Installing OSSEC 2.8.3 on CentOS 7 Client Server mode

In this how to we will be installing OSSEC Host based intrusion detection system on CentOS 7. We will be using clinet/server deployment which is recomended way to deploy OSSEC on the network where more then one system will be monitored.


Canada colocation

  • Server IP = 192.168.10.10 – OSSEC-SRV
  • Client IP = 192.168.10.5 – OSSEC-Client

Prerequisites

firewall-cmd --permanent --zone=public --add-port=1514/udp
 firewall-cmd --reload

Server Installation

yum install mysql-devel postgresql-devel gcc
wget -U ossec https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz 
tar -zxvf ossec-hids-2.8.3.tar.gz 
cd ossec-hids-2.8.3 cd ossec-hids-2.8.3 
./install.sh
  ** Para instalação em português, escolha [br].
  ** 要使用中文进行安装, 请选择 [cn].
  ** Fur eine deutsche Installation wohlen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en Español , eliga [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvű telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします.選択して下さい.[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском ,введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: 
which: no host in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)


 OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net
 
 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).
 
  - System: Linux h2 3.10.0-123.el7.x86_64
  - User: root
  - Host: h2


  -- Press ENTER to continue or Ctrl-C to abort. --


1- What kind of installation do you want (server, agent, local, hybrid or help)? server 

  - Server installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]: 

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]: 
   - What's your e-mail address? alerts@prolinuxhub.com
   - What's your SMTP server ip/host? 192.168.10.10 (or name of your SMTP relay)

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: 

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: 

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific 
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.  
       More information at:
       http://www.ossec.net/en/manual.html#active-response
       
   - Do you want to enable active response? (y/n) [y]: y

     - Active response enabled.
   
   - By default, we can enable the host-deny and the 
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, 
     portscans and some other forms of attacks. You can 
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]: y

     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 8.8.8.8

   - Do you want to add more IPs to the white list? (y/n)? [n]: 

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: 

   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog

 - If you want to monitor any other file, just change 
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .

At this point your server side install is done.

Install client on CentOS 7

yum install gcc
wget -U ossec https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz 
tar -zxvf ossec-hids-2.8.3.tar.gz 
cd ossec-hids-2.8.3 cd ossec-hids-2.8.3 
./install.sh
 ** Para instalação em português, escolha [br].
  ** 要使用中文进行安装, 请选择 [cn].
  ** Fur eine deutsche Installation wohlen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en Español , eliga [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvű telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします.選択して下さい.[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском ,введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: 
which: no host in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)


 OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net
 
 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).
 
  - System: Linux kvm1.tk 3.10.0-327.3.1.el7.x86_64
  - User: root
  - Host: kvm1.tk


  -- Press ENTER to continue or Ctrl-C to abort. --


1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

  - Agent(client) installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]: 

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.0.10

   - Adding Server IP 192.168.0.10

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: 

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: 

   - Running rootcheck (rootkit detection).

  3.4 - Do you want to enable active response? (y/n) [y]: 


  3.5- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog

 - If you want to monitor any other file, just change 
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .
   
   
   --- Press ENTER to continue ---
                            

Client side installation is done

Connecting server and client

 

On server side

Adding an agent
/var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8.3 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: a

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: OSSEC-Client
   * The IP Address of the new agent: 192.168.0.101
   * An ID for the new agent[001]: 
Agent information:
   ID:001
   Name:OSSEC-Client
   IP Address:192.168.0.5

Confirm adding it?(y/n): y
Extracting the key for an agent
****************************************
* OSSEC HIDS v2.8.3 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: e

Available agents: 
   ID: 001, Name: OSSEC-Client, IP: 192.168.0.5
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is: 
MDAxIE9TU0VDLUNsaWVudCAxOTIuMTY4LjAuMTAxIGY0OTNiYzc5NWIwZTFiMmRlN2U4MjhlYmMxYmQxODRiNWJjMzkzNWI4NmU4MmVmNWVkZThlNTMyMWVlYWRiMTU=

** Press ENTER to return to the main menu.

Copy highlighted agent information key and we are done with server side.

On the client
 /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8.3 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: i

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIE9TU0VDLUNsaWVudCAxOTIuMTY4LjAuMTAxIGY0OTNiYzc5NWIwZTFiMmRlN2U4MjhlYmMxYmQxODRiNWJjMzkzNWI4NmU4MmVmNWVkZThlNTMyMWVlYWRiMTU=

Agent information:
   ID:001
   Name:OSSEC-Client
   IP Address:192.168.0.5

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.

Restart ossec on server and client

/var/ossec/bin/./ossec-control restart

We are now done with install