Part 3 : Installing And Configuring Ossec

First of all we will download and unpack the ossec source:

cd /src
wget http://www.ossec.net/files/ossec-hids-1.4.tar.gz
tar xvzf ossec-hids-1.4.tar.gz

cd ossec-hids-xx
cd src
make setprelude

CPRELUDE=-DPRELUDE -lprelude -pthread -lgcc_s -L/usr/lib -lprelude -lgnutls -lgcrypt -lrt -ldl

The majority of this HOWTO is taken directly from the Installation Manual for OSSEC-HID which is a very easy to follow manual. If you run into trouble please look at the manual first as it will always have the most up to date information.

Now the easy part. Ossec comes with an install script install.sh which does all of the hard work for us.

cd ..
./install.sh

Pick what language you want to read everything in and hit enter.

** Para instalação em português, escolha [br].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Per l'installazione in Italiano, scegli [it].
** Aby instalować w języku Polskim, wybierz [pl].
** Türkçe kurulum için seçin [tr].
(en/br/de/it/pl/tr) [en]: en <enter>

Next it is going to warn us that we need a C compiler on the machine, and give you some general information about your computer (kernel version, user and host).

Go ahead and hit enter likes it says.

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux some information
- User: root
- Host: your hostname
-- Press ENTER to continue or Ctrl-C to abort. --

Next select a local install:

1- What kind of installation do you want (server, agent, local or help)? local <enter>

Now choose were you want to install it. Use the default or change it if you want to. This howto however will assume the default location.

Choose where to install the OSSEC HIDS [/var/ossec]: <enter>

Now select you notification options. You can choose answers used in this howto or different ones. I would recommend setting "Y" to everything. Active responses are really nice. It will set some default configuration variables based on your answers and certian things it finds on your system.

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? youremail@yourdomain.com
- What's your SMTP server ip/host? your smtp server address (localhost)

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:
- 192.168.2.1

- Do you want to add more IPs to the white list? (y/n)? [n]: n

3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .


--- Press ENTER to continue ---

Now it will compile everything. This shouldn't take too long to complete. It only took around 1-2 minutes for my box. After it is completed press enter to finish.

- Unknown system. No init script added.
- Configuration finished properly.
- To start OSSEC HIDS:/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.If you have any question, suggestion or if you find any bug,contact us at contact@ossec.net or using our public maill it atossec-list@ossec.net(http://mailman.underlinux.com.br/mailman/listinfo/ossec-list). More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---

Now unfortunately it doesn't detect Ubuntu so it will not create an init script. This is simple enough to take care of. (Yes, its basic. If you want to improve it please feel free to do so) Copy and paste the following into /etc/init.d/ossec:

#!/bin/sh
 
case "$1" in
start)
  /var/ossec/bin/ossec-control start
;;
stop)
  /var/ossec/bin/ossec-control stop
;;
restart)
  $0 stop && sleep 3
  $0 start
;;
reload)
  $0 stop
  $0 start
;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac

Now make it executable:

chmod +x /etc/init.d/ossec 

Add it to our runlevels so it starts on boot:

update-rc.d ossec defaults

<global>
 ...
<prelude_output>yes</prelude_output>
</global>

Finally we'll add ossec as an agent in prelude:

prelude-adduser registration-server prelude-manager

On the management server do:

prelude-adduser register OSSEC "idmef:w" localhost --uid ossec --gid ossec

Note: The sensor name MUST be in uppercase > OSSEC.

Start the ossec with init.d script powered by OSSEC (1.4 version should now detect ubuntu/debian OS and the init script will work!) or RShadow script.

If you see this you'r up and running.

Starting OSSEC HIDS v1.4 (by Daniel B. Cid)...
Connecting to 127.0.0.1:4690 prelude Manager server.
TLS authentication succeed with Prelude Manager.

Now go to the url where you installed prewikka, and login with the user admin and password admin. Change this password immediately in order to prevent unauthorized access.