OSSEC configuration and batch installation
Source: Internet  Editor: 程序博客网  Time: 2024/05/20 02:30
Introduction
A few words up front: some material on OSSEC can be found online; it is scarce, but better than nothing. In real use you will still run into plenty of odd problems, so I have tidied up my own process and present it as a set of notes. The base environment and the LAMP installation are not covered in this article.
Environment:
Server: 192.168.1.19
Clients: 192.168.1.21 192.168.1.22 192.168.1.23
Preparation
1. Start MySQL and create the required account and privileges:
shell> mysql -uroot -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
mysql> set password for ossec@localhost=PASSWORD('ossec');
mysql> flush privileges;
mysql> exit
Installation
1. Download the latest OSSEC package and build in database support:
shell> wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
shell> tar zxf ossec-hids-2.8.3.tar.gz
shell> cd ossec-hids-2.8.3
shell> cd src; make setdb; cd ..
When the following message appears, MySQL support is available:
Info: Compiled with MySQL support.
2. Run the installer, filling in the parameters and options according to your own needs:
root@qs-mysql:/opt/ossec-hids-2.8.3# ./install.sh

 ** Para instalação em português, escolha [br].
 ** 要使用中文进行安装, 请选择[cn].
 ** Fur eine deutsche Installation wohlen Sie [de].
 ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
 ** For installation in English, choose [en].
 ** Para instalar en Español , eliga [es].
 ** Pour une installation en français, choisissez [fr]
 ** A Magyar nyelvű telepítéshez válassza [hu].
 ** Per l'installazione in Italiano, scegli [it].
 ** 日本語でインストールします．選択して下さい．[jp].
 ** Voor installatie in het Nederlands, kies [nl].
 ** Aby instalować w języku Polskim, wybierz [pl].
 ** Для инструкций по установке на русском ,введите [ru].
 ** Za instalaciju na srpskom, izaberi [sr].
 ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en

 OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux qs-mysql 3.13.0-66-generic
  - User: root
  - Host: qs-mysql

  -- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local, hybrid or help)? server
  - Server installation chosen.

2- Setting up the installation environment.
 - Choose where to install the OSSEC HIDS [/var/ossec]: /ops/ossec
    - Installation will be made at /ops/ossec .

3- Configuring the OSSEC HIDS.
  3.1- Do you want e-mail notification? (y/n) [y]: y
   - What's your e-mail address? yingcaiye@163.com
   - What's your SMTP server ip/host? localhost
  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
   - Running syscheck (integrity check daemon).
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
   - Running rootcheck (rootkit detection).
  3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user.
       More information at: http://www.ossec.net/en/manual.html#active-response
   - Do you want to enable active response? (y/n) [y]: y
     - Active response enabled.
   - By default, we can enable the host-deny and the firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example.
   - Do you want to enable the firewall-drop response? (y/n) [y]: y
     - firewall-drop enabled (local) for levels >= 6
   - Default white list for the active response:
      - 8.8.8.8
      - 8.8.4.4
   - Do you want to add more IPs to the white list? (y/n)? [n]: 192.168.1.19
   - IPs (space separated): 192.168.1.19
  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:
   - Remote syslog enabled.
  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/dpkg.log
    -- /var/log/nginx/access.log (apache log)
    -- /var/log/nginx/error.log (apache log)
 - If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net .
3. Enable database support:
shell> /opt/ossec/bin/ossec-control enable database
4. Import the MySQL table schema:
shell> mysql -uossec -p ossec < ./src/os_dbd/mysql.schema
5. Fix the file permissions to avoid start-up errors:
shell> chmod u+w /opt/ossec/etc/ossec.conf
6. Edit the ossec.conf configuration file and add the database settings:
<ossec_config>
  <database_output>
    <hostname>192.168.1.19</hostname>
    <username>ossec</username>
    <password>ossec</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
7. Add the allowed network range to the ossec.conf configuration file:
<remote>
  <connection>syslog</connection>
  <allowed-ips>192.168.0.0/16</allowed-ips>
</remote>
At this point the server-side configuration is complete; next comes the batch installation of the clients and the preparation it needs.
1. In some directory, create the IP list and the key-generation script; here I use /tmp.
ip.txt contents:
test1-host:192.168.1.21
test2-host:192.168.1.22
test3-host:192.168.1.23
.......
The key-generation script key-gen.py:
#!/usr/bin/python
# Register every host in ip.txt with ossec-batch-manager.pl and append the
# extracted key to keys.logs; run on the server as root.
import os

if __name__ == '__main__':
    save_keys_path = "keys.logs"
    shell_path = "/opt/ossec-hids-2.8.3/contrib/ossec-batch-manager.pl"
    f = open("ip.txt")
    lines = f.read().splitlines()
    f.close()
    for line in lines:
        # skip blank or filler lines such as "......."
        if ":" not in line:
            continue
        host_name, ip = line.split(":", 1)
        host_name, ip = host_name.strip(), ip.strip()
        # add the agent, then extract its key into the log file
        cmd = "%s -a --ip %s --name %s" % (shell_path, ip, host_name)
        os.system(cmd)
        cmd = "%s -e %s >> %s" % (shell_path, ip, save_keys_path)
        os.system(cmd)
By default the generated keys are stored in /var/ossec/etc/client.keys; once they are generated, copy the key file into the etc directory of the actual OSSEC installation.
2. Edit the file /opt/ossec-hids-2.8.3/etc/preloaded-vars.conf:
# preloaded-vars.conf, Daniel B. Cid (dcid @ ossec.net).
#
# Use this file to customize your installations.
# It will make the install.sh script pre-load some
# specific options to make it run automatically
# or with less questions.
#
# PLEASE NOTE:
# When we use "n" or "y" in here, it should be changed
# to "n" or "y" in the language your are doing the
# installation. For example, in portuguese it would
# be "s" or "n".

# USER_LANGUAGE defines to language to be used.
# It can be "en", "br", "tr", "it", "de" or "pl".
# In case of an invalid language, it will default
# to English "en"
USER_LANGUAGE="en"     # For english
#USER_LANGUAGE="br"     # For portuguese

# If USER_NO_STOP is set to anything, the confirmation
# messages are not going to be asked.
USER_NO_STOP="y"

# USER_INSTALL_TYPE defines the installation type to
# be used during install. It can only be "local",
# "agent" or "server".
#USER_INSTALL_TYPE="local"
USER_INSTALL_TYPE="agent"
#USER_INSTALL_TYPE="server"

# USER_DIR defines the location to install ossec
USER_DIR="/opt/ossec"

# If USER_DELETE_DIR is set to "y", the directory
# to install OSSEC will be removed if present.
#USER_DELETE_DIR="y"

# If USER_ENABLE_ACTIVE_RESPONSE is set to "n",
# active response will be disabled.
USER_ENABLE_ACTIVE_RESPONSE="y"

# If USER_ENABLE_SYSCHECK is set to "y",
# syscheck will be enabled. Set to "n" to
# disable it.
USER_ENABLE_SYSCHECK="y"

# If USER_ENABLE_ROOTCHECK is set to "y",
# rootcheck will be enabled. Set to "n" to
# disable it.
USER_ENABLE_ROOTCHECK="y"

# If USER_UPDATE is set to anything, the update
# installation will be done.
USER_UPDATE="y"

# If USER_UPDATE_RULES is set to anything, the
# rules will also be updated.
USER_UPDATE_RULES="y"

# If USER_BINARYINSTALL is set, the installation
# is not going to compile the code, but use the
# binaries from ./bin/
#USER_BINARYINSTALL="x"

### Agent Installation variables. ###

# Specifies the IP address or hostname of the
# ossec server. Only used on agent installations.
# Choose only one, not both.
USER_AGENT_SERVER_IP="172.17.0.5"
# USER_AGENT_SERVER_NAME

# USER_AGENT_CONFIG_PROFILE specifies the agent's config profile
# name. This is used to create agent.conf configuration profiles
# for this particular profile name. Only used on agent installations.
# Can be any string. E.g. LinuxDBServer or WindowsDomainController
#USER_AGENT_CONFIG_PROFILE="generic"

### Server/Local Installation variables. ###

# USER_ENABLE_EMAIL enables or disables email alerting.
#USER_ENABLE_EMAIL="y"

# USER_EMAIL_ADDRESS defines the destination e-mail of the alerts.
#USER_EMAIL_ADDRESS="dcid@test.ossec.net"

# USER_EMAIL_SMTP defines the SMTP server to send the e-mails.
#USER_EMAIL_SMTP="test.ossec.net"

# USER_ENABLE_SYSLOG enables or disables remote syslog.
#USER_ENABLE_SYSLOG="y"

# USER_ENABLE_FIREWALL_RESPONSE enables or disables
# the firewall response.
#USER_ENABLE_FIREWALL_RESPONSE="y"

# Enable PF firewall (OpenBSD, FreeBSD and Darwin only)
#USER_ENABLE_PF="y"

# PF table to use (OpenBSD, FreeBSD and Darwin only).
#USER_PF_TABLE="ossec_fwtable"

# USER_WHITE_LIST is a list of IPs or networks
# that are going to be set to never be blocked.
#USER_WHITE_LIST="192.168.2.1 192.168.1.0/24"

#### exit ? ###
The file above is the installer's answer file; it removes the need for manual interactive input and so makes batch installation possible.
3. Place the modified files ossec.conf, preloaded-vars.conf and client.keys, together with the OSSEC package ossec-hids-2.8.3.tar.gz, in Apache's default document root (here /var/www/html):
ls /var/www/html
client.keys ossec-hids-2.8.3.tar.gz ossec.conf preloaded-vars.conf
4. On each client machine to be installed, create the deployment script ossec_agent_install.sh:
#!/bin/bash
# Non-interactive OSSEC agent installation; run from /opt on each client.
set -e
SERVER="192.168.1.19"   # host whose web root (step 3) serves the package, configs and keys
cd /opt
wget http://$SERVER/ossec-hids-2.8.3.tar.gz
tar -zxvf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3/etc
mv preloaded-vars.conf preloaded-vars.conf.bak
# Fetch the pre-filled answer file from the server: the installer then runs
# sequentially instead of in interactive question-and-answer mode
wget http://$SERVER/preloaded-vars.conf
# Run the installer
../install.sh
cd /opt/ossec/etc
# Download the key file generated on the server
wget http://$SERVER/client.keys
# Pick the address of the interface the agent uses (eth0 or eth1, depending
# on the host); this parses the classic net-tools ifconfig output format
ip1=`/sbin/ifconfig eth0 | sed -n '2p' | awk -F: '{print $2}' | awk '{print $1}'`
#ip2=`/sbin/ifconfig eth1 | sed -n '2p' | awk -F: '{print $2}' | awk '{print $1}'`
# Keep only this host's own line in client.keys (fields: id name ip key);
# anchor the IP between spaces so 192.168.1.2 does not also match 192.168.1.21
sed -i "/ ${ip1//./\\.} /!d" /opt/ossec/etc/client.keys
rm -f ossec.conf
# Download the unified configuration file
wget http://$SERVER/ossec.conf
# Start the agent
/opt/ossec/bin/ossec-control start
Save this script under /opt and run it; once it finishes, the client installation is complete. Check the process list to confirm the agent started without errors.
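An added example (not from the original post) covering both the key-generation step and the client.keys trimming step in the deployment script above: rather than publishing the entire client.keys on the web server, where every host on the network can fetch every agent's key, the server can pre-split it into one file per agent and at the same time report which hosts from ip.txt never received a key. The `id name ip key` layout is the one OSSEC writes to client.keys; the sample file contents are constructed.

```python
# Split an OSSEC client.keys file into one key file per agent and report the hosts
# from ip.txt that have no key. Sample file contents below are constructed.
import os
# client.keys layout OSSEC writes: "<id> <name> <ip> <key>"
SAMPLE_CLIENT_KEYS = """\
001 test1-host 192.168.1.21 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
002 test2-host 192.168.1.22 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""
# ip.txt layout used above, including the filler line a naive split(":") would choke on
SAMPLE_IP_TXT = "test1-host:192.168.1.21\ntest2-host:192.168.1.22\ntest3-host:192.168.1.23\n.......\n"

def parse_client_keys(text):
    """Return {ip: line}; blank or malformed lines are skipped."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            keys[fields[2]] = line
    return keys

def parse_ip_list(text):
    """Return [(name, ip)] from ip.txt, ignoring lines without a ':' separator."""
    hosts = []
    for line in text.splitlines():
        if ":" in line:
            name, ip = line.split(":", 1)
            hosts.append((name.strip(), ip.strip()))
    return hosts

def select_keys(keys_text, ip_text):
    """Map each ip.txt host to its client.keys line; also list IPs with no or mismatched key."""
    keys = parse_client_keys(keys_text)
    selected, missing = {}, []
    for name, ip in parse_ip_list(ip_text):
        line = keys.get(ip)  # exact IP match, unlike a sed /192.168.1.2/ pattern
        if line is None or line.split()[1] != name:
            missing.append(ip)
        else:
            selected[ip] = line
    return selected, missing

def write_key_files(selected, out_dir):
    """Write <out_dir>/<ip>.keys, owner-readable only: one secret per agent."""
    os.makedirs(out_dir, exist_ok=True)
    for ip, line in selected.items():
        path = os.path.join(out_dir, ip + ".keys")
        with open(path, "w") as f:
            f.write(line + "\n")
        os.chmod(path, 0o600)

if __name__ == "__main__":
    sel, miss = select_keys(SAMPLE_CLIENT_KEYS, SAMPLE_IP_TXT)
    write_key_files(sel, "/tmp/agent-keys")
    print("keys written for", sorted(sel), "- missing:", miss)
```

Each agent then only needs its own <ip>.keys installed as /opt/ossec/etc/client.keys, and the sed filtering step in the deployment script becomes unnecessary.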
Web front end
1. Above we installed the OSSEC server and added a client to it, a very simple environment. The environment is up, but analysing OSSEC alerts in it as it stands is far too cumbersome, so we install a third-party web interface to display the alerts:
shell> wget https://github.com/ECSC/analogi/archive/master.zip
shell> unzip master
shell> mv analogi-master/ /var/www/html/analogi
shell> cd /var/www/html/
shell> chown -R apache.apache analogi/
shell> cd analogi/
shell> cp db_ossec.php.new db_ossec.php
2. Edit the database settings in db_ossec.php:
define ('DB_USER_O', 'ossec');
define ('DB_PASSWORD_O', 'ossec');
define ('DB_HOST_O', '127.0.0.1');
define ('DB_NAME_O', 'ossec');
3. Add the corresponding Apache configuration:
vim /etc/httpd/conf.d/analogi.conf
Contents:
Alias /analogi /var/www/html/analogi
<Directory /var/www/html/analogi>
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/16
</Directory>
4. Restart Apache and open the page:
shell> /etc/init.d/httpd restart
http://192.168.1.19/analogi