HOST-BASED INTRUSION DETECTION USING OSSEC

What is Ossec :

It claims to be the world’s most widely used open-source host-based intrusion detection system. In short, we can call it HIDS. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. This is made up of two parts: Ossec server and Ossec agent. The Ossec server is used to monitor other servers that we call Ossec agents. At any time, an agent can be added to the Ossec server for its monitoring and can be removed. For that, server and agent connections need to be established, which we will be discussing. It also provides a Web interface for showing all alerts, logs, and agent information.

Possible scenarios that you might face of Intrusion on your servers:

1) Attacker launched a brute force attack against your machine. Now you need to track him. For that, you need his IP address. First, on your Ossec server, do:

cat/var/ossec/logs/alerts/alerts.log

Where you find Source IP against the alert of SSH insecure connection attempt rule. Secondly, we can get it from a UI-based alert.

2) Attacker has uploaded a script to the server and executed it as the root user. For this, we have a sys check, in which we define all the directories and files to monitor for any kind of changes. In this case, you will receive an alert of integrity checksum change for that file, showing what content has actually changed and by which user the script was executed.

3) Suppose the attacker has changed your system file like /etc/group or /etc/password. In this case, you will receive an alert of the Integrity checksum changed for that system file.

Like this, there can be many possible scenarios where you should use Ossec against any kind of intrusion detection.

Ossec Installation :

Manual Installation of Server/Agent:

A) Install Ossec dependencies:

sudo yum install unzip
sudo yum install gcc-c++ make -y
sudo yum install wget
sudo yum install -y php-cli php-common sendmail inotify-tools

B) Choose Ossec version, download tar file and then untar it:

cd /opt
export VERSION=”3.1.0"
sudo wget https://github.com/ossec/ossec-hids/archive/${VERSION}.tar.gz
sudo tar -xvzf /opt/${VERSION}.tar.gz

C) Execute the script:

sudo sh ossec-hids-${VERSION}/install.sh
a) Select Language: en
b) Press <ENTER> to continue or Ctrl+C to abort
c) Select what kind of installation do you want (server, agent, local, hybrid or help)?: Sever/Agent
d) Choose Installation location /var/ossec: /var/ossec
e) Do you want e-mail notification? (y/n) [y]: y/n
f) Do you want to run the integrity check daemon? (y/n) [y]: y/n
g) Do you want to run the rootkit detection engine? (y/n) [y]: y/n
h) Do you want to enable the firewall-drop response? (y/n) [y]: y/n
i) Press Enter, that’s it you are done with Ossec Server/Agent Installation.

Installation of agent using Bash script(Just to avoid this real time interface):

#!/bin/bash
ossecAgent() {
sudo yum install unzip
sudo yum install gcc-c++ make -y
sudo yum install wget
sudo yum install -y php-cli php-common sendmail inotify-tools
cd /opt
ossec_server_ip=”1.1.1.1"
export VER=”3.1.0"
sudo wget https://github.com/ossec/ossec-hids/archive/${VER}.tar.gz
sudo tar -xvzf /opt/${VER}.tar.gz
cd /opt/ossec-hids-${VER}
sudo sed -i ‘2 i USER_LANGUAGE=$1’ install.sh
sudo sed -i ‘2 i USER_INSTALL_TYPE=$2’ install.sh
sudo sed -i ‘2 i USER_DIR=$3’ install.sh
sudo sed -i ‘2 i USER_AGENT_SERVER_IP=$4’ install.sh
sudo sed -i ‘2 i USER_ENABLE_SYSCHECK=$5’ install.sh
sudo sed -i ‘2 i USER_ENABLE_ROOTCHECK=$6’ install.sh
sudo sed -i ‘2 i USER_ENABLE_ACTIVE_RESPONSE=$7’ install.sh
sudo sed -i ‘2 i USER_ENABLE_SYSLOG=$8’ install.sh
sudo echo -ne ‘\n’ | sudo sh install.sh en agent /var/ossec ${ossec_server_ip} y y y y
sudo sed -i ‘12d’ /var/ossec/etc/ossec.conf
sudo sed -i ‘12d’ /var/ossec/etc/ossec.conf
sudo sed -i ’12 i <directories report_changes=”yes” check_all=”yes” realtime=”yes”>/etc,/usr,/var/log/</directories>’ /var/ossec/etc/ossec.conf
sudo sed -i ’13 i <directories report_changes=”yes” check_all=”yes” realtime=”yes”>/bin,/sbin,/proc,/dev</directories>’ /var/ossec/etc/ossec.conf
}
echo “Installing Ossec Agent”
ossecAgent

