OSSEC official site: http://www.ossec.net/
OSSEC documentation: http://ossec-docs.readthedocs.org/en/latest/manual/index.html
OSSEC is an open-source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.
The latest stable version is 2.8; download page: http://www.ossec.net/?page_id=19
A newer version is now available: Latest Stable Release (2.8.1)
OSSEC is deployed in a client/server model. In what follows, server: 192.168.22.240, client: 192.168.22.241
First disable SELinux and install the commonly used packages.
Environment: CentOS release 6.4 (Final) x86_64
# disable SELinux: set SELINUX=disabled in /etc/selinux/config
yum install gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat wget unzip -y
Install the server
IP 192.168.22.240
yum install mysql mysql-server mysql-devel httpd php php-mysql -y
tar -xzf ossec-hids-2.8.tar.gz
cd ossec-hids-2.8
cd src/
# make setdb
Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.
# OSSEC supports a MySQL database backend
# cd ..
# ./install.sh
Below is the installation dialogue; if you mistype, hold Ctrl+Backspace.
en                  # choose the language
Enter               # continue
Server              # install as server
/usr/local/ossec    # installation directory
3.1- Do you want e-mail notification? (y/n) [y]: y
-What's your e-mail address? Your_mail@163.com
-What's your SMTP server ip/host? 127.0.0.1
Enter               # Running syscheck (integrity check daemon)
Enter               # Running rootcheck (rootkit detection)
Enter               # Active response enabled
Enter               # firewall-drop enabled (local) for levels >= 6
Do you want to add more IPs to the whitelist? (y/n)? [n]: y   # set the IP whitelist
-IPs (space separated):
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: Enter
Enter               # start the installation
Configuration file and control commands after installation:
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
# /usr/local/ossec/bin/ossec-control --help
Usage: /usr/local/ossec/bin/ossec-control {start|stop|restart|status|enable|disable}
# /usr/local/ossec/bin/ossec-control enable --help
Invalid enable option.
Enable options: database, client-syslog, agentless, debug
Usage: /usr/local/ossec/bin/ossec-control enable [database|client-syslog|agentless|debug]
# /usr/local/ossec/bin/ossec-control enable database
# service mysqld start
# /usr/bin/mysql_secure_installation
# mysql -uroot -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost identified by 'ossec';
mysql> flush privileges;
mysql> \q
[root@localhost ossec-hids-2.8]# mysql -uossec -p ossec < src/os_dbd/mysql.schema
Enter password:
vim /usr/local/ossec/etc/ossec.conf   # append the following at the end of the file; :wq! to force-save
<ossec_config>
  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>ossec</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
Add the content of line 128 to allow logs from this subnet; if other IPs need to be whitelisted, add them one by one in the same way.
    <remote>
127   <connection>syslog</connection>
128   <allowed-ips>192.168.22.0/24</allowed-ips>
129 </remote>
/usr/local/ossec/bin/ossec-control restart
At this point your mailbox will already have received mail.
Next, add the agent client.
# /usr/local/ossec/bin/manage_agents
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
# answer in order:
A                                                  # add
Please provide the following:
*A name for the new agent: agent1
*The IP Address of the new agent: 192.168.22.241   # the agent's IP address
*An ID for the new agent[001]: 001
Agent information:
ID:001
Name:agent1
IPAddress:192.168.22.241
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: agent1, IP: 192.168.22.241
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0MSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZsNhZDd3YmFjZjddZTFkMmNj
## this key is needed when installing the agent
** Press ENTER to return to the main menu.
Choose your action: A,E,L,R or Q: Q
The string generated above is the key the client must provide; it has to be pasted in the "Set up the agent" step of "Install the client" below.
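Because the exported key is a long base64 string that is easy to corrupt when copied (and manage_agents requires it pasted exactly), it is worth checking before import that it decodes cleanly and was issued for the agent you are installing. The following is an added example, not code from the post or from OSSEC; it assumes the client.keys line format `<id> <name> <ip> <secret>` behind the base64 export and uses a constructed sample key, not the one shown above.

```python
import base64
import ipaddress
import re

# Constructed sample key (NOT the one from the post): base64 of
# "001 agent1 192.168.22.241 <64 hex chars>", the line format of client.keys.
SAMPLE_KEY = base64.b64encode(
    b"001 agent1 192.168.22.241 " + b"0123456789abcdef" * 4
).decode("ascii")


def parse_agent_key(blob):
    """Decode a key exported by manage_agents into id, name, ip and secret.

    The export is base64("<id> <name> <ip> <secret>"); anything that does not
    decode into exactly those four fields was mangled in transit.
    """
    try:
        line = base64.b64decode(blob.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("not a valid base64 OSSEC key: %s" % exc)
    parts = line.split(" ")
    if len(parts) != 4:
        raise ValueError("expected 4 space-separated fields, got %d" % len(parts))
    agent_id, name, ip, secret = parts
    if not re.fullmatch(r"\d+", agent_id):
        raise ValueError("agent id %r is not numeric" % agent_id)
    if ip != "any":  # manage_agents also accepts "any" or a CIDR range
        ipaddress.ip_network(ip, strict=False)  # raises ValueError on garbage
    # Assumption: OSSEC 2.x secrets are lowercase hex (two MD5 digests, 64 chars).
    if not re.fullmatch(r"[0-9a-f]{32,}", secret):
        raise ValueError("secret is not a hex string")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def key_matches(blob, expected_id, expected_name, expected_ip):
    """True only if the pasted key was issued for the agent being installed."""
    k = parse_agent_key(blob)
    return (k["id"], k["name"], k["ip"]) == (expected_id, expected_name, expected_ip)
```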
# netstat -unlp | grep ossec   # OSSEC communicates on UDP ports 514 and 1514
udp 0 0 0.0.0.0:514 0.0.0.0:* 4511/ossec-remoted
udp 0 0 0.0.0.0:1514 0.0.0.0:* 4513/ossec-remoted
vim /etc/sysconfig/iptables   # open the ports in iptables
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1514 -j ACCEPT
service iptables restart
Install the client
IP 192.168.22.241
# tar -xzf ossec-hids-2.8.tar.gz
# cd ossec-hids-2.8
# ./install.sh
Y                   # default is en
Enter               # continue
Agent               # install as agent
/usr/local/ossec    # installation directory
192.168.22.240      # the server's IP; make sure it is not mistyped
Enter               # Running syscheck (integrity check daemon)
Enter               # Running rootcheck (rootkit detection)
Enter               # active response
3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/nginx/error.log (apache log)
Enter               # start the installation
Post-installation configuration (no need to run these yet):
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
Set up the agent: paste the key generated on the server above.
# /usr/local/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or newlines.
Paste it here (or '\q' to quit):
MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0zSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZTNdZDc3YmFjZjdmZTFk5mNj
Agent information:
ID:001
Name:agent1
IPAddress:192.168.22.241
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Choose your action: I or Q: Q
# /usr/local/ossec/bin/ossec-control restart   # start the service
OSSEC's log:
/usr/local/ossec/logs/ossec.log
Install the web interface
The ossec-wui interface
cd /var/www
unzip ossec-wui-master.zip
mv ossec-wui-master html/ossec
cd html/ossec/
# cat ossec_conf.php
/* Ossec directory */
#$ossec_dir="/var/ossec";
$ossec_dir="/usr/local/ossec";
# ./setup.sh
Setting up ossec ui...
Username: ossec
New password:
Re-type new password:
Adding password for user ossec
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
apache
Enter your OSSEC install directory path (e.g. /var/ossec)
/usr/local/ossec
You must restart your web server after this setup is done.
Setup completed successfuly.
# vim /etc/httpd/conf.d/ossec.conf
<Directory /var/www/html/ossec>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
    Options FollowSymLinks
    # Configuration for access from outside the LAN: comment out or delete the Order/Deny/Allow lines above and use these instead
    # AllowOverride None
    # Order deny,allow
    # Allow from all
    Options -MultiViews
    AuthName "OSSEC AUTH"
    AuthType Basic
    AuthUserFile /var/www/html/ossec/.htpasswd
    Require valid-user
</Directory>
Don't forget to open port 80 in iptables.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
chown apache:apache *
service httpd restart
The analogi interface
cd /var/www/html
wget https://github.com/ECSC/analogi/archive/master.zip
unzip analogi-master.zip
mv analogi-master ossec/analogi
chown apache.apache -R ossec
cd ossec/analogi
cp db_ossec.php.new db_ossec.php
vim db_ossec.php
define ('DB_USER_O', 'ossec');
define ('DB_PASSWORD_O', 'ossec');
define ('DB_HOST_O', 'localhost');
define ('DB_NAME_O', 'ossec');
vim /etc/httpd/conf.d/analogi.conf
# the Directory path must match where analogi was unpacked above (ossec/analogi)
<Directory /var/www/html/ossec/analogi>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
    Options FollowSymLinks
    # Configuration for access from outside the LAN: comment out or delete the Order/Deny/Allow lines above and use these instead
    # AllowOverride None
    # Order deny,allow
    # Allow from all
</Directory>
# service httpd restart
Check status information
# /usr/local/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
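To turn the agent listing into something a monitoring job can act on, here is an added example (not part of the original post or of OSSEC) that parses `agent_control -l` output, flags agents that are not Active, and confirms that the agent registered above is present with the expected IP. The sample output is constructed; only its first agent line comes from the post.

```python
import re

# Constructed sample in the format printed by `agent_control -l`; the post shows
# only the first agent line, the remaining lines are made up to cover each status.
SAMPLE_OUTPUT = """\
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Active
   ID: 002, Name: agent2, IP: 192.168.22.242, Disconnected
   ID: 003, Name: agent3, IP: 192.168.22.243, Never connected
"""

# One agent per line: "ID: <id>, Name: <name>, IP: <ip>, <status>"
AGENT_RE = re.compile(
    r"ID:\s*(?P<id>\d+),\s*Name:\s*(?P<name>.+?),\s*IP:\s*(?P<ip>[^,\s]+),\s*(?P<status>.+?)\s*$"
)


def parse_agent_list(text):
    """Return a list of dicts (id, name, ip, status), one per agent line."""
    return [m.groupdict() for m in map(AGENT_RE.search, text.splitlines()) if m]


def unhealthy_agents(text):
    """Agents whose status is anything other than Active (Active/Local is the server)."""
    return [a for a in parse_agent_list(text) if not a["status"].startswith("Active")]


def agent_present(text, agent_id, ip):
    """True when the expected agent is listed with the expected IP, i.e. the key
    imported on the client matches a registration the server recognises."""
    return any(a["id"] == agent_id and a["ip"] == ip for a in parse_agent_list(text))
```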