Announcement

Collapse
No announcement yet.

Ossec intrusion detection installation on centos 7

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Ossec intrusion detection installation on centos 7

    Screenshot from 2019-04-15 16-12-46.png



    OSSEC (Open Source HIDS SECurity) is an open source host-based intrusion detection system (HIDS). It performs log analysis, integrity scanning, rootkit detection, time-based alerting, and active responses to triggers. You can install it on linux, windows, and mac. It allows for both local installs as well as an agent that can be deployed out to multiple systems with a centralized logging system. It is capable of scanning logs, file intregrity monitoring, and action based responses to threats. This guide covers how to perform a basic install on CentOS. To view their official documentation and site you can visit the github project. This guide is for a installation of a local version, however, it can be deployed to thousands of servers with agents reporting into a centralized server.

    PREPARING TO INSTALL OSSEC


    Install the packages needed for installation:
    Code:
    yum install -y gcc inotify-tools bind-utils

    Change to the source directory to download ossec:
    Code:
    cd /usr/src

    Get the newest release
    Code:
    wget -O ossec.3.3.0.tar.gz https://github.com/ossec/ossec-hids/archive/3.3.0.tar.gz

    Unpack the tar file
    Code:
    tar -xvzf ossec.3.3.0.tar.gz

    Change directories:
    Code:
    cd ossec-hids-3.3.0/
    OSSEC INSTALLATION


    Start the installer:
    Code:
    ./install.sh

    Once the installer has been started, it will walk you through a series of options to install OSSEC. Unless you are planning on running agent and server on different servers, select local install

    Code:
    1- What kind of installation do you want (server, agent, local, hybrid or help)? local
    - Local installation chosen.


    You can select the default installation path or choose another one.
    Code:
    2- Setting up the installation environment.
    - Choose where to install the OSSEC HIDS [/var/ossec]:


    Determine if the OSSEC installation should send email notifications
    Code:
    3.1- Do you want e-mail notification? (y/n) [y]: y
    - What's your e-mail address? email@domain.com
    - What's your SMTP server ip/host? domain.com


    The integrity check daemon will check files against a database of md5sums for changes to files:
    Code:
    3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
    
    - Running syscheck (integrity check daemon).


    The rootkit detection will check for common rootkits”
    Code:
    3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
    
    - Running rootcheck (rootkit detection).
    Code:
    Active response will allow OSSEC to response to events and execute ip blocks etc:

    Code:
    3.4- Active response allows you to execute a specific
    command based on the events received. For example,
    you can block an IP address or disable access for
    a specific user.
    More information at: http://www.ossec.net/en/manual.html#active-response
    
    - Do you want to enable active response? (y/n) [y]: n
    
    - Active response disabled.


    Code:
    3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog
    
    - If you want to monitor any other file, just change
    the ossec.conf and add a new localfile entry.
    Any questions about the configuration can be answered
    by visiting us online at http://www.ossec.net .
    
    --- Press ENTER to continue ---


    Use the following commands to start or stop ossec:
    Code:
    - To start OSSEC HIDS:
    /var/ossec/bin/ossec-control start
    Code:
    - To stop OSSEC HIDS:
    /var/ossec/bin/ossec-control stop

    This completes the initial install of the application, the configuration can be viewed or modified at /var/ossec/etc/ossec.conf with more granular options for configuration of the platform.
Working...
X