Skip to content

Latest commit

 

History

History
219 lines (203 loc) · 8.91 KB

installation-on-centos.org

File metadata and controls

219 lines (203 loc) · 8.91 KB

Implementation of ossec server on centos

Introduction

  • OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It’s the application to install on your server if you want to keep an eye on what’s happening inside it. OSSEC is supported on Windows and all Unix-like operating systems.

OSSEC Architecture

  • OSSEC is composed of multiple pieces. It has a central manager for monitoring and receiving information from agents, syslog, databases, and from agentless devices.

Manager (or Server)

  • The manager or server is the central piece of the OSSEC deployment. It stores the file integrity checking databases, the logs, events, and system auditing entries. All the rules, decoders, and major configuration options are stored centrally in the manager; making it easy to administer even a large number of agents.
  • Agents connect to the server on port 1514/udp. Communication to this port must be allowed for agents to communicate with the server.

Agents

  • The agent is a small program, or collection of programs, installed on the systems to be monitored. The agent will collect information and forward it to the manager for analysis and correlation. Some information is collected in real time, others periodically. It has a very small memory and CPU footprint by default, not affecting the system¡¯s usage.
  • Agent security: It runs with a low privilege user (generally created during the installation) and inside a chroot jail isolated from the system. Most of the agent configuration can be pushed from the manager.

Agentless

  • For systems that an agent cannot be installed on, the agentless support may allow integrity checks to be performed. Agentless scans can be used to monitor firewalls, routers, and even Unix systems.

Virtualization/VMware

  • OSSEC allows you to install the agent on the guest operating systems. It may also be installed inside some versions of VMWare ESX, but this may cause support issues.
  • With the agent installed inside VMware ESX you can get alerts about when a VM guest is being installed, removed, started, etc. It also monitors logins, logouts and errors inside the ESX server.
  • In addition to that, OSSEC performs the Center for Internet Security (CIS) checks for VMware, alerting if there is any insecure configuration option enabled or any other issue.

Firewalls, switches and routers

  • OSSEC can receive and analyze syslog events from a large variety of firewalls, switches and routers. It supports all Cisco routers, Cisco PIX, Cisco FWSM, Cisco ASA, Juniper Routers, Netscreen firewall, Checkpoint and many others.

Architecture

  • This diagram shows the central manager receiving events from the agents and system logs from remote devices. When something is detected, active responses can be executed and the admin is notified.
  • Image

Pre-requisites

  • Two centos6 Droplets. Make sure to take note of the IP addresses of both. We’ll refer to these as server_ip and agent_ip, respectively.
  • A sudo non-root user on both Droplets.
  • Iptables firewall enabled on both. In Linux, the latest stable release of OSSEC needs iptables for its active response feature.

Firewalls and Iptables

Firewalls

  • A firewall is a system designed to prevent unauthorized access to or from a private network. You can implement a firewall in either hardware or software form, or a combination of both.
  • Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.
  • All messages entering or leaving the intranet (i.e., the local network to which you are connected) must pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
yum install system-config-firewall*
  • Follow the instructions on How To Set Up a Firewall Using Iptables on Centos 6 to set up iptables on both servers.

Iptables

  • iptables is a user-space utility program that allows a system administrator to configure the tables[2] provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.
yum install iptables.x86_64

Creating containers for both server and client

Steps to create Containers on both server and client are same

  • Login to base4 and create a container as follows:
    • Open terminal with below command by pressing ctrl+alt+t.
    • Use below command to login to the base4
ssh user@10.4.12.24
  • It awill ask for the password, then sitch to root as below:
sudo su
  • Create a container with the below command:
  1. for server 
    vzctl create 31 --ostemplate centos-6.9-x86_64-with-emacs --diskspace 20G:25.0G --hostname server.vlabs.ac.in --ipadd 10.4.12.31
    1. Start and enter in to the container as follows:
    vzctl start 31
vzctl enter 31
    1. for client
    vzctl create 40 --ostemplate centos-6.9-x86_64-with-emacs --diskspace 20G:25.0G --hostname client.vlabs.ac.in --ipadd 10.4.12.40
    1. Start and enter in to the container as follows:
    vzctl start 31
vzctl enter 31

Installation and configuration of OSSEC on server

Steps to install and configure OSSEC on server and client

  • Log into the server and client containers and update using the below command: 
    yum update
  • Installation of OSSEC involves some compiling, so install gcc and make. Instead of installing both, install a single package called build-essential with the below command: 
    install build-essential inotify-tools
  • The latest server edition of OSSEC is version 2.8.1. To download it, type: 
    wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
  • To download the checksum file, type: 
    wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt
  • To untar the downloaded ossec-hids-2.8.1.tar.gz, type: 
    tar -xvf ossec-hids-2.8.1.tar.gz
  • It extracts all the files to ossec-hids-2.8.1
  • Change directory to ossec-hids-2.8.1, type: 
    cd ossec-hids-2.8.1
  • It list all the files in the ossec-hids-2.8.1
  • Run below command to install ossec 
    ./install.sh
  • Select language, default is English: hit enter
  • Next it will show the system detail, system user and host-name.
  • Now select installation modes and type of OSSEC on the system.
  • Set the configurations path, /var/ossec is default.
  • Enter the server IP address
  • Now enable integrity check for agent.
  • Next enable rootkit detection, active response and syslog.
  • Press “enter” to start installation process.
  • Next it show some information like OS Detail Start and Stop OSSEC scripts and OSSEC configurations file.
  • Press “Enter” to finish the OSSEC Client/Agent installation part.
  • Now Client/Agent side installation is done.

Connecting Server and Agent

Server Side Configuration

  • Adding a client :- Follow the below command to add client.
# /var/ossec/bin/manage_agents
  • Type a to add an agent.
  • Then provide a new name, IP and ID for the agent.
  • Then type e to extract the key for an agent.
  • Now copy the givem Agent Information Key to enter it for the agent.

Agent Side Configuration

  • Follow the below steps to add agent to server. 
    # /var/ossec/bin/manage_agents
  • Type i to import key from the server.
  • Provide the Key generated by the server.
  • Then type q to quit back to the main menu.
  • To restart OSSEC Server and Agent, type: 
    # /var/ossec/bin/ossec-control restart