Saturday, September 21, 2013

Host Based Intrusion Detection System: OSSEC

A host-based intrusion detection system (HIDS) is software that runs on the host itself and monitors its logs, files and processes for signs of compromise (OSSEC does log analysis, file integrity checking, rootkit detection and active response). On CentOS I chose OSSEC as my HIDS; the following is the method I used to install it.

  1. Install the build tools needed to compile OSSEC.

     [root@glt ~]# yum -y install gcc gcc-c++ autoconf automake

  2. Download the latest version of OSSEC.

     [root@glt ~]# wget http://www.ossec.net/files/ossec-hids-latest.tar.gz

  3. Extract the tarball and run the "install.sh" script (the directory name carries the version inside the tarball, 2.7 at the time of writing).

     [root@glt ~]# tar -zxvf ossec-hids-latest.tar.gz
     [root@glt ~]# cd ossec-hids-2.7
     [root@glt ossec-hids-2.7]# ./install.sh

     When asked what kind of installation you want, choose "local" for a single host. Choose "server" if you plan on accepting logs from remote agents. Accept the default values for the remaining options.

  4. Start OSSEC HIDS:

     [root@glt ~]# /var/ossec/bin/ossec-control start

  5. Stop OSSEC HIDS:

     [root@glt ~]# /var/ossec/bin/ossec-control stop
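The same install driven without prompts, as an added example that is not code from the original post or from the OSSEC project. OSSEC's install.sh reads etc/preloaded-vars.conf from the unpacked source tree; the USER_* variable names below are the ones documented in that file in OSSEC 2.7, so check them against the copy in your own tarball before relying on them. The tarball name, the ossec-hids-2.7 directory and the /var/ossec path follow the page; the checksum comparison is an added step and assumes you look the published value up on ossec.net yourself.

```bash
#!/bin/sh
# Added example, not code from the original post or from the OSSEC project:
# the page's install steps driven without prompts.  install.sh reads
# etc/preloaded-vars.conf from the unpacked source tree; the USER_* names
# below are the ones documented in that file in OSSEC 2.7.  Check them
# against the copy in your own tarball before relying on them.
set -eu

OSSEC_TARBALL="ossec-hids-latest.tar.gz"   # file name used on the page
OSSEC_SRC="ossec-hids-2.7"                 # directory it unpacks to (page's version)

# install.sh accepts exactly these installation types.
valid_install_type() {
    case "$1" in
        local|server|agent) return 0 ;;
        *) return 1 ;;
    esac
}

# Write etc/preloaded-vars.conf so install.sh asks nothing.
#   $1 = source dir, $2 = install type, $3 = manager IP (agent only)
# Prints the path of the file it wrote.
write_preloaded_vars() {
    src="$1"; itype="$2"; server_ip="${3:-}"
    if ! valid_install_type "$itype"; then
        echo "install type must be local, server or agent, not '$itype'" >&2
        return 1
    fi
    if [ "$itype" = agent ] && [ -z "$server_ip" ]; then
        echo "an agent install needs the manager's IP" >&2
        return 1
    fi
    mkdir -p "$src/etc"
    {
        echo 'USER_LANGUAGE="en"'
        echo 'USER_NO_STOP="y"'               # no "press Enter to continue"
        echo "USER_INSTALL_TYPE=\"$itype\""
        echo 'USER_DIR="/var/ossec"'
        echo 'USER_ENABLE_SYSCHECK="y"'       # file integrity checking
        echo 'USER_ENABLE_ROOTCHECK="y"'      # rootkit detection
        echo 'USER_ENABLE_ACTIVE_RESPONSE="y"'
        echo 'USER_ENABLE_EMAIL="n"'          # enable once an SMTP relay exists
        if [ "$itype" = agent ]; then
            echo "USER_AGENT_SERVER_IP=\"$server_ip\""
        fi
    } > "$src/etc/preloaded-vars.conf"
    echo "$src/etc/preloaded-vars.conf"
}

# The page's steps 1-4 end to end.  Run as root.
unattended_install() {
    itype="$1"; server_ip="${2:-}"
    yum -y install gcc gcc-c++ autoconf automake
    wget "http://www.ossec.net/files/$OSSEC_TARBALL"
    # Compare this against the checksum published on ossec.net before
    # compiling and running anything from the archive.
    sha1sum "$OSSEC_TARBALL"
    tar -zxf "$OSSEC_TARBALL"
    write_preloaded_vars "$OSSEC_SRC" "$itype" "$server_ip"
    (cd "$OSSEC_SRC" && ./install.sh)
    /var/ossec/bin/ossec-control start
    /var/ossec/bin/ossec-control status    # every daemon should report "is running"
}

# Usage: sh ossec-install.sh local
#        sh ossec-install.sh agent 192.0.2.10
case "${1:-}" in
    local|server|agent) unattended_install "$1" "${2:-}" ;;
esac
```

Running it with no argument only defines the functions, so the file can be sourced and write_preloaded_vars called on its own to inspect what install.sh will be told before anything is compiled. The agent branch refuses to run without a manager IP because install.sh would otherwise stop and prompt for it.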
    

Install OSSEC Web User Interface (OSSEC WUI)


  1. Install Apache, PHP and mod_ssl, and make httpd start at boot.

     [root@glt ~]# yum -y install httpd php mod_ssl openssl
     [root@glt ~]# chkconfig --levels 235 httpd on

  2. Open the Apache configuration file.

     [root@glt ossec]# vi /etc/httpd/conf/httpd.conf

  3. Inside the DocumentRoot <Directory> directive change AllowOverride None to AllowOverride All, so that the .htaccess file the WUI's setup.sh creates (HTTP Basic authentication) is honoured. AllowOverride AuthConfig on just the ossec directory is all the WUI actually needs and is the tighter choice.

     <Directory "/var/www/html">
     Options Indexes FollowSymLinks
     AllowOverride All
     Order allow,deny
     Allow from all
     </Directory>

  4. Create an SSL certificate for Apache on CentOS 6, so that the WUI login and the alert data it displays travel over an encrypted connection instead of clear-text HTTP.

     • Generate the private key

       [root@glt ossec]# openssl genrsa -out ca.key 2048

     • Generate a certificate signing request (CSR)

       [root@glt ~]# openssl req -new -key ca.key -out ca.csr

     • Generate a self-signed certificate from the CSR (valid for one year)

       [root@glt ~]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

     • Copy the files to the correct locations. The private key must stay readable by root only; the CSR is only needed if you later have the certificate signed by a CA.

       [root@glt ~]# cp ca.crt /etc/pki/tls/certs/
       [root@glt ~]# cp ca.key /etc/pki/tls/private/
       [root@glt ~]# cp ca.csr /etc/pki/tls/private/

     • Point the SSL virtual host at the new certificate.

       [root@glt ~]# vi /etc/httpd/conf.d/ssl.conf

     • Find the following two directives and make sure they point at the files you just copied.

       SSLCertificateFile /etc/pki/tls/certs/ca.crt
       SSLCertificateKeyFile /etc/pki/tls/private/ca.key

  5. Download the latest version of the OSSEC web user interface.

     [root@glt ~]# wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz

  6. Extract the tarball and move the folder into the web server's document root.

     [root@glt ~]# tar -zxvf ossec-wui-0.3.tar.gz
     [root@glt ~]# mv ossec-wui-0.3 /var/www/html/ossec

  7. Run the setup.sh script. It asks for the password of the WUI's "admin" user and writes the .htaccess/.htpasswd pair that protects the directory.

     [root@glt ~]# cd /var/www/html/ossec/
     [root@glt ossec]# ./setup.sh
     Setting up ossec ui...

     Username: admin
     New password:
     Re-type new password:
     Adding password for user admin

     Setup completed successfuly.

  8. Add the web server user (apache) to the ossec group, so that PHP can read the alert logs under /var/ossec, and hand the WUI's tmp/ directory to that user:

     [root@glt ossec]# usermod -a -G ossec apache
     [root@glt ossec]# chmod 770 tmp/
     [root@glt ossec]# chgrp apache tmp/

  9. Restart Apache so that the new group membership and the SSL configuration take effect:

     [root@glt ossec]# /etc/init.d/httpd restart
