{"id":9540,"date":"2022-01-18T12:55:34","date_gmt":"2022-01-18T07:25:34","guid":{"rendered":"https:\/\/opstree.com\/blog\/\/?p=9540"},"modified":"2022-01-18T12:55:38","modified_gmt":"2022-01-18T07:25:38","slug":"host-based-intrusion-detection-using-ossec","status":"publish","type":"post","link":"https:\/\/opstree.com\/blog\/2022\/01\/18\/host-based-intrusion-detection-using-ossec\/","title":{"rendered":"HOST-BASED INTRUSION DETECTION USING OSSEC"},"content":{"rendered":"\n

What is Ossec :<\/h2>\n\n\n\n

It claims to be the world\u2019s most widely used open-source host-based intrusion detection system. In short, we can call it HIDS. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. This is made up of two parts: Ossec server and Ossec agent<\/strong>. The Ossec server is used to monitor other servers that we call Ossec agents. At any time, an agent can be added to the Ossec server for its monitoring and can be removed. For that, server and agent connections need to be established, which we will be discussing. It also provides a Web interface<\/em> for showing all alerts, logs, and agent information.<\/p>\n\n\n\n

Possible scenarios that you might face of Intrusion on your servers:<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

1) Attacker launched a brute force attack against your machine. Now you need to track him. For that, you need his IP address. First, on your Ossec server, do:<\/p>\n\n\n\n

