
OSSEC HIDS - Intrusion detection

  • dHENRY
  • 15/11/2018
  • (Reading time: 4 min)

(**) Translated with www.DeepL.com/Translator

This procedure describes how to install OSSEC HIDS from source on a Raspberry Pi 3 or a ROCK64 (Pine64), in a server/agent architecture.

For more information on this intrusion detector, see https://www.ossec.net/index.html

Preconditions

To build OSSEC HIDS from source you need a few packages:

apt install unzip build-essential  

The server must have a working email service (an SMTP server it can reach): the alerts for the whole server/agent set are sent from it.

Installation

Retrieve the sources in zip format from https://github.com/ossec/ossec-hids/archive/master.zip

If you want OSSEC (server only) to store alerts in a MySQL database, install the MariaDB client package together with the client library headers: a build with DATABASE=mysql compiles against mysql.h, which mariadb-client alone does not provide (on Debian the headers come from default-libmysqlclient-dev):

apt install mariadb-client default-libmysqlclient-dev
unzip master.zip
cd ossec-hids-*/

To add MySQL support, edit the install.sh file and find the line:

${MAKEBIN} PREFIX=${INSTALLDIR} TARGET=${INSTYPE} build 

Replace it with:

${MAKEBIN} PREFIX=${INSTALLDIR} TARGET=${INSTYPE} DATABASE=mysql build  

Save, then run:

./install.sh   

Select the desired installation mode (see the documentation at https://www.ossec.net/docs/).
If you encounter errors during compilation (ELF etc.), clean the build tree and run the installer again (note the cd .. back to the source root; a bare cd would take you to your home directory, where there is no install.sh):

cd src
make clean
cd ..
./install.sh
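The install.sh edit for MySQL support, done from a script instead of by hand, as an added example that is not code from the post or from the OSSEC project. The function refuses to continue unless the build line quoted above occurs exactly once, because an edit that matches nothing fails silently and leaves you with a server built without MySQL support, and it does nothing on a file that is already patched. It also warns when mysql_config is absent, the usual sign that only the mysql client and not the client headers are installed. Assumed: install.sh carries the build line exactly as quoted above; the file path is whatever you pass.

```shell
#!/bin/sh
# Added example, not code from the post or from the OSSEC project: make
# the install.sh change for MySQL support from a script instead of by hand.
# Assumed: install.sh carries the build line exactly as quoted in the post.

BUILD_LINE='${MAKEBIN} PREFIX=${INSTALLDIR} TARGET=${INSTYPE} build'
MYSQL_LINE='${MAKEBIN} PREFIX=${INSTALLDIR} TARGET=${INSTYPE} DATABASE=mysql build'

# Patch the file given as $1.  Returns 0 without touching it if the MySQL
# line is already there; returns 1 and changes nothing unless the
# unpatched line occurs exactly once, so a non-matching edit can never
# pass silently and hand you a server built without MySQL support.
enable_mysql_build() {
    f="$1"
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    if grep -qF -- "$MYSQL_LINE" "$f"; then
        return 0
    fi
    n=$(grep -cF -- "$BUILD_LINE" "$f" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected one build line in $f, found $n; not patching" >&2
        return 1
    fi
    # awk index()/substr() replace the text literally; with sed the
    # $ { } characters of the line would all need escaping.
    awk -v old="$BUILD_LINE" -v new="$MYSQL_LINE" '
        {
            i = index($0, old)
            if (i) $0 = substr($0, 1, i - 1) new substr($0, i + length(old))
            print
        }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Building against MySQL needs the client headers, not only the mysql
# command; mysql_config on the PATH is the usual sign they are installed
# (assumed check; the package name depends on the distribution).
check_mysql_headers() {
    command -v mysql_config >/dev/null 2>&1 && return 0
    echo "mysql_config not found: install the MariaDB/MySQL client dev package" >&2
    return 1
}

# Usage: sh this.sh ossec-hids-*/install.sh
if [ $# -eq 1 ]; then
    check_mysql_headers || true
    enable_mysql_build "$1"
fi
```

Run it on install.sh before ./install.sh; a non-zero exit means the file did not look as expected and you should inspect the build line yourself rather than trust the installer's output.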

Server mode

A single server serves the whole server/agent set. During installation select the mode: server.

* activate email alerts,
* give the reception address,
* give the SMTP server address,
* start the integrity check daemon,
* start the rootkit detection engine,
* start the active response,
* activate the firewall-drop response,
* add to the white list the IP addresses that active response must never block (your administration workstation at least),
* enable the remote syslog listener (UDP port 514) if other devices are to send their logs to the server,
* the installer then prints the list of monitored files and how to add more:

If you want to monitor other files, change
the file ossec.conf by adding a new value
of local file name.

For all your questions about configuration,
visit our website http://www.ossec.net .
- Configuration correctly completed.

Firewall

Still on the server, open UDP port 1514 (INPUT) on the network interfaces that talk to the agents; this is the only port the agents need to reach (plus UDP 514 if you enabled the syslog listener).

Add an agent

Declaring the agent on the server

The agent connects to the server to deliver what it collects. Before installing the agent, declare it on the server with:

 /var/ossec/bin/manage_agents

Type "a", then give a name for the host that will run the agent and the agent's IP address, accept the proposed ID and confirm the creation.

Extract the key of the agent you just created by typing "e" and giving its ID, then copy the displayed key. Quit and restart OSSEC HIDS:

service ossec restart

Agent installation

Connect to the host that will run the agent and run the installer, choosing the type "agent":

  • Enter the IP address of the OSSEC HIDS server,
  • start the integrity check daemon,
  • start the rootkit detection engine,
  • start the active response.

Execute the command:

/var/ossec/bin/manage_agents

Type "i", paste the key copied from the server (with no extra spaces or blank lines), confirm, and start OSSEC HIDS with:

/var/ossec/bin/ossec-control start

If the log shows an error like this one:

2018/11/15 13:30:10 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.

the key imported with manage_agents on the agent is incorrect: ossec-agentd does not start without a valid key, so the queue socket the other daemons connect to is never created. Re-import the key and start again.

Firewall

Allow outgoing traffic to UDP port 1514 (OUTPUT) on the agents. Agents listen on no port of their own; the server's replies come back on the same UDP flow, so if the agent's INPUT chain drops by default it needs a conntrack ESTABLISHED rule for packets from UDP port 1514 of the server.
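The two firewall steps (UDP 1514 inbound on the server under Server mode, UDP 1514 outbound on the agents just above) as an added example, not code from the post or from OSSEC: the functions below print the iptables rules instead of applying them, restrict the server side to the agent network rather than opening 1514 to everyone, and add the conntrack rules that a DROP-by-default policy needs for the replies on the same UDP flow. Interface names and addresses are placeholders to substitute with your own.

```shell
#!/bin/sh
# Added example, not code from the post or from OSSEC: print the iptables
# rules for the OSSEC server and for an agent.  Nothing is applied; review
# the output and pipe it to sh as root when it is what you want.
# Assumed: iptables with the conntrack match, and chains whose policy is
# DROP (with an ACCEPT policy only the ACCEPT lines matter).

# Server: agent traffic on UDP 1514 only from the agent network, and the
# syslog listener on UDP 514 only if it was enabled at install time.
ossec_server_rules() {
    iface="$1"; agent_net="$2"; syslog="${3:-no}"
    printf 'iptables -A INPUT -i %s -s %s -p udp --dport 1514 -j ACCEPT\n' "$iface" "$agent_net"
    if [ "$syslog" = "yes" ]; then
        printf 'iptables -A INPUT -i %s -s %s -p udp --dport 514 -j ACCEPT\n' "$iface" "$agent_net"
    fi
    # ossec-remoted answers on the same UDP flow; let those replies out
    # without opening OUTPUT in general.
    printf 'iptables -A OUTPUT -o %s -p udp --sport 1514 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$iface"
}

# Agent: only UDP 1514 to the one server, plus that server's replies.
ossec_agent_rules() {
    iface="$1"; server_ip="$2"
    printf 'iptables -A OUTPUT -o %s -d %s -p udp --dport 1514 -j ACCEPT\n' "$iface" "$server_ip"
    printf 'iptables -A INPUT -i %s -s %s -p udp --sport 1514 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$iface" "$server_ip"
}

# Usage: sh this.sh server eth0 192.168.1.0/24 yes | sh
#        sh this.sh agent  eth0 192.168.1.10        | sh
if [ $# -ge 3 ]; then
    case "$1" in
        server) ossec_server_rules "$2" "$3" "${4:-no}" ;;
        agent)  ossec_agent_rules "$2" "$3" ;;
    esac
fi
```

The firewall-drop response inserts its DROP rules at the head of INPUT, so it takes precedence over these ACCEPT rules and is not weakened by them.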

Start-up

Execute the command:

/var/ossec/bin/ossec-control start

You can use the command

systemctl start ossec

but then the start-up messages are not shown on the console.

Stop

Execute the command

/var/ossec/bin/ossec-control stop

or

systemctl stop ossec

Restart OSSEC HIDS

systemctl restart ossec

or

/var/ossec/bin/ossec-control restart

Starting at boot

execute the command:

service --status-all

Check that “ossec” appears in the list of services started at the server boot.

In case this service is not registered at startup, type the command :

systemctl enable ossec

Logs

Each server/agent writes its log to /var/ossec/logs/ossec.log

Reinstallation

Before reinstalling OSSEC HIDS, delete the /var/ossec directory first, even though the installer offers to work on the existing installation.

Uninstall

service ossec stop  
rm -f /etc/ossec-init.conf  
rm -rf /var/ossec

ERRORS

ossec-remoted(1403): ERROR: Incorrectly formatted message from '172.28.0.4'.

The server could not decrypt a message with the key it holds for that IP address: re-import the agent key on the agent at that address (manage_agents, option "i"), making sure it is the key the server currently has for it.
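Both failures that come from a bad key, the queue error on the agent (under Agent installation) and the "Incorrectly formatted message" just above on the server, can be caught before the import. As an added example, not code from the post or from OSSEC, the functions below decode a pasted key: what manage_agents option "e" prints is the base64 encoding of the agent's client.keys line, "ID NAME IP KEY", so it can be checked for stray whitespace, truncation, and the agent IP it was generated for, since ossec-remoted selects the key by the agent's source address. Assumed: the generated KEY field is lowercase hexadecimal; the key used by the demo is constructed, not a real one.

```shell
#!/bin/sh
# Added example, not code from the post or from OSSEC: sanity-check an
# agent key before importing it with manage_agents on the agent.
# The key printed by manage_agents option "e" on the server is the base64
# encoding of that agent's client.keys line, "ID NAME IP KEY".
# Assumed: the KEY part is lowercase hexadecimal, as manage_agents
# generates it.  The key in demo() is constructed, not a real one.

# Decode a pasted key, ignoring stray spaces and newlines from the copy,
# and print its four fields one per line.  Fails unless the result is
# exactly four fields, which is what a truncated paste looks like.
ossec_key_fields() {
    key=$(printf '%s' "$1" | tr -d ' \t\r\n')
    decoded=$(printf '%s' "$key" | base64 -d 2>/dev/null) || return 1
    set -f                 # no globbing while splitting on whitespace
    set -- $decoded
    set +f
    [ $# -eq 4 ] || return 1
    printf '%s\n' "$1" "$2" "$3" "$4"
}

# Succeeds only if the key is well formed and was generated for the IP
# this agent will talk from (or for "any").  ossec-remoted picks the key
# by source address, so a key made for another address is refused, and a
# key that differs from the one the server holds for that address gives
# "Incorrectly formatted message from '<ip>'".
ossec_key_check() {
    fields=$(ossec_key_fields "$1") || {
        echo "key does not decode to 'ID NAME IP KEY'; copy it again" >&2
        return 1
    }
    id=$(printf '%s\n' "$fields" | sed -n 1p)
    ip=$(printf '%s\n' "$fields" | sed -n 3p)
    secret=$(printf '%s\n' "$fields" | sed -n 4p)
    case "$id" in ''|*[!0-9]*) echo "agent id '$id' is not numeric" >&2; return 1 ;; esac
    case "$secret" in ''|*[!0-9a-f]*) echo "secret is not hexadecimal" >&2; return 1 ;; esac
    if [ "$ip" != "any" ] && [ "$ip" != "$2" ]; then
        echo "key was generated for $ip but this agent is $2" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed key when run without arguments.
demo() {
    line='001 pi-agent 192.168.1.20 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
    k=$(printf '%s' "$line" | base64 | tr -d '\n')
    ossec_key_check "$k" 192.168.1.20 && echo "accepted for 192.168.1.20"
    ossec_key_check "$k" 192.168.1.21 || echo "rejected for 192.168.1.21"
}

# Usage: sh this.sh '<pasted key>' <this agent's IP>
if [ $# -eq 2 ]; then
    ossec_key_check "$1" "$2"
else
    demo
fi
```

Run it on the agent with the key you are about to paste and the address the agent will use to reach the server; a rejection tells you which of the three problems (bad copy, truncation, wrong agent) you have before ossec-agentd refuses to start.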

In the log:

tail -f /var/ossec/logs/ossec.log

I observed:

ossec-execd(1103): ERROR: Could not open file '/var/ossec/etc/shared/ar.conf' due to [(2)-(No such file or directory)].

Seen on only one installation.

Create the file :

vi /var/ossec/etc/shared/ar.conf

then add this content to it:

restart-ossec0 - restart-ossec.sh - 0  
restart-ossec0 - restart-ossec.cmd - 0  
host-deny600 - host-deny.sh - 600  
firewall-drop600 - firewall-drop.sh - 600

Conclusion

When everything is correctly set up and started, the email alerts begin to flow. You will be surprised by what this type of technology detects: the first login of a user, files changed on the system after an update, agents starting, etc. The active part? Try to log in over SSH to one of the servers with a wrong password, from a machine that is not in the server's white list: you will be blocked, quickly, for 10 minutes (the 600-second timeout of the firewall-drop600 response in ar.conf). This limits brute-force login attempts.
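To see the 10-minute block described above without waiting for the email, as an added example that is not code from the post or from OSSEC: the function below reads active-responses.log and lists the addresses whose latest firewall-drop action is an add, that is, still blocked until the 600-second timeout from ar.conf produces the matching delete. Assumed: the line layout written by the firewall-drop.sh script (date, script path, action, user, source IP, alert id, rule id); the sample lines in the block are constructed, with 5712 as the sshd brute-force rule.

```shell
#!/bin/sh
# Added example, not code from the post or from OSSEC: list the addresses
# that firewall-drop currently has blocked, from active-responses.log.
# Assumed: each line of that log is
#   <date> <script path> <add|delete> <user> <srcip> <alert id> <rule id>
# as written by the firewall-drop.sh shipped with OSSEC.  The sample log
# below is constructed, not captured from a real server.

# Print "IP rule=<id> adds=<n>" for every IP whose latest firewall-drop
# action is "add", i.e. still blocked (the delete arrives when the
# ar.conf timeout, 600 s for firewall-drop600, expires).
blocked_ips() {
    awk '
        {
            act = ""; ip = ""; rule = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /firewall-drop\.sh$/) {
                    act = $(i + 1); ip = $(i + 3); rule = $(i + 5)
                }
            if (ip == "") next          # host-deny and other scripts
            if (act == "add") { blocked[ip] = rule; hits[ip]++ }
            else if (act == "delete") { delete blocked[ip] }
        }
        END {
            for (a in blocked) printf "%s rule=%s adds=%d\n", a, blocked[a], hits[a]
        }' "$1" | sort
}

# Number of addresses still blocked.
blocked_count() {
    blocked_ips "$1" | wc -l | tr -d ' '
}

# Constructed sample log for the demo: 203.0.113.7 blocked, released at
# the timeout, then blocked again; 198.51.100.9 still blocked; one
# host-deny entry that must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Thu Nov 15 13:30:10 CET 2018 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1542285010.12345 5712
Thu Nov 15 13:31:02 CET 2018 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.9 1542285062.22222 5712
Thu Nov 15 13:40:10 CET 2018 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1542285010.12345 5712
Thu Nov 15 13:45:00 CET 2018 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1542285900.33333 5712
Thu Nov 15 13:46:00 CET 2018 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.4 1542285960.44444 5712
EOF
}

demo() {
    f=$(mktemp)
    write_sample_log "$f"
    blocked_ips "$f"
    rm -f "$f"
}

# Usage: sh this.sh /var/ossec/logs/active-responses.log
if [ $# -eq 1 ]; then
    blocked_ips "$1"
else
    demo
fi
```

The adds count is worth watching: an address that keeps coming back after each release is a persistent attacker, and a candidate for a permanent rule outside OSSEC rather than repeated 10-minute blocks.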

Document licence : Creative Commons (CC BY-NC-ND 4.0)

THIS DOCUMENTATION IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND AND DISTRIBUTED FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR, CONTRIBUTORS TO THIS DOCUMENTATION OR ©MYTINYDC.COM SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT OR INDIRECT DAMAGE THAT MAY RESULT FROM THE APPLICATION OF THE PROCEDURES IMPLEMENTED IN THIS DOCUMENTATION, OR FROM THE INCORRECT INTERPRETATION OF THIS DOCUMENT.
