Tuesday, February 26, 2013

OSSEC: Host-Based Intrusion Detection In Linux (RedHat Families)

Hello Everybody,
Today I would like to talk about a very interesting tool called OSSEC. OSSEC is a host-based intrusion detection system (HIDS): it detects intrusions and attempted intrusions on the hosts it runs on. OSSEC is free software under the GNU General Public License and is available for Linux, Windows, Solaris, HP-UX and AIX.

OSSEC provides the following services:

1. Log analysis
2. Rootkit detection
3. File integrity checking
4. Policy monitoring
5. Real-time and time-based alerting
6. Active response

So you can activate OSSEC on your servers and, because it monitors them continuously, it will send you alerts or take an action you have configured, according to a set of rules, when something goes wrong. It's like a 24/7 bodyguard for your servers.

OSSEC has two important elements:
1. OSSEC Manager (Server)
2. OSSEC Agent (Client)


The OSSEC manager stores all data related to file integrity checking, logs, events, rules and configuration options for the entire network. Each agent connects to the manager and forwards the logs and integrity data it collects, whatever its operating system. All communication between agents and the manager is encrypted (UDP port 1514 by default) with a pre-shared key; you generate one key per agent on the manager and import it on the agent, as explained below.

OSSEC Server Installation
Unfortunately OSSEC is not in the stock RedHat/CentOS repositories, so you can't install it with yum; you need to build it from source. The install script compiles OSSEC, so make sure gcc and make are installed first (yum install gcc make). Log in to the machine that will be the OSSEC server and download the source tarball, for example with wget:

wget http://ossec.net/files/ossec-hids-latest.tar.gz

(Figure 1)

The download is plain HTTP and the file name says "latest" rather than a version, so before running anything as root compare the tarball's checksum with the checksum file published alongside the release on ossec.net. Then extract the archive with tar:
tar -zxvf ossec-hids-latest.tar.gz

Change into the extracted directory:
cd ossec-hids-*

Run the install.sh script (as root) to start the OSSEC installation:
./install.sh


(Figure 2)


Type "server" and press Enter (Figure 3).
Press Enter again to accept the default installation directory, /var/ossec (Figure 3).

(Figure 3)

Type "y" to enable e-mail notifications and then enter your e-mail address. For a test without an SMTP server, the easiest choice is the local root mailbox, in this case root@localhost.localdomain.
Enter 127.0.0.1 as the IP of your SMTP server (this needs a local MTA such as Postfix or Sendmail listening on port 25); if you have a real SMTP server, change it accordingly (Figure 4).
Enter "y" to run the integrity check daemon, syscheck (Figure 4).
Enter "y" to run the rootkit detection engine, rootcheck (Figure 4).
Enter "y" to enable active response (Figure 4).
Enter "y" to enable the firewall-drop response, which adds an iptables rule blocking the source address of a high-level alert (Figure 4).

(Figure 4)

The white list is up to you. Addresses on it are never blocked by active response, so if you answer "y" add at least the workstation you administer the server from; otherwise a few failed logins of your own can lock you out. In this case I entered "n" (Figure 5).
Enter "y" to enable remote syslog, which lets the server accept syslog messages from devices that can't run an agent (Figure 5).

(Figure 5)

Take a look at the notes the installer prints before it finishes. They are self-explanatory.

(Figure 6)
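The same server installation can be done unattended, which is what you want when rolling OSSEC out to more than one box. The script below is an added example and not part of the original post or of OSSEC itself. It assumes an OSSEC 2.x source tarball, whose install.sh reads the answers from etc/preloaded-vars.conf when that file exists (the variable names below come from the commented template shipped in the 2.x source tree; check the template in your version), and it assumes you have the release's SHA-256 from the checksum file published with the download. The answers written for the "server" type are exactly the ones given in the walkthrough above.

```shell
#!/bin/sh
# Added example: unattended OSSEC install with a checksum gate.
# Assumptions: OSSEC 2.x source tree (install.sh honours etc/preloaded-vars.conf),
# sha256sum available, expected digest taken from the release checksum file.
set -eu

# Write the answers install.sh would otherwise prompt for.
# $1 = path of preloaded-vars.conf, $2 = "server" or "agent",
# $3 = e-mail address (server) or manager IP (agent)
write_preloaded_vars() {
    case "$2" in
        server)
            cat > "$1" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="server"
USER_DIR="/var/ossec"
USER_ENABLE_EMAIL="y"
USER_EMAIL_ADDRESS="$3"
USER_EMAIL_SMTP="127.0.0.1"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_FIREWALL_RESPONSE="y"
USER_ENABLE_SYSLOG="y"
EOF
            ;;
        agent)
            cat > "$1" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_AGENT_SERVER_IP="$3"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
EOF
            ;;
        *)
            echo "unknown install type: $2" >&2
            return 1
            ;;
    esac
}

# Return 0 only if the tarball's SHA-256 equals the published digest.
# $1 = tarball, $2 = expected hex digest
verify_tarball() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Verify, unpack, drop the answers into the source tree and run install.sh.
# $1 = tarball, $2 = expected SHA-256, $3 = install type, $4 = e-mail or manager IP
install_ossec() {
    verify_tarball "$1" "$2" || {
        echo "checksum mismatch for $1, refusing to install" >&2
        return 1
    }
    tar -zxf "$1"
    srcdir=$(tar -tzf "$1" | head -1 | cut -d/ -f1)   # e.g. ossec-hids-<version>
    write_preloaded_vars "$srcdir/etc/preloaded-vars.conf" "$3" "$4"
    (cd "$srcdir" && ./install.sh)
}

# Usage, as root, with the tarball already downloaded:
#   sh thisscript.sh ossec-hids-latest.tar.gz <sha256 from checksum file> server root@localhost.localdomain
if [ "$#" -ge 4 ]; then
    install_ossec "$@"
fi
```

The checksum gate is the important part: install.sh runs as root and compiles and installs whatever is in the tarball, so a tampered download becomes a root compromise. For the agent type, pass the manager's IP as the fourth argument instead of an e-mail address.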

As the installer's notes say (Figure 7), start OSSEC with /var/ossec/bin/ossec-control start, then run /var/ossec/bin/manage_agents to add agents.

(Figure 7)

Select "A" to add an agent (Figure 8).
Type a unique name for the new agent, in this case MyRemoteTestMachine (Figure 8).
Enter the IP address of the OSSEC agent (client) (Figure 8).
Enter "y" to confirm adding the agent (Figure 8). Note the agent id, 001.

(Figure 8)

Now enter "E" to extract the key for an agent (Figure 9).
Enter the agent id, in this case 001 (Figure 9).
Copy the generated key somewhere safe; it is a single long base64 string and we need it later to import into the OSSEC agent. It is the shared secret that authenticates and encrypts that agent's traffic, so treat it like a password.

(Figure 9)


OSSEC Agent installation (Client)
As on the server, download, extract and run the installation script on the client (Figure 10).
This time select "agent" and accept the default installation path (Figure 10).
Enter the IP of the OSSEC server (Figure 10).

(Figure 10)

Enter "y" for running the integrity check daemon, the rootkit detection engine and active response (Figure 11).

(Figure 11)

Take a look at the installer's notes now (Figure 12).

(Figure 12)

Run /var/ossec/bin/manage_agents to import the key (Figure 13).
Select "I", paste the key and confirm it (Figure 13). Move the key between the two machines over a trusted channel such as ssh/scp, not by e-mail or chat.

Open port 1514 (UDP) on the server if there is a firewall between the server and the agents (not applicable to the local installation type). The rule below accepts from any source; add -s <agent address or subnet> to restrict it, and on RHEL/CentOS 6 run "service iptables save" so it survives a reboot:
iptables -I INPUT -p udp --dport 1514 -j ACCEPT

After you have made these changes, restart the OSSEC server (so it reads the new client.keys) and then the OSSEC agent:
/var/ossec/bin/ossec-control restart

On the server, /var/ossec/bin/agent_control -l should now list the agent as Active. If it stays Disconnected or Never connected, the usual causes are the firewall, a key that doesn't match, or a wrong server IP in the agent's ossec.conf.
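The enrolment steps above (add the agent and extract its key on the manager, import the key on the agent, open the port, restart) can be scripted, and the key itself can be checked before it is imported. The block below is an added example, not code from the post or from the OSSEC project. It assumes a 2.x manage_agents with the -a/-n/-e/-i command-line switches (run manage_agents -h on your release to confirm), the default /var/ossec prefix, and the agent id 001 used above. The check relies on the fact that the exported key is simply the agent's line from /var/ossec/etc/client.keys, "<id> <name> <ip> <secret>", base64-encoded; the demo key at the bottom is constructed from a made-up line of that form.

```shell
#!/bin/sh
# Added example: scripted OSSEC agent enrolment with a key sanity check.
# Assumptions: OSSEC 2.x manage_agents with -a/-n/-e/-i switches, /var/ossec prefix,
# GNU base64. Not part of the original post.
set -eu
OSSEC=/var/ossec

# The exported key is base64("<id> <name> <ip> <secret>"). Print id, name and ip.
key_fields() {                       # $1 = exported key
    printf '%s' "$1" | base64 -d | awk '{print $1, $2, $3}'
}

# Refuse a key whose embedded id/name/ip are not the agent being enrolled,
# so a blob pasted from the wrong terminal window is caught before import.
key_matches() {                      # $1 = key, $2 = id, $3 = name, $4 = ip
    [ "$(key_fields "$1")" = "$2 $3 $4" ]
}

# Manager side, as root: register the agent, restrict port 1514 to it,
# print its key, and restart so ossec-remoted picks up the new client.keys.
server_enrol() {                     # $1 = agent name, $2 = agent ip, $3 = agent id
    "$OSSEC/bin/manage_agents" -a "$2" -n "$1"
    iptables -I INPUT -p udp -s "$2" --dport 1514 -j ACCEPT
    "$OSSEC/bin/manage_agents" -e "$3"   # prints the key; carry it over ssh, not mail
    "$OSSEC/bin/ossec-control" restart
}

# Agent side, as root: verify the key belongs to this host, import, restart.
agent_enrol() {                      # $1 = key, $2 = id, $3 = name, $4 = ip
    key_matches "$1" "$2" "$3" "$4" || {
        echo "key does not belong to agent $2/$3/$4, not importing" >&2
        return 1
    }
    "$OSSEC/bin/manage_agents" -i "$1"
    "$OSSEC/bin/ossec-control" restart
}

# Constructed demo key (base64 of a made-up client.keys line) so this file
# runs stand-alone; a real key comes from server_enrol.
DEMO_KEY=$(printf '001 MyRemoteTestMachine 192.168.56.20 6f1d2c3b4a5968778695a4b3c2d1e0ff0123456789abcdef0123456789abcdef' \
           | base64 | tr -d '\n')
key_fields "$DEMO_KEY"               # 001 MyRemoteTestMachine 192.168.56.20
```

Run server_enrol on the manager, copy the printed key to the client with scp, then run agent_enrol there with the same id, name and IP; the key_matches check fails closed, so a key for a different agent, or one corrupted in transit, never reaches client.keys.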



Testing OSSEC
To test the configured OSSEC, try to log in as root with an incorrect password on the client (Figure 14). By default the server only e-mails alerts of level 7 and above (email_alert_level in ossec.conf), and a single failed login usually fires a lower-level rule, so repeat the attempt a few times if no mail arrives. Alerts of level 1 and above (log_alert_level) are always written to /var/ossec/logs/alerts/alerts.log on the server, which is the first place to look.

(Figure 14)

Now go to the OSSEC server, log in as root and read your mail with the mail command (Figure 15).

(Figure 15)

Open the e-mail and see the notification (Figure 16).

(Figure 16)

The majority of the configuration is stored on the server in /var/ossec/etc/ossec.conf; each agent has its own copy of the file for its local settings.
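To see why one failed login and six failed logins behave differently, here is the counting the server's rules do, run over a few constructed /var/log/secure lines. This is an added example, not OSSEC code and not from the post: OSSEC decodes the line, extracts the source address, and escalates once the same source trips the rule often enough in a time window. The threshold of six failures is the one I recall from the stock sshd brute-force rule; confirm it in /var/ossec/rules/sshd_rules.xml on your install. The log lines are made up and all fall inside one window, so the example counts without parsing timestamps.

```shell
#!/bin/sh
# Added example: per-source counting of sshd failures over constructed log lines,
# mirroring the frequency escalation in OSSEC's sshd rules. Not from the post.
set -eu

# Constructed sample: six failures from 10.0.0.5, one from 10.0.0.9, one success.
SAMPLE_LOG='Feb 26 10:01:02 client sshd[2301]: Failed password for root from 10.0.0.5 port 50112 ssh2
Feb 26 10:01:05 client sshd[2303]: Failed password for root from 10.0.0.5 port 50114 ssh2
Feb 26 10:01:07 client sshd[2305]: Failed password for invalid user admin from 10.0.0.5 port 50118 ssh2
Feb 26 10:01:09 client sshd[2307]: Failed password for root from 10.0.0.5 port 50120 ssh2
Feb 26 10:01:11 client sshd[2309]: Failed password for root from 10.0.0.5 port 50124 ssh2
Feb 26 10:01:12 client sshd[2310]: Accepted password for khosro from 10.0.0.9 port 50130 ssh2
Feb 26 10:01:14 client sshd[2311]: Failed password for root from 10.0.0.5 port 50126 ssh2
Feb 26 10:01:30 client sshd[2320]: Failed password for root from 10.0.0.9 port 50140 ssh2'

# Print "<count> <srcip>" for every address with at least one sshd failure,
# most failures first. Reads log lines on stdin. The "from" token is located
# by position so "invalid user" lines count like plain ones.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print the addresses whose failure count reached the brute-force threshold;
# these are the ones the firewall-drop response would block.
brute_force_sources() {              # $1 = threshold; reads log lines on stdin
    failed_logins_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source   # 6 10.0.0.5 / 1 10.0.0.9
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 6      # 10.0.0.5
```

Feed real lines in with tail -n 200 /var/log/secure | brute_force_sources 6 on the client to confirm the pattern OSSEC is looking for is actually present in the log before chasing the alert pipeline.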

Conclusion
OSSEC is a host-based intrusion detection system (HIDS). OSSEC is free software and is available as source code under the GNU General Public License. OSSEC runs on the systems of interest and monitors their activity. It can send alerts or take action according to a set of rules that you configure.

Hope you enjoyed.
Khosro Taraghi

5 comments:

  1. Great post! Thank you. I am in the process of installing OSSEC on Oracle Linux and need to get GCC installed. Any assistance please.


    Sunny

    ReplyDelete
  4. We interviewed the developer of OSSEC HIDS - thought you'd be interested to read their comments:

    https://www.concise-courses.com/interview-sucuri-cofounder-creator-ossec-hids/

    ReplyDelete