OSSEC official website
OSSEC documentation
OSSEC is an open-source host-based intrusion detection system (HIDS). It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, macOS, Solaris, HP-UX, AIX and Windows.
The latest stable version at the time of writing was 2.8 (download page); a newer release, Latest Stable Release (2.8.1), is now available.
OSSEC is deployed in a client/server (agent/manager) model. In what follows the server is 192.168.22.240 and the client (agent) is 192.168.22.241.
Environment: CentOS release 6.4 (Final) x86_64
First disable SELinux and install the usual packages. Disabling SELinux is a hardening trade-off made here purely for convenience; the setting lives in /etc/selinux/config and takes effect after a reboot.
# /etc/selinux/config
SELINUX=disabled
yum install gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat unzip -y
Installing the server
IP: 192.168.22.240
yum install mysql mysql-server mysql-devel httpd php php-mysql -y
tar -xzf ossec-hids-2.8.tar.gz
cd ossec-hids-2.8
cd src/
# make setdb    # must run before install.sh so that ossec-dbd is built with database support
Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.    # MySQL support is what we need; the PostgreSQL message can be ignored
# cd ..
# ./install.sh
The installation dialogue follows. If you mistype at a prompt, hold Ctrl+Backspace to delete.
en                      # language
Enter                   # continue
server                  # install type: server
/usr/local/ossec        # install directory
3.1- Do you want e-mail notification? (y/n) [y]: y
  - What's your e-mail address? Your_mail@163.com
  - What's your SMTP server ip/host? 127.0.0.1
Enter                   # Running syscheck (integrity check daemon)
Enter                   # Running rootcheck (rootkit detection)
Enter                   # Active response enabled
Enter                   # firewall-drop enabled (local) for levels >= 6
  - Do you want to add more IPs to the white list? (y/n)? [n]: y    # IP whitelist: hosts that active response must never block
  - IPs (space separated):
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: Enter
Enter                   # start the installation
Files and controls available after installation:
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents

# /usr/local/ossec/bin/ossec-control --help
Usage: /usr/local/ossec/bin/ossec-control {start|stop|restart|status|enable|disable}

# /usr/local/ossec/bin/ossec-control enable --help
Invalid enable option.
Enable options: database, client-syslog, agentless, debug
Usage: /usr/local/ossec/bin/ossec-control enable [database|client-syslog|agentless|debug]
Enable database output and prepare MySQL. The password 'ossec' below is only a placeholder; use a strong one and keep it consistent with the <database_output> block and analogi's db_ossec.php later on.
# /usr/local/ossec/bin/ossec-control enable database
# service mysqld start
# /usr/bin/mysql_secure_installation
# mysql -uroot -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost identified by 'ossec';
mysql> flush privileges;
mysql> \q
Then load the schema shipped in the source tree:
[root@localhost ossec-hids-2.8]# mysql -uossec -p ossec < src/os_dbd/mysql.schema
Enter password:
vim /usr/local/ossec/etc/ossec.conf    # append the block below at the end of the file; the file is not writable by default, so save with :wq!
<ossec_config>
  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>ossec</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
In the <remote> block for syslog (around line 128 of ossec.conf in this install) add an <allowed-ips> entry so that syslog from this subnet is accepted; add one more <allowed-ips> line for every other source IP or range that needs whitelisting. Note that <allowed-ips> is only a source-address filter on an unauthenticated UDP listener, so it does nothing against spoofed syslog packets.
<remote>
  <connection>syslog</connection>
  <allowed-ips>192.168.22.0/24</allowed-ips>
</remote>

/usr/local/ossec/bin/ossec-control restart
At this point the configured mailbox will already have received an e-mail from OSSEC.
Next, add the agent on the server:
# /usr/local/ossec/bin/manage_agents
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
# answer in turn:
A    # add
Please provide the following:
   * A name for the new agent: agent1
   * The IP Address of the new agent: 192.168.22.241    # IP of the agent host
   * An ID for the new agent[001]: 001
Agent information:
   ID:001
   Name:agent1
   IP Address:192.168.22.241
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
   ID: 001, Name: agent1, IP: 192.168.22.241
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0MSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZsNhZDd3YmFjZjddZTFkMmNj    ## the agent installation needs this key
** Press ENTER to return to the main menu.
Choose your action: A,E,L,R or Q: Q
The long string printed above is the key the client needs. It is a shared secret, so move it to the agent over a secure channel (for example ssh), not by e-mail or chat, and paste it in the "Configure the agent" step under "Installing the client" below.
# netstat -unlp | grep ossec    # OSSEC listens on UDP: 1514 is the agent channel, 514 is the remote syslog listener enabled during installation
udp 0 0 0.0.0.0:514 0.0.0.0:* 4511/ossec-remoted
udp 0 0 0.0.0.0:1514 0.0.0.0:* 4513/ossec-remoted
Open the two ports in iptables (ideally restricted to the agent and syslog subnets with a source match rather than open to everyone):
vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1514 -j ACCEPT
service iptables restart
Installing the client
IP: 192.168.22.241
# tar -xzf ossec-hids-2.8.tar.gz
# cd ossec-hids-2.8
# ./install.sh
Y                       # language; the default is en
Enter                   # start
agent                   # install type: agent
/usr/local/ossec        # install directory
192.168.22.240          # IP of the server; double-check it
Enter                   # Running syscheck (integrity check daemon)
Enter                   # Running rootcheck (rootkit detection)
Enter                   # active response
3.5- Setting the configuration to analyze the following logs:
   -- /var/log/messages
   -- /var/log/secure
   -- /var/log/maillog
   -- /var/log/nginx/error.log (apache log)
Enter                   # start the installation
Files and controls available after installation (no need to run these yet):
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
Configure the agent: paste the key generated on the server above. (It is the agent's shared key, not a private key.)
# /usr/local/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or newlines.
Paste it here (or '\q' to quit): MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0zSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZTNdZDc3YmFjZjdmZTFk5mNj
Agent information:
   ID:001
   Name:agent1
   IP Address:192.168.22.241
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Choose your action: I or Q: Q
# /usr/local/ossec/bin/ossec-control restart    # start the agent
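A key pasted with a stray space, or extracted for the wrong agent, is the usual reason an agent never shows up as Active. The following POSIX shell function is an added example, not code from the original post or from OSSEC itself: it decodes a key string such as the one manage_agents printed in the "Extract key" step above and checks it before the "Import key" step on the agent. It relies on the format OSSEC uses, namely that the exported key is the base64 encoding of the corresponding client.keys line, "<ID> <NAME> <IP> <secret>", with a 64-character hex secret. The agent ID, name, IP and secret in the sample are constructed for the example, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an OSSEC agent key
# before pasting it into manage_agents on the agent. The exported key is the
# base64 encoding of the client.keys line "<ID> <NAME> <IP> <64-hex-secret>".

# decode_agent_key KEY -> prints the decoded client.keys line, fails on bad base64
decode_agent_key() {
    # manage_agents refuses keys containing spaces or newlines, so strip any
    # that crept in while copying (wrapped terminal, pasted from a mail client).
    printf '%s' "$1" | tr -d ' \t\r\n' | base64 -d 2>/dev/null
}

# check_agent_key KEY EXPECTED_ID EXPECTED_IP
# Returns 0 and prints "ok: ..." when the decoded line carries the expected
# agent ID and IP and a well-formed secret; prints the reason and returns 1
# otherwise. The manager matches an agent's traffic against the IP stored with
# its key, so a key cut for the wrong IP never works even though it imports.
check_agent_key() {
    key=$1; want_id=$2; want_ip=$3
    line=$(decode_agent_key "$key") || { echo "not valid base64"; return 1; }
    set -- $line
    [ $# -eq 4 ] || { echo "expected 4 fields (ID NAME IP SECRET), got $#"; return 1; }
    id=$1; name=$2; ip=$3; secret=$4
    [ "$id" = "$want_id" ] || { echo "agent ID mismatch: key is for $id, expected $want_id"; return 1; }
    [ "$ip" = "$want_ip" ] || { echo "agent IP mismatch: key is for $ip, expected $want_ip"; return 1; }
    case $secret in
        *[!0-9a-f]*) echo "secret is not lowercase hex"; return 1 ;;
    esac
    [ "${#secret}" -eq 64 ] || { echo "secret length ${#secret}, expected 64"; return 1; }
    echo "ok: id=$id name=$name ip=$ip"
}

# Constructed sample (made-up secret, not a real key): agent 001 at 192.168.22.241
SAMPLE_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_KEY=$(printf '001 agent1 192.168.22.241 %s' "$SAMPLE_SECRET" | base64 | tr -d '\n')

# Usage on the agent, before running manage_agents:
#   check_agent_key "$SAMPLE_KEY" 001 192.168.22.241
```

Run it on the agent with the string copied from the server and the agent's own ID and IP; only import the key when it prints ok. Because the decoded line is the client.keys entry in clear, treat the pasted string with the same care as the file itself.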
OSSEC's log file:
/usr/local/ossec/logs/ossec.log
Installing the web interface
ossec-wui
cd /var/www
unzip ossec-wui-master.zip
mv ossec-wui-master html/ossec
cd html/ossec/
# edit ossec_conf.php so that $ossec_dir points at the install directory
# cat ossec_conf.php
/* Ossec directory */
#$ossec_dir="/var/ossec";
$ossec_dir="/usr/local/ossec";
# ./setup.sh
Setting up ossec ui...
Username: ossec
New password:
Re-type new password:
Adding password for user ossec
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
apache
Enter your OSSEC install directory path (e.g. /var/ossec)
/usr/local/ossec
You must restart your web server after this setup is done.
Setup completed successfuly.
# vim /etc/httpd/conf.d/ossec.conf
<Directory /var/www/html/ossec>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
    Options FollowSymLinks
    # For access from outside the subnet, comment out or delete the three
    # Order/Deny/Allow lines above and use these instead:
    #AllowOverride None
    #Order deny,allow
    #allow from all
    Options -MultiViews
    AuthName "OSSEC AUTH"
    AuthType Basic
    AuthUserFile /var/www/html/ossec/.htpasswd
    Require valid-user
</Directory>
Two caveats before opening the UI beyond the LAN: Basic authentication sends the password in clear text, so anything other than the subnet whitelist should sit behind TLS (mod_ssl); and the .htpasswd file is kept inside the document root here, which is safe only because httpd's stock configuration refuses to serve files matching ^\.ht. Keeping it outside the document root (e.g. under /etc/httpd) removes that dependency.
Don't forget to open port 80 in iptables. The web UI files must also be owned by the web server user; the chown below is run inside /var/www/html/ossec.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
chown apache:apache *    # in /var/www/html/ossec
service httpd restart
analogi
cd /var/www/html
wget -O analogi-master.zip https://github.com/ECSC/analogi/archive/master.zip    # without -O wget saves the file as master.zip
unzip analogi-master.zip
mv analogi-master ossec/analogi
chown apache:apache -R ossec
cd ossec/analogi
cp db_ossec.php.new db_ossec.php
vim db_ossec.php    # the same credentials as in <database_output>
define('DB_USER_O', 'ossec');
define('DB_PASSWORD_O', 'ossec');
define('DB_HOST_O', 'localhost');
define('DB_NAME_O', 'ossec');
vim /etc/httpd/conf.d/analogi.conf
# The directory must match where analogi was moved above (/var/www/html/ossec/analogi);
# the original config pointed at /var/www/html/analogi, which does not exist after the mv.
<Directory /var/www/html/ossec/analogi>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
    Options FollowSymLinks
    # For access from outside the subnet, comment out or delete the three
    # Order/Deny/Allow lines above and use these instead:
    #AllowOverride None
    #Order deny,allow
    #allow from all
</Directory>
# service httpd restart
Because this directory sits below /var/www/html/ossec, the Basic authentication configured for ossec-wui still applies to analogi, which is what you want: db_ossec.php holds the database password and the dashboard exposes every alert.
Checking status
# /usr/local/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Active
# /usr/local/ossec/bin/list_agents -a
agent1-192.168.22.241 is available.
# /usr/local/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...
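Checking these two outputs by eye once is fine; what you actually want is a check that fails when a daemon is down or an agent stops reporting, so that the HIDS itself is monitored. The shell script below is an added example, not part of the original post or of OSSEC: it parses the line formats of ossec-control status ("<daemon> is running..." / "<daemon> not running...") and agent_control -lc ("ID: 001, Name: agent1, IP: 192.168.22.241, <state>", where <state> is Active, Active/Local, Disconnected or Never connected). The sample output it runs on is constructed, with one daemon down and one extra, disconnected agent that the post does not have.

```shell
#!/bin/sh
# Added example, not from the original post: turn the status output of
# ossec-control and agent_control into a check that fails when a daemon is
# down or an agent is not reporting, so it can run from cron and page someone.

# stopped_daemons: reads ossec-control status output on stdin and prints the
# names of daemons reported as "not running...".
stopped_daemons() {
    awk '/not running/ { print $1 }'
}

# unhealthy_agents: reads agent_control -lc output on stdin and prints
# "ID NAME STATE" for every agent whose state is not Active or Active/Local
# (i.e. Disconnected or Never connected).
unhealthy_agents() {
    awk -F', ' '/^ *ID: / {
        id = $1;   sub(/^ *ID: /, "", id)
        name = $2; sub(/^Name: /, "", name)
        state = $4
        if (state != "Active" && state != "Active/Local") print id, name, state
    }'
}

# ossec_healthcheck STATUS_TEXT AGENTS_TEXT -> returns 0 when everything is
# healthy, 1 otherwise, printing one line per problem.
ossec_healthcheck() {
    bad=0
    down=$(printf '%s\n' "$1" | stopped_daemons)
    if [ -n "$down" ]; then
        printf '%s\n' "$down" | sed 's/^/daemon down: /'
        bad=1
    fi
    missing=$(printf '%s\n' "$2" | unhealthy_agents)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/agent not active: /'
        bad=1
    fi
    return $bad
}

# Constructed sample output: one daemon down and one agent disconnected.
SAMPLE_STATUS='ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
ossec-dbd is running...'

SAMPLE_AGENTS='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Active
   ID: 002, Name: agent2, IP: 192.168.22.242, Disconnected'

# On the real server, feed it the live tools instead of the samples:
#   ossec_healthcheck "$(/usr/local/ossec/bin/ossec-control status)" \
#                     "$(/usr/local/ossec/bin/agent_control -lc)"
```

A disconnected agent is worth treating as an incident rather than noise: an attacker who gains root on a host can simply stop the agent, and from the manager's side that looks identical to a network outage.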
[Screenshot: OSSEC web interface (ossec-wui)]
[Screenshot: analogi web interface]
[Screenshot: alert e-mail sent by OSSEC]