Securing Your Server With A Host-based Intrusion Detection System
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 09/18/2006
This article shows how to install and run OSSEC HIDS, an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. It helps you detect attacks, software misuse, policy violations and other forms of inappropriate activities.
With OSSEC HIDS you can monitor multiple systems, with one system being the OSSEC HIDS server and the others the OSSEC HIDS agents that report back to the server. However, in this tutorial I want to monitor just one system, so I perform a "local" installation so that OSSEC HIDS will do its work locally on that system.
In the following I use a Debian Sarge (3.1) system to install OSSEC HIDS on.
I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
1 Installing OSSEC HIDS
Installing OSSEC HIDS is very easy, it's just a matter of downloading the sources, running the installation script and answering the questions of the installation script. First, we download and unpack the OSSEC HIDS sources:
tar xvfz ossec-hids-0.9-1a.tar.gz
Then we run the installation script:
The installation script will ask you a few questions:
** Para instalaÃ§Ã£o em portuguÃªs, escolha [br].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Para instalar en EspaÃ±ol , eliga [es].
** Pour une installation en franÃ§ais, choisissez [fr]
** Per l'installazione in Italiano, scegli [it].
** Aby instalowaÄ w jÄzyku Polskim, wybierz [pl].
** ÐÐ»Ñ Ð¸Ð½ÑÑÑÑÐºÑÐ¸Ð¹ Ð¿Ð¾ ÑÑÑÐ°Ð½Ð¾Ð²ÐºÐµ Ð½Ð° ÑÑÑÑÐºÐ¾Ð¼ ,Ð²Ð²ÐµÐ´Ð¸ÑÐµ [ru].
** TÃ¼rkÃ§e kurulum iÃ§in seÃ§in [tr].
(en/br/de/es/fr/it/jp/pl/ru/tr) [en]: <-- en (or one of the other options, if you don't want to use English)
OSSEC HIDS v0.9-1 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to email@example.com (or firstname.lastname@example.org).
- System: Linux server1.example.com 2.6.8-2-386
- User: root
- Host: server1.example.com
-- Press ENTER to continue or Ctrl-C to abort. -- <-- [ENTER]
1- What kind of installation do you want (server, agent, local or help)? <-- local
- Choose where to install the OSSEC HIDS [/var/ossec]: <-- /var/ossec
3.1- Do you want e-mail notification? (y/n) [y]: <-- y
- What's your e-mail address? <-- email@example.com (please enter your own email address here)
- We found your SMTP server as: mail.example.com.
- Do you want to use it? (y/n) [y]: <-- y (normally you can accept the installer's proposal, unless you want to use another SMTP server)
3.2- Do you want to run the integrity check daemon? (y/n) [y]: <-- y
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: <-- y
- Do you want to enable active response? (y/n) [y]: <-- y
- Do you want to enable the firewall-drop response? (y/n) [y]: <-- y
- Do you want to add more IPs to the white list? (y/n)? [n]: <-- n (unless you want to whitelist more IP addresses)
3.6- Setting the configuration to analyze the following logs:
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue --- <-- [ENTER]
- System is Linux (SysV).
- Init script modified to start OSSEC HIDS during boot.
Adding system startup for /etc/init.d/ossec ...
/etc/rc0.d/K20ossec -> ../init.d/ossec
/etc/rc1.d/K20ossec -> ../init.d/ossec
/etc/rc6.d/K20ossec -> ../init.d/ossec
/etc/rc2.d/S20ossec -> ../init.d/ossec
/etc/rc3.d/S20ossec -> ../init.d/ossec
/etc/rc4.d/S20ossec -> ../init.d/ossec
/etc/rc5.d/S20ossec -> ../init.d/ossec
- Configuration finished properly.
- To start OSSEC HIDS:
- To stop OSSEC HIDS:
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at firstname.lastname@example.org or using our public maillist at
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). --- <-- [ENTER]
That's it, OSSEC HIDS is now installed and ready to be started.
2 Starting And Running OSSEC HIDS
In order to start OSSEC HIDS, we run this command:
The output should look like this:
server1:/etc/init.d# /etc/init.d/ossec start
Starting OSSEC HIDS v0.9-1 (by Daniel B. Cid)...
As you might have seen during OSSEC HIDS installation, the installer also created the necessary system startup links for OSSEC HIDS, so that OSSEC HIDS will be started automatically whenever you boot/reboot your system.
After OSSEC HIDS has been started, it will run silently in the background, performing log analysis, integrity checking, rootkit detection, etc. You can check that it's running by executing
In the output you should find something like this:
ossecm 2038 0.0 0.4 1860 792 ? S 12:40 0:00 /var/ossec/bin/ossec-maild
root 2042 0.0 0.3 1736 648 ? S 12:40 0:00 /var/ossec/bin/ossec-execd
ossec 2046 0.2 0.5 2192 1136 ? S 12:40 0:00 /var/ossec/bin/ossec-analysisd
root 2050 0.0 0.2 1592 556 ? S 12:40 0:00 /var/ossec/bin/ossec-logcollector
root 2054 12.2 0.3 1756 616 ? S 12:40 0:05 /var/ossec/bin/ossec-syscheckd
The OSSEC HIDS log file is /var/ossec/logs/ossec.log, so you can check it to see what's going on, e.g. with the tail command.
tail -f /var/ossec/logs/ossec.log
shows what's happening in real-time. Press CTRL-C to leave it.
tail -n 100 /var/ossec/logs/ossec.log
shows you the last 100 lines of the OSSEC HIDS log.
Whenever OSSEC HIDS detects something suspicious, it sends an email with a report about the activity to the email address you specified during installation:
If you want to change OSSEC HIDS' settings (e.g. change the email address, add custom rulesets, etc.), you can do this by editing the configuration file /var/ossec/etc/ossec.conf (which is in XML format). You can do this by using a command-line editor such as vi:
The file looks like this:
If you change the file, make sure to restart OSSEC HIDS afterwards:
In order to learn how to add custom rulesets, etc. to the OSSEC HIDS configuration, please refer to the OSSEC HIDS manual: http://www.ossec.net/en/manual.html