Installing OSSEC on Linux

I. Server installation

1. Upload ossec-hids-2.4.1.tar.gz to the /home directory

2. Install ossec

#tar -zxvf ossec-hids-2.4.1.tar.gz
#cd ossec-hids-2.4.1
#./install.sh

 

1) Choose the installation language:
  ** Para instalação em português, escolha [br].
  ** 要使用中文进行安装, 请选择 [cn].
  ** Fur eine deutsche Installation wohlen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en Español , eliga [es].
  ** Pour une installation en français, choisissez [fr]
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします.選択して下さい.[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском ,введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]:en

 

2) Press Enter to continue:
 OSSEC HIDS v2.4.1 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux linux 2.6.5-7.308-smp
  - User: root
  - Host: linux


  -- Press ENTER to continue or Ctrl-C to abort. --

 

3) Choose the server installation type:
1- What kind of installation do you want (server, agent, local or help)? server

  - Server installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec

    - Installation will be made at  /var/ossec .

 

4) Configure OSSEC e-mail notification, active response and remote syslog

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]: y
   - What's your e-mail address? root@localhost

   - We found your SMTP server as: 127.0.0.1
   - Do you want to use it? (y/n) [y]: y

   --- Using SMTP server:  127.0.0.1

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response

   - Do you want to enable active response? (y/n) [y]: y

     - Active response enabled.

   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]: y

     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 10.30.18.100
      - 10.30.1.10

   - Do you want to add more IPs to the white list? (y/n)? [n]: y
   - IPs (space separated): 10.16.26.199 10.16.26.66

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y

   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/mail.info

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .


   --- Press ENTER to continue ---

5) Press Enter to start the installation

 

3. Start the server

#/var/ossec/bin/ossec-control start

Once it has started successfully, it prints:

Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

 

4. Stop the server

#/var/ossec/bin/ossec-control stop

 

II. Client (agent) installation

1. Install ossec: double-click ossec-agent-win32-2.4.1.exe to run the installer
2. Accept the defaults for every choice during installation
3. Configure the client
Enter the server's IP address in the IP field
The key must be generated on the server

4. Add the agent on the server
1) Change to the OSSEC installation directory and run the agent manager
#cd /var/ossec/bin
#./manage_agents
2) Choose (A) to add an agent
****************************************
* OSSEC HIDS v2.4.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A
3) Enter the agent's name, IP address and ID
- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: zzt
   * The IP Address of the new agent: 10.16.26.199
   * An ID for the new agent[001]: 001
Agent information:
   ID:001
   Name:zzt
   IP Address:10.16.26.199

Confirm adding it?(y/n): y
Agent added.


5. Generate the key (the key is generated on the server)
****************************************
* OSSEC HIDS v2.4.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: zzt, IP: 10.16.26.199
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIHp6dCAxMC4xNi4yNi4xOTkgOWI4YTY1NWI3ZjhkY2Y5MDJmZmI2ZGQxZmY4YzgyOGY4YzA5ZmQ3ZTBmMDY4NTVlNDI4Y2VkZDI4OTUzOTBhMQ==

** Press ENTER to return to the main menu.

 

6. Copy the key to the client, then click Save and OK

 

7. Run the client
Click Manage - Start OSSEC

 

III. Configure remote logging on the server

1. Configure the remote syslog server
1) Stop the ossec server
#/var/ossec/bin/ossec-control stop
2) Edit /var/ossec/etc/ossec.conf
Add the following to /var/ossec/etc/ossec.conf
  <global>
    ……
  </global>
 
  <syslog_output>
    <server>10.16.13.213</server>
  </syslog_output>


If alerts of different levels should be sent to different servers, configure it as follows (each <syslog_output> block has its own <level> threshold):
  <global>
    ……
  </global>
 
  <syslog_output>
    <server>10.16.13.213</server>
  </syslog_output>
  <syslog_output>
    <level>10</level>
    <server>10.16.13.213</server>
  </syslog_output>
3) Enable client-syslog and start ossec
# /var/ossec/bin/ossec-control enable client-syslog
# /var/ossec/bin/ossec-control start
After starting, the following message appears in the log file of the configured remote syslog server:

Jul  1 07:54:35 10.16.26.66 ossec: Alert Level: 3; Rule: 501 - New ossec agent connected.; Location: (zzt) 10.16.26.199->ossec;  ossec: Agent started: 'zzt->10.16.26.199'.
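As an added example, not part of the original post, here is a small Python parser for the alert line format shown above, together with the routing rule that the <level> setting in section III's <syslog_output> blocks implements. It assumes the line layout above (plus the optional srcip/user fields client-syslog can insert), a constructed second sample line, and a constructed second server address 192.0.2.10 in place of the page's repeated 10.16.13.213.

```python
import re

# Layout of one line as OSSEC client-syslog (syslog_output) forwards it:
# <ts> <host> ossec: Alert Level: N; Rule: ID - DESC; Location: LOC;[ srcip: IP;][ user: U;]  MESSAGE
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ossec: "
    r"Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>.*?);"
    r"(?: srcip: (?P<srcip>\S+);)?(?: user: (?P<user>\S+);)?"
    r"\s+(?P<message>.*)$"
)
# Location is "(agent) agent_ip->source" for agent events and "host->source" for the server's own logs.
LOCATION_RE = re.compile(r"^(?:\((?P<agent>[^)]*)\) )?(?P<reporter>.+?)->(?P<source>.*)$")

# Constructed samples: the page's rule 501 line, then a made-up server-local alert with a srcip field.
SAMPLE_LINES = [
    "Jul  1 07:54:35 10.16.26.66 ossec: Alert Level: 3; Rule: 501 - New ossec agent connected.; "
    "Location: (zzt) 10.16.26.199->ossec;  ossec: Agent started: 'zzt->10.16.26.199'.",
    "Jul  1 08:12:09 10.16.26.66 ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get "
    "access to the system.; Location: linux->/var/log/messages; srcip: 203.0.113.5;  Jul  1 08:12:08 "
    "linux sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
]

# Section III destinations: the page's server (no <level>) plus constructed 192.0.2.10 for the <level>10</level> block.
DESTINATIONS = [("10.16.13.213", 0), ("192.0.2.10", 10)]

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an OSSEC alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["level"] = int(alert["level"])
    alert["rule"] = int(alert["rule"])
    loc = LOCATION_RE.match(alert["location"])
    if loc:
        alert.update(loc.groupdict())  # adds agent (None for server-local), reporter, source
    return alert

def route(alert, destinations):
    """Servers whose <level> threshold this alert meets; <level> is a minimum.
    A block without <level> is modelled as 0 (forward all): an assumption that fits
    the page, where a level 3 alert reached the server configured without <level>."""
    return [server for server, min_level in destinations if alert["level"] >= min_level]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        a = parse_alert(line)
        print(a["rule"], a["level"], a.get("agent"), a.get("source"), "->", route(a, DESTINATIONS))
```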

 

Note: make sure GCC is installed before installing OSSEC.

 

The attachment provides the files related to the installation, including the GCC packages (install them in the following order):

glibc-2.3.3-98.94.i586.rpm
glibc-devel-2.3.3-98.94.i586.rpm
gcc-3.3.3-43.54.i586.rpm
gcc-info-3.3.3-43.54.i586.rpm
libstdc++-3.3.3-43.54.i586.rpm
libstdc++-devel-3.3.3-43.54.i586.rpm
gcc-c++-3.3.3-43.54.i586.rpm
