How to Install OSSEC on Ubuntu 16.04

By Hitesh Jethva, Alibaba Cloud Community Blog author. The Blog is a community-driven platform whose aim is to demonstrate Alibaba Cloud’s technical capabilities, brand message, and thought leadership through relevant, compelling content.

OSSEC, which stands for Open Source HIDS SECurity, is a free and open-source host-based intrusion detection system that can monitor anywhere from one to thousands of servers in a server/agent mode. It performs log analysis, rootkit detection, time-based alerting, integrity checking and active response, so you can centrally manage and monitor multiple systems from one place.

In this tutorial, you will learn how to install OSSEC server and OSSEC agent on Alibaba Cloud Elastic Compute Service (ECS) instances installed with Ubuntu 16.04.

Requirements

  • Two newly created ECS instances installed with Ubuntu 16.04, one for the OSSEC server and the other for the OSSEC agent.
  • The OSSEC server instance has the static IP address 192.168.43.192, and the OSSEC agent instance has the IP address 192.168.43.193.
  • A root password is set up for both instances.

Procedure

To install the OSSEC server and agent on ECS instances, follow these steps:

Launch Two Alibaba Cloud ECS Instances

First, log on to your Alibaba Cloud ECS Console and create two ECS instances with Ubuntu 16.04 as the operating system and with at least 2GB RAM. Connect to your ECS instance, and log on as the root user. After you are logged on to your ECS instances installed with Ubuntu 16.04, run the following command to update your base system with the latest available packages.

Getting Started

Before starting, you will need to install some dependencies required by OSSEC. You can install all of them by running the following command:

After all the packages are installed, you can proceed to the next steps.

Install OSSEC

First, you will need to download the latest version of OSSEC from its Git repository. You can download it by running the following command:

After the download is complete, extract the downloaded file with the following command:

Next, change into the ossec-hids-3.1.0 directory:

Install OSSEC by running the install.sh file:

During the installation, you will need to answer a few questions.

The following output is displayed:

Press Enter to continue. The following output will be displayed:

Choose server and press Enter. Then, the following output will be displayed:

Next, choose your installation location and press Enter. The following output is displayed:

Press y and press Enter to receive e-mail notifications. The following output is displayed:

Press y and press Enter. The following output is displayed:

Press Enter for the integrity check daemon. The following output is displayed:

Press y to enable active response. The following output is displayed:

Press y and press Enter to enable the firewall-drop response. The following output is displayed:

Press n and press Enter. The following output is displayed:

Press Enter to enable remote syslog. The following output is displayed:

Finally, press Enter to start the installation. After the installation is complete, you will see the following output:

Next, start OSSEC control service with the following command:

You should see the following output:

Configure OSSEC

The default OSSEC configuration file is located at /var/ossec/etc/ossec.conf. By default, OSSEC does not send an e-mail alert when a new file is added to the server. You can enable this by editing the ossec.conf file:

Find the following lines:

And replace them with these following lines:

By default, OSSEC does not send real-time alerts. To enable this setting, find the following lines:

And replace them with these following lines:

When finished, save and close the file. Next, you will need to edit the rules file local_rules.xml and add a rule for new files added to the system.

Add the following rule inside the … section:

Save the file. Then, restart OSSEC control service to apply all the changes:
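The two ossec.conf edits and the local rule above, as one added shell script that is not part of the original article: it writes the changed files next to the originals so they can be diffed before anything under /var/ossec is replaced. The `alert_new_files`, `realtime` and `report_changes` syscheck options and rule 554 (`syscheck_new_entry`, level 0 in the stock ruleset so it never alerts, raised to level 7 with `overwrite="yes"`) are real OSSEC settings; the sample ossec.conf and local_rules.xml contents are constructed stand-ins, and the script assumes POSIX sh/awk and a local_rules.xml whose closing `</group>` starts at column 0, as in the default file.

```shell
#!/bin/sh
# Added example, not from the original article: apply the syscheck changes
# and the rule override described above to copies of the OSSEC files, so the
# result can be diffed before it replaces anything under /var/ossec.
# Assumes POSIX sh and awk; the OSSEC paths are passed in by the caller.
set -eu

# Constructed stand-in for the <syscheck> block of ossec.conf (no
# alert_new_files entry, directories scanned only on the 22-hour interval).
sample_ossec_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
  </syscheck>
</ossec_config>
EOF
}

# Constructed stand-in for local_rules.xml (one <group>, closing tag at column 0).
sample_local_rules() {
    cat > "$1" <<'EOF'
<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <description>Example local rule.</description>
  </rule>
</group> <!-- SYSLOG,LOCAL -->
EOF
}

# Rewrite $1 into $2: set <alert_new_files>yes</alert_new_files> inside <syscheck>
# and watch /etc,/usr/bin,/usr/sbin in real time (inotify) with report_changes,
# instead of waiting for the next scheduled scan. Safe to run twice.
configure_syscheck() {
    have=0
    grep -q '<alert_new_files>' "$1" && have=1
    awk -v have="$have" '
        # Existing setting: force it to yes.
        /<alert_new_files>/ {
            sub(/<alert_new_files>[a-z]*<\/alert_new_files>/, "<alert_new_files>yes</alert_new_files>")
        }
        # Add realtime and report_changes to the /etc,/usr/bin,/usr/sbin line.
        /<directories check_all="yes">\/etc,\/usr\/bin,\/usr\/sbin<\/directories>/ {
            sub(/check_all="yes"/, "check_all=\"yes\" realtime=\"yes\" report_changes=\"yes\"")
        }
        { print }
        # No existing setting: insert one right after the opening <syscheck> tag.
        /<syscheck>/ && !have { print "    <alert_new_files>yes</alert_new_files>" }
    ' "$1" > "$2"
}

# Rewrite $1 into $2: override rule 554 (stock level 0, so it never alerts) with
# level 7 so a file created in a monitored directory produces an alert.
add_new_file_rule() {
    awk '
        # Emit the override immediately before the closing </group> of the file.
        /^<\/group>/ {
            print "  <rule id=\"554\" level=\"7\" overwrite=\"yes\">"
            print "    <category>ossec</category>"
            print "    <decoded_as>syscheck_new_entry</decoded_as>"
            print "    <description>File added to the system.</description>"
            print "    <group>syscheck,</group>"
            print "  </rule>"
        }
        { print }
    ' "$1" > "$2"
}

# Stand-alone use:
#   sh harden_ossec.sh /var/ossec/etc/ossec.conf /var/ossec/rules/local_rules.xml
# writes <file>.new beside each input; diff, move into place, then restart OSSEC.
if [ $# -eq 2 ]; then
    configure_syscheck "$1" "$1.new"
    add_new_file_rule "$2" "$2.new"
fi
```

Writing to `.new` files rather than editing in place keeps the change reviewable, and the second pass in the test shows the script does not duplicate the setting on an already-hardened file.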

Test OSSEC

You will need to modify a file in the /etc directory and check whether OSSEC sends an e-mail alert. To do so, open the /etc/rc.local file:

Add the following lines:

Save and close the file. Then, after a minute or so (to give OSSEC time to process the change), check your mail with the following command:

You should receive an e-mail alert saying that something changed on your system:
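The same check read from the alert log instead of the mailbox, as an added example that is not part of the original article: /var/ossec/logs/alerts/alerts.log is written whether or not mail delivery works, so it is the place to look when the e-mail from the step above does not arrive. The log sample is constructed in the alerts.log record layout (a header line with the rule groups, a timestamp/source line, a `Rule:` line, then message lines, records separated by a blank line); the script assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original article: summarise syscheck alerts from
# OSSEC's alerts.log so the "did the change get detected?" question can be
# answered without depending on mail delivery. Assumes POSIX sh and awk.
set -eu

# Constructed alerts.log: two syscheck alerts (one from the server itself, one
# from an agent) and one unrelated PAM alert that must be skipped.
sample_alerts() {
    cat <<'EOF'
** Alert 1530000000.12345: mail  - ossec,syscheck,
2018 Jun 26 10:00:00 ossec-server->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/etc/rc.local' added to the file system.

** Alert 1530000060.12400: mail  - ossec,syscheck,
2018 Jun 26 10:01:00 (ossec-agent) 192.168.43.193->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
Size changed from '221' to '245'

** Alert 1530000120.12500: - pam,syslog,authentication_success,
2018 Jun 26 10:02:00 ossec-server->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Jun 26 10:02:00 ossec-server sshd[1234]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF
}

# Read alerts.log on stdin; print one line per syscheck alert:
#   timestamp|source|rule id|level|path
summarize_syscheck_alerts() {
    awk -v q="'" 'BEGIN { RS = ""; FS = "\n" }
        # Only records whose header line carries the syscheck group.
        $1 ~ /syscheck/ {
            rule = ""; level = ""; path = ""
            n = split($2, t, " ")
            ts = t[1] " " t[2] " " t[3] " " t[4]
            # The source is everything after the timestamp up to "->".
            src = t[5]
            for (j = 6; j <= n; j++) src = src " " t[j]
            sub(/->.*/, "", src)
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^Rule: /) {
                    match($i, /Rule: [0-9]+/); rule = substr($i, RSTART + 6, RLENGTH - 6)
                    match($i, /level [0-9]+/); level = substr($i, RSTART + 6, RLENGTH - 6)
                } else if (path == "" && match($i, q "[^" q "]+" q)) {
                    # The first quoted value on a message line is the affected path.
                    path = substr($i, RSTART + 1, RLENGTH - 2)
                }
            }
            print ts "|" src "|" rule "|" level "|" path
        }'
}

# Stand-alone use against the real log:
#   summarize_syscheck_alerts < /var/ossec/logs/alerts/alerts.log
# or against the constructed sample:
#   sample_alerts | summarize_syscheck_alerts
```

Rule 554 in the first record is the override added in the Configure OSSEC section; without it the new-file event stays at level 0 and never reaches this log or the mailbox.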

Install OSSEC Web Interface

You will need to download the OSSEC web UI source from the Git repository. You can download it by running the following command:

After the download is complete, extract the downloaded file with the following command:

Next, copy the extracted directory to the Apache web root directory:

Next, change into the ossec directory and install the OSSEC web UI with the following command:

The output is as follows:

Next, restart the Apache service to apply all the changes:

Now, open your web browser and type the URL http://your-server-ip/ossec. You will be redirected to the OSSEC web interface, as shown in the following image:

Install OSSEC Agent

Now that the OSSEC server is running, it is time to install the OSSEC agent and register it with the OSSEC server. First, log on to the OSSEC agent instance and install the required dependencies with the following command:

Next, download the OSSEC source from the Git repository by running the following command:

Next, extract the downloaded file with the following command:

Change into the ossec-hids-3.1.0 directory:

Next, install the OSSEC agent by running the install.sh file:

During the installation, you will need to answer some questions.

The following output is displayed:

Next, press Enter to continue. You will see the following output:

Choose agent and press Enter. The following output is displayed:

Next, choose your installation location and press Enter. You should see the following output:

Next, provide your OSSEC server IP address and press Enter. You should see the following output:

Press Enter for integrity check daemon. You should see the following output:

Press Enter for the rootkit detection engine. You should see the following output:

Press y to enable active response. You should see the following output:

Add OSSEC Agent to the OSSEC Server

You will need to add the OSSEC agent on the OSSEC server. First, log on to your OSSEC server instance and run the following command:

The following output is displayed:

Select A and press Enter to add a new agent. You should see the following output:

Next, provide the IP address of the agent and press Enter. You will see the following output:

Press y to confirm adding the agent. You will see the following output:

Next, select E to extract the key for the agent and press Enter. You will see the following output:

Next, press Q to quit.

Import Key from OSSEC Server

Next, you will need to import the agent’s key extracted on the server to the OSSEC agent machine. First, log on to the OSSEC agent instance and run the following command:

You should see the following output:

Select I to import the key from the server. You will see the following output:

Paste the key generated on the server and press Enter. The following output is displayed:

Press y and press Enter to confirm the key. After this, your OSSEC server and agent are configured to communicate with each other. Next, restart the OSSEC service on both instances to apply the changes:

On the OSSEC server instance, you can list the active agents by running the following command:

You should see the following output:
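A check for the key hand-off in the two sections above, as an added example that is not part of the original article: the string manage_agents prints under E on the server is the base64 encoding of that agent's client.keys line, `ID NAME IP SECRET` with a 64-character hex secret, so the agent side can decode it and confirm it really is the key for its own IP before pasting it under I. The agent ID, name and secret used here are constructed; the script assumes POSIX sh and a `base64` that accepts `-d` (GNU coreutils).

```shell
#!/bin/sh
# Added example, not from the original article: decode the key string printed
# by manage_agents (E) on the server and check it before importing it (I) on
# the agent. The string is base64 of the client.keys line "ID NAME IP SECRET".
# Assumes POSIX sh and GNU coreutils base64 (-d). Sample values are constructed.
set -eu

# Build a key the way manage_agents encodes one, for a constructed agent.
make_sample_key() {
    # constructed 64-character hex secret, not a real key
    secret=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    printf '%s %s %s %s' "$1" "$2" "$3" "$secret" | base64 | tr -d '\n'
}

# inspect_agent_key KEY EXPECTED_IP
# Prints "id=... name=... ip=..." and returns 0 when the key is well formed and
# belongs to EXPECTED_IP; otherwise prints the reason on stderr and returns 1.
inspect_agent_key() {
    key=$1 want_ip=$2
    line=$(printf '%s' "$key" | base64 -d 2>/dev/null) || {
        echo "key is not valid base64" >&2; return 1; }
    set -f                      # no globbing while splitting the decoded line
    set -- $line                # ID NAME IP SECRET (a trailing newline is harmless)
    set +f
    [ $# -eq 4 ] || { echo "expected 4 fields (ID NAME IP SECRET), got $#" >&2; return 1; }
    id=$1 name=$2 ip=$3 secret=$4
    case $id in ''|*[!0-9]*) echo "agent ID '$id' is not numeric" >&2; return 1 ;; esac
    [ "$ip" = "$want_ip" ] || { echo "key belongs to $ip, not $want_ip" >&2; return 1; }
    [ ${#secret} -eq 64 ] || { echo "secret has ${#secret} chars, expected 64" >&2; return 1; }
    case $secret in *[!0-9a-f]*) echo "secret is not lowercase hex" >&2; return 1 ;; esac
    echo "id=$id name=$name ip=$ip"
}

# Stand-alone use on the agent, with the string copied from the server:
#   inspect_agent_key '<key printed by manage_agents>' 192.168.43.193
```

The IP comparison is the useful part: a key pasted into the wrong agent is accepted by manage_agents but the server will then reject that agent's traffic, which shows up later as an agent that never becomes active in the list above.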

Now, open your web browser and type the URL http://your-server-ip/ossec. You will be redirected to the OSSEC web interface, as shown in the following page:
