Ossec HIDS

Links

 * [[http://www.ossec.net/|Ossec IDS site]]
 * [[http://www.ossec.net/en/manual.html|Ossec IDS Manual]]
 * [[http://www.ossec.net/wiki/index.php/OSSECWUI:Install|Ossec Web Interface]]
 * [[http://www.ossec.net/files/ossec-agent-win32-1.4.exe|Ossec Windows Agent]]

What it is

A host IDS monitors the events and logs of hosts and servers to detect suspicious activity. It applies signature analysis across multiple log events and across system behaviour, and it can also take proactive actions, such as blocking all traffic from the offending host at the local firewall.

OSSEC is an open-source host IDS created by Daniel Cid. It is used for log analysis, rootkit detection, alerting and active (proactive) responses.

Installation

Install the following package (OSSEC is compiled from source, so the installer needs a C compiler)

sudo apt-get install build-essential

Download Ossec

cd ~
mkdir temp
cd temp
wget http://www.ossec.net/files/ossec-hids-1.4.tar.gz 
wget http://www.ossec.net/files/ossec-hids-1.4_checksum.txt

Before unpacking, compare the digests listed in the .txt file with the ones you compute locally, using these commands

  • Note: this step is very important! Do not skip it! Keep in mind that the checksum file comes from the same server as the tarball, so a match proves only that the download was not corrupted or swapped in transit; to detect a tampered mirror, also compare the digests against those published on the OSSEC site or in the release announcement.

cat ossec-hids-1.4_checksum.txt
md5sum ossec-hids-1.4.tar.gz
sha1sum ossec-hids-1.4.tar.gz
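Reading two hex strings side by side is easy to get wrong. The script below is an added example (not code from the original page or from the OSSEC project): it extracts the MD5 and SHA1 digests from the checksum file, whatever its layout, recomputes both over the tarball and fails on any mismatch. The demo functions build a constructed placeholder tarball and checksum file in a temporary directory so the script runs offline; the file names and the "MD5(...)= " line layout are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not code from the OSSEC project or the original page.
# Mechanically compares a downloaded tarball against the MD5 and SHA1
# digests in its checksum file instead of eyeballing two hex strings.

# verify_checksums TARBALL CHECKSUM_FILE
# Exit status 0 only if the tarball's MD5 *and* SHA1 match digests listed
# in CHECKSUM_FILE; 1 if either is missing from the file or differs.
verify_checksums() {
    tarball=$1
    sums=$2
    [ -f "$tarball" ] && [ -f "$sums" ] || return 1

    # Split the checksum file into alphanumeric tokens and take the first
    # 32-hex-digit (MD5) and 40-hex-digit (SHA1) tokens, so the exact
    # layout of the file ("MD5 (f) = x", "x  f", ...) does not matter.
    want_md5=$(tr -c 'A-Za-z0-9' '\n' < "$sums" \
        | awk 'length($0) == 32 && /^[0-9a-fA-F]+$/ { print tolower($0); exit }')
    want_sha1=$(tr -c 'A-Za-z0-9' '\n' < "$sums" \
        | awk 'length($0) == 40 && /^[0-9a-fA-F]+$/ { print tolower($0); exit }')
    [ -n "$want_md5" ] && [ -n "$want_sha1" ] || return 1

    have_md5=$(md5sum "$tarball" | awk '{ print $1 }')
    have_sha1=$(sha1sum "$tarball" | awk '{ print $1 }')

    [ "$have_md5" = "$want_md5" ] && [ "$have_sha1" = "$want_sha1" ]
}

# Builds a constructed placeholder tarball and a matching checksum file in
# a temp dir (not a real OSSEC release; the line layout is illustrative)
# and prints the directory name.
make_fixture() {
    dir=$(mktemp -d)
    printf 'placeholder, not a real tarball\n' > "$dir/ossec-hids-1.4.tar.gz"
    {
        printf 'MD5(ossec-hids-1.4.tar.gz)= %s\n' \
            "$(md5sum "$dir/ossec-hids-1.4.tar.gz" | awk '{ print $1 }')"
        printf 'SHA1(ossec-hids-1.4.tar.gz)= %s\n' \
            "$(sha1sum "$dir/ossec-hids-1.4.tar.gz" | awk '{ print $1 }')"
    } > "$dir/ossec-hids-1.4_checksum.txt"
    echo "$dir"
}

# Returns 0 when an untouched download passes verification.
demo_intact() {
    d=$(make_fixture)
    verify_checksums "$d/ossec-hids-1.4.tar.gz" "$d/ossec-hids-1.4_checksum.txt"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Returns 0 when a tampered download is correctly rejected: a single
# appended byte must flip the result to failure.
demo_tampered() {
    d=$(make_fixture)
    printf 'x' >> "$d/ossec-hids-1.4.tar.gz"
    if verify_checksums "$d/ossec-hids-1.4.tar.gz" "$d/ossec-hids-1.4_checksum.txt"; then
        rm -rf "$d"
        return 1
    fi
    rm -rf "$d"
    return 0
}

# Usage on the real download (run in the directory where wget put the files):
# verify_checksums ossec-hids-1.4.tar.gz ossec-hids-1.4_checksum.txt \
#     && echo "checksums OK" \
#     || { echo "CHECKSUM MISMATCH, do not install" >&2; exit 1; }
```

Because the digests are matched by length rather than by a fixed line format, the same function works for BSD-style "MD5 (file) = digest", GNU-style "digest  file" and the openssl "MD5(file)= digest" layouts alike.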

Unpack the archive (the directory name matches the version you downloaded)

tar -zxvf ossec-hids-1.4.tar.gz
cd ossec-hids-1.4

Start the installation.

sudo -s
./install.sh

Start by choosing the installation language.

** Para instalação em português, escolha [br].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Per l'installazione in Italiano, scegli [it].
** Aby instalować w języku Polskim, wybierz [pl].
** Türkçe kurulum için seçin [tr].
(en/br/de/it/pl/tr) [en]:  en <enter> 

A screen with general information about the system appears. Press <ENTER> when prompted. (The transcript below was captured from a 1.1 installer; on the 1.4 release the banner shows v1.4.)

OSSEC HIDS v1.1 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux matrix 2.6.17-386
  - User: root
  - Host: matrix


  -- Press ENTER to continue or Ctrl-C to abort. --
<enter>

Enter the installation type. "local" means a single host that analyses its own logs; choose "server" or "agent" when deploying a central manager with agents.

1 - What kind of installation do you want (server, agent, local or help)? local <enter> 

Enter the installation location

2 -Choose where to install the OSSEC HIDS [/var/ossec]:  <enter> 

Select the notifications you want to receive. Ideally enable all of them, but that is your call. If you enable active response, add the addresses you administer this host from to the white list in step 3.4: firewall-drop blocks any source that raises an alert of level 6 or higher, which includes your own workstation after a run of failed SSH logins.

3 - Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]: y
   - What's your e-mail address? youremail@yourdomain.com
   - What's your SMTP server ip/host? your smtp server address (localhost)

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response

   - Do you want to enable active response? (y/n) [y]: y

     - Active response enabled.

   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]: y

     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 192.168.0.1

   - Do you want to add more IPs to the white list? (y/n)? [n]: n

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/mail.info
    -- /var/log/apache2/error.log (apache log)
    -- /var/log/apache2/access.log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .


   --- Press ENTER to continue ---

Wait for the program to compile and install

 - Unknown system. No init script added.

 - Configuration finished properly.

 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at contact@ossec.net or using our public maillist at
    ossec-list@ossec.net
    (http://mailman.underlinux.com.br/mailman/listinfo/ossec-list).

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information bellow). ---

Create an init script, since the installer did not add one ("Unknown system. No init script added." above). Copy this code and save it as the file ossec in the /etc/init.d directory

#!/bin/sh
# /etc/init.d/ossec - start/stop wrapper around ossec-control
OSSEC_CONTROL=/var/ossec/bin/ossec-control

case "$1" in
start)
  $OSSEC_CONTROL start
;;
stop)
  $OSSEC_CONTROL stop
;;
restart)
  # give the daemons a moment to shut down before starting them again
  $0 stop && sleep 3
  $0 start
;;
reload)
  # reload is implemented as a plain stop/start
  $0 stop
  $0 start
;;
status)
  $OSSEC_CONTROL status
;;
*)
echo "Usage: $0 {start|stop|restart|reload|status}"
exit 1
esac
exit 0

Make it executable

cd /etc/init.d
chmod +x ossec

Run this command to add it to all runlevels

update-rc.d ossec defaults

Start Ossec with the command

/etc/init.d/ossec start

Starting OSSEC HIDS v1.4 (by Daniel B. Cid)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.

Now that your host IDS is installed and running, keep reviewing the notifications. If you want, you can write new rules; see the Ossec IDS documentation for how to create them.

OssecHIDS (last edited 2011-09-19 23:18:17 by localhost)