the configuration file:
sudo vim /var/ossec/etc/ossec.conf
The rules are located under the directory/var/ossec/rules/. The rules for local system files are set on the file /var/ossec/rules/local_rules.xml
Check OSSEC Documentation for configuration options.
Don’t forget to restart OSSEC HIDS whenever you make a change
sudo /var/ossec/bin/ossec-control restart
Step 3: Install OSSEC Web UI
OSSEC HIDS has a simple web interface, but it needs to be installed.
git clone https://github.com/ossec/ossec-wui.git sudo mv ossec-wui /srv cd /srv/ossec-wui sudo ./setup.sh
Set Dashboard admin username/password and web server username
trap: SIGHUP: bad trap Setting up ossec ui... Username: admin New password: <ENTER PASSWORD> Re-type new password:<CONFIRM PASSWORD> Adding password for user admin Enter your web server user name (e.g. apache, www, nobody, www-data, ...) www-data You must restart your web server after this setup is done. Setup completed successfully.
Create an Apache VirtualHost configuration file
sudo vim /etc/apache2/sites-enabled/ossec-wui.conf
Put the contents below into the file
<VirtualHost *:80>
DocumentRoot /srv/ossec-wui/
ServerName ossec.example.com
ServerAlias www.ossec.example.com
ServerAdmin [email protected]
<Directory /srv/ossec-wui/>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/log/apache2/moodle-error.log
CustomLog /var/log/apache2/moodle-access.log combined
</VirtualHost>
Replace example.com with your domain name, save the file and exit.
Enable the Apache rewrite module
sudo a2enmod rewrite sudo systemctl restart apache2
$ sudo systemctl status apache2.service
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2018-11-23 09:05:56 UTC; 16s ago
Process: 9504 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
Process: 9511 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 9516 (apache2)
Tasks: 6 (limit: 4915)
CGroup: /system.slice/apache2.service
├─9516 /usr/sbin/apache2 -k start
├─9517 /usr/sbin/apache2 -k start
├─9518 /usr/sbin/apache2 -k start
├─9519 /usr/sbin/apache2 -k start
├─9520 /usr/sbin/apache2 -k start
└─9521 /usr/sbin/apache2 -k start
Nov 23 09:05:56 deb9 systemd[1]: Starting The Apache HTTP Server...
Open http://ossec.example.com in your web browser and authenticate to the dashboard.
On Login. you should get a page like below:
This marks the end of install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 article.
References:
