How to install OSSEC HIDS on CentOS 6 and 7

Remote computers are under constant attack by Evil Dudes – that’s especially true for Linux servers. To prevent such attacks by Evil Dudes from Hacker Land, I’ve been relying on the amazing OSSEC Host Intrusion Detection System on all my machines.

Even though the OSSEC website is great, I always forget the simple steps that are involved in getting it up and running on a brand new server. Here are the steps that work for me.

I originally wrote this article in 2011 for OSSEC 2.6, but I’ve just updated and tested the instructions again with OSSEC 2.8.1 on CentOS 7. It’s my go-to guide on how to get OSSEC up and running. However, by the time you read this it may all be completely out of date – please bear that in mind. Thanks 😉

Prep Work

To get the OSSEC installation script to work, we’ll need a couple of tools on our system: the GCC compiler and the make command. These may already be present, but in case they’re not, let’s install them with

Excellent! This should mean OSSEC will install without hiccups.

Install OSSEC

Next let’s get OSSEC onto the local machine. Let’s download it – perhaps into a temp directory of your choice (the download link will likely have changed by the time you read this – head over to ossec.net to see what the latest version is):

Now let’s unTAR it using this command:

Change into the OSSEC directory using cd ossec* and run

Configuration and Setup

We need to decide whether OSSEC runs as the main analysis server (server), an agent that’s being analysed by the server (agent) or if this is a standalone system not attached to a bigger network (local). Note that the server also analyses its own logs as well as the agent’s logs.

The default values are the ones you want to use so just hit enter several times. Have the server’s IP address handy when you’re installing new agents.

Setting up your Agents

This step is optional, in case you want to run OSSEC as part of a network of servers. Skip ahead if you’re not using this feature.

You’ll have to tell your Server about new Agents. Run the following command on your Server to do this – have your Agents’ IP addresses ready:

Servers are also known as “Managers” nowadays; I still call them Servers as that’s the way I learnt it back in the day. Select the (A)dd Agent option, give each a catchy name and enter its IP address. Do this for every Agent you have.

Next extract the key for each agent and add it to the relevant agent by running the above command. To do this, have two terminal windows open – one for the Server and one for the Agent.

Once done, make sure the OSSEC daemon is restarted using

Check if the Server can talk to the Agents

Let’s check if all the hard work is paying off by checking the logs:

Pay close attention to the ossec.conf file by checking it here:

Note that for security it is read-only by default (chmod 400), and OSSEC will give you a warning if you leave it writable for longer than you need to.

Avoiding Repeat Offenders

OSSEC will block attacks every time they happen, but if a persistent attacker tries something a million times he will eventually succeed. OSSEC has a great feature to avoid this: the ability to remember an Evil Dude’s IP address and block it for increasingly long durations. It’s called Repeated Offenders.

This lets you specify how long an IP is banned for (in minutes) and increase the interval as attacks proceed. Sadly the option is not enabled by default.

To add it manually, open

and find the Active Response section. In those active response tags, add the following:

This will block Evil Dude first for 30 minutes, then for 60, and so forth. The reason you don’t block an offender for 120 years straight away is that there’s always the possibility of a false positive, and whoever triggered it (he/she/you) would have to wait that long before getting another chance. Once added, restart OSSEC.

Note that you need to add this on every agent. Last time I checked the Repeat Offenders option is not governed by an OSSEC server.
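The two checks above (that every active-response block carries an escalating repeated_offenders list, and that ossec.conf is left at mode 400) can be audited in a few lines. This is an added example, not part of the original article or of OSSEC itself; the sample configuration is constructed, and the only non-obvious assumption is that ossec.conf may contain several top-level <ossec_config> elements, which is why the text is wrapped before parsing.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment (not taken from a real server).
# A real ossec.conf often holds more than one top-level <ossec_config>
# block, so it is not a single well-formed XML document on its own.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120,3600</repeated_offenders>
  </active-response>
</ossec_config>
"""

def parse_ossec_conf(text):
    """Parse ossec.conf text that may contain several <ossec_config> roots."""
    return ET.fromstring("<root>" + text + "</root>")

def audit_active_responses(text):
    """One record per <active-response>: the command, the repeated_offenders
    minutes (empty if the option is missing) and whether they strictly escalate."""
    results = []
    for ar in parse_ossec_conf(text).iter("active-response"):
        raw = ar.findtext("repeated_offenders")
        mins = [int(m) for m in raw.split(",")] if raw else []
        escalating = bool(mins) and all(a < b for a, b in zip(mins, mins[1:]))
        results.append({"command": ar.findtext("command", default="?"),
                        "repeated_offenders": mins, "escalating": escalating})
    return results

def conf_is_read_only(mode):
    """True when the permission bits are exactly 0400, as OSSEC expects."""
    return stat.S_IMODE(mode) == 0o400

if __name__ == "__main__":
    for record in audit_active_responses(SAMPLE_CONF):
        print(record)  # the host-deny block is reported as not escalating
    print("mode ok:", conf_is_read_only(os.stat(__file__).st_mode))
```

Run it against the real file by reading /var/ossec/etc/ossec.conf into audit_active_responses and passing its st_mode to conf_is_read_only.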

Starting and stopping OSSEC

You can start, stop and restart OSSEC with the following commands:

On CentOS 7 you can also use the systemctl command like so:

Alternatively you can execute an OSSEC script directly for such actions – handy if none of the above work on your distribution:

Where are the OSSEC Log Files?

I keep forgetting this time and time again: they’re not in the usual place with all the other logs. Instead, they’re in the OSSEC directory:

For live log output, try tail -f

Troubleshooting and FAQs

The first port of call is the OSSEC log files (see above). These hold vital clues as to why OSSEC can’t do what it promised you. If you don’t see any log files, or if OSSEC isn’t even running (see status), consider checking your installation. Run the installation script again and watch for error messages.

If an installation via yum doesn’t work for you, try installing it from source. I’ve had nothing but bad luck with the yum installation.

If the OSSEC Server can’t communicate with the Agents, chances are that the receiving firewall is blocking incoming traffic on UDP port 1514. Open it up in both directions so the two can communicate.

Here’s a handy guide on how to fix duplicate errors should this ever be a problem. Also pay close attention to the Server IP address in the ossec.conf file. For some reason mine were pointing to an older server even though I asked OSSEC for a clean install rather than an upgrade.

Other than that there’s the fabulous OSSEC Website for more tips and tricks – plus the best piece of documentation that has ever been written, dubbed The OSSEC Bible, available both for Kindle and in print.

Jay is the CEO and founder of WP Hosting, a boutique style managed WordPress hosting and support service. He has been working with Plesk since version 9 and is a qualified Parallels Automation Professional. In his spare time he likes to develop iOS apps and WordPress plugins, or draw on tablet devices. He blogs about his coding journey at http://wpguru.co.uk and http://pinkstone.co.uk.

9 thoughts on “How to install OSSEC HIDS on CentOS 6 and 7”

  1. Update March 2014

    Quick update many years after I first published this article: OSSEC has recently moved to GitHub: http://www.ossec.net/?p=1022

    OSSEC is now also available as an rpm package thanks to Scott and his wonderful team at Atomicorp: http://www5.atomicorp.com/channels/ossec/centos/6/x86_64/RPMS/

    First you need to add the Atomic Repo to your installation:

    Now OSSEC can be installed with

    Once installed you need to run a setup script which will guide you through the configuration process:

    NOTE: I must admit that the yum installation didn’t work for me under CentOS 7: the ossec-control script is missing and OSSEC doesn’t want to start.

  2. UPDATE NOVEMBER 2014

    I’ve added some more goodies to the article, such as

    • start/stop commands
    • log file locations
    • repeat offenders section
    • more troubleshooting tips

    I’ve also tested the instructions on CentOS 7.

  3. Question:

    I followed your (excellent) ref on how to install an OSSEC agent on a CentOS box (mine 6.5).

    Just wanted to ask – is it best practice to disable (or uninstall (?)) “gcc” after the install? Will it break the OSSEC agent?

    Thanks.

    1. Hi Garret,

      glad to hear my instructions were helpful! GCC is not needed anymore after the initial build and installation (much like make). There are adverse effects should you wish to uninstall them. At the same time, it doesn’t hurt to keep them around either. For example, when a new version of OSSEC is available, you’ll have to compile it again, so at that point you’d need GCC and make again. It’s a personal preference really.

      All the best!

  4. Hello,

    I have installed ossec-hids from atomicorp on CentOS 7. But I also do not have the ossec-control script and none of the service files to start or stop it. Also the systemd service is missing… Any ideas?

    1. Hi Abby, I’ve never understood how to install OSSEC via yum, hence I recommend compiling from source. If items are missing from the yum installation, note that there are several ossec packages, not just one:

      So simply calling “yum install ossec-hids” may not be enough. I don’t even know what that would install – the agent perhaps? Who can tell. Try “yum install ossec-hids-server”, perhaps that will bring the missing files in.

      Good luck 😉

  5. In the meantime I figured it out. ossec-hids has common files required for all the packages, you can see it with yum info after the package is installed. For local/server installation, ossec-hids-server is also needed.

    In the end, it works, but ossec complains something about:
    ERROR: Queue ‘/queue/alerts/ar’ not accessible: ‘Queue not found’.
    And here they say http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#check-queue-alerts-ar
    that ossec-remoted should be started. But this is a local install and that daemon is not running and also I cannot start them. Active response works but alerts for them are not arriving, obviously because of the stated ERROR in the log. Maybe the problem is in the atomicorp packages, will try with tar.gz.

    Btw. they should really restructure the whole documentation for the project, it is poorly written and incomplete…

    Thanks for the info 🙂

  6. Hey thanks for the tutorial, I have one question. You state to add this

        <active-response>                                   <!-- don’t add this -->
          <repeated_offenders>30,60,120,3600</repeated_offenders>
        </active-response>                                  <!-- and don’t add this -->

    However when looking through the file I notice two sections for this

        <active-response>
          <!-- ... level (severity) >= 6.
             - The IP is going to be blocked for 600 seconds.
            -->
          <command>host-deny</command>
          <location>local</location>
          <level>6</level>
          <timeout>600</timeout>
        </active-response>

        <active-response>
          <command>firewall-drop</command>
          <location>local</location>
          <level>6</level>
          <timeout>600</timeout>
        </active-response>

    So basically I’m asking which part should I be adding to?

    1. Hi Trax,

      you must find a section that begins with <active-response> and ends with </active-response>. Add the repeated offender line anywhere in that section.
