2014-02-05
Official website
http://www.ossec.net/
Download
http://www.ossec.net/main/downloads
Environment
192.168.128.101 OSSEC - HIDS 2.7.1 server (CentOS 6.5 x86_64)
192.168.128.102 OSSEC - HIDS 2.7.1 agent (CentOS 6.5 x86_64)
(1) Server installation
yum -y install gcc httpd php
service httpd restart
wget http://www.ossec.net/files/ossec-hids-2.7.1.tar.gz
wget http://www.ossec.net/files/ossec-wui-0.8.tar.gz
tar zxvf ossec-hids-2.7.1.tar.gz
cd ossec-hids-2.7.1
# the install.sh prompts are explained below; the installation type can be server, agent, local or hybrid
./install.sh
cd ..
tar zxvf ossec-wui-0.8.tar.gz -C /var/www/html
mv /var/www/html/ossec-wui-0.8 /var/www/html/ossec
# -a appends the ossec group; a bare -G would replace apache's other supplementary groups
usermod -a -G ossec apache
grep ossec /etc/group
# /var/ossec/bin/ossec-control start
# vi /var/ossec/etc/ossec.conf
service ossec restart
service httpd restart
firefox http://localhost/ossec &
Running install.sh from ossec-hids-2.7.1.tar.gz asks a series of configuration questions; for most of them just press Enter to accept the defaults.
(For the installation type I chose local; I will test server and agent when I have time.)
[root@server ossec-hids-2.7.1]# ./install.sh

  (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]:

 OSSEC HIDS v2.7.1 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux server 2.6.32-431.el6.x86_64
  - User: root
  - Host: server

  -- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local, hybrid or help)? server

  - Server installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]:
   - What's your e-mail address? root@localhost

   - We found your SMTP server as: 127.0.0.1
   - Do you want to use it? (y/n) [y]:

   --- Using SMTP server: 127.0.0.1

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response

   - Do you want to enable active response? (y/n) [y]:

     - Active response enabled.

   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]:

     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 192.168.128.2

   - Do you want to add more IPs to the white list? (y/n)? [n]:

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:

   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog
    -- /var/log/httpd/error_log (apache log)
    -- /var/log/httpd/access_log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .

   --- Press ENTER to continue ---

 ... (omitted)

 - System is Redhat Linux.
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at contact@ossec.net or using our public maillist at
    ossec-list@ossec.net
    ( http://www.ossec.net/main/support/ ).

    More information can be found at http://www.ossec.net

    --- Press ENTER to finish (maybe more information below). ---

 - In order to connect agent and server, you need to add each agent to the server.
   Run the 'manage_agents' to add or remove them:

   /var/ossec/bin/manage_agents

   More information at:
   http://www.ossec.net/en/manual.html#ma
Next, register the Agent host on the Server (the Agent host itself can be installed later):
[root@server ossec-hids-2.7.1]# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: 192.168.128.102
   * The IP Address of the new agent: 192.168.128.102
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:192.168.128.102
   IP Address:192.168.128.102

Confirm adding it?(y/n): y
Agent added.

****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: 192.168.128.102, IP: 192.168.128.102
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIDE5Mi4xNjguMTI4LjEwMiAxOTIuMTY4LjEyOC4xMDIgMzgwODI4MGFlYmYyODI4MzZmOWYwNWI2NDY0YjY1YjU5YTQxZWNkNjE0YzYyZjgxNDFkZDNhOGY1YWI1OGY5ZQ==

** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: L

Available agents:
   ID: 001, Name: 192.168.128.102, IP: 192.168.128.102

** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: Q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..
[root@server ossec-hids-2.7.1]#
*********************************************************************************
(2) Agent installation
yum -y install gcc httpd php
service httpd restart
wget http://www.ossec.net/files/ossec-hids-2.7.1.tar.gz
wget http://www.ossec.net/files/ossec-wui-0.8.tar.gz
tar zxvf ossec-hids-2.7.1.tar.gz
cd ossec-hids-2.7.1
# the install.sh prompts are shown below; this time choose "agent" (the other types are server, local and hybrid)
./install.sh
cd ..
# httpd/php and the WUI are only useful on the server, where alerts.log is written;
# an agent forwards its events to the server and keeps no alerts of its own, so the WUI steps can be skipped here
tar zxvf ossec-wui-0.8.tar.gz -C /var/www/html
mv /var/www/html/ossec-wui-0.8 /var/www/html/ossec
# -a appends the ossec group; a bare -G would replace apache's other supplementary groups
usermod -a -G ossec apache
grep ossec /etc/group
# /var/ossec/bin/ossec-control start
# vi /var/ossec/etc/ossec.conf
service ossec restart
service httpd restart
firefox http://localhost/ossec &
Running install.sh from ossec-hids-2.7.1.tar.gz asks a series of configuration questions; for most of them just press Enter to accept the defaults.
[root@server ossec-hids-2.7.1]# ./install.sh

  (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]:

 OSSEC HIDS v2.7.1 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux server 2.6.32-431.el6.x86_64
  - User: root
  - Host: server

  -- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

  - Agent(client) installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.128.101

   - Adding Server IP 192.168.128.101

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

   - Running rootcheck (rootkit detection).

  3.4 - Do you want to enable active response? (y/n) [y]:

  3.5- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog
    -- /var/log/httpd/error_log (apache log)
    -- /var/log/httpd/access_log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .

   --- Press ENTER to continue ---

 ... (omitted)

 - System is Redhat Linux.
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at contact@ossec.net or using our public maillist at
    ossec-list@ossec.net
    ( http://www.ossec.net/main/support/ ).

    More information can be found at http://www.ossec.net

    --- Press ENTER to finish (maybe more information below). ---

 - You first need to add this agent to the server so they can communicate
   with each other. When you have done so, you can run the 'manage_agents'
   tool to import the authentication key from the server.

   /var/ossec/bin/manage_agents

   More information at:
   http://www.ossec.net/en/manual.html#ma

[root@agent ossec-hids-2.7.1]#
Next, on the Agent host, import the key that the Server generated:
[root@agent ~]# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIDE5Mi4xNjguMTI4LjEwMiAxOTIuMTY4LjEyOC4xMDIgMzgwODI4MGFlYmYyODI4MzZmOWYwNWI2NDY0YjY1YjU5YTQxZWNkNjE0YzYyZjgxNDFkZDNhOGY1YWI1OGY5ZQ==

Agent information:
   ID:001
   Name:192.168.128.102
   IP Address:192.168.128.102

Confirm adding it?(y/n): y
Added.

** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..
[root@agent ~]#
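The string that manage_agents printed on the Server and that was pasted into the Agent above is nothing more than the base64 encoding of one line of /var/ossec/etc/client.keys, in the form "ID NAME IP SECRET". Whoever holds that string can register a machine as agent 001 and feed the server forged events, so carry it between hosts over ssh/scp rather than e-mail or chat, and look at what you are about to paste. The following is an added example, not part of the original post and not an OSSEC tool; it decodes the key shown in the transcripts above and checks that the ID and IP match the agent being set up before you import it. It assumes GNU coreutils base64 and a POSIX awk/grep; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from OSSEC): inspect an
# OSSEC agent key before importing it.  The key is base64 of one
# client.keys line: "<ID> <NAME> <IP> <SECRET>".  It is a shared secret;
# treat it like a password.

# Key copied from the manage_agents transcript above (agent 001).
EXAMPLE_KEY='MDAxIDE5Mi4xNjguMTI4LjEwMiAxOTIuMTY4LjEyOC4xMDIgMzgwODI4MGFlYmYyODI4MzZmOWYwNWI2NDY0YjY1YjU5YTQxZWNkNjE0YzYyZjgxNDFkZDNhOGY1YWI1OGY5ZQ=='

# decode_agent_key KEY -> prints the plaintext client.keys line
decode_agent_key() {
    printf '%s' "$1" | base64 -d
}

# key_field KEY N -> field N of the decoded line (1=ID 2=NAME 3=IP 4=SECRET)
key_field() {
    decode_agent_key "$1" | awk -v n="$2" '{ print $n }'
}

# check_agent_key KEY EXPECTED_ID EXPECTED_IP
# Returns 0 when the key decodes, has exactly four fields, names the agent
# we expect and carries a 64-hex-digit secret.  Non-zero codes tell you
# what went wrong: 1 bad base64 (truncated paste, lost padding),
# 2 wrong field count, 3 ID mismatch, 4 IP mismatch, 5 malformed secret.
check_agent_key() {
    want_id=$2
    want_ip=$3
    line=$(decode_agent_key "$1" 2>/dev/null) || return 1
    # word-splitting the decoded line into $1..$4 is intended here
    set -- $line
    [ $# -eq 4 ] || return 2
    [ "$1" = "$want_id" ] || return 3
    [ "$3" = "$want_ip" ] || return 4
    printf '%s' "$4" | grep -Eq '^[0-9a-f]{64}$' || return 5
}

# Typical use on the agent, before running manage_agents:
#   decode_agent_key "$KEY"                      # eyeball ID NAME IP SECRET
#   check_agent_key "$KEY" 001 192.168.128.102 && echo "key is for this agent"
```

After `service ossec restart` on both hosts, `/var/ossec/bin/agent_control -l` on the Server should list agent 001 as Active. If it stays at "Never connected", the usual cause on a stock CentOS 6.5 install is the Server's iptables dropping the agent traffic on udp/1514; `iptables -I INPUT -p udp --dport 1514 -s 192.168.128.102 -j ACCEPT` followed by `service iptables save` fixes that. client.keys on both hosts should stay readable only by root and the ossec group.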
Next, try a penetration-testing tool against the Agent host and see what the Server picks up.
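What that attack produces shows up in /var/ossec/logs/alerts/alerts.log on the Server (the same data the WUI displays). With the defaults accepted above, active response runs firewall-drop for any alert of level 6 or higher whose source is not on the white list (192.168.128.2 here, the gateway the installer picked). The block below is an added example, not from the original post and not OSSEC code: it replays that decision over a constructed alerts.log excerpt, so that you can predict which attacking IPs the Server would block and which ones it would merely log. The three sample alerts are made up for this example (SSH password failures from a test box, with one escalated to a brute-force alert, plus one from the white-listed gateway); they follow the real file's layout, but only the levels and source IPs matter to the logic. It assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the original post or from OSSEC): replay the
# server's active-response decision over an alerts.log excerpt.

# Constructed sample in the layout of /var/ossec/logs/alerts/alerts.log.
# Alert 1: single failed login from 192.168.128.200 (level 5, logged only).
# Alert 2: the same source escalated to a brute-force alert (level 10).
# Alert 3: a level-10 alert from 192.168.128.2, the white-listed gateway.
sample_alerts() {
cat <<'EOF'
** Alert 1391587200.1001: - syslog,sshd,authentication_failed,
2014 Feb 05 10:00:00 (192.168.128.102) 192.168.128.102->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.128.200
User: root
Feb  5 10:00:00 agent sshd[2101]: Failed password for root from 192.168.128.200 port 51234 ssh2

** Alert 1391587230.1002: - syslog,sshd,authentication_failures,
2014 Feb 05 10:00:30 (192.168.128.102) 192.168.128.102->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 192.168.128.200
User: root
Feb  5 10:00:30 agent sshd[2130]: Failed password for root from 192.168.128.200 port 51240 ssh2

** Alert 1391587300.1003: - syslog,sshd,authentication_failures,
2014 Feb 05 10:01:40 (192.168.128.102) 192.168.128.102->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 192.168.128.2
User: admin
Feb  5 10:01:40 agent sshd[2199]: Failed password for invalid user admin from 192.168.128.2 port 40000 ssh2
EOF
}

# ar_candidates THRESHOLD WHITELIST   (alerts on stdin)
#   THRESHOLD  minimum alert level that fires the response (6 on this install)
#   WHITELIST  comma-separated IPs never blocked (<white_list> in ossec.conf)
# Prints one "agent src_ip level rule_id" line per alert that would be blocked.
ar_candidates() {
    awk -v thr="$1" -v wl="$2" '
        BEGIN {
            split("", white)                       # start with an empty set
            n = split(wl, w, ",")
            for (i = 1; i <= n; i++) white[w[i]] = 1
        }
        # "** Alert <ts>: ..." starts a new record: reset per-alert state
        /^\*\* Alert/ { agent = ""; src = ""; level = 0; rule = "" }
        # location line: "YYYY Mon DD hh:mm:ss (agent_name) agent_ip->/path";
        # an alert raised on the server itself has no "(...)" part
        /^[0-9]/ && index($0, "->") {
            agent = match($0, /\([^)]*\)/) ? substr($0, RSTART + 1, RLENGTH - 2) : "server"
        }
        # "Rule: 5712 (level 10) -> ..."
        /^Rule: / {
            rule = $2
            if (match($0, /\(level [0-9]+\)/)) level = substr($0, RSTART + 7, RLENGTH - 8) + 0
        }
        # "Src IP: a.b.c.d" is the address firewall-drop acts on; decide here
        /^Src IP: / {
            src = $3
            if (level >= thr && !(src in white)) print agent, src, level, rule
        }
    '
}

# The decision as configured by the install above: level >= 6, gateway exempt.
would_block() {
    ar_candidates 6 192.168.128.2
}

# Usage on the server:  would_block < /var/ossec/logs/alerts/alerts.log
# or, against the sample:  sample_alerts | would_block
```

Against the sample only the second alert is reported: the first is below the threshold and the third comes from the white-listed gateway. On a live Server, `iptables -L INPUT -n` after the attack should show the same addresses that this prints, and /var/ossec/logs/active-responses.log records each firewall-drop invocation.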
(End)
Related
[Research] OSSEC - HIDS 2.7.1 host-based intrusion detection system - server/agent installation (CentOS 6.5 x64)
http://shaurong.blogspot.com/2014/02/ossec-hids-271-serveragent-centos-65-x64.html
http://forum.icst.org.tw/phpbb/viewtopic.php?f=11&t=80717
[Research] OSSEC - HIDS 2.7.1 host-based intrusion detection system - local installation (CentOS 6.5 x64)
http://shaurong.blogspot.com/2014/02/ossec-hids-271-local-centos-65-x64.html
http://forum.icst.org.tw/phpbb/viewtopic.php?f=11&t=80716
[Research] OSSEC - HIDS 2.6 host-based intrusion detection system (CentOS 6.0 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=20340