OSSEC linux(server) windows(agent)史上最详细中文配置

OSSEC linux(server) windows(agent)史上最详细中文配置

作者：谭丙章
E-mail:feifengwind@163.com

ossec官方网站：http://www.ossec.net/
ossec帮助文档：http://ossec-docs.readthedocs.org/en/latest/manual/index.html

介绍

SSEC是一款开源的多平台的入侵检测系统，可以运行于Windows, Linux, OpenBSD/FreeBSD, 以及 MacOS等操作系统中。包括了日志分析，全面检测，root-kit检测，政策监控，实时报警和积极响应。

现在已经有新版本Latest Stable Release (2.8.3)
下载地址：http://ossec.github.io/downloads.html

部署

Ossec部署方式为C/S，以下server：192.168.1.16
agent：192.168.1.19
linux系统为最新版centos7
windows系统为windows8.1

服务器安装及配置

服务器ip:192.168.1.16

由于centos7自带的SElinux会拦截，阻止太多的东西，避免麻烦，这里 我们把SElinux关闭！
geidt /etc/selinux/config
编辑/etc/selinux/config，找到SELINUX 行修改成为：SELINUX=disabled
然后重新启动。

我们需要开启80端口，CentOS 7.0默认使用的是firewall作为防火墙，这里我们把centos7的防火墙换成iptables
关闭firewall：
systemctl stop firewalld.service #停止firewall
systemctl disable firewalld.service #禁止firewall开机启动
安装iptables防火墙
yum install iptables-services #安装
gedit /etc/sysconfig/iptables #编辑防火墙配置文件
原文件清空，复制粘贴保存：
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 3306 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 514 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 1514 -j ACCEPT
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -j REJECT –reject-with icmp-host-prohibited
COMMIT
因为ossec通信是用udp 514,1514端口（可以用命令：# netstat -unlp|grep ossec 查看）所以加了下面这两句
-A INPUT -m state –state NEW -m udp -p udp –dport 514 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 1514 -j ACCEPT

好了，iptables配置好了，现在，我们开启iptables:
systemctl restart iptables.service #最后重启防火墙使配置生效
systemctl enable iptables.service #设置防火墙开机启动

防火墙开启成功，我们来接着安装一些必要的工具：
yum install gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat wget unzip -y
安装mysql数据库，appach,php：
yum install mysql mysql-server mysql-devel httpd php php-mysql –y
我们把从官网下载下来的ossec-hids-2.8.3.tar.gz解压：
tar -xzf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8
cd src/
make setdb #使其支持mysql数据库
接下来提示：
Error: PostgreSQL client libraries notinstalled.
Info: Compiled with MySQL support. #ossec支持mysql数据库
cd ../
./install.sh
下面是安装过程:
cn #选择语言
Enter #继续
Server #安装为server
/var/ossec #安装目录
- Do you want e-mail notification? (y/n)[y]: y
- What’s your e-mail address? Your_mail@163.com
- What’s your SMTP server ip/host? 127.0.0.1
Enter # Running syscheck (integrity check daemon)
Enter # Running rootcheck (rootkit detection)
Enter #Active response enabled
Enter # firewall-drop enabled (local) for levels >= 6
Do you want to add more IPs to the whitelist? (y/n)? [n]: y #设置ip白名单
-IPs (space separated):#把客户端和服务端的ip都加上去
3.5- Do you want to enable remote syslog(port 514 udp)? (y/n) [y]:Enter
Enter #开始安装

安装完毕，下面我们来配置
使oosec支持mysql，并建立mysql表：
/var/ossec/bin/ossec-control enable database
service mysqld start
/usr/bin/mysql_secure_installation
mysql -uroot -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost identified by 'ossec';
mysql> flush privileges;
mysql> \q

mysql -uossec -p ossec < src/os_dbd/mysql.schema 

Enter password:
gedit /usr/local/ossec/etc/ossec.conf #在最后添加
<ossec_config>
<database_output>
<hostname>localhost</hostname>
<username>ossec</username>
<password>ossec</password>
<database>ossec</database>
<type>mysql</type>
</database_output>
</ossec_config>
保存，退出。
添加128行内容，允许此网段的日志,如果有其他ip需要设置白名单，依次添加即可
<remote>
<connection>syslog</connection>
<allowed-ips>192.168.1.0/24</allowed-ips> #128行
</remote>

