Debian, ISPconfig and OSSEC - read this first!

Discussion in 'Tips/Tricks/Mods' started by Clouseau, Jan 6, 2015.

  1. Clouseau

    Clouseau Member

    If you want to install OSSEC-HIDS to your ISPConfig server this is a quick how to. This is relevant for those who are installing ossec after ISPconfig install.
    The deb packages for Debian which are stated here and then here are not good. In postinst scripts they use useradd and groupadd scripts which doesn't comply Debian policy. The correct ones are adduser and addgroup, they follow Debian policy and include proper creating of newly created UIDs and GIDs. If you install those packages your ISPConfig will get in trouble becase it creates a ossec users in ispconfig range. It doesn't matter if you put in IPSConfig panel at System -> Server config some other range ie. 10000 or 20000 which ISPconfig uses for creating new users because newly created OSSEC users gonna have an UID and GID in that range. So here is the proper way on installing ossec-hids:

    1) go to and click on AlienVault repository which will lead you here Do not add mirror to your apt sources.list we will download package manually, this is important. Do not add mirror even after install because updates gonna problably brake somethiing. You can add mirror when they fix the postinst scripts to use adduser and addgroup.
    2) download manually deb package with wget to /tmp
    wget -P /tmp
    3)create temp directory in /tmp and decompress package with dpkg-deb to /tmp/ossec_tmp
    mkdir /tmp/ossec_tmp
    dpkg-deb -R ossec-hids_2.8.1-1wheezy_amd64.deb /tmp/ossec_tmp
    4) edit file /tmp/ossec_tmp/DEBIAN/postinst and replace parts where it creates group and users with this bolds parts bellow:
    if ! getent group | grep -q "^ossec"
    addgroup --system ossec
    if ! getent passwd | grep -q "^ossec"
    adduser --system --no-create-home --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER}
    if ! getent passwd | grep -q "^ossecm"
    adduser --system --no-create-home --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER_MAIL}
    if ! getent passwd | grep -q "^ossecr"
    adduser --system --no-create-home --home ${DIR} --shell ${OSMYSHELL} --ingroup ${GROUP} ${USER_REM}
    5) go to /tmp and then create deb package:
    dpkg-deb --build /tmp/ossec_tmp/ ossec-hids_FIXED__2.8.1-1wheezy_amd64.deb
    6) now you have your ossec-hids debian package
    install two dependencies: apt-get install expect tcl8.5
    and then install ossec-hids dpkg -i /tmp/ossec-hids_FIXED__2.8.1-1wheezy_amd64.deb
    You gonna see this "Not creating home directory `/var/ossec/'", and you ignore it. When first user is created, his home is created so when createing other two users its gonna post a message Not creating home directory... I could omit it with "--quiet" switch on creating other 2 users but better to see output to know all is good :)

    And thats it, you can now configure and tune your OSSEC to suit your needs,turn on active-responses etc, which logs to watch and etc. After ispconfig install and now when ossec-hids is installed, my system UIDs and GIDs are:
    Last edited: Jan 6, 2015

Share This Page