Defense in Depth using OSSEC and other free tools

Russ McRee wrote an excellent article about OSSEC for the October 2009 issue of ISSA Journal. (Disclaimer: I contributed to the article.) He then went into some further detail on his blog.

In a recent SANS 401 Mentor session, I used OSSEC in my demo of building a secure webserver using defense-in-depth principles. My rough notes can be found below. All software is freely available and the whole process can be done in under an hour. Once completed, OSSEC will be monitoring all system logs (SSH, Apache, mod_security, iptables, Wordpress) and optionally providing Active Response, blocking attackers' source IP addresses.

# Base install of CentOS 5.4
# Reboot
# Allow SSH and HTTP in firewall
yum -y update && reboot
# Add EPEL repo
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
vi /etc/yum.repos.d/epel.repo
#add this line:
includepkgs=mod_security* lua* alpine* wordpress*
# Install CMS, web server, and database
yum -y install wordpress mysql-server
# Set services to start on boot and start them now
for i in httpd mysqld
do
chkconfig $i on
service $i start
done

# Secure the database
/usr/bin/mysql_secure_installation
mysql -p
create database wordpress;
grant all privileges on wordpress.* to wordpress@localhost identified by 'MyStrongPassphrase';
flush privileges;
exit
vi /etc/wordpress/wp-config.php
# Configure for wordpress database just created
# Test Wordpress
# Look at logs in /var/log/

# Wordpress --> Syslog
cd /usr/share/wordpress/wp-content/plugins
wget http://www.ossec.net/files/other/wpsyslog2.tar.gz
tar zxvf wpsyslog2.tar.gz
# Wordpress admin interface --> activate WPsyslog2 plugin
# Test logging into Wordpress, creating/deleting posts, verify logging

# Firewall logging
iptables -I RH-Firewall-1-INPUT 11 -j LOG --log-prefix="DROP "
service iptables save
# Test firewall logging (nmap)

# WAF (Web Application Firewall)
yum -y install mod_security
service httpd restart
# Test WAF by accessing site by IP address instead of hostname
# Test WAF by trying to do an /etc/passwd attack
# Look at rules in /etc/httpd/modsecurity.d/

# NIDS (Network Intrusion Detection System)
yum -y install alpine perl-libwww-perl libpcap-devel pcre-devel gcc
# Download Snort:
cd /usr/local/src/
mkdir snort && cd snort
wget http://dl.snort.org/snort-current/snort-2.8.5.2.tar.gz
tar zxvf snort-2.8.5.2.tar.gz
cd snort-2.8.5.2
./configure && make && make install
mkdir -p /etc/snort/rules
cd etc
cp * /etc/snort/
mkdir /var/log/snort
adduser snort
passwd -l snort
chown snort:snort /var/log/snort
# Download PulledPork:
cd /usr/local/src/
mkdir pulledpork && cd pulledpork
wget http://pulledpork.googlecode.com/files/pulledpork-0.3.4.tar.gz
tar zxvf pulledpork-0.3.4.tar.gz
cd pulledpork-0.3.4
vi pulledpork.conf
oinkcode=InsertYourOinkcodeHere
tar_path=/bin/tar
rule_path=/etc/snort/rules/
sid_msg=/etc/snort/sid-msg.map
sid_changelog=/var/log/snort/sid_changes.log
#sorule_path=/usr/local/lib/snort_dynamicrules/
config_path=/etc/snort/snort.conf
distro=CentOS-5.0
chmod +x pulledpork.pl
./pulledpork.pl -c pulledpork.conf
vi /etc/snort/snort.conf
var RULE_PATH /etc/snort/rules
#include local.rules
# Test run
/usr/local/bin/snort -i eth1 -c /etc/snort/snort.conf -u snort -g snort
# Daemon mode
/usr/local/bin/snort -i eth1 -c /etc/snort/snort.conf -u snort -g snort -D
# Start at boot
echo "/usr/local/bin/snort -i eth1 -c /etc/snort/snort.conf -u snort -g snort -D" >> /etc/rc.local
# Test Snort with idswakeup and verify logs in /var/log/snort/

# HIDS (Host Intrusion Detection System)
cd /usr/local/src/
mkdir ossec
wget http://www.ossec.net/files/ossec-hids-2.3.tar.gz
tar zxvf ossec-hids-2.3.tar.gz
cd ossec-hids-2.3
./install.sh
# Local installation
# Email to root@localhost
# Enable Active Response, whitelist host IP
service ossec start
# Test HIDS alerting
# Test OSSEC Active Response using nmap, idswakeup, SSH brute force, Wordpress brute force
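The HIDS step above leaves OSSEC watching the SSH, iptables and Wordpress logs and, with Active Response enabled, blocking a source IP once a rule fires often enough. What that looks like in the log data is easy to lose behind the install script, so here is an added example (mine, not part of the original notes and not OSSEC's own code) that models an OSSEC frequency/timeframe rule and the firewall-drop response in POSIX shell and awk. It assumes the CentOS syslog format for sshd "Failed password" lines and the "DROP " prefix configured in the firewall step; every log line in it is constructed for the demonstration, and the iptables commands are printed rather than executed. A real deployment expresses the same thing in OSSEC's rules XML and the white_list entry in ossec.conf, which is the "whitelist host IP" prompt during install.sh.

```shell
#!/bin/sh
# Added example, not from the original notes or from OSSEC: a small log
# correlator that behaves like an OSSEC "frequency" rule, plus the
# firewall-drop active response in dry-run form. Assumed log formats:
# CentOS syslog lines from sshd ("Failed password ... from <ip>") and from
# the iptables LOG rule with the "DROP " prefix set up earlier.

# correlate <logfile> <threshold> <window_seconds>
# Prints "<ip> <peak_count>" for every source IP that produced at least
# <threshold> matching events inside any <window_seconds> sliding window.
correlate() {
    awk -v thr="$2" -v win="$3" '
    # seconds since midnight from the HH:MM:SS field; day rollover is ignored
    function secs(hms,  p) { split(hms, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }

    {
        ip = ""
        if ($0 ~ /sshd\[[0-9]+\]: Failed password/) {
            # sshd: "Failed password for [invalid user] <user> from <ip> port <n> ssh2"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        } else if ($0 ~ /kernel: DROP /) {
            # iptables LOG line: "kernel: DROP IN=eth0 OUT= SRC=<ip> DST=..."
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) ip = substr($i, 5)
        }
        if (ip == "") next          # anything else is not an event we count

        t = secs($3)
        n[ip]++
        ts[ip, n[ip]] = t
        # slide the window: discard events older than win seconds
        while (t - ts[ip, head[ip] + 1] > win) head[ip]++
        c = n[ip] - head[ip]
        if (c > peak[ip]) peak[ip] = c
    }
    END { for (ip in peak) if (peak[ip] >= thr) print ip, peak[ip] }
    ' "$1" | LC_ALL=C sort
}

# block_commands [whitelisted_ip]
# Reads "<ip> <count>" lines from correlate and prints the iptables command
# the firewall-drop response would run, skipping the whitelisted host so
# the monitoring box cannot lock out its own admin.
block_commands() {
    while read -r ip count; do
        [ "$ip" = "$1" ] && continue
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Constructed sample log (not real traffic): an SSH brute force from
# 10.0.0.5, a port scan dropped by the firewall from 192.0.2.9, a burst of
# mistyped passwords from the admin host 10.0.0.7, and slow failures from
# 198.51.100.4 that never reach the rate inside one window.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Nov 14 10:00:01 web1 sshd[2211]: Failed password for invalid user admin from 10.0.0.5 port 4022 ssh2
Nov 14 10:00:03 web1 sshd[2211]: Failed password for invalid user admin from 10.0.0.5 port 4023 ssh2
Nov 14 10:00:05 web1 sshd[2213]: Failed password for root from 10.0.0.5 port 4024 ssh2
Nov 14 10:00:06 web1 kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.2 PROTO=TCP SPT=40000 DPT=23
Nov 14 10:00:07 web1 sshd[2215]: Failed password for root from 10.0.0.5 port 4025 ssh2
Nov 14 10:00:08 web1 kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.2 PROTO=TCP SPT=40001 DPT=25
Nov 14 10:00:09 web1 sshd[2220]: Failed password for bob from 10.0.0.7 port 5000 ssh2
Nov 14 10:00:10 web1 kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.2 PROTO=TCP SPT=40002 DPT=110
Nov 14 10:00:12 web1 kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.2 PROTO=TCP SPT=40003 DPT=143
Nov 14 10:00:13 web1 sshd[2221]: Failed password for bob from 10.0.0.7 port 5001 ssh2
Nov 14 10:00:14 web1 kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.2 PROTO=TCP SPT=40004 DPT=3306
Nov 14 10:00:17 web1 sshd[2222]: Failed password for bob from 10.0.0.7 port 5002 ssh2
Nov 14 10:00:21 web1 sshd[2223]: Failed password for bob from 10.0.0.7 port 5003 ssh2
Nov 14 10:00:25 web1 sshd[2224]: Accepted password for bob from 10.0.0.7 port 5004 ssh2
Nov 14 10:02:09 web1 sshd[2230]: Failed password for bob from 198.51.100.4 port 6001 ssh2
Nov 14 10:04:09 web1 sshd[2240]: Failed password for bob from 198.51.100.4 port 6002 ssh2
Nov 14 10:06:09 web1 sshd[2250]: Failed password for bob from 198.51.100.4 port 6003 ssh2
EOF

# Four events within 60 seconds trips the rule, the equivalent of
# frequency="4" timeframe="60" in an OSSEC rule.
correlate "$SAMPLE" 4 60
# Dry-run active response with the admin host 10.0.0.7 whitelisted.
correlate "$SAMPLE" 4 60 | block_commands 10.0.0.7
```

Running it lists 10.0.0.5 and 10.0.0.7 (four SSH failures each) and 192.0.2.9 (five firewall drops), while 198.51.100.4 stays under the rate because its failures are two minutes apart; the block commands are then printed for everything except the whitelisted 10.0.0.7. That is the same check you are performing by hand in the nmap, idswakeup and brute-force tests above, and the same reason the install prompts for a whitelist before Active Response is turned on.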

What else could we do for more defense in depth?
  • Suhosin (PHP Hardening)
  • GreenSQL (Database firewall)
  • Daemonlogger (full packet capture for forensics purposes)
  • Others?