How to install OSSEC HIDS on Ubuntu 18.04/16.04/Debian 9

Date: 2020-02-23 14:32:48  Source: igfitidea

This tutorial installs OSSEC HIDS on Ubuntu 18.04/16.04/Debian 9.
OSSEC is an open-source, host-based intrusion detection system (HIDS) that runs on Linux, OpenBSD, Solaris, FreeBSD, Windows and other systems.

OSSEC works in a server/client model.
The OSSEC client performs log analysis, policy monitoring, file integrity checking, real-time alerting, rootkit detection and active response.

OSSEC combines HIDS (host-based intrusion detection), log monitoring and SIM/SIEM in one simple solution, with a web UI for management.

Step 1: Install the OSSEC dependencies

OSSEC needs PHP, GCC, libc and the Apache web server.
Install them by running the following commands:

sudo apt install -y wget unzip make gcc build-essential
sudo apt install -y php php-cli php-common libapache2-mod-php apache2-utils sendmail inotify-tools

Step 2: Install OSSEC HIDS on Ubuntu 18.04/16.04/Debian 9

Once the dependencies are installed, the next thing to install is OSSEC HIDS itself.
The OSSEC source code is available on GitHub.

Check for the latest release before downloading.
As of this writing, the latest release is 3.1.0:

export VER="3.1.0"
wget https://github.com/ossec/ossec-hids/archive/${VER}.tar.gz

After the download, extract the archive with:

tar -xvzf ${VER}.tar.gz

Extracting creates a directory; change into it and run the install script:

cd ossec-hids-${VER}
sudo sh install.sh

1. Set the language

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en

2. Press <ENTER> to continue

OSSEC HIDS v3.1.0 Installation Script - http://www.ossec.net
 
 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 
  - System: Linux deb9 4.9.0-8-amd64
  - User: root
  - Host: deb9
  -- Press ENTER to continue or Ctrl-C to abort. -

3. Choose the local installation type

What kind of installation do you want (server, agent, local, hybrid or help)? local

With a local installation we get everything a server installation does, except receiving remote messages from agents or external syslog devices.

4. Choose where to install OSSEC HIDS [/var/ossec]; press Enter to accept /var/ossec

Installation will be made at  /var/ossec .

5. Configure OSSEC HIDS

3.1- Do you want e-mail notification? (y/n) [y]: y
   - What's your e-mail address? Hyman@theitroad
   - What's your SMTP server ip/host? localhost
  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
   - Running syscheck (integrity check daemon).
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
   - Running rootcheck (rootkit detection).
  3.4- Active response allows you to execute a specific 
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.  
       More information at:
       http://www.ossec.net/en/manual.html#active-response
       
   - Do you want to enable active response? (y/n) [y]: y
     - Active response enabled.
   
   - By default, we can enable the host-deny and the 
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, 
     portscans and some other forms of attacks. You can 
     also add them to block on snort events, for example.
   - Do you want to enable the firewall-drop response? (y/n) [y]: y
     - firewall-drop enabled (local) for levels >= 6
   - Default white list for the active response:
      - 192.168.121.1
   - Do you want to add more IPs to the white list? (y/n)? [n]: 
  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/mail.info
    -- /var/log/dpkg.log
    -- /var/log/apache2/error.log (apache log)
    -- /var/log/apache2/access.log (apache log)
 - If you want to monitor any other file, just change 
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .
  
 
   --- Press ENTER to continue --

Press ENTER to start the installation.

The init script for managing OSSEC HIDS is /var/ossec/bin/ossec-control. To start the service, use:

$sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

and stop it by running:

sudo /var/ossec/bin/ossec-control stop

We can configure OSSEC HIDS further by editing the configuration file:

sudo vim /var/ossec/etc/ossec.conf

The rules live under /var/ossec/rules/.
Rules specific to the local system are set in /var/ossec/rules/local_rules.xml. Check the OSSEC documentation for the available configuration options.

Whenever you make a change, don't forget to restart OSSEC HIDS:

sudo /var/ossec/bin/ossec-control restart

Step 3: Install the OSSEC Web UI

OSSEC HIDS comes with a simple web interface, but it has to be installed separately:

git clone https://github.com/ossec/ossec-wui.git
sudo mv  ossec-wui /srv
cd /srv/ossec-wui
sudo ./setup.sh

Set the dashboard admin username/password and the web server user name:

trap: SIGHUP: bad trap
Setting up ossec ui...
Username: admin
New password: <ENTER PASSWORD>
Re-type new password:<CONFIRM PASSWORD>
Adding password for user admin
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
www-data
You must restart your web server after this setup is done.
Setup completed successfully.

Create an Apache VirtualHost configuration file:

sudo vim /etc/apache2/sites-enabled/ossec-wui.conf

Put the following content in the file:

<VirtualHost *:80>
     DocumentRoot /srv/ossec-wui/
     ServerName ossec.example.com
     ServerAlias www.ossec.example.com
     ServerAdmin Hyman@theitroad
 
     <Directory /srv/ossec-wui>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
     </Directory>
     ErrorLog /var/log/apache2/moodle-error.log
     CustomLog /var/log/apache2/moodle-access.log combined
</VirtualHost>

Replace example.com with your own domain name, then save the file and exit.

Enable the Apache rewrite module and restart Apache:

sudo a2enmod rewrite
sudo systemctl restart apache2
$sudo systemctl status apache2.service 
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2016-11-23 09:05:56 UTC; 16s ago
  Process: 9504 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
  Process: 9511 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 9516 (apache2)
    Tasks: 6 (limit: 4915)
   CGroup: /system.slice/apache2.service
           ├─9516 /usr/sbin/apache2 -k start
           ├─9517 /usr/sbin/apache2 -k start
           ├─9518 /usr/sbin/apache2 -k start
           ├─9519 /usr/sbin/apache2 -k start
           ├─9520 /usr/sbin/apache2 -k start
           └─9521 /usr/sbin/apache2 -k start
Nov 23 09:05:56 deb9 systemd[1]: Starting The Apache HTTP Server...

Open http://ossec.example.com in a web browser and authenticate to the dashboard.
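As an added example (not part of the original tutorial or of OSSEC's shipped configuration), the fragments below tie the ossec.conf and local_rules.xml notes from Step 2 to the vhost above: the vhost logs to /var/log/apache2/moodle-access.log, which the installer did not add to the monitored files, the active-response white list should hold the admin host so firewall-drop cannot lock you out, and a local rule shows how to tune the level at which the "levels >= 6" firewall-drop fires. The IPs 10.10.0.20 and 10.10.0.30 and the rule ids 100100/100101 are assumed values; 31101 is OSSEC's stock "Web server 400 error code" rule.

```xml
<!-- Fragment appended to /var/ossec/etc/ossec.conf (added example, not from the tutorial).
     OSSEC merges multiple <ossec_config> blocks, so this can be appended as-is. -->
<ossec_config>
  <global>
    <!-- Active-response white list: hosts that firewall-drop/host-deny must never block.
         Keep the installer default and add the admin workstation (10.10.0.20 is assumed). -->
    <white_list>192.168.121.1</white_list>
    <white_list>10.10.0.20</white_list>
  </global>

  <!-- The Web UI vhost logs to moodle-access.log, not the access.log the installer watches. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/moodle-access.log</location>
  </localfile>
</ossec_config>

<!-- Fragment for /var/ossec/rules/local_rules.xml; ids 100000-119999 are reserved for local rules. -->
<group name="local,web,">
  <!-- A trusted uptime monitor (assumed 10.10.0.30) probes the UI unauthenticated:
       drop its 4xx responses to level 0 so they never alert or trigger a response. -->
  <rule id="100100" level="0">
    <if_sid>31101</if_sid>
    <srcip>10.10.0.30</srcip>
    <description>Ignore 4xx responses caused by the monitoring host.</description>
  </rule>

  <!-- Six 4xx responses from one source within two minutes: level 7 is above the
       firewall-drop threshold (>= 6) chosen at install time, so the source gets blocked. -->
  <rule id="100101" level="7" frequency="6" timeframe="120">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Repeated 4xx responses against the OSSEC Web UI from one source IP.</description>
  </rule>
</group>
```

After editing, feed a sample access-log line to sudo /var/ossec/bin/ossec-logtest (it reads log lines on stdin and prints the matching rule and its level), then run sudo /var/ossec/bin/ossec-control restart.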