Performing local installation

03 Aug 2008 | Syngress Publishing


By Rory Bray, Daniel Cid and Andrew Hay

Service provider takeaway: Open Source Security (OSSEC) is a widely used host-based intrusion detection system (HIDS) that detects unauthorized activity on a particular computer. This section of the chapter excerpt from the book OSSEC Host-Based Intrusion Detection Guide covers performing local installations of the OSSEC HIDS.


Local installations can only be done on Linux- and BSD-based operating systems, including Mac OS X. Start by choosing local installation in step 1 and then a directory location in step 2. The defaults are shown in square brackets and can be accepted by pressing Enter, or customized as in the case where we have chosen /opt/ossec instead of /var/ossec.

1- What kind of installation do you want (server, agent, local or help)? local

- Local installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec

Installation will be made at /var/ossec .

Step 3, and the corresponding substeps, deal with notifications and alerts. At this point, you must decide which features you want to enable. You can alter any of the choices later in the ossec.conf file or by reinstalling the OSSEC HIDS.

The OSSEC HIDS communicates alert conditions that require your attention through email. You should specify an email address you check frequently. The sooner you are aware of a new threat, the sooner you can respond before it becomes a major problem.

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y

- What's your e-mail address? earth@localhost

- We found your SMTP server as: 127.0.0.1

- Do you want to use it? (y/n) [y]: y

--- Using SMTP server: 127.0.0.1

The integrity check daemon is responsible for monitoring and reporting changes in system files. The rootkit detection engine regularly performs tests looking for evidence of an installed rootkit. Careful configuration of both services provides granular protection or notification of illicit file modifications, hidden network port activity, and other evidence of intrusion. The details of configuration and rule-tuning are addressed in later chapters. These features are very important for most HIDS solutions and should be enabled.

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

Active response is a very powerful tool for taking automated actions to prevent intrusion or to reduce the extent of an intrusion. Often, an active response will block invasive activity much more quickly than you or your attacker can respond. If misconfigured, however, the active response can also lock you out of your system or interrupt vital services. By default, the OSSEC HIDS active response is quite safe and we recommend enabling it. Be sure, however, to have at least one or two well-trusted IP addresses in the white list so you can always access the system.

3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user.

More information at:

http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD).

- They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:

- 192.168.65.2

- Do you want to add more IPs to the white list? (y/n)? [n]: n

3.6- Setting the configuration to analyze the following logs:

-- /var/log/messages

-- /var/log/auth.log

-- /var/log/syslog

-- /var/log/mail.info

- If you want to monitor any other file, just change the ossec.conf and add a new localfile entry.

Any questions about the configuration can be answered by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---

After you press Enter, the OSSEC HIDS is compiled, installed, and configured with the options you specified. When the installation is complete, the installer script provides you with some final information. You should make note of the information and take any recommended actions. Typically, any platform-specific steps needed to make the OSSEC HIDS operate fully are provided. For example, for the OSSEC HIDS to use the OpenBSD pf firewall, some lines must be added to the /etc/pf.conf script. The lines and instructions are provided in the final information.
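The installer writes the choices made above into ossec.conf, and the same settings can be edited there later. The following fragment is added here as an illustration (it is not taken from the book or from the OSSEC project) and shows the hand-edited equivalent of the options chosen in this walkthrough; the administrator's trusted address is an obvious placeholder and /var/log/secure is an assumed extra log file.

```xml
<ossec_config>
  <global>
    <!-- 3.1: e-mail notification, values from the walkthrough -->
    <email_notification>yes</email_notification>
    <email_to>earth@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@localhost</email_from>

    <!-- 3.4: addresses that active response must never block.
         Always keep at least one address you administer from in here. -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.65.2</white_list>
    <white_list>ADMIN_WORKSTATION_IP_PLACEHOLDER</white_list>
  </global>

  <!-- 3.2 / 3.3: integrity checking and rootkit detection stay enabled -->
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  </rootcheck>

  <!-- 3.4: firewall-drop, run locally for alerts of level 6 or higher.
       The timeout makes a mistaken block expire instead of being permanent. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- 3.6: one localfile entry per monitored log; the second is the assumed extra file -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
</ossec_config>
```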

Now that the install is complete, we can start the OSSEC HIDS service by running the following command:

# /opt/ossec/bin/ossec-control start

Of course, with the initial configuration created by the installation script, the OSSEC HIDS might not do much for you just yet. In the next chapter, we cover altering the configuration to better suit your environment. With just a little more work, the OSSEC HIDS will become a powerful defensive tool against the invading hordes.



About the book

OSSEC Host-Based Intrusion Detection Guide is specifically devoted to Open Source Security (OSSEC) and is a comprehensive and exhaustive guide to the often complicated procedures of installing and implementing such intrusion detection software. Purchase the book from Syngress Publishing.

Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "OSSEC Host-Based Intrusion Detection Guide" by Rory Bray, Daniel Cid and Andrew Hay. For more information about this title and other similar books, please visit www.elsevierdirect.com.
