Home Server OSSEC

Source: Internet. Published: switching from Windows to the Apple system. Editor: 程序博客网. Time: 2024/04/28 14:34

Index.

  • Introduction.
  • Installation.
  • Configuration.
  • Firewall.
  • Add gateway server.
  • Add web server.
  • Download.
27-Mar-2012: initial release.
18-Jan-2013: adjusted for Slackware.


Introduction.

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. On our home server project the server package is installed on the host and the agent packages on the virtual servers. When the server detects an intrusion attempt, it sends a command to the virtual gateway to close the firewall for the offending IP address for a certain time. Because we monitor all our servers, it doesn't matter which of them is being attacked: all log information is processed and analyzed on the main server.

The official web site has all the documentation; you should really take a look at it to see how OSSEC works and how to adjust it to your own situation.


Installation.

There are three different packages available from this site:

  • ossec-local
  • ossec-server
  • ossec-agent

The ossec-local package is for standalone systems. For the Home Server use the ossec-server package; the ossec-agent package is used on the gateway and on the web server.


Configuration.

All the configuration files are located under /var/ossec/etc. To parse all kinds of log files and messages, OSSEC uses rules files, which are located under /var/ossec/rules. The only rules file that is not touched during a package upgrade is /var/ossec/rules/local_rules.xml, so make your changes only in that file.

The configuration file is /var/ossec/etc/ossec.conf; the diff against the original should look something like this:

--- ossec.conf.orig     2012-03-27 16:27:59.838622480 +0200+++ ossec.conf  2012-03-27 16:46:25.121402635 +0200@@ -1,6 +1,9 @@ <ossec_config>   <global>-    <email_notification>no</email_notification>+    <email_notification>yes</email_notification>+    <email_to>admin@wpl.uk</email_to>+    <smtp_server>mail.wpl.ym</smtp_server>+    <email_from>ossec@wpl.uk</email_from>   </global>   <rules>@@ -72,8 +75,7 @@     <frequency>79200</frequency>     <!-- Directories to check  (perform all possible verifications) -->-    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>-    <directories check_all="yes">/bin,/sbin</directories>+    <directories check_all="yes">/etc</directories>     <!-- Files/directories to ignore -->     <ignore>/etc/mtab</ignore>@@ -86,23 +88,16 @@     <ignore>/etc/utmpx</ignore>     <ignore>/etc/wtmpx</ignore>     <ignore>/etc/cups/certs</ignore>+    <ignore>/etc/cups/subscriptions.conf</ignore>+    <ignore>/etc/cups/subscriptions.conf.0</ignore>+    <ignore>/etc/cups/printers.conf</ignore>+    <ignore>/etc/cups/printers.conf.0</ignore>+    <ignore>/etc/cups/classes.conf</ignore>+    <ignore>/etc/cups/classes.conf.0</ignore>+    <ignore>/etc/printcap</ignore>     <ignore>/etc/dumpdates</ignore>     <ignore>/etc/svc/volatile</ignore>--    <!-- Windows files to ignore -->-    <ignore>C:\WINDOWS/System32/LogFiles</ignore>-    <ignore>C:\WINDOWS/Debug</ignore>-    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>-    <ignore>C:\WINDOWS/iis6.log</ignore>-    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>-    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>-    <ignore>C:\WINDOWS/Prefetch</ignore>-    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>-    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>-    <ignore>C:\WINDOWS/Temp</ignore>-    <ignore>C:\WINDOWS/system32/config</ignore>-    <ignore>C:\WINDOWS/system32/spool</ignore>-    <ignore>C:\WINDOWS/system32/CatRoot</ignore>+    <ignore>/etc/amanda/example</ignore>   </syscheck>   
<rootcheck>@@ -117,15 +112,14 @@   <global>     <white_list>127.0.0.1</white_list>     <white_list>^localhost.localdomain$</white_list>-    <white_list>2001:1af8:feb8:f0fc::100</white_list>+    <white_list>10.126.160.0/24</white_list>+    <white_list>10.126.161.0/24</white_list>   </global>   <remote>-    <connection>syslog</connection>-  </remote>--  <remote>     <connection>secure</connection>+    <allowed-ips>10.126.164.0/24</allowed-ips>+    <local_ip>10.126.164.1</local_ip>   </remote>   <alerts>@@ -167,29 +161,17 @@     <timeout_allowed>yes</timeout_allowed>   </command>--  <!-- Active Response Config -->-  <active-response>-    <!-- This response is going to execute the host-deny-       - command for every event that fires a rule with-       - level (severity) >= 6.-       - The IP is going to be blocked for  600 seconds.-      -->-    <command>host-deny</command>-    <location>local</location>-    <level>6</level>-    <timeout>600</timeout>-  </active-response>-   <active-response>+    <disabled>no</disabled>     <!-- Firewall Drop response. Block the IP for-       - 600 seconds on the firewall (iptables,+       - 1800 seconds on the firewall (iptables,        - ipfilter, etc).       
-->     <command>firewall-drop</command>-    <location>local</location>+    <location>defined-agent</location>+    <agent_id>002</agent_id>     <level>6</level>-    <timeout>600</timeout>    +    <timeout>1800</timeout>       </active-response>     <!-- Files to monitor (localfiles) -->@@ -200,7 +182,27 @@   </localfile>   <localfile>-    <log_format>snort-fast</log_format>-    <location>/var/log/snort/alert</location>+    <log_format>syslog</log_format>+    <location>/var/log/messages</location>+  </localfile>++  <localfile>+    <log_format>syslog</log_format>+    <location>/var/log/maillog</location>+  </localfile>++  <localfile>+    <log_format>squid</log_format>+    <location>/var/log/squid/access.log</location>+  </localfile>++  <localfile>+    <log_format>mysql_log</log_format>+    <location>/var/lib/mysql/homsrv.err</location>+  </localfile>++  <localfile>+    <log_format>apache</log_format>+    <location>/var/log/nginx/*access.log</location>   </localfile> </ossec_config>
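Review bot: in the first hunk, `<email_to>admin@wpl.uk</email_to>` and `<email_from>ossec@wpl.uk</email_from>` use wpl.uk while `<smtp_server>mail.wpl.ym</smtp_server>` uses wpl.ym, the domain the gateway login banner later shows; confirm both are intended. Note also that ossec-maild speaks plain SMTP without authentication, so that relay must accept mail from this host without AUTH.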
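Review bot: the syscheck hunk replaces `/etc,/usr/bin,/usr/sbin` and `/bin,/sbin` with `<directories check_all="yes">/etc</directories>`, so file integrity checking no longer covers the system binaries, which is exactly where a replaced ls, ps or sshd would be caught; rootcheck's trojan signature list is not a substitute. Suggest keeping `<directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>` and dealing with post-upgrade noise through `<ignore>` entries instead of dropping coverage.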
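Review bot: `<allowed-ips>10.126.164.0/24</allowed-ips>` in the `<remote>` hunk admits the whole maintenance /24 to ossec-remoted although only two agents exist (10.126.164.2 and 10.126.164.5 in the list_agents output below); one `<allowed-ips>` element per agent address keeps port 1514 closed to the rest of that network. Removing the `<connection>syslog</connection>` block is fine as long as nothing still sends plain syslog to this host, since such messages would then disappear silently.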
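Review bot: the active-response hunk points `firewall-drop` at `<agent_id>002</agent_id>`, but the manage_agents session on this page registers the gateway as agent 001; if the web server ended up as 002, the drop rule would be installed on the wrong host and the gateway firewall would never close. Check the id with manage_agents (L)ist and use the gateway's. Also, `<white_list>` covers 10.126.160.0/24 and 10.126.161.0/24 but not the 10.126.164.0/24 agent network itself, so consider adding it; and with `<level>6</level>` a single level-6 event is enough to drop an address for 1800 seconds, so the whitelist is the only protection for your own hosts.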


Under <remote> I use the maintenance network that was created for the amanda backups. That network is used to communicate with the remote agents; it's possible to use the regular network too.

Most of the other changes you need are log file names and locations. To change an existing rule, copy that rule to local_rules.xml, add an overwrite="yes" attribute and make the desired change to the copy. For example, the following /var/ossec/rules/local_rules.xml:

<!-- /var/ossec/rules/local_rules.xml at homsrv -->
<!-- Modify it at your will. -->

<group name="local,syslog,">

  <!-- Frequency was 6, but only allow 2 bad names
    -  Timeframe from 120 to 600 for slow scanners
    -->
  <rule id="5712" level="10" frequency="2" timeframe="600" ignore="60" overwrite="yes">
    <if_matched_sid>5710</if_matched_sid>
    <description>SSHD brute force trying to get access to </description>
    <description>the system.</description>
    <same_source_ip />
    <group>authentication_failures,</group>
  </rule>

  <!-- Frequency was 6, but only allow 2 bad passwords
    -->
  <rule id="5720" level="10" frequency="2" overwrite="yes">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="100201" level="0">
    <if_sid>1002</if_sid>
    <program_name>^transmission-daemon</program_name>
    <description>Ignored transmission-daemon event.</description>
  </rule>

  <rule id="100202" level="0">
    <if_sid>1002</if_sid>
    <program_name>^nagios</program_name>
    <description>Ignored nagios event.</description>
  </rule>

  <rule id="100301" level="2">
    <if_sid>1002</if_sid>
    <program_name>^smartd</program_name>
    <description>SMART event, please finish this rule.</description>
  </rule>

  <rule id="100401" level="2">
    <if_sid>1002</if_sid>
    <program_name>^aiccu</program_name>
    <description>AICCU event, please finish this rule.</description>
  </rule>

  <rule id="100402" level="0">
    <if_sid>1002</if_sid>
    <regex>\Serror</regex>
    <description>Ignore error in a word.</description>
  </rule>

  <rule id="100501" level="0">
    <if_sid>1002</if_sid>
    <program_name>^sshd</program_name>
    <regex>open failed: administratively prohibited</regex>
    <description>Ignore sshd error.</description>
  </rule>

  <rule id="100601" level="0">
    <if_sid>1002</if_sid>
    <program_name>^dbus</program_name>
    <regex>Failed to activate service 'org.freedesktop.Avahi': timed out</regex>
    <description>Ignore dbus error starting inactive avahi.</description>
  </rule>

  <!-- Override existing rules -->
  <rule id="31102" level="0" overwrite="yes">
    <if_sid>31101</if_sid>
    <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$</url>
    <compiled_rule>is_simple_http_request</compiled_rule>
    <description>Ignored extensions on 400 error codes.</description>
  </rule>

  <rule id="31151" level="10" frequency="5" timeframe="120" overwrite="yes">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 400 error codes </description>
    <description>from same source ip.</description>
    <group>web_scan,recon,</group>
  </rule>

  <rule id="31153" level="10" frequency="4" timeframe="120" overwrite="yes">
    <if_matched_sid>31104</if_matched_sid>
    <same_source_ip />
    <description>Multiple common web attacks from same source ip.</description>
    <group>attack,</group>
  </rule>

</group> <!-- SYSLOG,LOCAL -->

<group name="syslog,postfix,">

  <rule id="3357" level="10" frequency="3" timeframe="120" overwrite="yes">
    <if_matched_sid>3332</if_matched_sid>
    <same_source_ip />
    <description>Multiple SASL authentication failures.</description>
    <group>authentication_failures,attack,</group>
  </rule>

</group> <!-- SYSLOG,POSTFIX -->

<!-- EOF -->
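To see what the frequency, timeframe and ignore attributes on the overridden rules 5712 and 5720 actually do, here is a small Python simulation of that correlation (an added example, not OSSEC's own code and not from the original page). It keys matches on the source IP like <same_source_ip />, counts frequency literally (OSSEC's own counter documents a small offset from the literal value), and runs over constructed sshd log lines; the regex standing in for rule 5710 is our own simplification.

```python
"""Simulation of the frequency/timeframe/ignore correlation used by the
overridden rules 5712 and 5720 (added example, not OSSEC's own code)."""
import re
from collections import defaultdict, deque

# Rule parameters as set in local_rules.xml (stock rule 5712 used 6 / 120).
FREQUENCY = 2     # matches of the child rule (5710) needed from one source IP
TIMEFRAME = 600   # seconds within which those matches must occur
IGNORE = 60       # seconds after firing during which the same IP is not re-alerted

# Assumption: rule 5710 matches sshd "Invalid user" lines; this regex is our
# own simplification, not the OSSEC decoder.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Constructed sample log lines as (seconds since start, line).
# 203.0.113.7 is a slow scanner (one try every 5 minutes), 192.0.2.5 a burst.
SAMPLE_EVENTS = [
    (0,   "Mar 27 19:00:00 homsrv sshd[1001]: Invalid user admin from 203.0.113.7"),
    (10,  "Mar 27 19:00:10 homsrv sshd[1002]: Invalid user bob from 198.51.100.9"),
    (100, "Mar 27 19:01:40 homsrv sshd[1003]: Invalid user root from 192.0.2.5"),
    (130, "Mar 27 19:02:10 homsrv sshd[1004]: Invalid user pi from 192.0.2.5"),
    (140, "Mar 27 19:02:20 homsrv sshd[1005]: Invalid user git from 192.0.2.5"),
    (150, "Mar 27 19:02:30 homsrv sshd[1006]: Invalid user ftp from 192.0.2.5"),
    (300, "Mar 27 19:05:00 homsrv sshd[1007]: Invalid user oracle from 203.0.113.7"),
    (600, "Mar 27 19:10:00 homsrv sshd[1008]: Invalid user test from 203.0.113.7"),
]


def correlate(events, frequency=FREQUENCY, timeframe=TIMEFRAME, ignore=IGNORE):
    """Return [(seconds, ip)] for every firing of the composite rule.

    Equivalent of <if_matched_sid>5710</if_matched_sid> + <same_source_ip />:
    keep per-IP timestamps of child matches inside `timeframe`; once there are
    `frequency` of them, fire unless the IP is still inside its `ignore` window.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent child matches
    muted_until = {}              # ip -> time until which alerts are suppressed
    alerts = []
    for ts, line in events:
        m = INVALID_USER.search(line)
        if not m:
            continue                      # child rule 5710 did not match
        ip = m.group("ip")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > timeframe:
            q.popleft()                   # expire matches outside the window
        if len(q) >= frequency:
            if ts >= muted_until.get(ip, 0):
                alerts.append((ts, ip))
                muted_until[ip] = ts + ignore
            q.clear()                     # start a fresh count either way
    return alerts


if __name__ == "__main__":
    for tf in (120, 600):
        print("timeframe=%d -> %s" % (tf, correlate(SAMPLE_EVENTS, timeframe=tf)))
```

With the stock timeframe of 120 only the burst from 192.0.2.5 fires; the 600 second window is what catches the scanner that tries once every five minutes.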


After this, start OSSEC and check it:

root@homsrv:~# /etc/rc.d/init.d/ossec start
Starting OSSEC-HIDS
root@homsrv:~# /etc/rc.d/init.d/ossec status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
root@homsrv:~#


Firewall.

I let the OSSEC server communicate with the remote agents via the maintenance network. Because that network is restricted for all normal traffic, you need to open UDP port 1514 on the maintenance interface of every server involved.


Add gateway server.

On the remote virtual servers we install ossec-agent, which is much smaller than the server package. The agent collects logs and sends them to the server over a secured network connection; it also receives iptables commands from the server to block and unblock IP addresses.

Then configure the agent; here is the complete /var/ossec/etc/ossec.conf:

<ossec_config>
  <client>
    <server-ip>10.126.164.1</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/etc/amanda/example</ignore>
    <ignore>/etc/dumpdates</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
</ossec_config>


Now you need to create a key on the server for the agent, so that the two will be able to talk to each other.

root@homsrv:~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.6 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: gateway
   * The IP Address of the new agent: 10.126.164.2
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:gateway
   IP Address:10.126.164.2

Confirm adding it?(y/n): y
Agent added.

****************************************
* OSSEC HIDS v2.6 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: gateway, IP: 10.126.164.2
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIGdhdGV3YXkgMTAuMTI2LjE2NC4yIDg5ODNlYzQwNzBlZGRiOWNhOTFjMDMxZmQwM2M5N2NlMzFkMGNiYTVhOTk0NTRhZTcyNzZhNzEzYTM1ZjJkYWM=

** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.6 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: Q

** You must restart the server for your changes to have effect.

manage_agents: Exiting ..
root@homsrv:~#
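The key that manage_agents prints is the base64 encoding of the line it keeps in client.keys: "ID NAME IP KEY". Before pasting it into the agent it is worth checking that it really names the agent you are adding, because the server only accepts traffic for that key from the address recorded in it (unless that address is "any"). The following check is an added example, not part of this page or of OSSEC; the key it decodes is a constructed one with a placeholder hex part, not the key shown above.

```python
"""Sanity check of an exported OSSEC agent key before it is pasted into
manage_agents on the agent (added example, not OSSEC's code)."""
import base64
import binascii
import ipaddress

# Constructed keys for illustration: base64 of "<id> <name> <ip> <hex key>",
# the line manage_agents prints and stores in client.keys. The 64-hex-digit
# part is a made-up placeholder, not the key shown on this page.
SAMPLE_KEY = base64.b64encode(
    b"001 gateway 10.126.164.2 " + b"0123456789abcdef" * 4).decode()
SAMPLE_KEY_ANY = base64.b64encode(
    b"001 gateway any " + b"0123456789abcdef" * 4).decode()


def parse_agent_key(blob):
    """Decode an exported key into {"id", "name", "ip", "key"}; ValueError on junk."""
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not a base64 agent key: %s" % exc)
    fields = raw.split(" ")
    if len(fields) != 4:
        raise ValueError("expected 4 space-separated fields, got %d" % len(fields))
    agent_id, name, ip, key = fields
    if not (agent_id.isdigit() and len(agent_id) == 3):
        raise ValueError("agent id should be three digits, got %r" % agent_id)
    if ip != "any":
        ipaddress.ip_network(ip, strict=False)   # raises ValueError on garbage
    try:
        bytes.fromhex(key)
    except ValueError:
        raise ValueError("key part is not hexadecimal")
    if len(key) != 64:
        raise ValueError("key part should be 64 hex digits, got %d" % len(key))
    return {"id": agent_id, "name": name, "ip": ip, "key": key}


def check_key_for_agent(blob, expected_name, expected_ip):
    """Return a list of problems; an empty list means the key fits that agent.

    A wrong IP here means ossec-remoted will reject the agent's datagrams and
    the agent never shows up as connected in ossec.log.
    """
    try:
        info = parse_agent_key(blob)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if info["name"] != expected_name:
        problems.append("key is for agent %r, not %r" % (info["name"], expected_name))
    if info["ip"] == "any":
        problems.append("key accepts any source address; prefer a fixed IP")
    elif info["ip"] != expected_ip:
        problems.append("key IP %s does not match agent IP %s" % (info["ip"], expected_ip))
    return problems
```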


Copy the key shown above, log in to the gateway and run manage_agents there too. After the key is imported, go back to the server and restart OSSEC, then return to the gateway and start the agent. Here is the complete session:

root@homsrv:~# ssh gateway
root@gateway's password:
Last login: Tue Mar 27 19:26:11 2012 from 2001:1af8:fecf:7ea1::2
Welcome at gateway.wpl.ym - DISPLAY on 2001:1af8:fecf:7ea1::2:0.0
Tue Mar 27 19:47:32 CEST 2012
root@gateway:~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.6 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIGdhdGV3YXkgMTAuMTI2LjE2NC4yIDg5ODNlYzQwNzBlZGRiOWNhOTFjMDMxZmQwM2M5N2NlMzFkMGNiYTVhOTk0NTRhZTcyNzZhNzEzYTM1ZjJkYWM=

Agent information:
   ID:001
   Name:gateway
   IP Address:10.126.164.2

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.6 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: q

** You must restart the server for your changes to have effect.

manage_agents: Exiting ..
root@gateway:~# exit
logout
Connection to gateway closed.
root@homsrv:~# rc.d restart ossec
:: Stopping OSSEC-HIDS                                                   [DONE]
:: Starting OSSEC-HIDS                                                   [DONE]
root@homsrv:~# ssh gateway
root@gateway's password:
Last login: Tue Mar 27 19:47:32 2012 from 2001:1af8:fecf:7ea1::2
Welcome at gateway.wpl.ym - DISPLAY on 2001:1af8:fecf:7ea1::2:0.0
Tue Mar 27 19:51:57 CEST 2012
root@gateway:~# /etc/rc.d/init.d/ossec start
Starting OSSEC-HIDS
root@gateway:~# /etc/rc.d/init.d/ossec status
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...
root@gateway:~#


If you look in /var/ossec/logs/ossec.log you should see a message that the agent is connected to the server. Don't forget to activate ossec at boot using pkgtools setup.


Add web server.

The procedure to add the web server is the same as for the gateway server. Here is its /var/ossec/etc/ossec.conf:

<ossec_config>
  <client>
    <server-ip>10.126.164.1</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/etc/amanda/example</ignore>
    <ignore>/etc/dumpdates</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/*access.log</location>
  </localfile>
</ossec_config>


Now the whole setup should be complete. Check it on the home server with the following commands:

root@homsrv:~# /var/ossec/bin/list_agents -a
nginx-10.126.164.5 is available.
gateway-10.126.164.2 is available.
root@homsrv:~# /var/ossec/bin/list_agents -c
nginx-10.126.164.5 is active.
gateway-10.126.164.2 is active.
root@homsrv:~#


Download.

See the download page for the script and configuration files.
