Defense in Depth using OSSEC and other free tools

Russ McRee wrote an excellent article about OSSEC for the October 2009 issue of ISSA Journal. (Disclaimer: I contributed to the article.) He then went into some further detail on his blog.

In a recent SANS 401 Mentor session, I used OSSEC in my demo of building a secure web server on defense-in-depth principles. My rough notes are below. All of the software is freely available, and the whole process can be done in under an hour. Once completed, OSSEC monitors all of the system logs (SSH, Apache, mod_security, iptables, Wordpress) and can optionally provide Active Response, blocking attackers' source IP addresses.

# Base install of CentOS 5.4
# Reboot
# Allow SSH and HTTP in firewall
yum -y update && reboot
# Add EPEL repo
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
vi /etc/yum.repos.d/epel.repo
# Add this line:
includepkgs=mod_security* lua* alpine* wordpress*
# Install CMS, web server, and database
yum -y install wordpress mysql-server
# Set services to start on boot and start them now
for i in httpd mysqld
do
chkconfig $i on
service $i start
done

# Secure the database
/usr/bin/mysql_secure_installation
mysql -p
create database wordpress;
grant all privileges on wordpress.* to wordpress@localhost identified by 'MyStrongPassphrase';
flush privileges;
exit
vi /etc/wordpress/wp-config.php
# Configure for wordpress database just created
# Test Wordpress
# Look at logs in /var/log/

# Wordpress --> Syslog
cd /usr/share/wordpress/wp-content/plugins
wget http://www.ossec.net/files/other/wpsyslog2.tar.gz
tar zxvf wpsyslog2.tar.gz
# Wordpress admin interface --> activate WPsyslog2 plugin
# Test logging into Wordpress, creating/deleting posts, verify logging

# Firewall logging
iptables -I RH-Firewall-1-INPUT 11 -j LOG --log-prefix="DROP "
service iptables save
# Test firewall logging (nmap)

# WAF (Web Application Firewall)
yum -y install mod_security
service httpd restart
# Test WAF by accessing site by IP address instead of hostname
# Test WAF by trying to do an /etc/passwd attack
# Look at rules in /etc/httpd/modsecurity.d/

# NIDS (Network Intrusion Detection System)
yum -y install alpine perl-libwww-perl libpcap-devel pcre-devel gcc
# Download Snort:
cd /usr/local/src/
mkdir snort && cd snort
wget http://dl.snort.org/snort-current/snort-2.8.5.2.tar.gz
tar zxvf snort-2.8.5.2.tar.gz
cd snort-2.8.5.2
./configure && make && make install
mkdir -p /etc/snort/rules
cd etc
cp * /etc/snort/
mkdir /var/log/snort
adduser snort
passwd -l snort
chown snort:snort /var/log/snort
# Download PulledPork:
cd /usr/local/src/
mkdir pulledpork && cd pulledpork
wget http://pulledpork.googlecode.com/files/pulledpork-0.3.4.tar.gz
tar zxvf pulledpork-0.3.4.tar.gz
cd pulledpork-0.3.4
vi pulledpork.conf
oinkcode=InsertYourOinkcodeHere
tar_path=/bin/tar
rule_path=/etc/snort/rules/
sid_msg=/etc/snort/sid-msg.map
sid_changelog=/var/log/snort/sid_changes.log
#sorule_path=/usr/local/lib/snort_dynamicrules/
config_path=/etc/snort/snort.conf
distro=CentOS-5.0
chmod +x pulledpork.pl
./pulledpork.pl -c pulledpork.conf
vi /etc/snort/snort.conf
var RULE_PATH /etc/snort/rules
#include local.rules
# Test run
/usr/local/bin/snort -i eth1 -c /etc/snort/snort.conf -u snort -g snort
# Daemon mode
/usr/local/bin/snort -i eth1 -c /etc/snort/snort.conf -u snort -g snort -D
# Start at boot
echo "/usr/local/bin/snort -i eth1 -c /etc/snort/snort.conf -u snort -g snort -D" >> /etc/rc.local
# Test Snort with idswakeup and verify logs in /var/log/snort/

# HIDS (Host Intrusion Detection System)
cd /usr/local/src/
mkdir ossec && cd ossec
wget http://www.ossec.net/files/ossec-hids-2.3.tar.gz
tar zxvf ossec-hids-2.3.tar.gz
cd ossec-hids-2.3
./install.sh
# Local installation
# Email to root@localhost
# Enable Active Response, whitelist host IP
service ossec start
# Test HIDS alerting
# Test OSSEC Active Response using nmap, idswakeup, SSH brute force, Wordpress brute force
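As an added example (not from the original notes or the OSSEC project), the following Python script models the frequency/timeframe alerting and the Active Response decision that OSSEC applies to two of the log sources wired up above: sshd failures in /var/log/secure and the iptables LOG lines carrying the "DROP " prefix. The line formats, timestamps, threshold, window and IP addresses are constructed for the demo, and the whitelist plays the role of the host IP whitelisted during install.sh.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed line formats, modelled on CentOS 5 /var/log/secure and the
# "DROP " --log-prefix set on the iptables LOG rule (constructed for this demo).
SSH_FAIL = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                      r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)")
FW_DROP = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP .*SRC=(?P<ip>[\d.]+)")
RULES = (("sshd-bruteforce", SSH_FAIL), ("fw-scan", FW_DROP))

def parse_ts(ts):
    # syslog stamps carry no year; 2009 is assumed (the year of these notes)
    return datetime.strptime("2009 " + " ".join(ts.split()), "%Y %b %d %H:%M:%S")

def active_response(lines, threshold=6, window_s=120, whitelist=()):
    """Return (alerts, blocks): alerts are (rule, ip, count); blocks are IPs to firewall.

    Mirrors OSSEC's frequency/timeframe matching: a rule fires once the same source
    produces `threshold` events inside a sliding `window_s` window.  Whitelisted IPs
    still raise alerts but are never blocked, like the host IP whitelisted at install.
    """
    events = defaultdict(list)  # (rule, ip) -> timestamps still inside the window
    alerts, blocks = [], []
    for line in lines:
        for rule, rx in RULES:
            m = rx.match(line)
            if not m:
                continue
            ip, t = m.group("ip"), parse_ts(m.group("ts"))
            key = (rule, ip)
            events[key] = [u for u in events[key] if (t - u).total_seconds() <= window_s] + [t]
            if len(events[key]) < threshold:
                continue
            alerts.append((rule, ip, len(events[key])))
            events[key] = []  # one alert per burst, not one per extra line
            if ip not in whitelist and ip not in blocks:
                blocks.append(ip)
    return alerts, blocks

def sample_log():
    # Constructed sample lines (documentation IP ranges), not captured from a real host.
    ssh = "Nov  5 10:00:%02d web sshd[2211]: Failed password for invalid user admin from %s port 40000 ssh2"
    fw = "Nov  5 10:02:%02d web kernel: DROP IN=eth0 OUT= SRC=%s DST=192.0.2.10 PROTO=TCP DPT=%d"
    lines = [ssh % (s, "203.0.113.5") for s in range(0, 60, 10)]   # 6 failures in 50 s
    lines += [ssh % (s, "198.51.100.7") for s in (1, 2)]              # below threshold
    lines += [fw % (s, "192.0.2.9", 20 + s) for s in range(6)]        # 6 drops, whitelisted host
    return lines
```

Running `active_response(sample_log(), whitelist=("192.0.2.9",))` yields two alerts (the SSH burst and the firewall scan) but only one block, 203.0.113.5, because the scanning host is whitelisted.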

What else could we do for more defense in depth?
  • Suhosin (PHP Hardening)
  • GreenSQL (Database firewall)
  • Daemonlogger (full packet capture for forensics purposes)
  • Others?