I’ve recently added two more servers to my ever growing network at WP Hosting. To prevent an attack by those scumbags from Hacker Land, I’ve been relying on the amazing OSSEC Host Intrusion Detection System.
Even though the OSSEC website is great, I always forget the simple steps that are involved in getting it up and running on a brand new server. Here are the steps that work for me.
At the time of writing, OSSEC HIDS is at version 2.6, so these instructions may be outdated by the time you read this. Please bear that in mind.
To get OSSEC working, we’ll need a couple of tools installed: the GCC compiler and the make utility. Let’s install those first:
yum install gcc
yum install make
Excellent! This should mean OSSEC will install without hiccups.
Next let’s get OSSEC onto the local machine. Let’s download it – perhaps into a temp directory of your choice:
Now let’s unTAR it using this command:
tar -zxvf ossec*
Change into the OSSEC directory using cd ossec* and run
Configuration and Setup
All we need to do now is decide whether OSSEC runs as the main analysis server (server), an agent that’s being analysed by the server (agent) or a standalone system not attached to a bigger network (local). Note that the server analyses its own logs as well as the agents’ logs.
The default values are the ones you want to use so just hit enter several times. Have the server’s IP address handy when you’re installing new agents.
Setting up your Agents
You’ll have to tell your Server about new Agents. Run the following command on your Server to do this – have your Agent’s IP addresses ready:
Servers are also known as “Managers” nowadays; I still call them Servers as that’s the way I learnt it back in the day. Select the (A)dd Agent option, give each a catchy name and enter its IP address. Do this for every Agent you have.
Next, extract the key for each Agent on the Server and import it on the relevant Agent by running the same command there. To do this, have two terminal windows open – one for the Server and one for the Agent.
Once done, make sure the OSSEC daemon is restarted using
service ossec restart
Check if the Server can talk to the Agents
Let’s check if all the hard work is paying off by checking the logs:
tail -50 /var/ossec/logs/ossec.log
Pay close attention to the ossec.conf file by checking it here:
Note that for security it is read-only by default (chmod 400) and OSSEC will give you a warning if you leave it writable for longer than you need to.
Troubleshooting and FAQs
If the OSSEC Server can’t communicate with the Agents, chances are that the receiving firewall is blocking incoming traffic on UDP port 1514. Open it up in both directions so the two can communicate.
Here’s a handy guide on how to fix duplicate errors should this ever be a problem. Also pay close attention to the Server IP address in the ossec.conf file. For some reason mine were pointing to an older server even though I asked OSSEC for a clean install rather than an upgrade.
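To make the log check, the ossec.conf permission check and the stale Server IP problem above repeatable, here is a small POSIX shell script I’d run after every install. It is an added example, not part of OSSEC itself; the ossec.conf fragment, the log lines and the Server IP 192.0.2.10 are constructed samples, and in real use you would point the functions at /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log instead.

```shell
#!/bin/sh
# Post-install sanity checks for an OSSEC 2.6 Agent (added example).
# Every function takes its input file as an argument so it can be run
# against the constructed samples below or against the real /var/ossec files.

# Constructed sample of an Agent's ossec.conf pointing at a hypothetical Server.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
</ossec_config>
EOF
chmod 400 "$SAMPLE_CONF"

# Constructed sample of the lines an Agent writes to ossec.log on start-up.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2012/05/01 10:00:01 ossec-agentd(1410): INFO: Reading authentication keys file.
2012/05/01 10:00:01 ossec-agentd: INFO: Trying to connect to server (192.0.2.10:1514).
2012/05/01 10:00:01 ossec-agentd(4102): INFO: Connected to the server (192.0.2.10:1514).
EOF

# 1) ossec.conf must be mode 400 (owner read-only), otherwise OSSEC warns.
#    ls -l is used instead of stat so the check is the same on any POSIX system.
conf_mode_ok() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# 2) Pull the <server-ip> out of the Agent's ossec.conf so it can be compared
#    with the current Server; a stale value here is the reinstall problem above.
conf_server_ip() {
  sed -n 's/.*<server-ip>\([^<]*\)<\/server-ip>.*/\1/p' "$1" | head -n 1
}

# 3) Success is the "Connected to the server" line. A "Trying to connect" with
#    no "Connected" afterwards usually means UDP 1514 is blocked by a firewall.
agent_connected() {
  grep -q 'Connected to the server' "$1"
}

# Run the three checks against the samples; replace with the real paths in use.
conf_mode_ok "$SAMPLE_CONF" && echo "ossec.conf is read-only (400)"
echo "Agent points at Server: $(conf_server_ip "$SAMPLE_CONF")"
agent_connected "$SAMPLE_LOG" && echo "Agent reached the Server on UDP 1514"
```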
Other than that there’s the fabulous OSSEC Website for more tips and tricks – plus the best piece of documentation that has ever been written, dubbed The OSSEC Bible, available both for Kindle and in print.