In this tutorial, we will show you how to install and configure OSSEC on Ubuntu 14.04. For those of you who didn’t know, OSSEC is a free, open-source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris, and Windows. OSSEC has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo
‘ to the commands to get root privileges. I will show you the step-by-step installation of OSSEC on a Ubuntu 14.04 server.
Prerequisites
- A server running one of the following operating systems: Ubuntu 14.04, and any other Debian-based distribution like Linux Mint.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- A
non-root sudo user
or access to theroot user
. We recommend acting as anon-root sudo user
, however, as you can harm your system if you’re not careful when acting as the root.
Install OSSEC on Ubuntu 14.04
Step 1. First, make sure that all your system packages are up-to-date by running the following apt-get
commands in the terminal.
sudo apt-get update sudo apt-get upgrade
Step 2. Install LAMP (Linux, Apache, MariaDB, PHP) server.
A Ubuntu 14.04 LAMP server is required. If you do not have LAMP installed, you can follow our guide here.
Step 3. Installing OSSEC.
The first thing to do is to go to OSSEC’s download page and download the latest stable version of OSSEC, At the moment of writing this article it is version 2.8.3:
wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
Unpack the OSSEC archive to the document root directory in your server:
tar -xzf ossec-hids-2.8.3.tar.gz cd ossec-hids-2.8.3 cd src make setdb
Go back to the previous directory:
cd ../ ./install.sh
You can choose which options to enable/disable, but we recommend you to follow the output below. You can press enter if you want to go with the default choice (which is put in brackets) for every question asked:
OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net You are about to start the installation process of the OSSEC HIDS. You must have a C compiler pre-installed in your system. If you have any questions or comments, please send an e-mail to dcid@ossec.net (or daniel.cid@gmail.com). - System: Linux vps 2.6.32-042stab113.11 - User: root - Host: vps.idroot.us -- Press ENTER to continue or Ctrl-C to abort. --
Press enter.
1- What kind of installation do you want (server, agent, local, hybrid or help)? server - Server installation chosen. 2- Setting up the installation environment. - Choose where to install the OSSEC HIDS [/var/ossec]: - Installation will be made at /var/ossec . 3- Configuring the OSSEC HIDS. 3.1- Do you want e-mail notification? (y/n) [y]: - What's your e-mail address? user@example.com - What's your SMTP server ip/host? smtp.example.com 3.2- Do you want to run the integrity check daemon? (y/n) [y]: - Running syscheck (integrity check daemon). 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: - Running rootcheck (rootkit detection). 3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user. More information at: http://www.ossec.net/en/manual.html#active-response - Do you want to enable active response? (y/n) [y]: - Active response enabled. - By default, we can enable the host-deny and the firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD). - They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example. - Do you want to enable the firewall-drop response? (y/n) [y]: - firewall-drop enabled (local) for levels >= 6 - Default white list for the active response: - xxx.xxx.xxx.xx - xx.xxx.xx.xxx - Do you want to add more IPs to the white list? (y/n)? [n]: 3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: - Remote syslog enabled. 3.6- Setting the configuration to analyze the following logs: -- /var/log/messages -- /var/log/auth.log -- /var/log/syslog -- /var/log/mail.info -- /var/log/dpkg.log -- /var/log/apache2/error.log (apache log) -- /var/log/apache2/access.log (apache log) - If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net . --- Press ENTER to continue ---
Next, press enters to continue with the installation which shouldn’t take more than 3 minutes. After everything is completed you will get:
- System is Debian (Ubuntu or derivative). - Init script modified to start OSSEC HIDS during boot. - Configuration finished properly. - To start OSSEC HIDS: /var/ossec/bin/ossec-control start - To stop OSSEC HIDS: /var/ossec/bin/ossec-control stop - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf Thanks for using the OSSEC HIDS. If you have any question, suggestion or if you find any bug, contact us at contact@ossec.net or using our public maillist at ossec-list@ossec.net ( http://www.ossec.net/main/support/ ). More information can be found at http://www.ossec.net --- Press ENTER to finish (maybe more information below). --- - In order to connect agent and server, you need to add each agent to the server. Run the 'manage_agents' to add or remove them: /var/ossec/bin/manage_agents
Start OSSEC:
/var/ossec/bin/ossec-control start
Step 4. Configuring MariaDB for OSSEC.
By default, MariaDB is not hardened. You can secure MariaDB using the mysql_secure_installation
script. you should read and below each step carefully which will set a root password, remove anonymous users, disallow remote root login, and remove the test database and access to secure MariaDB:
mysql_secure_installation
Configure it like this:
- Set root password? [Y/n] y - Remove anonymous users? [Y/n] y - Disallow root login remotely? [Y/n] y - Remove test database and access to it? [Y/n] y - Reload privilege tables now? [Y/n] y
Next, we will need to log in to the MariaDB console and create a database for the OSSEC. Run the following command:
mysql -u root -p
This will prompt you for a password, so enter your MariaDB root password and hit Enter. Once you are logged in to your database server you need to create a database for OSSEC installation:
create database ossec; grant all privileges on ossec.* to ossecuser@localhost identified by 'your_password'; flush privileges; exit
By default, OSSEC provides a schema for the database and it’s located in the src/os_dbd/ directory. Import it into your newly created oOSSECssec database:
mysql -u ossecuser -p ossec < src/os_dbd/mysql.schema
Now add the database config to the OSSEC config file:
nano /var/ossec/etc/ossec.conf
You can put the above lines anywhere in the <ossec_config> block:
<database_output> <hostname>127.0.0.1</hostname> <username>ossecuser</username> <password>your_password</password> <database>ossec</database> <type>mysql</type> </database_output>
Save and exit the file. Then, enable the database and restart OSSEC:
/var/ossec/bin/ossec-control enable database /var/ossec/bin/ossec-control restart
Step 5. Installing OSSEC Web UI.
Install the OSSEC Web UI in Apache’s default document root. Enter the directory:
cd /var/www/html/ wget https://github.com/ossec/ossec-wui/archive/master.zip unzip master.zip mv ossec-wui-master/ ossec/
Create a tmp
the directory inside and set the ownership and permissions of the correct file:
mkdir ossec/tmp/ chown www-data: -R ossec/ chmod 666 /var/www/html/ossec/tmp
Step 6. Accessing OSSEC.
OSSEC will be available on HTTP port 80 by default. Open your favorite browser and navigate to http://yourdomain.com/ossec
or http://server-ip/ossec
. If you are using a firewall, please open port 80 to enable access to the control panel.
Congratulations! You have successfully installed OSSEC. Thanks for using this tutorial for installing OSSEC on Ubuntu 14.04 system. For additional help or useful information, we recommend you check the official OSSEC website.