
OSSEC install

Posted by 리눅스 엔지니어였던 ("Used to be a Linux engineer"), 2008. 9. 15. 18:33

OSSEC (Open Source Host-based Intrusion Detection System)

Homepage : http://www.ossec.net/

Download (latest version: 20080320)
 http://www.ossec.net/files/ossec-hids-1.4.tar.gz (Unix/Linux)
 http://www.ossec.net/files/ossec-agent-win32-1.4.exe (Windows)
 http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz (Web Interface)

Install (server)

wget http://www.ossec.net/files/ossec-hids-1.4.tar.gz

tar xvfzp ossec-hids-1.4.tar.gz

cd ossec-hids-1.4

./install.sh


1- What kind of installation do you want (server, agent, local or help)? server

  - Server installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]: y
   - What's your e-mail address? rick_kang@ynk.com.tw
   - What's your SMTP server ip/host? mail.ynk.com.tw

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user. 
       More information at:
       http://www.ossec.net/en/manual.html#active-response
      
   - Do you want to enable active response? (y/n) [y]:

     - Active response enabled.
  
   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]:

     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 192.168.100.252
      - 168.95.1.1

   - Do you want to add more IPs to the white list? (y/n)? [n]:

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:

   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog
    -- /var/log/httpd/error_log (apache log)
    -- /var/log/httpd/access_log (apache log)
    -- /etc/httpd/logs/access_log (apache log)
    -- /etc/httpd/logs/error_log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .
  
  
   --- Press ENTER to continue ---
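The choices made above are written by the installer into /var/ossec/etc/ossec.conf. The fragment below is an added illustration, not output from this install or from the OSSEC project, of what those settings look like and where a new localfile entry goes; the 600-second timeout and the third monitored file are assumptions.

```xml
<ossec_config>
  <global>
    <!-- Hosts that active response will never block. Keep the admin
         workstation and the DNS resolver here so a spoofed or noisy
         event cannot lock you out of the server. Values are the ones
         shown in the installer's default white list above. -->
    <white_list>192.168.100.252</white_list>
    <white_list>168.95.1.1</white_list>
  </global>

  <!-- Definition of the firewall-drop command: the script is handed the
       source IP (srcip) of the event that triggered it. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- "firewall-drop enabled (local) for levels >= 6": run the command on
       this host for every alert of level 6 or higher. The timeout is an
       assumed value; when it expires the block is removed again, which
       limits the damage of a false positive. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- One localfile entry per monitored log. The first two match the
       installer's list in 3.6; the third is an assumed extra file added
       by hand, as the installer text suggests. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/samba/log.smbd</location>
  </localfile>
</ossec_config>
```

After editing, run /var/ossec/bin/ossec-control restart so the new entries are picked up.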
                           
cd /usr/local/scripts/

vi ossec.sh


#!/bin/sh
# Init-style wrapper around ossec-control (straight quotes are required;
# the curly quotes from the blog editor break the script)
case "$1" in
start)
    /var/ossec/bin/ossec-control start
    ;;
stop)
    /var/ossec/bin/ossec-control stop
    ;;
restart)
    # give the daemons a moment to shut down before starting again
    $0 stop && sleep 3
    $0 start
    ;;
reload)
    $0 stop
    $0 start
    ;;
*)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
    ;;
esac


Install (agent)

wget http://www.ossec.net/files/ossec-hids-1.4.tar.gz

tar xvfzp ossec-hids-1.4.tar.gz

cd ossec-hids-1.4

./install.sh

1- What kind of installation do you want (server, agent, local or help)? agent

  - Agent(client) installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- What's the IP Address of the OSSEC HIDS server?: 192.168.100.228

   - Adding Server IP 192.168.100.228

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

   - Running rootcheck (rootkit detection).

  3.4 - Do you want to enable active response? (y/n) [y]:


  3.5- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .
  
  
   --- Press ENTER to continue ---
                           


5- Installing the system
 - Running the Makefile


Install (GUI)

wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz

tar xvfzp ossec-wui-0.3.tar.gz

mv ossec-wui-0.3 /var/www/html/ossec-wui

cd /var/www/html/ossec-wui

./setup.sh

vi /etc/group

from:   ossec:x:1341:
to  :   ossec:x:1341:apache

chmod 770 tmp/

chgrp apache tmp/   (the group must be the one httpd runs as; on this system that is apache, as in the /etc/group edit above, while BSD-style systems use www)

/etc/rc.d/init.d/httpd restart