OSSEC official website: http://www.ossec.net/
OSSEC documentation: http://ossec-docs.readthedocs.org/en/latest/manual/index.html
OSSEC is an open-source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.
The latest stable version is 2.8. Download page: http://www.ossec.net/?page_id=19
A newer release is now available: Latest Stable Release (2.8.1)
OSSEC uses a client/server deployment model. In what follows, server: 192.168.22.240, client: 192.168.22.241
First disable SELinux and install the commonly used packages.
Environment: CentOS release 6.4 (Final) x86_64
Disable SELinux: SELINUX=disabled
yum install gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat wget unzip -y

Install the server
IP 192.168.22.240
yum install mysql mysql-server mysql-devel httpd php php-mysql -y
tar -xzf ossec-hids-2.8.tar.gz
cd ossec-hids-2.8
cd src/
# make setdb
Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.      # OSSEC supports the MySQL database
# cd ..
# ./install.sh
The installation dialogue follows; if you mistype an answer, hold Ctrl+Backspace.
en                      # choose the language
Enter                   # continue
Server                  # install as server
/usr/local/ossec        # installation directory
3.1- Do you want e-mail notification? (y/n) [y]: y
  - What's your e-mail address? Your_mail@163.com
  - What's your SMTP server ip/host? 127.0.0.1
Enter                   # Running syscheck (integrity check daemon)
Enter                   # Running rootcheck (rootkit detection)
Enter                   # Active response enabled
Enter                   # firewall-drop enabled (local) for levels >= 6
Do you want to add more IPs to the whitelist? (y/n)? [n]: y     # set the IP whitelist
  - IPs (space separated):
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: Enter
Enter                   # start the installation

Configuration files and options once the installation has completed:
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents

[root@localhost ossec-hids-2.8]# mysql -uossec -p ossec < src/os_dbd/mysql.schema
Enter password:
vim /usr/local/ossec/etc/ossec.conf     # append at the end of the file, then :wq! to force the write
<ossec_config>
  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>ossec</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>

Add the content at line 128 to allow logs from this subnet; if other IPs need to be whitelisted, add them one after another in the same way.
At this point the mailbox has already received an e-mail.
Next, add the agent client.
# /usr/local/ossec/bin/manage_agents
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
# answer the prompts in this order:
A                                               # add
Please provide the following:
 * A name for the new agent: agent1
 * The IP Address of the new agent: 192.168.22.241      # the agent's IP address
 * An ID for the new agent[001]: 001
Agent information:
 ID:001
 Name:agent1
 IP Address:192.168.22.241
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
 ID: 001, Name: agent1, IP: 192.168.22.241
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0MSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZsNhZDd3YmFjZjddZTFkMmNj
## this key is needed when installing the agent
** Press ENTER to return to the main menu.
Choose your action: A,E,L,R or Q: Q

The garbled-looking string generated above is the key the client has to supply; it is pasted in the "set up the agent" step under "Install the client" below.
# netstat -unlp | grep ossec        # OSSEC communicates over UDP ports 514 and 1514
udp   0   0 0.0.0.0:514     0.0.0.0:*     4511/ossec-remoted
udp   0   0 0.0.0.0:1514    0.0.0.0:*     4513/ossec-remoted

Install the client
IP 192.168.22.241
# tar -xzf ossec-hids-2.8.tar.gz
# cd ossec-hids-2.8
# ./install.sh
Y                       # the default is en
Enter                   # begin
Agent                   # install as agent
/usr/local/ossec        # installation directory
192.168.22.240          # the server's IP; make sure it is typed correctly
Enter                   # Running syscheck (integrity check daemon)
Enter                   # Running rootcheck (rootkit detection)
Enter                   # active response
3.5- Setting the configuration to analyze the following logs:
  -- /var/log/messages
  -- /var/log/secure
  -- /var/log/maillog
  -- /var/log/nginx/error.log (apache log)
Enter                   # start the installation

Post-installation configuration (do not run these yet):
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents

Set up the agent: paste the key generated on the server above.
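Before the key extracted on the server is pasted into manage_agents on the agent, it is worth checking what it actually encodes and that it belongs to this host. The following is an added example, not code from the post or from OSSEC: it decodes an exported key into its fields and rejects a mangled or mismatched one. The key and 64-hex-character secret it uses are constructed for the demo, not the one printed above.

```python
import base64
import ipaddress
import re

# Constructed sample for this example (NOT the key printed by the post).
# manage_agents "(E)xtract key" prints base64 of one client.keys line:
#   "<id> <name> <ip|cidr|any> <64 lowercase hex chars>"
SAMPLE_SECRET = "ab" * 32  # placeholder secret, 64 hex characters
SAMPLE_KEY = base64.b64encode(
    f"001 agent1 192.168.22.241 {SAMPLE_SECRET}".encode("ascii")
).decode("ascii")

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def decode_agent_key(key_b64: str) -> dict:
    """Split an exported agent key into id/name/ip/secret; raise ValueError
    when it is not the four-field shape above (e.g. mangled by copy-paste)."""
    try:
        line = base64.b64decode(key_b64.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"not a valid base64/ASCII agent key: {exc}") from exc
    parts = line.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 4 space-separated fields, got {len(parts)}")
    agent_id, name, ip, secret = parts
    if not agent_id.isdigit():
        raise ValueError(f"agent id is not numeric: {agent_id!r}")
    if ip != "any":  # manage_agents also accepts the literal "any"
        try:
            ipaddress.ip_network(ip, strict=False)  # plain address or CIDR
        except ValueError as exc:
            raise ValueError(f"bad agent address {ip!r}") from exc
    if not HEX64.match(secret):
        raise ValueError("secret is not 64 lowercase hex characters")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def key_matches(key_b64: str, expected_id: str, expected_ip: str) -> bool:
    """True only if the key decodes cleanly AND names the agent we expect.
    A wrong agent's key is accepted when pasted but only fails once the agent
    tries to talk to the server, so it is cheaper to catch it here."""
    try:
        fields = decode_agent_key(key_b64)
    except ValueError:
        return False
    return fields["id"] == expected_id and fields["ip"] == expected_ip
```

Run key_matches with the string copied from the server and the id/IP you gave manage_agents there; a False result means re-copy the key rather than importing it.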
OSSEC's log
/usr/local/ossec/logs/ossec.log

Install the web interface
ossec-wui interface
cd /var/www
unzip ossec-wui-master.zip
mv ossec-wui-master html/ossec
cd html/ossec/
# cat ossec_conf.php
/* Ossec directory */
#$ossec_dir="/var/ossec";
$ossec_dir="/usr/local/ossec";
# ./setup.sh
Setting up ossec ui...
Username: ossec
New password:
Re-type new password:
Adding password for user ossec
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
apache
Enter your OSSEC install directory path (e.g. /var/ossec)
/usr/local/ossec
You must restart your web server after this setup is done.
Setup completed successfuly.
# vim /etc/httpd/conf.d/ossec.conf
<Directory /var/www/html/ossec>
  # LAN-only access: keep these three lines
  Order deny,allow
  Deny from all
  Allow from 192.168.22.0/24
  # Access from outside the LAN: comment out or delete the three lines above and use the four below instead
  Options FollowSymLinks
  AllowOverride None
  Order deny,allow
  allow from all
  Options -MultiViews
  AuthName "OSSEC AUTH"
  AuthType Basic
  AuthUserFile /var/www/html/ossec/.htpasswd
  Require valid-user
</Directory>

Don't forget to open port 80 in iptables:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
chown apache:apache *
service httpd restart

analogi interface
Check the status information
# /usr/local/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Active
# /usr/local/ossec/bin/list_agents -a
agent1-192.168.22.241 is available.
# /usr/local/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...

OSSEC's graphical interface
analogi graphical interface
E-mail received from OSSEC