Work required an IPS/IDS, and someone recommended this well-regarded open-source intrusion detection system (OSSEC is a host-based IDS, a HIDS).
What follows is the installation process I went through as practice.
Installing the Server
Run all installation steps as root.
Preparation
1. Check that gcc and make are installed (OSSEC is compiled from the source tarball):
yum install gcc make -y
2. Install the database that OSSEC will write its output and alerts to.
Database settings, enabling OSSEC's database service and importing the schema are all covered in the OSSEC manual page Sending output to a Database; installing the database itself is covered in earlier posts.
yum install mariadb-devel mariadb-server mariadb -y
(OSSEC can log to a database; the supported types are mysql and postgresql. MySQL was replaced by MariaDB in CentOS 7, so MariaDB is installed directly. I am not familiar with PostgreSQL, so it is not used here. mariadb-devel is needed so that the make setdb step below can find the MySQL client headers and libraries.)
Start it
systemctl start mariadb.service
Enable it at boot
systemctl enable mariadb.service
Initialize MariaDB (set the root password, remove the anonymous accounts and the test database)
mysql_secure_installation
Firewall: open the MySQL service. This is only needed when the database runs on a different host than OSSEC; if both run on the same machine, skip it and leave 3306 closed.
firewall-cmd --permanent --add-service=mysql
Reload the firewall settings
systemctl reload firewalld.service
Download OSSEC 2.8.3
wget -U ossec https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
Download the checksum file and verify the tarball
wget -U ossec https://raw.githubusercontent.com/ossec/ossec-docs/master/docs/whatsnew/checksums/2.8.3/ossec-hids-2.8.3.tar.gz.sha256
cat ossec-hids-2.8.3.tar.gz.sha256
SHA256 (ossec-hids-2.8.3.tar.gz) = 917989e23330d18b0d900e8722392cdbe4f17364a547508742c0fd005a1df7dd
sha256sum -c ossec-hids-2.8.3.tar.gz.sha256
ossec-hids-2.8.3.tar.gz: OK
(sha256sum -c takes only the checksum file as its argument and locates the tarball by the name recorded inside it; passing the tarball as a second argument makes sha256sum try to parse the tarball itself as a checksum list and report an error. Do not unpack the archive unless the result is OK.)
Extract
tar -zxvf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3
Test database support
cd src; make setdb; cd ..
Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.
(As noted above, MySQL must show up as supported here; the PostgreSQL error is expected because its client libraries were not installed. make setdb has to run before install.sh, otherwise ossec-dbd is built without database support.)
Run the install script
./install.sh
Press [Enter] twice to reach the questions. The answers below are the defaults except for 1 and 3.1:
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? server
- Server installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]:
- What's your e-mail address? <recipient mailbox>
- What's your SMTP server ip/host? localhost [or any reachable SMTP server]
3.2- Do you want to run the integrity check daemon? (y/n) [y]:
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]:
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]:
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- 172.22.0.2
- Do you want to add more IPs to the white list? (y/n)? [n]:
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:
- Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/vsftpd.log
-- /var/log/mail.info
-- /var/log/maillog
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
The installation then runs; at the end it prints:
Command to start the service
/var/ossec/bin/ossec-control start
Command to stop the service
/var/ossec/bin/ossec-control stop
Location of the configuration file
/var/ossec/etc/ossec.conf
Command for managing agents
/var/ossec/bin/manage_agents
Enabling database support
Turn on OSSEC's database output (ossec-control then starts ossec-dbd together with the other daemons)
/var/ossec/bin/ossec-control enable database
Create the database and a dedicated account. The grant is scoped to connections arriving from <ossec ip>; quote both user and host so that an IP address is accepted:
mysql -u root -p
MariaDB [(none)]> create database ossec_dbname;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec_dbname.* to '<account>'@'<ossec ip>';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> set password for '<account>'@'<ossec ip>'=PASSWORD('<password>');
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye
Import the MySQL schema
mysql -u<account> -p ossec_dbname < ./src/os_dbd/mysql.schema
(If this is refused with an access-denied error, the connection is not arriving from <ossec ip>: without -h the client connects over the local socket as <account>@localhost, which does not match the grant above. Add -h <db server ip> so the connection comes from the OSSEC host's address, or run the import as root.)
Edit OSSEC's database connection settings. Note there is no whitespace inside the <database> element; a trailing space becomes part of the database name and the connection fails. The password sits in this file in clear text, so keep the restrictive permissions the installer gives ossec.conf.
vi /var/ossec/etc/ossec.conf
<ossec_config>
<database_output>
<hostname>db_server_ip</hostname>
<username><account></username>
<password><password></password>
<database>ossec_dbname</database>
<type>mysql</type>
</database_output>
</ossec_config>
The syslog listener in ossec.conf also needs an allow rule (see ossec.conf: Remote Options in the manual). 0.0.0.0/0, as used here, accepts syslog from any source; on anything but a lab network replace it with the network(s) your syslog senders actually sit on, because whoever can reach 514/udp can otherwise inject arbitrary events into the server.
vi /var/ossec/etc/ossec.conf
<ossec_config>
<remote>
<connection>syslog</connection>
<allowed-ips>0.0.0.0/0</allowed-ips>
</remote>
</ossec_config>
Start the OSSEC service
/var/ossec/bin/ossec-control start
Adding the Agent on the server side
/var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: agent-name
* The IP Address of the new agent: <agent ip>
* An ID for the new agent[001]:
Agent information:
ID:001
Name:agent-name
IP Address:<agent ip>
Confirm adding it?(y/n): y
Agent added.
Extract the key; it is given to the agent later
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: agent-name, IP: <agent ip>
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFnbmV0LXN1cHBvcnQtc2VydmVyIDE3Mi4yMi4xMC4yMDYgNGE2YTRkNjQ0OTk1Yjg5ODYxNzBkMWQwNGMwODRjMjM3YjQ2MjQ0ZDI1NjhlOGIzOWIwZDcwNDAyNGU2N2Q3Ng==
** Press ENTER to return to the main menu.
That string is the agent's shared secret (base64 of the ID, name, IP and key): copy it to the agent over an encrypted channel such as scp or an SSH session, and do not leave copies in chat or ticket systems.
Restart so that the new agent's key is loaded (equivalently /var/ossec/bin/ossec-control restart)
systemctl restart ossec
Installing a Web Interface
I originally planned to install ossec-wui, but its GitHub page says:
OSSEC Web User Interface - Unmaintained!!
The OSSEC Web UI is currently unmaintained and deprecated. If you are interested in maintaining the project, please contact the OSSEC team (open an issue, send a message to the mailing list, etc). We recommend using Kibana, Splunk, or similar projects for monitoring alerts.
So another web GUI was needed. The Graphical Web Interface for OSSEC (analogi) used in 开源入侵检测系统OSSEC搭建之三:Web界面安装, which I was following anyway, turned out to work,
so I tried it directly instead of setting up Kibana. The steps below follow 北海悟空's post; the commands are copied here purely as a backup.
Preparation
yum install httpd php php-mysql -y
Download and install
wget https://github.com/ECSC/analogi/archive/master.zip
unzip master.zip
mv analogi-master/ /var/www/html/analogi
cd /var/www/html/
chown -R apache:apache analogi/
cd analogi/
cp db_ossec.php.new db_ossec.php
(master.zip is whatever the branch head is at download time and ships no checksum; for a reproducible or auditable install, pin a tagged release or record the commit you deployed.)
Fill in the database connection details in db_ossec.php (the same account and database as in ossec.conf). The file holds the database password, so leave it readable only by the apache user.
Configure the firewall and reload it
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
Start httpd (and enable it at boot), then browse to http://ip/analogi. Restrict who can reach /analogi (Apache authentication and/or an IP allow-list) before exposing it, since it reads the alert database directly.
Mail sending issue
The environment is on AWS and I wanted to send mail through SES,
but OSSEC itself does not support authenticated SMTP (ossec-maild speaks plain SMTP to the host in <smtp_server>).
The workaround is to point OSSEC at localhost and have the local Postfix relay to SES.
AWS has official documentation for this: Integrating Amazon SES with Postfix, or Configure Postfix to Relay to Amazon SES SMTP Server.
Mail still did not go out afterwards; checking with mailq showed
SASL authentication failed; ..... no mechanism available
Following Postfix + SES : SASL authentication failed, installing cyrus-sasl-plain fixed it (Postfix needs the PLAIN/LOGIN SASL client plugin to authenticate to SES).
Installing the Agent - CentOS 7
The agent needs no database support, so go straight to configuring OSSEC 2.8.3 (same download, checksum verification, extraction and ./install.sh as on the server). Only these two answers differ:
1- What kind of installation do you want (server, agent, local, hybrid or help)? agent
3.1- What's the IP Address or hostname of the OSSEC HIDS server?: <server's ip>
At the end it lists the logs analyzed by default
3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/nginx/access.log (apache log)
-- /var/log/nginx/error.log (apache log)
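Both the server transcript earlier and the two agent answers above can be given to install.sh unattended: the installer sources etc/preloaded-vars.conf from the source directory if the file exists. The function below is an added example, not code from the original post or from the OSSEC project. It writes that file with the same answers as the transcripts; the variable names are the ones documented in etc/preloaded-vars.conf inside the 2.8.3 tarball (check there if a prompt still appears), and the e-mail address, SMTP host, server address and white-list network are placeholder arguments.

```shell
#!/bin/sh
# Added example: generate etc/preloaded-vars.conf for an unattended
# OSSEC 2.8.3 install. Not part of the original post or of OSSEC itself.
# Variable names follow the tarball's etc/preloaded-vars.conf; the values
# passed in (e-mail, SMTP host, server address, white list) are placeholders.
#
# Usage: write_preload_vars <src-dir> server|agent <server-ip> <email> <smtp> <whitelist>
#   write_preload_vars ./ossec-hids-2.8.3 server "" admin@example.com localhost "172.22.0.0/16"
#   write_preload_vars ./ossec-hids-2.8.3 agent 172.22.10.5 "" "" ""
# then run ./install.sh inside <src-dir>; every question answered here is skipped.

write_preload_vars() {
    srcdir=$1
    type=$2
    server_ip=$3
    email=$4
    smtp=$5
    whitelist=$6

    [ -d "$srcdir/etc" ] || { echo "no etc/ directory under $srcdir" >&2; return 1; }
    case $type in
        server|agent) ;;
        *) echo "install type must be server or agent" >&2; return 1 ;;
    esac
    # An agent install cannot proceed without the manager address
    # (question 3.1 of the agent transcript).
    if [ "$type" = agent ] && [ -z "$server_ip" ]; then
        echo "agent install needs the OSSEC server IP/hostname" >&2
        return 1
    fi

    out=$srcdir/etc/preloaded-vars.conf
    {
        echo 'USER_LANGUAGE="en"'
        echo 'USER_NO_STOP="y"'               # skip the "Press ENTER" pauses
        echo "USER_INSTALL_TYPE=\"$type\""     # question 1
        echo 'USER_DIR="/var/ossec"'           # question 2
        echo 'USER_ENABLE_SYSCHECK="y"'        # 3.2 integrity checking
        echo 'USER_ENABLE_ROOTCHECK="y"'       # 3.3 rootkit detection
        echo 'USER_ENABLE_ACTIVE_RESPONSE="y"' # 3.4 active response
        if [ "$type" = server ]; then
            echo 'USER_ENABLE_EMAIL="y"'             # 3.1 e-mail notification
            echo "USER_EMAIL_ADDRESS=\"$email\""
            echo "USER_EMAIL_SMTP=\"$smtp\""
            echo 'USER_ENABLE_FIREWALL_RESPONSE="y"' # firewall-drop response
            echo "USER_WHITE_LIST=\"$whitelist\""    # addresses active response never blocks
            echo 'USER_ENABLE_SYSLOG="y"'            # 3.5 remote syslog on 514/udp
        else
            echo "USER_AGENT_SERVER_IP=\"$server_ip\""  # 3.1 of the agent install
        fi
    } > "$out"
    echo "$out"
}
```

The file is plain shell sourced by install.sh, so values containing quotes or spaces other than the white list (which is a space-separated list) should be avoided. The same file documents further knobs, such as USER_UPDATE for re-running the installer over an existing /var/ossec.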
Join the agent to the server; the key was generated on the server side first
/var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): MDAxIGFnbmV0LXN1cHBvcnQtc2VydmVyIDE3Mi4yMi4xMC4yMDYgNGE2YTRkNjQ0OTk1Yjg5ODYxNzBkMWQwNGMwODRjMjM3YjQ2MjQ0ZDI1NjhlOGIzOWIwZDcwNDAyNGU2N2Q3Ng==
Agent information:
ID:001
Name:agent-name
IP Address:ip
Confirm adding it?(y/n): y
Added.
Restart so that the connection settings are loaded (equivalently /var/ossec/bin/ossec-control restart)
systemctl restart ossec
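The key pasted into the agent here, and extracted on the server earlier, is nothing more than base64 of "<id> <name> <ip> <secret>", so its contents can be checked before confirming the import. The function below is an added example, not code from the original post or from OSSEC; the sample key is constructed from placeholder values (ID 001, name agent-name, address 192.0.2.10 and an obviously fake 64-hex-digit secret), not a real key.

```shell
#!/bin/sh
# Added example: inspect an OSSEC agent key before importing it on an agent.
# Not part of the original post or of OSSEC. manage_agents emits
# base64("<id> <name> <ip> <secret>"); the secret is a 64-character hex string.
# The server only accepts the agent's packets from the IP recorded in the key
# (or from anywhere if the agent was added with IP "any"), so a key for the
# wrong agent, or one pasted with a character missing, is rejected at
# connection time (visible in the server's ossec.log), not at import time.

# Constructed sample key; the secret is a placeholder, not a real one.
SAMPLE_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_KEY=$(printf '001 agent-name 192.0.2.10 %s' "$SAMPLE_SECRET" | base64 | tr -d '\n')

# ossec_key_info <key>: print "id=... name=... ip=..." on stdout, or return 1
# if the string is not base64 of four fields with a 64-hex-digit secret.
ossec_key_info() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    # Word splitting into the four fields is intended here.
    set -- $decoded
    [ $# -eq 4 ] || return 1
    case $4 in
        *[!0-9a-f]*) return 1 ;;   # secret must be lowercase hex
    esac
    [ ${#4} -eq 64 ] || return 1
    echo "id=$1 name=$2 ip=$3"
}

# On the agent, compare the output with the "Agent information" block the
# server showed before answering the import prompt:
#   ossec_key_info "$SAMPLE_KEY"   ->  id=001 name=agent-name ip=192.0.2.10
```

Because the key carries the secret in clear text (base64 is an encoding, not encryption), treat the decoded output like the key itself and do not log it.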
Installing the Agent - Windows 2012R2
Download ossec-agent-win32-2.8.3.exe from the official site (verify its checksum as done for the tarball).
Run As Administrator
Enter the server IP and the key -> Save -> Restart, and it is done; the service starts at boot by default.
Checking the Server and Agent connection
On the server, 1514/udp (OSSEC secure agent connection) and 514/udp (OSSEC syslog) must be open.
netstat -anpl | grep ossec
udp 0 0 0.0.0.0:1514 0.0.0.0:* 15555/ossec-remoted
udp 0 0 0.0.0.0:514 0.0.0.0:* 15554/ossec-remoted
On the agent you can see the connection to the server (a UDP socket shows ESTABLISHED once ossec-agentd has connected it to the server address):
netstat -anpl | grep ossec
udp 0 0 agent's ip:40740 server's ip:1514 ESTABLISHED 30377/ossec-agentd
Server firewall (where possible, bind these rules to the agent network with a dedicated zone or a rich rule carrying a source, rather than opening them to everything in public)
firewall-cmd --permanent --zone=public --add-port=1514/udp
firewall-cmd --permanent --zone=public --add-port=514/udp
firewall-cmd --reload
Agent firewall
firewall-cmd --permanent --zone=public --add-port=1514/udp
firewall-cmd --permanent --zone=public --add-port=514/udp
firewall-cmd --reload
(Strictly speaking the agent only sends outbound UDP to the server's 1514 and the replies are let back in by connection tracking, so these inbound rules are not required on the agent; nothing listens on those ports there, so they are harmless if already applied.)
The server lists the active agents
/var/ossec/bin/list_agents -c
agent-name-ip is active.
Restarting an agent's OSSEC from the server side (see agent_control in the manual; not tried by the author)
/var/ossec/bin/agent_control -R 001
OSSEC HIDS agent_control: Restarting agent: 001
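The two netstat listings and the list_agents line above are the checks worth repeating after every change on either side. The functions below are an added example, not code from the original post or from OSSEC: they apply those checks to text read from stdin, so the same functions run over live output (netstat -anpl, /var/ossec/bin/list_agents -c) or over the constructed sample lines embedded here, which mirror the formats shown above with placeholder PIDs and addresses.

```shell
#!/bin/sh
# Added example: post-install checks for the OSSEC server. Not part of the
# original post or of OSSEC. Each function reads the tool's output on stdin
# so it works on live data or on the constructed samples below.
#
#   netstat -anpl | remoted_ports_ok 1514 514
#   /var/ossec/bin/list_agents -c | agent_active agent-name 192.0.2.10

# Constructed sample of "netstat -anpl" on the server (placeholder PIDs);
# the sshd line is there to show that unrelated sockets are ignored.
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:1514            0.0.0.0:*                           15555/ossec-remoted
udp        0      0 0.0.0.0:514             0.0.0.0:*                           15554/ossec-remoted
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd'

# Constructed sample of "/var/ossec/bin/list_agents -c" ("<name>-<ip> is active.")
SAMPLE_AGENTS='agent-name-192.0.2.10 is active.
web-01-192.0.2.11 is active.'

# remoted_ports_ok <port>...: succeed only if every port listed is a UDP
# socket owned by ossec-remoted. Missing 1514 means agents cannot connect;
# missing 514 means the remote syslog listener is not enabled in ossec.conf.
remoted_ports_ok() {
    listing=$(cat)
    status=0
    for port in "$@"; do
        if ! printf '%s\n' "$listing" |
             grep -Eq "^udp +[0-9]+ +[0-9]+ +[^ ]+:$port +.*/ossec-remoted$"; then
            echo "$port/udp is not bound by ossec-remoted" >&2
            status=1
        fi
    done
    return $status
}

# agent_active <name> <ip>: succeed if list_agents reports exactly that
# agent as active. Fixed-string, whole-line match, so "web-01" does not
# match "web-011" and the dots in the IP are literal.
agent_active() {
    grep -Fxq "$1-$2 is active."
}
```

An agent that is present in manage_agents but never shows up as active usually means one of three things checked above in order: ossec-remoted is not bound to 1514/udp on the server, the firewall in front of it drops the port, or the key on the agent was issued for a different IP.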
References
OSSEC official site
开源入侵检测系统OSSEC搭建之一:服务端安装 (in Chinese, and complete)
[研究] OSSEC - HIDS 2.8 主機型入侵偵測系統 - local 安裝 (CentOS 7.0 x86_64)
How To Install OSSEC HIDS on a CentOS 7 Server
OSSEC Log Management with Elasticsearch