Saturday, September 21, 2013

Host Based Intrusion Detection System: OSSEC

A host-based intrusion detection system (HIDS) is software that runs on the host itself and monitors its activity (log files, file integrity, running processes, rootkit indicators) looking for anything suspicious. On CentOS I chose OSSEC as my HIDS; the following is the method I used to install it.

  1. Install the compiler and build tools needed to compile OSSEC (make is required by the OSSEC build and is not pulled in by gcc on a minimal install).

  2. [root@glt ~]# yum -y install gcc gcc-c++ make autoconf automake

  3. Download the latest version of OSSEC. The download is plain HTTP, so compare the tarball against the checksum published on the OSSEC download page before building it.


  4. [root@glt ~]# wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
    

  5. Extract the files from the tar and run the "install.sh" script.


  6. [root@glt ~]# tar -zxvf ossec-hids-latest.tar.gz
    [root@glt ~]# cd ossec-hids-2.7
    [root@glt ossec-hids-2.7]# ./install.sh
    

    When asked what kind of installation you want, choose local. Choose server instead if you plan on accepting logs from remote agents. Accept the default values for the remaining options; everything is installed under /var/ossec.

  7. Start OSSEC HIDS (ossec-control status lists the daemons that are running, which is the quickest check that the install worked).


  8. [root@glt ~]# /var/ossec/bin/ossec-control start
    


  9. Stop OSSEC HIDS


  10. [root@glt ~]# /var/ossec/bin/ossec-control stop
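Once OSSEC is running, its findings land in /var/ossec/logs/alerts/alerts.log. The following is an added example, not part of the original post and not OSSEC's own code: a POSIX shell/awk function that summarises that file by severity, rule id and source IP, so that a brute-force source stands out at a glance. The records in sample_alerts are constructed for this example in the layout OSSEC uses for alerts.log; the rule numbers follow OSSEC's sshd and syscheck rules, while the IPs, host name and timestamps are made up.

```shell
#!/bin/sh
# Summarise OSSEC alerts by (level, rule id, source IP).
# Usage: ossec_alert_summary MINLEVEL < /var/ossec/logs/alerts/alerts.log
# Output: one line per key, "COUNT LEVEL RULE SRC_IP", highest level first.

ossec_alert_summary() {
    min="${1:-0}"
    awk -v min="$min" '
        # Count the record collected so far, if it reaches the threshold,
        # then reset for the next one.
        function flush() {
            if (rule != "" && level + 0 >= min + 0)
                count[level " " rule " " src]++
            rule = ""; level = ""; src = "-"
        }
        # Every alert record starts with "** Alert <epoch>.<seq>: ...".
        /^\*\* Alert / { flush(); next }
        # "Rule: 5716 (level 5) -> ..." carries the rule id and severity.
        /^Rule: /      { rule = $2; level = $4; sub(/\)/, "", level); next }
        # Network-originated alerts carry the offending address; local events
        # such as syscheck changes have none and are reported as "-".
        /^Src IP: /    { src = $3; next }
        END {
            flush()
            for (k in count) print count[k], k
        }
    ' | sort -k2,2nr -k1,1nr
}

# Constructed sample of alerts.log records (not real traffic).
sample_alerts() {
    cat <<'EOF'
** Alert 1379783010.12345: mail  - syslog,sshd,authentication_failed,
2013 Sep 21 12:03:30 glt->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 61.147.116.109
User: root
Sep 21 12:03:29 glt sshd[1234]: Failed password for root from 61.147.116.109 port 2245 ssh2

** Alert 1379783012.12390: mail  - syslog,sshd,authentication_failed,
2013 Sep 21 12:03:32 glt->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 61.147.116.109
User: root
Sep 21 12:03:31 glt sshd[1234]: Failed password for root from 61.147.116.109 port 2245 ssh2

** Alert 1379783014.12430: mail  - syslog,sshd,authentication_failed,
2013 Sep 21 12:03:34 glt->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 61.147.116.109
User: root
Sep 21 12:03:33 glt sshd[1234]: Failed password for root from 61.147.116.109 port 2245 ssh2

** Alert 1379783020.12500: mail  - syslog,sshd,authentication_failures,
2013 Sep 21 12:03:40 glt->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 61.147.116.109
User: root
Sep 21 12:03:39 glt sshd[1240]: Failed password for root from 61.147.116.109 port 2250 ssh2

** Alert 1379783100.12600: mail  - syslog,sshd,authentication_failed,
2013 Sep 21 12:05:00 glt->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.50
User: bob
Sep 21 12:04:59 glt sshd[1300]: Failed password for bob from 192.168.1.50 port 51000 ssh2

** Alert 1379783400.12700: mail  - ossec,syscheck,
2013 Sep 21 12:10:00 glt->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
EOF
}

# Example run: everything at level 7 or above.
sample_alerts | ossec_alert_summary 7
```

Against the real file, `ossec_alert_summary 7 < /var/ossec/logs/alerts/alerts.log` is a quick morning check; the level threshold mirrors the alert level OSSEC itself uses to decide what is mailed.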
    

Install OSSEC Web User Interface (OSSEC WUI)


  1. Install Apache and PHP.


  2. [root@glt ~]# yum -y install httpd php mod_ssl openssl
    [root@glt ~]# chkconfig --levels 235 httpd on
    

  3. Open the Apache configuration file.


  4. [root@glt ossec]# vi /etc/httpd/conf/httpd.conf

  5. Change AllowOverride None to AllowOverride All inside the Directory block for the DocumentRoot, so that the .htaccess file the WUI setup script creates (it holds the HTTP basic-auth settings) is honoured. Consider also dropping Indexes from the Options line so Apache never serves directory listings.


  6. <Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    </Directory>

  7. Create a self-signed SSL certificate for Apache on CentOS 6, so that the WUI, and the admin password that HTTP basic auth sends with every request, travels over an encrypted connection rather than in the clear.


    • Generate private key

    • [root@glt ossec]# openssl genrsa -out ca.key 2048

    • Generate CSR

    • [root@glt ~]# openssl req -new -key ca.key -out ca.csr

    • Generate a self-signed certificate from the CSR, valid for 365 days (browsers will warn about it; for anything beyond a lab, have the CSR signed by a CA you control or trust instead)

    • [root@glt ~]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

    • Copy the files to the locations Apache expects. The private key must stay readable by root only (mode 600), so check its permissions after copying; the CSR is only needed until the certificate is issued, so copying it is optional.

    • [root@glt ~]# cp ca.crt /etc/pki/tls/certs/
      [root@glt ~]# cp ca.key /etc/pki/tls/private/
      [root@glt ~]# cp ca.csr /etc/pki/tls/private/
      

    • Point the SSL virtual host at the new certificate and key.
    • [root@glt ~]# vi /etc/httpd/conf.d/ssl.conf

    • Find the following two directives and make sure they reference the files copied above.

    • SSLCertificateFile /etc/pki/tls/certs/ca.crt
      SSLCertificateKeyFile /etc/pki/tls/private/ca.key
      


  8. Download the latest version of OSSEC web user interface.


  9. [root@glt ~]# wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz
    

  10. Extract the files from the tar and move the folder to web-server root directory.


  11. [root@glt ~]# tar -zxvf ossec-wui-0.3.tar.gz
    [root@glt ~]# mv ossec-wui-0.3 /var/www/html/ossec
    

  12. Run the setup.sh script 


  13. [root@glt ~]# cd /var/www/html/ossec/
    [root@glt ossec]# ./setup.sh
    Setting up ossec ui...
    
    Username: admin
    New password:
    Re-type new password:
    Adding password for user admin
    
    Setup completed successfuly.
    

  14. Add the web server user (apache) to the ossec group so PHP can read the alerts and logs under /var/ossec, and make the WUI's tmp directory writable by it:


  15. [root@glt ossec]# usermod -a -G ossec apache
    [root@glt ossec]# chmod 770 tmp/
    [root@glt ossec]# chgrp apache tmp/
    

  16. Start apache:


  17. [root@glt ossec]# /etc/init.d/httpd restart
    

Tuesday, September 17, 2013

Installing Fail2ban on Centos 6

Fail2ban scans log files for repeated failures (for example failed SSH logins) and, when a source IP crosses a threshold, adds a firewall rule that blocks that IP for a period of time. The ban time, the number of retries and the window in which they must occur are all configurable by the administrator of the system.


  1. Download the latest version of fail2ban. (It is also packaged in the EPEL repository, which is simpler to keep patched than a source install; the steps below build from the GitHub release tarball.)


  2. [root@glt ~]# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.8.10

  3. Extract the tarball and install with the setup.py script; this puts the fail2ban-server and fail2ban-client tools on the path and the configuration under /etc/fail2ban.


  4. [root@glt ~]# tar -xf 0.8.10
    [root@glt ~]# cd fail2ban-0.8.10
    [root@glt fail2ban-0.8.10]# python setup.py install
    
  5. Configure fail2ban. Edit /etc/fail2ban/jail.conf, or better put the settings below in /etc/fail2ban/jail.local, which is read after jail.conf and survives upgrades.


  6. [root@glt fail2ban-0.8.10]# vi /etc/fail2ban/jail.conf

    • Whitelist the addresses you administer the host from by adding them to the ignoreip line; otherwise a few mistyped passwords of your own will lock you out.
    • [DEFAULT]
      # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
      # ban a host which matches an address in this list. Several addresses can be
      # defined using space separator.
      ignoreip = 127.0.0.1
    • In the [ssh-iptables] section change enabled = false to enabled = true and set dest to the address that should receive the alerts. The logpath must point at the file sshd actually writes to; on CentOS that is /var/log/secure (a /var/log/sshd.log does not exist, and fail2ban will not start a jail whose log file is missing). The sendmail-whois line is a continuation of the action setting, so it has to stay indented under it.
    • [ssh-iptables]

      enabled  = true
      filter   = sshd
      action   = iptables[name=SSH, port=ssh, protocol=tcp]
                 sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@localhost]
      logpath  = /var/log/secure
      maxretry = 5

  7. Install the Red Hat init script so fail2ban starts at boot.


  8. [root@glt fail2ban-0.8.10]# cp ./files/redhat-initd /etc/init.d/fail2ban
    [root@glt fail2ban-0.8.10]# chkconfig --add fail2ban
    [root@glt fail2ban-0.8.10]# chkconfig fail2ban on
    

  9. Start fail2ban.


    [root@glt fail2ban-0.8.10]# service fail2ban start
    Starting fail2ban:                                         [  OK  ]
  10. The following shows an IP that fail2ban has banned: the fail2ban-SSH chain, which the jail inserted at the top of INPUT for port 22, now rejects 61.147.116.109. fail2ban-client status ssh-iptables reports the same list without reading iptables.


    [root@glt ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    DROP       icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     tcp  --  192.168.0.0/24       anywhere            tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain fail2ban-SSH (1 references)
    target     prot opt source               destination
    REJECT     all  --  61.147.116.109       anywhere            reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere
    [root@glt ~]#
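To see what the ssh-iptables jail would do before pointing it at a live log, the following is an added example (not from the original post and not fail2ban's own code): a POSIX shell/awk function that applies the jail's logic, maxretry failures from one address within findtime seconds, to auth-log lines and prints the addresses fail2ban would ban. It covers only the "Failed password/publickey" lines of the sshd filter, treats ignoreip as a list of plain addresses (no CIDR), and the log lines in sample_secure_log are constructed for the example.

```shell
#!/bin/sh
# Offline model of fail2ban's ssh-iptables jail: count failed sshd logins per
# source address inside a sliding window of FINDTIME seconds and report every
# address that reaches MAXRETRY, i.e. the ones fail2ban would ban.
# Usage: fail2ban_dry_run [MAXRETRY] [FINDTIME] [IGNOREIP] < /var/log/secure
# Output: "IP MON DAY TIME" for each ban, at the line that would trigger it.
fail2ban_dry_run() {
    maxretry="${1:-5}"; findtime="${2:-600}"; ignoreip="${3:-127.0.0.1}"
    awk -v maxretry="$maxretry" -v findtime="$findtime" -v ignoreip="$ignoreip" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " ")
            for (i in mn) month[mn[i]] = i
            # ignoreip here is a space-separated list of plain addresses only
            # (real fail2ban also accepts CIDR masks and host names).
            split(ignoreip, il, " ")
            for (i in il) ignore[il[i]] = 1
        }
        # Syslog timestamps carry no year; a monotone pseudo-epoch is enough to
        # measure the distance between two events in the same log file.
        function epoch(mon, day, hms,    t) {
            split(hms, t, ":")
            return (month[mon] * 31 + day) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        }
        # Subset of the sshd filter: only "Failed password/publickey" lines.
        /sshd\[[0-9]+\]: Failed (password|publickey) for / {
            if (!match($0, / from [0-9.]+/)) next
            ip = substr($0, RSTART + 6, RLENGTH - 6)
            if (ip in ignore) next
            ts = epoch($1, $2, $3)
            n[ip]++; seen[ip, n[ip]] = ts
            # Failures still inside the window, counting this one.
            recent = 0
            for (i = 1; i <= n[ip]; i++)
                if (ts - seen[ip, i] <= findtime) recent++
            if (recent >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip, $1, $2, $3
            }
        }
    '
}

# Constructed /var/log/secure excerpt (not real traffic).
sample_secure_log() {
    cat <<'EOF'
Sep 21 12:03:29 glt sshd[1234]: Failed password for root from 61.147.116.109 port 2245 ssh2
Sep 21 12:03:31 glt sshd[1234]: Failed password for root from 61.147.116.109 port 2245 ssh2
Sep 21 12:03:33 glt sshd[1234]: Failed password for root from 61.147.116.109 port 2245 ssh2
Sep 21 12:03:40 glt sshd[1240]: Invalid user admin from 61.147.116.109
Sep 21 12:03:40 glt sshd[1240]: Failed password for invalid user admin from 61.147.116.109 port 2250 ssh2
Sep 21 12:03:42 glt sshd[1240]: Failed password for invalid user admin from 61.147.116.109 port 2250 ssh2
Sep 21 12:03:50 glt sshd[1244]: Failed password for root from 61.147.116.109 port 2260 ssh2
Sep 21 12:10:01 glt sshd[1300]: Failed password for bob from 10.0.0.7 port 51000 ssh2
Sep 21 12:10:05 glt sshd[1300]: Failed password for bob from 10.0.0.7 port 51000 ssh2
Sep 21 12:10:09 glt sshd[1300]: Accepted password for bob from 10.0.0.7 port 51000 ssh2
Sep 21 13:00:00 glt sshd[1400]: Failed password for root from 203.0.113.9 port 4000 ssh2
Sep 21 13:20:00 glt sshd[1401]: Failed password for root from 203.0.113.9 port 4001 ssh2
Sep 21 13:40:00 glt sshd[1402]: Failed password for root from 203.0.113.9 port 4002 ssh2
Sep 21 14:00:00 glt sshd[1403]: Failed password for root from 203.0.113.9 port 4003 ssh2
Sep 21 14:20:00 glt sshd[1404]: Failed password for root from 203.0.113.9 port 4004 ssh2
Sep 21 14:30:00 glt sshd[1500]: Failed password for root from 192.168.1.50 port 5000 ssh2
Sep 21 14:30:02 glt sshd[1500]: Failed password for root from 192.168.1.50 port 5000 ssh2
Sep 21 14:30:04 glt sshd[1500]: Failed password for root from 192.168.1.50 port 5000 ssh2
Sep 21 14:30:06 glt sshd[1500]: Failed password for root from 192.168.1.50 port 5000 ssh2
Sep 21 14:30:08 glt sshd[1500]: Failed password for root from 192.168.1.50 port 5000 ssh2
EOF
}

# Example run with the jail settings from this post (maxretry 5, the 0.8.x
# default findtime of 600 s) and the management network whitelisted.
sample_secure_log | fail2ban_dry_run 5 600 "127.0.0.1 192.168.1.50"
```

Two things the sample makes visible: the slow scan from 203.0.113.9 (one attempt every 20 minutes) never accumulates five failures inside a 600 second window, so a longer findtime is needed to catch it, and a whitelisted address is never banned however many failures it produces, which is exactly why ignoreip should hold only addresses you control.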
    

Friday, September 13, 2013

Vi Editor Tutorial Cheat Sheet

Starting vi


To start vi at the prompt enter:

[root@ts3 ~]# vi filename

If the file does not exist vi will create it for you.

Command Mode and Input Mode


When you first open a file with vi it takes you to command mode. To get to input mode type "i" :

i

To return to command mode press the ESC key:

[Esc]

Deleting Text


To delete text using the following commands you have to be in command mode:

Command      Function
x            Delete the character that the cursor is on
[Shift] d    Delete from the cursor to the end of the line
db           Delete from the cursor to the beginning of the current word
de           Delete from the cursor to the end of the current word
dd           Delete the current line that the cursor is on
d [Shift] g  Delete from the current line to the bottom of the file


Undo



To undo changes or line deletions you have to be in command mode and type the following:

u

Goto



To go to a particular line in a file, go to command mode and type :linenumber :

:14

You can also type in the line number followed by:

[Shift] g

To see what line you are on (vi prints the file name and the current line number at the bottom of the screen):

[Ctrl] g

To display all the line numbers:

:set number

To go to a particular line in a file while opening a file with vi:

[root@ts3 ~]# vi +45 filename

To go to a particular pattern in a file while opening a file with vi:

[root@ts3 ~]# vi +/pattern filename

Search



To search forward for some text, use the / (forward slash) command:

/pattern

To look for the next occurrence of that pattern:

n

To look for the previous occurrence of that pattern:

[Shift] n

To find and replace that pattern throughout the file (the g flag replaces every occurrence on each line, not just the first):

:%s/pattern/replacement/g

Saving Work



To save changes go to command mode and type:

:w

To save a file with a different filename:

:w filename

To save and exit:

:wq

To exit without saving:

:q!

Monday, September 9, 2013

Configure Static IP Address in CentOS: Quick Howto

The configuration files for network interfaces live in /etc/sysconfig/network-scripts/ifcfg-<iface>. To give eth0 a static IP address on CentOS, make the following changes to /etc/sysconfig/network-scripts/ifcfg-eth0 (keep the HWADDR and UUID lines your own file already has; the values below are from the author's machine):
DEVICE=eth0
HWADDR=08:00:27:65:8E:AE
TYPE=Ethernet
UUID=2d9f0a42-8d66-4a5b-a50d-b10016262c5a
# activate interface at startup
ONBOOT=yes
NM_CONTROLLED=yes
# static IP: "none" (or "static") tells the network scripts not to run DHCP
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.204
GATEWAY=192.168.1.1
# do not allow non-root users to enable and disable the interface
USERCTL=no
To configure DNS servers, add nameserver lines to /etc/resolv.conf. Be aware that the network scripts and NetworkManager rewrite this file when the interface comes up if PEERDNS is enabled (the default), so the persistent way is to set DNS1= and DNS2= in the ifcfg file, from which resolv.conf is then generated:
nameserver 8.8.8.8
nameserver 8.8.4.4
For the changes to take effect, restart the network service. If you are connected over SSH, double-check the file first: a typo in IPADDR, NETMASK or GATEWAY drops your session with no way back in except the console:
service network restart
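Before restarting the network on a remote host it is worth checking the file for the mistakes that lock you out. The following is an added example, not from the original post: a POSIX shell function that reads an ifcfg file from standard input and verifies that BOOTPROTO is a documented value, ONBOOT is set, the addresses parse, and the gateway lies inside the interface's own subnet. The sample files are constructed; one of them carries BOOTPROTO=no, a value that the CentOS 6 scripts happen to treat as static but that is not documented, and another puts the gateway on a different /24.

```shell
#!/bin/sh
# Sanity-check an ifcfg-* file before "service network restart".
# Usage: ifcfg_check < /etc/sysconfig/network-scripts/ifcfg-eth0
# Exit status 0 when the configuration is consistent, 1 otherwise.

# Dotted quad -> 32-bit integer (e.g. 192.168.1.204 -> 3232235980).
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when the argument is exactly four decimal octets in 0..255.
ip_valid() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

ifcfg_check() {
    bootproto=""; ipaddr=""; netmask=""; gateway=""; onboot=""
    while IFS='=' read -r key val; do
        val=${val%\"}; val=${val#\"}          # ifcfg values may be quoted
        case "$key" in
            BOOTPROTO) bootproto=$val ;;
            IPADDR)    ipaddr=$val ;;
            NETMASK)   netmask=$val ;;
            GATEWAY)   gateway=$val ;;
            ONBOOT)    onboot=$val ;;
        esac
    done
    [ "$onboot" = yes ] || { echo "error: ONBOOT=$onboot, interface stays down after a reboot"; return 1; }
    case "$bootproto" in
        dhcp|bootp) echo "ok: $bootproto"; return 0 ;;
        none|static) ;;
        *) echo "error: BOOTPROTO must be none, static, dhcp or bootp (got '$bootproto')"; return 1 ;;
    esac
    for v in "$ipaddr" "$netmask" "$gateway"; do
        ip_valid "$v" || { echo "error: '$v' is not a valid dotted-quad address"; return 1; }
    done
    # The gateway must be on the interface's own network or no route is installed.
    mask=$(ip2int "$netmask")
    if [ $(( $(ip2int "$ipaddr") & mask )) -ne $(( $(ip2int "$gateway") & mask )) ]; then
        echo "error: gateway $gateway is not inside $ipaddr/$netmask"
        return 1
    fi
    echo "ok: $ipaddr/$netmask via $gateway"
}

# Constructed sample files.
sample_ifcfg_good() {
    cat <<'EOF'
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.204
GATEWAY=192.168.1.1
DNS1=8.8.8.8
USERCTL=no
EOF
}
# "no" is not a documented BOOTPROTO value.
sample_ifcfg_bad_bootproto() { sample_ifcfg_good | sed 's/^BOOTPROTO=none/BOOTPROTO=no/'; }
# Gateway on another /24: the host comes up with no default route.
sample_ifcfg_bad_gateway() { sample_ifcfg_good | sed 's/^GATEWAY=.*/GATEWAY=192.168.2.1/'; }

# Example run.
sample_ifcfg_good | ifcfg_check
sample_ifcfg_bad_gateway | ifcfg_check || true
```

Run it as `ifcfg_check < /etc/sysconfig/network-scripts/ifcfg-eth0 && service network restart` so the restart only happens when the file passes.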

Friday, September 6, 2013

Basic Howto on IPTables on Centos

IPTables is the user-space tool for administering IPv4 packet filtering and NAT in the Linux kernel's netfilter framework. It is used to set up, maintain, and inspect the packet filter rules, and it is installed and enabled by default on CentOS 5.x and 6.x, where the default ruleset lets only SSH in.

IPTables organises rules into tables (filter, nat, mangle and raw are the ones you will normally meet). Each table contains chains and each chain holds an ordered list of rules, evaluated top to bottom with the first match deciding the packet's fate. The filter table is the one the default CentOS firewall populates and the one iptables operates on when no -t option is given. It has 3 predefined chains to which rules are added:
  • INPUT chain – Incoming to firewall. For packets coming to the local server.
  • OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server.
  • FORWARD chain – Packets routed through the local server from one interface to another (only relevant when IP forwarding is enabled).


List rules in the filter table


The following displays the rules in the filter table. -L lists the rules, -n shows addresses and ports numerically instead of resolving names (faster, and no DNS lookups), -v adds packet and byte counters, and --line-numbers numbers each rule, which is what -D, -I and -R below refer to:

iptables -nvL  --line-numbers

[root@glt ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    3777K 5463M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2       80  2837 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       10   440 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4      186 10820 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5      900 60201 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 2329K packets, 141M bytes)
num   pkts bytes target     prot opt in     out     source               destination


Appending Rules


The following adds a rule at the end of the specified chain. -A appends, -p selects the protocol, --dport the destination port, and -j ACCEPT jumps to the ACCEPT target. Look at the result: the new rule becomes number 6, after the catch-all REJECT at number 5, so it is never reached (its counters stay at 0 no matter how much traffic arrives on port 80). Rules are evaluated top to bottom and the first match wins, which is why the default CentOS ruleset has to be extended with -I rather than -A:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

[root@glt ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@glt ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    3777K 5463M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2       80  2837 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       10   440 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4      186 10820 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5      901 60241 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@glt ~]#


Deleting Rules


To delete a rule you must know its position in the chain (from --line-numbers) and use -D; -D INPUT followed by the full rule specification works as well. Here the unreachable rule 6 appended above is removed:

iptables -D INPUT 6

[root@glt ~]# iptables -D INPUT 6
[root@glt ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    3777K 5463M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2       80  2837 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       10   440 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4      186 10820 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5      903 60369 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 55 packets, 5156 bytes)
num   pkts bytes target     prot opt in     out     source               destination


Inserting Rules


The following commands insert rules with -I at positions 5 and 6, i.e. before the catch-all REJECT, which moves down to 7:

iptables -I INPUT 5 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 6 -p tcp --dport 443 -j ACCEPT

[root@glt ~]# iptables -I INPUT 5 -p tcp --dport 80 -j ACCEPT
[root@glt ~]# iptables -I INPUT 6 -p tcp --dport 443 -j ACCEPT
[root@glt ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    3777K 5463M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2       82  2954 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       10   440 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4      186 10820 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
7      905 60465 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 52 packets, 4976 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@glt ~]#


Replacing Rules


Using the -R option an existing rule at a given position is replaced; here the port 80 rule is narrowed to the 192.168.0.0/24 network:

 iptables -R INPUT 5 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT

[root@glt ~]# iptables -R INPUT 5 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
[root@glt ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    3777K 5463M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2       83  3015 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       10   440 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4      186 10820 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpt:80
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
7      917 61834 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 3 packets, 436 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Another example: replace rule 2, which accepts all ICMP, with one that drops echo-requests (ping). Any other ICMP type that is not RELATED to an existing connection now falls through to the final REJECT, since no rule accepts it any more.

[root@glt ~]# iptables -R INPUT 2 -p icmp --icmp-type echo-request -j DROP
[root@glt ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    3782K 5464M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
3       10   440 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4      503 29488 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpt:80
6        8   348 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
7     1530  101K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 40 packets, 3952 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@glt ~]#

Saving changes to the filter table


Rule changes made with the iptables command live only in the running kernel and are lost at reboot. iptables-save prints the whole ruleset in a text form that iptables-restore loads back (iptables-restore < iptables.dump). Note that a dump in your home directory is not what CentOS loads at boot: the iptables init script reads /etc/sysconfig/iptables, so make changes persistent with service iptables save, which writes that file. A dump like the one below is still useful for reviewing a ruleset or diffing it against a known-good copy:

 iptables-save > iptables.dump 

[root@glt ~]#  iptables-save > iptables.dump
[root@glt ~]# ls
anaconda-ks.cfg                      install.log
HoneyDrive_0.2_Nectar_edition.ova    install.log.syslog
HoneyDrive_0.2_Nectar_edition.ova.1  iptables.dump
[root@glt ~]# cat iptables.dump
# Generated by iptables-save v1.4.7 on Thu Sep  5 22:48:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23:4220]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Sep  5 22:48:36 2013
[root@glt ~]#
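The appended port 80 rule in the Appending Rules step above never matched because it landed after the catch-all REJECT. The following is an added example, not part of the original post: a POSIX shell/awk function that reads an iptables-save dump (the format shown above, or /etc/sysconfig/iptables) and lists rules that sit after an unconditional ACCEPT, DROP or REJECT in the same chain, so the mistake is caught before the ruleset is saved. The dump in sample_dump is constructed from this page's final ruleset, with a fail2ban chain and an unreachable port 8080 rule added.

```shell
#!/bin/sh
# Find rules that can never match because an unconditional terminal rule
# (-j ACCEPT/DROP/REJECT with no match criteria) precedes them in the chain.
# Usage: iptables-save | iptables_unreachable
#        iptables_unreachable < /etc/sysconfig/iptables
iptables_unreachable() {
    awk '
        # A new table ("*filter", "*nat", ...) starts a fresh set of chains.
        /^\*/ { split("", sealed); next }
        /^-A / {
            chain = $2
            if (chain in sealed) {
                print "unreachable: " $0
                next
            }
            # Only "-A CHAIN -j TARGET [--reject-with X]" matches everything.
            # A jump to a user chain (e.g. fail2ban-SSH) or to RETURN does not
            # seal the chain, and neither does a rule with -s/-p/-m/-i criteria.
            if ($0 ~ /^-A [^ ]+ -j (ACCEPT|DROP|REJECT)( --reject-with [^ ]+)?$/)
                sealed[chain] = $0
        }
    '
}

# Constructed dump: this page's final ruleset plus a fail2ban chain and one
# rule appended after the catch-all REJECT.
sample_dump() {
    cat <<'EOF'
# Generated by iptables-save v1.4.7 (constructed example)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A fail2ban-SSH -s 61.147.116.109/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN
COMMIT
EOF
}

# Example run: reports only the port 8080 rule.
sample_dump | iptables_unreachable
```

Because the check works on the saved text rather than on the live kernel, it can run on any host as a pre-commit or review step for firewall files, and it needs no root.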