/var/ossec/bin/ossec-control restart

此时，邮箱已经收到邮件了。

添加agent客户端

/var/ossec/bin/manage_agents
下面依次：
A #add
Please provide the following:
*A name for the new agent: agent1
*The IP Address of the new agent: 192.168.1.19 #agent端的ip地址
*An ID for the new agent[001]: 001
Agent information:
ID:001
Name:agent1
IPAddress:192.168.1.19
Confirm adding it?(y/n): y
Agent added.

然后Enter后 又继续：
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: agent1, IP: 192.168.1.19
Provide the ID of the agent to extract thekey (or ‘\q’ to quit): 001
Agent key information for ‘001’ is: #复制这个秘钥，客户端需要

然后Enter后输入Q退出

客户端配置

这里我们配置的客户端是在windows上的：
下载客户端exe: https://bintray.com/artifact/download/ossec/ossec-hids/ossec-agent-win32-2.8.3.exe
然后默认安装
注意：运行时要以管理员权限运行，即以Administrator运行
首先到安装目录下运行manage_agents.exe
输入你的服务器IP，我这里是：192.168.1.16
然后粘贴你复制下来的秘钥

再运行win32ui.exe

点击View config
在<ossec_config>下面增加你的server ip ，上面有格式。保存关闭后
然后再在

中输入你的Server ip和 key(复制下来的秘钥)，然后Save,运行。

安装web界面

ossec-wui界面

cd /var/www
unzip ossec-wui-master.zip
mv ossec-wui-master html/ossec
cd html/ossec/
./setup.sh
Setting up ossec ui…

Username: ossec
New password:
Re-type new password:
Adding password for user ossec
Enter your web server user name (e.g.apache, www, nobody, www-data, …)
apache
Enter your OSSEC install directory path(e.g. /var/ossec)
/var/ossec
You must restart your web server after thissetup is done.

Setup completed successfuly.
gedit /etc/httpd/conf.d/ossec.conf

Alias /ossec/ "/var/www/html/ossec/"  

<Directory /var/www/html/ossec>  
Order deny,allow  
Deny from all  
Allow from 192.168.1.0/24  

Options FollowSymLinks  #外网访问配置，把上面注释或删除
AllowOverride None      #外网访问配置
Order deny,allow        #外网访问配置
allow from all          #外网访问配置

Options -MultiViews
AuthName "OSSEC AUTH"
AuthType Basic
AuthUserFile /var/www/html/ossec/.htpasswd
Require valid-user
</Directory>  

保存退出。
chown apache:apache *
service httpd restart

analogi界面

cd /var/www/html
wget https://github.com/ECSC/analogi/archive/master.zip
unzip master.zip
mv analogi-master ossec/analogi
chown apache.apache -R ossec
cd ossec/analogi
cp db_ossec.php.new db_ossec.php

gedit db_ossec.php

define ('DB_USER_O', 'ossec');
define ('DB_PASSWORD_O', 'ossec');
define ('DB_HOST_O', 'localhost');
define ('DB_NAME_O', 'ossec');  

gedit /etc/httpd/conf.d/analogi.conf

Alias /analogi/ "/var/www/html/ossec/analogi/" 

<Directory /var/www/html/ossec/analogi>
Order deny,allow
Deny from all
Allow from 192.168.1.0/24

Options FollowSymLinks   #外网访问配置，把上面注释或删除
AllowOverride None       #外网访问配置
Order deny,allow         #外网访问配置
allow from all           #外网访问配置

</Directory>

service httpd restart

查看状态信息

/var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of availableagents:
ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1,Active/Local
ID: 001, Name: agent1, IP: 192.168.22.241, Active
/var/ossec/bin/list_agents -a
agent1-192.168.1.19 is available.
/var/ossec/bin/ossec-control status
ossec-monitord is running…
ossec-logcollector is running…
ossec-remoted is running…
ossec-syscheckd is running…
ossec-analysisd is running…
ossec-maild is running…
ossec-execd is running…
ossec-dbd is running…

OSSEC的图形界面

analogi图形界面