Wednesday, 5 February 2014

[Research] OSSEC - HIDS 2.7.1 host-based intrusion detection system - server/agent installation (CentOS 6.5 x64)


2014-02-05

Official site
http://www.ossec.net/

Download
http://www.ossec.net/main/downloads

Environment

192.168.128.101   OSSEC - HIDS 2.7.1 server  (CentOS 6.5 x86_64)
192.168.128.102   OSSEC - HIDS 2.7.1 agent   (CentOS 6.5 x86_64)

(1) Server installation


yum -y install gcc httpd php
service httpd restart
wget http://www.ossec.net/files/ossec-hids-2.7.1.tar.gz
wget http://www.ossec.net/files/ossec-wui-0.8.tar.gz

tar zxvf ossec-hids-2.7.1.tar.gz
cd ossec-hids-2.7.1
# The install.sh prompts are explained below; the installation type can be server, agent, local, etc.
./install.sh
cd ..

tar zxvf ossec-wui-0.8.tar.gz -C /var/www/html
mv  /var/www/html/ossec-wui-0.8  /var/www/html/ossec

usermod -a -G ossec apache   # -a appends ossec to apache's groups instead of replacing them
grep ossec /etc/group

# /var/ossec/bin/ossec-control start
# vi /var/ossec/etc/ossec.conf

service ossec restart
service httpd restart
firefox http://localhost/ossec &


When running install.sh from ossec-hids-2.7.1.tar.gz, a series of configuration questions appears; for most of them you can simply press Enter to accept the default.
(For the installation type I chose local; I will test server and agent when I have time.)


[root@server ossec-hids-2.7.1]# ./install.sh

 (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]:

 OSSEC HIDS v2.7.1 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux server 2.6.32-431.el6.x86_64
  - User: root
  - Host: server


  -- Press ENTER to continue or Ctrl-C to abort. --


1- What kind of installation do you want (server, agent, local, hybrid or help)? server

  - Server installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]:
   - What's your e-mail address? root@localhost

   - We found your SMTP server as: 127.0.0.1
   - Do you want to use it? (y/n) [y]:

   --- Using SMTP server:  127.0.0.1

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response

   - Do you want to enable active response? (y/n) [y]:

     - Active response enabled.

   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]:

     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 192.168.128.2

   - Do you want to add more IPs to the white list? (y/n)? [n]:

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:

   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog
    -- /var/log/httpd/error_log (apache log)
    -- /var/log/httpd/access_log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .


   --- Press ENTER to continue ---

... (omitted)


 - System is Redhat Linux.
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at contact@ossec.net or using our public maillist at
    ossec-list@ossec.net
    ( http://www.ossec.net/main/support/ ).

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---



 - In order to connect agent and server, you need to add each agent to the server.
   Run the 'manage_agents' to add or remove them:

   /var/ossec/bin/manage_agents

   More information at:
   http://www.ossec.net/en/manual.html#ma


Next, add the agent host's information on the server host (the agent host itself can be installed later).


[root@server ossec-hids-2.7.1]# /var/ossec/bin/manage_agents


****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: 192.168.128.102
   * The IP Address of the new agent: 192.168.128.102
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:192.168.128.102
   IP Address:192.168.128.102

Confirm adding it?(y/n): y
Agent added.


****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: 192.168.128.102, IP: 192.168.128.102
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIDE5Mi4xNjguMTI4LjEwMiAxOTIuMTY4LjEyOC4xMDIgMzgwODI4MGFlYmYyODI4MzZmOWYwNWI2NDY0YjY1YjU5YTQxZWNkNjE0YzYyZjgxNDFkZDNhOGY1YWI1OGY5ZQ==

** Press ENTER to return to the main menu.



****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: L

Available agents:
   ID: 001, Name: 192.168.128.102, IP: 192.168.128.102

** Press ENTER to return to the main menu.



****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: Q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..
[root@server ossec-hids-2.7.1]#



*********************************************************************************

(2) Agent installation


yum -y install gcc httpd php
service httpd restart
wget http://www.ossec.net/files/ossec-hids-2.7.1.tar.gz
wget http://www.ossec.net/files/ossec-wui-0.8.tar.gz

tar zxvf ossec-hids-2.7.1.tar.gz
cd ossec-hids-2.7.1
# The install.sh prompts are explained below; the installation type can be server, agent, local, etc.
./install.sh
cd ..

tar zxvf ossec-wui-0.8.tar.gz -C /var/www/html
mv  /var/www/html/ossec-wui-0.8  /var/www/html/ossec

usermod -a -G ossec apache   # -a appends ossec to apache's groups instead of replacing them
grep ossec /etc/group

# /var/ossec/bin/ossec-control start
# vi /var/ossec/etc/ossec.conf

service ossec restart
service httpd restart
firefox http://localhost/ossec &


When running install.sh from ossec-hids-2.7.1.tar.gz, a series of configuration questions appears; for most of them you can simply press Enter to accept the default.
(For the installation type I chose local; I will test server and agent when I have time.)


[root@server ossec-hids-2.7.1]# ./install.sh

 (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]:

 OSSEC HIDS v2.7.1 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux server 2.6.32-431.el6.x86_64
  - User: root
  - Host: server


  -- Press ENTER to continue or Ctrl-C to abort. --


1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

  - Agent(client) installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.128.101

   - Adding Server IP 192.168.128.101

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

   - Running rootcheck (rootkit detection).

  3.4 - Do you want to enable active response? (y/n) [y]:


  3.5- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog
    -- /var/log/httpd/error_log (apache log)
    -- /var/log/httpd/access_log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .


   --- Press ENTER to continue ---

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog
    -- /var/log/httpd/error_log (apache log)
    -- /var/log/httpd/access_log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .


   --- Press ENTER to continue ---

... (omitted)



 - System is Redhat Linux.
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at contact@ossec.net or using our public maillist at
    ossec-list@ossec.net
    ( http://www.ossec.net/main/support/ ).

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---



 - You first need to add this agent to the server so they
   can communicate with each other. When you have done so,
   you can run the 'manage_agents' tool to import the
   authentication key from the server.

   /var/ossec/bin/manage_agents

   More information at:
   http://www.ossec.net/en/manual.html#ma

[root@agent ossec-hids-2.7.1]#


Next, configure the agent host.


[root@agent ~]# /var/ossec/bin/manage_agents


****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIDE5Mi4xNjguMTI4LjEwMiAxOTIuMTY4LjEyOC4xMDIgMzgwODI4MGFlYmYyODI4MzZmOWYwNWI2NDY0YjY1YjU5YTQxZWNkNjE0YzYyZjgxNDFkZDNhOGY1YWI1OGY5ZQ==

Agent information:
   ID:001
   Name:192.168.128.102
   IP Address:192.168.128.102

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.



****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..
[root@agent ~]#
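As an added example (not from the original post or from OSSEC itself), the following Python decodes the key that manage_agents exported above and shows what is actually copied between server and agent: plain base64 of the `client.keys` line `ID NAME IP KEY`, which is why the exported string must be handled as a secret. The function names `parse_agent_key`, `client_keys_line` and `matches_host` are my own.

```python
import base64
import binascii
import ipaddress
import re

# Key line exported by manage_agents on the server, copied from the page above.
EXPORTED_KEY = (
    "MDAxIDE5Mi4xNjguMTI4LjEwMiAxOTIuMTY4LjEyOC4xMDIgMzgwODI4MGFlYmYyODI4"
    "MzZmOWYwNWI2NDY0YjY1YjU5YTQxZWNkNjE0YzYyZjgxNDFkZDNhOGY1YWI1OGY5ZQ=="
)

def parse_agent_key(exported: str) -> dict:
    """Decode a manage_agents export into its client.keys fields.

    The export is base64 of one client.keys line, "ID NAME IP KEY". It is
    encoded, not encrypted: anyone holding it can register as the agent, so
    move it over a protected channel (e.g. ssh) rather than mail or chat.
    """
    # manage_agents warns "Do not include spaces or new lines": a key wrapped
    # by a terminal or mail client is recovered by stripping all whitespace.
    compact = "".join(exported.split())
    try:
        line = base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not a valid base64 agent key") from exc
    fields = line.split(" ")
    if len(fields) != 4:
        raise ValueError("expected 'ID NAME IP KEY', got %d fields" % len(fields))
    agent_id, name, ip, key = fields
    if not re.fullmatch(r"\d+", agent_id):
        raise ValueError("agent ID must be numeric: %r" % agent_id)
    if ip != "any":
        ipaddress.ip_network(ip, strict=False)  # raises on a malformed IP/CIDR
    if not re.fullmatch(r"[0-9a-f]{64}", key):
        raise ValueError("agent key must be 64 hex characters")
    return {"id": agent_id, "name": name, "ip": ip, "key": key}

def client_keys_line(fields: dict) -> str:
    """Rebuild the line manage_agents writes to /var/ossec/etc/client.keys."""
    return "%(id)s %(name)s %(ip)s %(key)s" % fields

def matches_host(fields: dict, host_ip: str) -> bool:
    """True if the key belongs on host_ip: the server only accepts the agent
    from the address (or range) recorded in the key, unless it is 'any'."""
    if fields["ip"] == "any":
        return True
    return ipaddress.ip_address(host_ip) in ipaddress.ip_network(fields["ip"], strict=False)

if __name__ == "__main__":
    info = parse_agent_key(EXPORTED_KEY)
    print(client_keys_line(info))
    print("import on 192.168.128.102 ok:", matches_host(info, "192.168.128.102"))
```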


Next, you can pick a penetration-testing tool and try attacking the agent host to see how it reacts.

(End)

Related

[Research] OSSEC - HIDS 2.7.1 host-based intrusion detection system - server/agent installation (CentOS 6.5 x64)
http://shaurong.blogspot.com/2014/02/ossec-hids-271-serveragent-centos-65-x64.html
http://forum.icst.org.tw/phpbb/viewtopic.php?f=11&t=80717

[Research] OSSEC - HIDS 2.7.1 host-based intrusion detection system - local installation (CentOS 6.5 x64)
http://shaurong.blogspot.com/2014/02/ossec-hids-271-local-centos-65-x64.html
http://forum.icst.org.tw/phpbb/viewtopic.php?f=11&t=80716

[Research] OSSEC - HIDS 2.6 host-based intrusion detection system (CentOS 6.0 x86)
http://forum.icst.org.tw/phpbb/viewtopic.php?t=20340