#Note :
Enter your Ossec Server Ip here in place of ossec_server_ip=”1.1.1.1″ in bash script.

Now start/stop your Ossec server/agent with :

sudo /var/ossec/bin/ossec-control start/stop

Installation of Ossec Web UI :

A) Clone Ossec Web UI:

cd /opt
sudo git clone https://github.com/ossec/ossec-wui.git

B) Execute Installation Script:

sudo sh ossec-wui/setup.sh
a) Enter Username
b) Enter Password
c) Enter your web server user name : Ex : apache, www, nobody, www-data or www-data

C) Create an Apache virtual host config file:

sudo vim /etc/apache2/sites-enabled/ossec-wui.conf

Place below mentioned config in this:

<VirtualHost *:80>
DocumentRoot /opt/ossec-wui/
ServerName OSSEC_SERVER_IP/ HOST_NAME
ServerAlias OSSEC_SERVER_IP/ HOST_NAME
ServerAdmin admin@admin.com
<Directory /opt/ossec-wui/>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/log/apache2/moodle-error.log
CustomLog /var/log/apache2/moodle-access.log combined
</VirtualHost>

D) Start Apache Server:

sudo a2enmod rewrite
sudo systemctl restart apache2

E) Access your Ossec Server at http://OSSEC_SERVER_IP

Connection between Agent and Server:

For this, we need to do configuration on both the server and the agent. So that they can both establish a connection between them. Make sure to allow UDP Port 1514 traffic through the firewalls or security groups for both the Ossec Server and Agent.

Server Configuration:

A) Create an Agent file containing Agent’s IP and name inside the Ossec server. You can add multiple agents here:

sudo vim /var/ossec/agents and add Agent ip and name into this file.
Ex : 172.10.2.1,Agent1
172.10.2.2,Agent2
Here added 2 agents with agent ip and name with comma separated.

B) Generating keys for agents:

sudo /var/ossec/bin/manage_agents -f /var/ossec/agents

C) Obtain the key for agents:

sudo /var/ossec/bin/manage_agents -e $(cat /var/ossec/etc/client.keys | grep “Agent1/Agent2” | awk {‘print $1’})

 Agent Configuration:

A) Add Server IP to var/ossec/etc/ossec.conf on Agent Server:

vim /var/ossec/etc/ossec.conf
update into file : <server-ip>ossec_server_ip</server-ip>

B) Import the agent keys that you extracted in server configuration step 3:

yes | /var/ossec/bin/manage_agents -i $agent_key

C) Finally restart Ossec server and Agent both with:

sudo /var/ossec/bin/ossec-control restart

D) On Ossec server, list the active agents through command or UI:

sudo /var/ossec/bin/list_agents -c
Output will be like this : agent1–1.1.1.1 is active.

Conclusion

Server security is as paramount as network security because servers often hold a great deal of an organization’s vital information. If a server is compromised, all of its contents may become available for the attacker to steal or manipulate at will. This can lead to heavy losses in business and the defamation of an organization. To ensure your servers are monitored in a dedicated manner, we need a solution, which Ossec is capable of.

Blog Pundit: Bhupender rawat and Sanjeev Pandey

Opstree is an End to End DevOps solution provider

Connect Us

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: