一、Ossec官网 http://www.ossec.net/
二、Ossec部署方式为C/S:
server: 192.168.88.156
agent: 192.168.88.161
三、Server服务器配置
1.关闭selinux,关闭iptables
[root@localhost ~]#vi /etc/selinux/config
SELINUX=disabled
2.安装依赖包
[root@localhost ~]#yum -y install wget lrzsz gcc mysql mysql-server mysql-devel httpd php php-mysql postgresql sendmail
[root@localhost ~]#/etc/init.d/sendmail start
3.下载ossec 2.7版本,最新已出到2.8.1
[root@localhost ~]#wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
[root@localhost ~]# tar -xf ossec-hids-2.7.tar.gz
[root@localhost ~]# cd ossec-hids-2.7
[root@localhost ossec-hids-2.7]# cd src/
4.查看ossec是否支持mysql
[root@localhost src]# make setdb
Info: Compiled with MySQL support.
[root@localhost src]# cd ..
5.安装ossec
[root@localhost ossec-hids-2.7]# ./install.sh
** Para instala??o em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατ?σταση στα Ελληνικ?, επιλ?ξτε [el].
** For installation in English, choose [en].
** Para instalar en Espa?ol , eliga [es].
** Pour une installation en fran?ais, choisissez [fr]
** A Magyar nyelv? telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalowa? w j?zyku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türk?e kurulum i?in se?in [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: cn
OSSEC HIDS v2.7 安装脚本 - http://www.ossec.net
您将开始 OSSEC HIDS 的安装.
请确认在您的机器上已经正确安装了 C 编译器.
如果您有任何疑问或建议,请给 dcid@ossec.net (或 daniel.cid@gmail.com) 发邮件.
- 系统类型: Linux localhost.localdomain 2.6.32-358.el6.i686
- 用户: root
- 主机: localhost.localdomain
-- 按 ENTER 继续或 Ctrl-C 退出. --
1- 您希望哪一种安装 (server, agent, local or help)? server
- 选择了 Server 类型的安装.
2- 正在初始化安装环境.
- 请选择 OSSEC HIDS 的安装路径 [/var/ossec]:
- OSSEC HIDS 将安装在 /var/ossec .
3- 正在配置 OSSEC HIDS.
3.1- 您希望收到e-mail告警吗? (y/n) [y]:
- 请输入您的 e-mail 地址? flyshai@126.com
- 我们找到您的 SMTP 服务器为: 58.32.186.231.
- 您希望使用它吗? (y/n) [y]: n
- 请输入您的 SMTP 服务器IP或主机名 ? 127.0.0.1
3.2- 您希望运行系统完整性检测模块吗? (y/n) [y]:
- 系统完整性检测模块将被部署.
3.3- 您希望运行 rootkit检测吗? (y/n) [y]:
- rootkit检测将被部署.
3.4- 关联响应允许您在分析已接收事件的基础上执行一个
已定义的命令.
例如,你可以阻止某个IP地址的访问或禁止某个用户的访问权限.
更多的信息,您可以访问:
http://www.ossec.net/en/manual.html#active-response
- 您希望开启联动(active response)功能吗? (y/n) [y]:
- 关联响应已开启
- 默认情况下, 我们开启了主机拒绝和防火墙拒绝两种响应.
第一种情况将添加一个主机到 /etc/hosts.deny.
第二种情况将在iptables(linux)或ipfilter(Solaris,
FreeBSD 或 NetBSD)中拒绝该主机的访问.
- 该功能可以用以阻止 SSHD 暴力***, 端口扫描和其他
一些形式的***. 同样你也可以将他们添加到其他地方,
例如将他们添加为 snort 的事件.
- 您希望开启防火墙联动(firewall-drop)功能吗? (y/n) [y]:
- 防火墙联动(firewall-drop)当事件级别 >= 6 时被启动
- 联动功能默认的白名单是:
- 192.168.88.2
- 您希望添加更多的IP到白名单吗? (y/n)? [n]: y
- 请输入IP (用空格进行分隔): 192.168.88.156
3.5- 您希望接收远程机器syslog吗 (port 514 udp)? (y/n) [y]:
- 远程机器syslog将被接收.
3.6- 设置配置文件以分析一下日志:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-如果你希望监控其他文件, 只需要在配置文件ossec.conf中
添加新的一项.
任何关于配置的疑问您都可以在 http://www.ossec.net 找到答案.
--- 按 ENTER 以继续 ---
5- 正在安装系统
- 正在运行Makefile
INFO: Little endian set.
.....
.....
.....
.....
编译过程
- 系统类型是 Redhat Linux.
- 修改启动脚本使 OSSEC HIDS 在系统启动时自动运行
- 已正确完成系统配置.
- 要启动 OSSEC HIDS:
/var/ossec/bin/ossec-control start
- 要停止 OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- 要查看或修改系统配置,请编辑 /var/ossec/etc/ossec.conf
感谢使用 OSSEC HIDS.
如果您有任何疑问,建议或您找到任何bug,
请通过 contact@ossec.net 或邮件列表 ossec-list@ossec.net 联系我们.
( http://www.ossec.net/en/mailing_lists.html ).
您可以在 http://www.ossec.net 获得更多信息
--- 请按 ENTER 结束安装 (下面可能有更多信息). ---
6.配置mysql
在ossec-control命令启动前,要先启用数据库功能
[root@localhost ossec-hids-2.7]#/var/ossec/bin/ossec-control enable database
[root@localhost ossec-hids-2.7]#/etc/init.d/mysqld start
[root@localhost ossec-hids-2.7]#mysql
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost identified by 'ossec';
mysql> flush privileges;
mysql> \q
[root@localhost ossec-hids-2.7]# mysql -uossec -p ossec < src/os_dbd/mysql.schema
Enter password:
[root@localhost ossec-hids-2.7]#chmod u+w /var/ossec/etc/ossec.conf
7.修改配置文件
[root@localhost ossec-hids-2.7]#vi /var/ossec/etc/ossec.conf
设置告警邮箱
<global>
<email_notification>yes</email_notification>
<email_to>flyshai@126.com</email_to>
<email_to>bob@net.com</email_to>
<smtp_server>127.0.0.1</smtp_server>
<email_from>ossecm@localhost.localdomain</email_from>
</global>
设置白名单
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>192.168.88.2</white_list>
<white_list>192.168.88.156</white_list>
</global>
添加128行内容,ossec收集日志的服务也是采用syslog,只不过它会开启个1514的udp端口来接收数据,但为了安全考虑,需要允许指定的机器来连接我们的syslog服务,允许这个网段机器来连接syslog服务接收数据
<remote>
<connection>syslog</connection>
<allowed-ips>192.168.0.0/16</allowed-ips>
</remote>
添加到最后
<database_output>
<hostname>localhost</hostname>
<username>ossec</username>
<password>ossec</password>
<database>ossec</database>
<type>mysql</type>
</database_output>
启动ossec服务端必须先添加一个客户端,否则直接启动服务端是会失败的,通过如下命令查看日志会发现如下错误:
[root@localhost ossec-hids-2.7]#cat /var/ossec/logs/ossec.log
2013/09/23 23:43:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible:
'Connection refused'.
2013/09/23 23:43:15 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
8.在服务器上添加客户端
[root@localhost ossec-hids-2.7]# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.7 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: ossec-agent
* The IP Address of the new agent: 192.168.88.161
* An ID for the new agent[001]:
Agent information:
ID:001
Name:ossec-agent
IP Address:192.168.88.161
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v2.7 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: ossec-agent, IP: 192.168.88.161
Provide the ID of the agent to extract the key (or '\q' to quit): 001
这个key用于后面的客户端连接到服务器
Agent key information for '001' is:
MDAxIG9zc2VjLWFnZW50IDE5Mi4xNjguODguMTYxIDVhMGI1NWZhOTc5Yjg3ZDI0ZjdiNzE4NzRhYzdmMzRiMDVlZjM4YjE3MTFlYWI1ZWJlZGI3MTUxODBhODNkNmE=
** Press ENTER to return to the main menu.
****************************************
* OSSEC HIDS v2.7 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: Q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ..
9.启动Ossec服务
[root@localhost ~]#/var/ossec/bin/ossec-control start && tail -f /var/ossec/logs/ossec.log
[root@localhost ~]# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...
10.检查端口
服务启动之后,sendmail会发一封启动服务邮件到邮箱,ossec通信是用udp 514,1514端口
root@localhost ~]#netstat -unlp|grep ossec
udp 0 0 0.0.0.0:514 0.0.0.0:* 4511/ossec-remoted
udp 0 0 0.0.0.0:1514 0.0.0.0:* 4513/ossec-remoted
四、Agent客户端配置
1.关闭selinux,关闭iptables
[root@localhost ~]#vi /etc/selinux/config
SELINUX=disabled
[root@localhost ~]#yum -y install wget gcc lrzsz
[root@localhost ~]#wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
[root@localhost ~]# tar -xf ossec-hids-2.7.tar.gz
[root@localhost ~]# cd ossec-hids-2.7
[root@localhost ossec-hids-2.7]# cd src/
[root@localhost src]# make setdb
Info: Compiled with MySQL support.
[root@localhost src]# cd ..
[root@localhost ossec-hids-2.7]# ./install.sh
** Para instala??o em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατ?σταση στα Ελληνικ?, επιλ?ξτε [el].
** For installation in English, choose [en].
** Para instalar en Espa?ol , eliga [es].
** Pour une installation en fran?ais, choisissez [fr]
** A Magyar nyelv? telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalowa? w j?zyku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türk?e kurulum i?in se?in [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: cn
OSSEC HIDS v2.7 安装脚本 - http://www.ossec.net
您将开始 OSSEC HIDS 的安装.
请确认在您的机器上已经正确安装了 C 编译器.
如果您有任何疑问或建议,请给 dcid@ossec.net (或 daniel.cid@gmail.com) 发邮件.
- 系统类型: Linux localhost.localdomain 2.6.32-358.el6.i686
- 用户: root
- 主机: localhost.localdomain
-- 按 ENTER 继续或 Ctrl-C 退出. --
1- 您希望哪一种安装 (server, agent, local or help)? agent
- 选择了 Agent(client) 类型的安装.
2- 正在初始化安装环境.
- 请选择 OSSEC HIDS 的安装路径 [/var/ossec]:
- OSSEC HIDS 将安装在 /var/ossec .
3- 正在配置 OSSEC HIDS.
3.1- 请输入 OSSEC HIDS 服务器的IP地址或主机名: 192.168.88.156
- 添加服务器IP 192.168.88.156
3.2- 您希望运行系统完整性检测模块吗? (y/n) [y]:
- 系统完整性检测模块将被部署.
3.3- 您希望运行 rootkit检测吗? (y/n) [y]:
- rootkit检测将被部署.
3.4 - 您希望开启联动(active response)功能吗? (y/n) [y]:
3.5- 设置配置文件以分析一下日志:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-如果你希望监控其他文件, 只需要在配置文件ossec.conf中
添加新的一项.
任何关于配置的疑问您都可以在 http://www.ossec.net 找到答案.
--- 按 ENTER 以继续 ---
.....
.....
.....
.....
编译过程
- 系统类型是 Redhat Linux.
- 修改启动脚本使 OSSEC HIDS 在系统启动时自动运行
- 已正确完成系统配置.
- 要启动 OSSEC HIDS:
/var/ossec/bin/ossec-control start
- 要停止 OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- 要查看或修改系统配置,请编辑 /var/ossec/etc/ossec.conf
感谢使用 OSSEC HIDS.
如果您有任何疑问,建议或您找到任何bug,
请通过 contact@ossec.net 或邮件列表 ossec-list@ossec.net 联系我们.
( http://www.ossec.net/en/mailing_lists.html ).
您可以在 http://www.ossec.net 获得更多信息
--- 请按 ENTER 结束安装 (下面可能有更多信息). ---
- 您必须首先将该代理添加到服务器端以使他们能够相互通信.
这样做了以后,您可以运行'manage_agents'工具导入
服务器端产生的认证密匙.
/var/ossec/bin/manage_agents
详细信息请参考:
http://www.ossec.net/en/manual.html#ma
[root@localhost ossec-hids-2.7]#/var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.7 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit):
MDAxIG9zc2VjLWFnZW50IDE5Mi4xNjguODguMTYxIDVhMGI1NWZhOTc5Yjg3ZDI0ZjdiNzE4NzRhYzdmMzRiMDVlZjM4YjE3MTFlYWI1ZWJlZGI3MTUxODBhODNkNmE=
Agent information:
ID:001
Name:ossec-agent
IP Address:192.168.88.161
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
****************************************
* OSSEC HIDS v2.7 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: Q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ..
2.启动Ossec服务
[root@localhost ossec-hids-2.7]# /var/ossec/bin/ossec-control start && tail -f /var/ossec/logs/ossec.log
[root@localhost ossec-hids-2.7]#netstat -lanpu |grep ossec
udp 0 0 192.168.88.161:44719 192.168.88.156:1514 ESTABLISHED 30941/ossec-agentd
[root@localhost ossec-hids-2.7]#/etc/init.d/ossec status
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...
五、配置web访问
ossec-wui web界面
官方文档 http://www.ossec.net/wiki/index.php/OSSECWUI:Install
[root@localhost ~]# wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz
[root@localhost ~]# tar -xf ossec-wui-0.3.tar.gz
[root@localhost ~]# mkdir /var/www/html/ossec
[root@localhost ~]#mv ossec-wui-0.3 /var/www/html/ossec/ossec-wui
设置web用户名密码
[root@localhost ~]# cd /var/www/html/ossec/ossec-wui
[root@localhost ossec-wui]#./setup.sh
Setting up ossec ui...
Username: admin
New password:
Re-type new password:
Adding password for user admin
Setup completed successfuly.
修改添加web用户
[root@localhost ossec-wui]#vi /etc/group
ossec:x:500:apache
设置权限
[root@localhost ossec-wui]#chmod 770 tmp/
[root@localhost ossec-wui]#chgrp apache tmp/
[root@localhost ~]# vi /etc/httpd/conf.d/ossec.conf
<Directory /var/www/html/ossec/ossec-wui>
Order deny,allow
Deny from all
Allow from 192.168.88.0/16
Options FollowSymLinks
AllowOverride None
Order deny,allow
allow from all
Options -MultiViews
AuthName "OSSEC AUTH"
AuthType Basic
AuthUserFile /var/www/html/ossec/ossec-wui/.htpasswd
Require valid-user
</Directory>
如果你大规模安装了ossec,你可能需要重新配置php,来支持脚本的持久性和更高的内存利用率
修改该配置文件里面的数值即可
[root@localhost ossec-wui]#vi /etc/php.ini
max_execution_time = 180
max_input_time = 180
memory_limit = 30M
ossec-wui装完之后报时区错误,设置时区为PRC,重启apache就可以了
[root@localhost ossec-wui]#vi /etc/php.ini
date.timezone = PRC
[root@localhost ossec-wui]#-A INPUT -m state --state NEW -m tcp -p tcp--dport 80 -j ACCEPT
[root@localhost ossec-wui]#/etc/init.d/httpd start
web访问
http://192.168.88.156/ossec/ossec-wui/
analogi web界面
[root@localhost ~]#wget https://github.com/ECSC/analogi/archive/master.zip
[root@localhost ~]#unzip master.zip
[root@localhost ~]# mv analogi-master /var/www/html/ossec/analogi
[root@localhost ~]#cd /var/www/html/ossec/analogi
[root@localhost analogi]#cp db_ossec.php.new db_ossec.php
[root@localhost analogi]#vi db_ossec.php
define ('DB_USER_O', 'ossec');
define ('DB_PASSWORD_O', 'ossec');
define ('DB_HOST_O', 'localhost');
define ('DB_NAME_O', 'ossec');
[root@localhost analogi]#vi /etc/httpd/conf.d/analogi.conf
<Directory /var/www/html/ossec/analogi>
Order deny,allow
Deny from all
Allow from 192.168.88.0/16
Options FollowSymLinks
AllowOverride None
Order deny,allow
allow from all
</Directory>
[root@localhost analogi]#/etc/init.d/httpd restart
web访问
http://192.168.88.156/ossec/analogi/
六、查看状态信息
[root@ossec-server ~]# /var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: ossec-server.com (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: ossec-agent, IP: 192.168.88.161, Active
[root@ossec-server ~]# /var/ossec/bin/list_agents -a
ossec-agent-192.168.88.161 is available.
[root@ossec-server ~]#/var/ossec/bin/agent_control -i 001
OSSEC HIDS agent_control. Agent information:
Agent ID: 001
Agent Name: ossec-agent
IP address: 192.168.88.161
Status: Active
Operating system: Linux localhost.localdomain 2.6.32-358.el6.i686 #1 S..
Client version: OSSEC HIDS v2.7
Last keep alive: Fri Apr 3 12:00:52 2015
Syscheck last started at: Fri Apr 3 11:35:40 2015
Rootcheck last started at: Fri Apr 3 11:59:32 2015
转载于:https://blog.51cto.com/whnba/1633004
6万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