cat\/var\/ossec\/logs\/alerts\/alerts.log<\/pre>\n\n\n\n
Where you find Source IP against the alert of SSH insecure connection attempt rule. Secondly, we can get it from a UI-based alert.<\/p>\n\n\n\n\n\n\n\n
2) Attacker has uploaded a script to the server and executed it as the root user. For this, we have a sys check, in which we define all the directories and files to monitor for any kind of changes. In this case, you will receive an alert of integrity checksum change for that file, showing what content has actually changed and by which user the script was executed.<\/p>\n\n\n\n
3) Suppose the attacker has changed your system file like \/etc\/group or \/etc\/password. In this case, you will receive an alert of the Integrity checksum changed for that system file.<\/p>\n\n\n\n
Like this, there can be many possible scenarios where you should use Ossec against any kind of intrusion detection.<\/p>\n\n\n\n
Ossec Installation :<\/h2>\n\n\n\n
Manual Installation of Server\/Agent:<\/strong><\/h3>\n\n\n\n
A) Install Ossec dependencies:<\/p>\n\n\n\n
sudo yum install unzip\nsudo yum install gcc-c++ make -y\nsudo yum install wget\nsudo yum install -y php-cli php-common sendmail inotify-tools<\/pre>\n\n\n\n
B) Choose Ossec version, download tar file and then untar it:<\/p>\n\n\n\n
cd \/opt\nexport VERSION=\u201d3.1.0\"\nsudo wget https:\/\/github.com\/ossec\/ossec-hids\/archive\/${VERSION}.tar.gz\nsudo tar -xvzf \/opt\/${VERSION}.tar.gz<\/pre>\n\n\n\n
C) Execute the script:<\/p>\n\n\n\n
sudo sh ossec-hids-${VERSION}\/install.sh\na) Select Language: en\nb) Press <ENTER> to continue or Ctrl+C to abort\nc) Select what kind of installation do you want (server, agent, local, hybrid or help)?: Sever\/Agent\nd) Choose Installation location \/var\/ossec: \/var\/ossec\ne) Do you want e-mail notification? (y\/n) [y]: y\/n\nf) Do you want to run the integrity check daemon? (y\/n) [y]: y\/n\ng) Do you want to run the rootkit detection engine? (y\/n) [y]: y\/n\nh) Do you want to enable the firewall-drop response? (y\/n) [y]: y\/n\ni) Press Enter, that\u2019s it you are done with Ossec Server\/Agent Installation.<\/pre>\n\n\n\n
Installation of agent using Bash script(Just to avoid this real time interface):<\/strong><\/h3>\n\n\n\n
#!\/bin\/bash\nossecAgent() {\nsudo yum install unzip\nsudo yum install gcc-c++ make -y\nsudo yum install wget\nsudo yum install -y php-cli php-common sendmail inotify-tools\ncd \/opt\nossec_server_ip=\u201d1.1.1.1\"\nexport VER=\u201d3.1.0\"\nsudo wget https:\/\/github.com\/ossec\/ossec-hids\/archive\/${VER}.tar.gz\nsudo tar -xvzf \/opt\/${VER}.tar.gz\ncd \/opt\/ossec-hids-${VER}\nsudo sed -i \u20182 i USER_LANGUAGE=$1\u2019 install.sh\nsudo sed -i \u20182 i USER_INSTALL_TYPE=$2\u2019 install.sh\nsudo sed -i \u20182 i USER_DIR=$3\u2019 install.sh\nsudo sed -i \u20182 i USER_AGENT_SERVER_IP=$4\u2019 install.sh\nsudo sed -i \u20182 i USER_ENABLE_SYSCHECK=$5\u2019 install.sh\nsudo sed -i \u20182 i USER_ENABLE_ROOTCHECK=$6\u2019 install.sh\nsudo sed -i \u20182 i USER_ENABLE_ACTIVE_RESPONSE=$7\u2019 install.sh\nsudo sed -i \u20182 i USER_ENABLE_SYSLOG=$8\u2019 install.sh\nsudo echo -ne \u2018\\n\u2019 | sudo sh install.sh en agent \/var\/ossec ${ossec_server_ip} y y y y\nsudo sed -i \u201812d\u2019 \/var\/ossec\/etc\/ossec.conf\nsudo sed -i \u201812d\u2019 \/var\/ossec\/etc\/ossec.conf\nsudo sed -i \u201912 i <directories report_changes=\u201dyes\u201d check_all=\u201dyes\u201d realtime=\u201dyes\u201d>\/etc,\/usr,\/var\/log\/<\/directories>\u2019 \/var\/ossec\/etc\/ossec.conf\nsudo sed -i \u201913 i <directories report_changes=\u201dyes\u201d check_all=\u201dyes\u201d realtime=\u201dyes\u201d>\/bin,\/sbin,\/proc,\/dev<\/directories>\u2019 \/var\/ossec\/etc\/ossec.conf\n}<\/pre>\n\n\n\n
echo \u201cInstalling Ossec Agent\u201d
ossecAgent<\/pre>\n\n\n\n
#Note :<\/strong>
Enter your Ossec Server Ip here in place of ossec_server_ip<\/strong>=\u201d1.1.1.1″ in bash script.<\/p>\n\n\n\n
Now start\/stop your Ossec server\/agent with :<\/strong><\/p>\n\n\n\n
sudo \/var\/ossec\/bin\/ossec-control start\/stop<\/pre>\n\n\n\n
Installation of Ossec Web UI :<\/strong><\/h3>\n\n\n\n
A) Clone Ossec Web UI:<\/p>\n\n\n\n
cd \/opt\nsudo git clone https:\/\/github.com\/ossec\/ossec-wui.git<\/pre>\n\n\n\n
B) Execute Installation Script:<\/p>\n\n\n\n
sudo sh ossec-wui\/setup.sh
a) Enter Username
b) Enter Password
c) Enter your web server user name : Ex : apache, www, nobody, www-data or www-data<\/pre>\n\n\n\n
C) Create an Apache<\/strong> virtual host config file:<\/p>\n\n\n\n
sudo vim \/etc\/apache2\/sites-enabled\/ossec-wui.conf<\/pre>\n\n\n\n
Place below mentioned config in this:<\/strong><\/p>\n\n\n\n
<VirtualHost *:80>\nDocumentRoot \/opt\/ossec-wui\/\nServerName OSSEC_SERVER_IP\/ HOST_NAME\nServerAlias OSSEC_SERVER_IP\/ HOST_NAME\nServerAdmin admin@admin.com\n<Directory \/opt\/ossec-wui\/>\nOptions +FollowSymlinks\nAllowOverride All\nRequire all granted\n<\/Directory>\nErrorLog \/var\/log\/apache2\/moodle-error.log\nCustomLog \/var\/log\/apache2\/moodle-access.log combined\n<\/VirtualHost><\/pre>\n\n\n\n
D) Start Apache Server:<\/p>\n\n\n\n
sudo a2enmod rewrite\nsudo systemctl restart apache2<\/pre>\n\n\n\n
E) Access your Ossec Server at http:\/\/OSSEC_SERVER_IP<\/p>\n\n\n\n
Connection between Agent and Server:<\/h2>\n\n\n\n
For this, we need to do configuration on both the server and the agent. So that they can both establish a connection between them. Make sure to allow UDP Port 1514 traffic through the firewalls or security groups for both the Ossec Server and Agent.<\/p>\n\n\n\n
Server Configuration:<\/strong><\/h3>\n\n\n\n
A) Create an Agent file containing Agent’s IP and name inside the Ossec server. You can add multiple agents here:<\/p>\n\n\n\n
sudo vim \/var\/ossec\/agents and add Agent ip and name into this file.
Ex : 172.10.2.1,Agent1
172.10.2.2,Agent2
Here added 2 agents with agent ip and name with comma separated.<\/pre>\n\n\n\n
B) Generating keys for agents:<\/p>\n\n\n\n
sudo \/var\/ossec\/bin\/manage_agents -f \/var\/ossec\/agents<\/pre>\n\n\n\n
C) Obtain the key for agents:<\/p>\n\n\n\n
sudo \/var\/ossec\/bin\/manage_agents -e $(cat \/var\/ossec\/etc\/client.keys | grep \u201cAgent1\/Agent2\u201d | awk {\u2018print $1\u2019})<\/pre>\n\n\n\n
 Agent Configuration:<\/strong><\/h3>\n\n\n\n
A) Add Server IP to var\/ossec\/etc\/ossec.conf on Agent Server:<\/p>\n\n\n\n
vim \/var\/ossec\/etc\/ossec.conf
update into file : <server-ip>ossec_server_ip<\/server-ip><\/pre>\n\n\n\n
B) Import the agent keys that you extracted in server configuration step 3:<\/p>\n\n\n\n
yes | \/var\/ossec\/bin\/manage_agents -i $agent_key<\/pre>\n\n\n\n
C)  Finally restart Ossec server and Agent both with:<\/p>\n\n\n\n
sudo \/var\/ossec\/bin\/ossec-control restart<\/pre>\n\n\n\n
D) On Ossec server, list the active agents through command or UI:<\/p>\n\n\n\n
sudo \/var\/ossec\/bin\/list_agents -c
Output will be like this : agent1\u20131.1.1.1 is active.<\/strong><\/pre>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
Server security is as paramount as network security because servers often hold a great deal of an organization\u2019s vital information. If a server is compromised, all of its contents may become available for the attacker to steal or manipulate at will. This can lead to heavy losses in business and the defamation of an organization. To ensure your servers are monitored in a dedicated manner, we need a solution, which Ossec is capable of.<\/p>\n\n\n\n
Blog Pundit: <\/strong>Bhupender rawat<\/strong><\/a> and Sanjeev Pandey<\/strong><\/p>\n\n\n\n
Opstree<\/strong> <\/a>is an End to End DevOps solution provider<\/p>\n\n\n\n
\n
CONTACT US<\/a><\/div>\n<\/div>\n\n\n\n
Connect Us <\/strong><\/p>\n\n\n\n