Intrusion detection with OSSEC HIDS

OSSEC is an open-source intrusion detection system that includes log analysis, integrity checking and rootkit detection. As a HIDS, OSSEC should be installed on the system being monitored. Sometimes the full version of OSSEC is not needed: if several machines have OSSEC installed, they can run in client/server mode, with the clients sending their data back to the server through the agent program for analysis. Monitoring several systems from a single machine is economical and practical for enterprise and home users alike. (quoted from 《开源中国》)

Website: http://www.ossec.net/
Download: http://www.ossec.net/files/ossec-hids-2.6.tar.gz
Windows agent: http://www.ossec.net/files/ossec-agent-win32-2.6.exe
OSSEC web interface: http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
Reference: http://www.ossec.net/wiki/index.php/OSSECWUI:Install

Before installing:

1. OSSEC has three installation types: server, agent and local (a stand-alone host that is both sensor and analyser).
2. A local install is done by choosing local; the remaining steps are the same as for a server install.
3. There is normally a single server; every other host is installed as an agent.
4. A server accepts 256 agents by default. To go higher (2048 in this setup), run make setmaxagents in the src directory before ./install.sh and enter the new limit. The agent count is also bounded by the open-file limit of the OSSEC accounts, so append the following to /etc/security/limits.conf (ossecr is the account ossec-remoted runs as). The sysctl -w kern.maxfiles=2048 step sometimes quoted alongside this is a BSD sysctl; on Linux the system-wide ceiling is fs.file-max, which is far above 2048 on any normal box, so limits.conf is the setting that matters here.
ossec soft nofile 2048
ossec hard nofile 2048
ossecr soft nofile 2048
ossecr hard nofile 2048
5. To write alerts to MySQL, run make setdb in the src directory on the server before installing, then enable the database daemon after the install:
$ cd ossec-hids-2.6
$ cd src; make setdb; cd ..
$ ./install.sh
$ /var/ossec/bin/ossec-control enable database
# mysql -u root -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to 'ossec'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> set password for 'ossec'@'localhost' = PASSWORD('ossecpass');
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
The account and host in the GRANT must match <username> and <hostname> in the <database_output> block of ossec.conf (ossec and localhost below). The original had the host part stripped, leaving ossecuser@, which MySQL rejects, and a user name that did not match the configuration.
[root@mail contrib]# pwd
/opt/ossec-hids-2.6/contrib
Change the account and password below to your own. Note that ossec2mysql.conf belongs to the contrib importer ossec2mysql.pl, which is a separate route from the built-in ossec-dbd enabled above; whichever route you use, dbuser here, the GRANT above and <username> in ossec.conf must name the same account.
[root@mail contrib]# cat ossec2mysql.conf
# PARAMS USED BY OSSEC2BASED
dbhost=localhost
database=ossec
debug=5
dbport=3306
dbpasswd=ossecpass
dbuser=ossec
daemonize=0
sensor=centralserver
hids_interface=ossec
resolve=1
[root@mail contrib]#
Load the schema that matches the route you chose. For the built-in ossec-dbd:
# mysql -u root -p ossec < /path/to/ossec-hids-2.6/src/os_dbd/mysql.schema
For the contrib ossec2mysql.pl importer:
# mysql -u root -p ossec < /path/to/ossec-hids-2.6/contrib/ossec2mysql.sql


Edit /var/ossec/etc/ossec.conf
<ossec_config>
  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>ossecpass</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
I. Server installation:
[root@mail opt]# tar xzvf ossec-hids-2.6.tar.gz
[root@mail opt]# cd ossec-hids-2.6
[root@mail ossec-hids-2.6]# ls
active-response BUGS CONFIG contrib CONTRIBUTORS doc etc INSTALL install.sh LICENSE README src
[root@mail ossec-hids-2.6]# ./install.sh

** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]:

OSSEC HIDS v2.6 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux mygod.com 2.6.18-164.el5
- User: root
- Host: mygod.com

-- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local or help)? server

- Server installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:

- Installation will be made at /var/ossec.

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]:
- What's your e-mail address? monit@mygod.com
- What's your SMTP server ip/host? mail.mygod.com

3.2- Do you want to run the integrity check daemon? (y/n) [y]:

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]:

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]:

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:
- 192.168.1.1
- 192.168.1.2

- Do you want to add more IPs to the white list? (y/n)? [n]: y

- IPs (space separated): 192.168.1.0/24
(The white list is the set of sources that active response will never block. Whitelisting the whole 192.168.1.0/24, as this setup does, means firewall-drop and host-deny can never stop a brute force or a scan coming from any internal host, including a compromised one. List only the server itself, the management hosts and the gateway, so that a mistake cannot lock you out but the response still works inside the network.)

3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:

- Remote syslog enabled.

3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/httpd/error_log (apache log)
-- /var/log/httpd/access_log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---
Press Enter and the installation completes.

II. Agent installation:
[root@mail opt]# tar xzvf ossec-hids-2.6.tar.gz
[root@mail opt]# cd ossec-hids-2.6
[root@mail ossec-hids-2.6]# ls
active-response BUGS CONFIG contrib CONTRIBUTORS doc etc INSTALL install.sh LICENSE README src
[root@mail ossec-hids-2.6]# ./install.sh

(en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]:

OSSEC HIDS v2.6 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux web.mygod.com 2.6.18-164.el5
- User: root
- Host: web.mygod.com

-- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local or help)? agent

- Agent(client) installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:

- Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.

3.1- What's the IP Address of the OSSEC HIDS server?: 192.168.1.3   (the server's address)

- Adding Server IP 192.168.1.3

3.2- Do you want to run the integrity check daemon? (y/n) [y]:

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

- Running rootcheck (rootkit detection).

3.4 - Do you want to enable active response? (y/n) [y]:

3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/httpd/error_log (apache log)
-- /var/log/httpd/access_log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---
Press Enter and the installation completes.

Server and agent configuration:
On the server: [root@sucai ~]# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.6 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: a

- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: 192.168.1.4
* The IP Address of the new agent: 192.168.1.4
* An ID for the new agent[234]:
Agent information:
ID:234
Name:192.168.1.4
IP Address:192.168.1.4

Confirm adding it?(y/n): y
Agent added.

****************************************
* OSSEC HIDS v2.6 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: e

Available agents:

ID: 234, Name: 192.168.1.4, IP: 192.168.1.4
Provide the ID of the agent to extract the key (or '\q' to quit): 234

Agent key information for '234' is:
MjM0IDE5Mi4xNjguMS4xIDE5Mi4xNjguMS4xIGExNzQ2MDY0NDg2ZTNkYjhhNDk5ODZkZTM4MzA0YTRiNmU2ZDQ4M2VlZDQ5NDJhMDlmZTRjNDM2MmY2NjBiYjY=

** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.6 Agent manager.     *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: q

** You must restart the server for your changes to have effect.

manage_agents: Exiting ..
On the agent:
[root@localhost tool]# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.6 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: i

Paste the key generated on the server: MjM0IDE5Mi4xNjguMS4xIDE5Mi4xNjguMS4xIGExNzQ2MDY0NDg2ZTNkYjhhNDk5ODZkZTM4MzA0YTRiNmU2ZDQ4M2VlZDQ5NDJhMDlmZTRjNDM2MmY2NjBiYjY=

Then quit. The string is nothing more than a base64 encoding of the agent's line in the server's /var/ossec/etc/client.keys (ID, name, IP and the shared secret), so treat it like a password: anyone holding it can impersonate that agent and feed the server fabricated events. Restart the server after adding agents, as manage_agents says, and the agent after importing its key.
Doing this by hand for dozens or hundreds of hosts would be exhausting, so OSSEC ships a quicker way.
1. Generate the agent keys on the server with the script below:

#!/bin/sh
# Add agents in bulk, naming each by its IP (all.txt holds one agent IP per line),
# then extract every key into key.log, one base64 line per agent.
while read -r ip; do
    [ -n "$ip" ] || continue
    /opt/ossec-hids-2.6/contrib/ossec-batch-manager.pl -a --ip "$ip" -n "$ip"
    /opt/ossec-hids-2.6/contrib/ossec-batch-manager.pl -e "$ip" >> key.log
done < all.txt

2. Remove agents that no longer exist from the ossec-wui display by deleting their entries under /var/ossec/queue/agent-info.
# This step is for a server that is already in production: after an agent's address changes it has to be re-added, and the stale entry must be cleared first.

3. The keys generated in step 1 end up in client.keys in /var/ossec/etc/ on the server.

4. Take the ossec.conf from an agent whose configuration is finished and put it on the FTP/web server.

5. Put the server's client.keys on the FTP/web server as well. That file holds the shared secret of every agent, so anyone who can read the URL (or sniff the plain-HTTP transfer below) can impersonate any agent. Keep it on an internal host reachable only from the agent subnet, remove it as soon as the rollout is done, and prefer pushing each agent's single line over scp from the server, which avoids the exposure entirely.

6. Use the script below on each agent to download the prepared ossec.conf and to cut client.keys down to that agent's own line (derived from the server-side file):
#!/bin/sh
# Runs on each freshly installed agent. Assumes the server's client.keys and a finished
# ossec.conf were placed on the internal web host; the agent keeps only its own key line.
# On a host installed earlier, also enable the service at boot and restart it:
#   chkconfig --level 3 ossec on
#   /var/ossec/bin/ossec-control restart
set -e
cd /var/ossec/etc/
rm -f ./ossec.conf ./client.keys
wget -q --http-user=soft --http-password=soft http://ftp.mygod.com/soft/conf/ossec.conf
wget -q --http-user=soft --http-password=soft -O client.keys.all http://ftp.mygod.com/soft/conf/client.keys
# Address of the interface that reaches the server: eth0 here, eth1 on hosts where that is the uplink.
ip1=$(/sbin/ifconfig eth0 | sed -n '2p' | awk -F: '{print $2}' | awk '{print $1}')
#ip1=$(/sbin/ifconfig eth1 | sed -n '2p' | awk -F: '{print $2}' | awk '{print $1}')
# Keep only the line whose IP field (column 3) is exactly this host's address. The original
# sed -i '/'$ip1'/!d' was a substring match, so 192.168.1.1 also kept 192.168.1.10's key.
awk -v ip="$ip1" '$3 == ip' client.keys.all > client.keys
rm -f client.keys.all
[ -s client.keys ] || { echo "no key for $ip1 in client.keys" >&2; exit 1; }
chown root:ossec client.keys
chmod 640 client.keys
/var/ossec/bin/ossec-control restart

7. Restart every OSSEC instance and check the ossec-wui page; the added agents appear there.

8. Compare the count from /var/ossec/bin/list_agents -a | wc -l against all.txt to spot agents that were missed, and re-add any that failed (list_agents -c lists only the agents currently connected, which is the number that actually matters).
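The key handling in steps 1, 3 and 6 is easier to see in isolation. The script below is an added example, not code from the original post or from the OSSEC project. It builds a small client.keys sample (the first line is the agent from the manage_agents transcript above, the other two are constructed), reproduces the base64 string that manage_agents' (E)xtract prints for it, and writes one single-line key file per agent, matching the IP field exactly so that 192.168.1.1 no longer also selects 192.168.1.10. The file names and the output directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post or OSSEC): work with the server-side
# client.keys, whose lines are  ID NAME IP KEY  (KEY is the agent's shared secret).
# The sample below is constructed for this example; the first entry is the agent
# from the manage_agents transcript above, the other two are made up.

SAMPLE_KEYS="${TMPDIR:-/tmp}/client.keys.sample.$$"
cat > "$SAMPLE_KEYS" <<'EOF'
234 192.168.1.1 192.168.1.1 a1746064486e3db8a49986de38304a4b6e6d483eed4942a09fe4c4362f660bb6
235 192.168.1.10 192.168.1.10 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
236 web01 192.168.1.4 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
EOF

# Print the line(s) whose IP field (column 3) equals $2 exactly.
# A substring match such as  sed '/192.168.1.1/!d'  keeps 192.168.1.10 as well,
# and its unescaped dots would also match 192x168x1x1.
agent_key_line() {
    awk -v ip="$2" '$3 == ip' "$1"
}

# Reproduce what manage_agents "(E)xtract key" prints: base64 of the line, no newline.
# Returns 1 when no agent has that IP.
agent_key_b64() {
    line=$(agent_key_line "$1" "$2")
    [ -n "$line" ] || return 1
    printf '%s' "$line" | base64 | tr -d '\n'
}

# Write one file per agent into $2, named client.keys.<ip>, readable by owner and group only.
# Prints the number of files written; an agent should only ever receive its own file.
split_client_keys() {
    keys="$1"; outdir="$2"; n=0
    mkdir -p "$outdir"
    umask 027
    while read -r id name ip key; do
        [ -n "$key" ] || continue
        printf '%s %s %s %s\n' "$id" "$name" "$ip" "$key" > "$outdir/client.keys.$ip"
        n=$((n + 1))
    done < "$keys"
    echo "$n"
}

# Stand-alone demo (sh script.sh demo): show the extracted key and the split for the sample.
if [ "${1:-}" = "demo" ]; then
    agent_key_b64 "$SAMPLE_KEYS" 192.168.1.1; echo
    split_client_keys "$SAMPLE_KEYS" "${TMPDIR:-/tmp}/agent-keys.$$"
    ls "${TMPDIR:-/tmp}/agent-keys.$$"
fi
```

Pointing agent_key_line at the real /var/ossec/etc/client.keys on the server and the per-agent files at scp gives a rollout where no host ever sees another host's secret.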

III. ossec-wui installation:

1- Download the package:
$ wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
2- Verify the package:
$ wget http://www.ossec.net/files/ui/ossec-wui-0.3-checksum.txt
$ wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz.sig
$ md5 ossec-wui-0.3.tar.gz
MD5 (ossec-wui-0.3.tar.gz) = c79fa486e9a20fb06a517541033af304
$ sha1 ossec-wui-0.3.tar.gz
SHA1 (ossec-wui-0.3.tar.gz) = e00bff680721982ee55295a5292eb4e2a638b820
$ gpg --verify ossec-wui-0.3.tar.gz.sig ossec-wui-0.3.tar.gz
gpg: Signature made Tue Mar 04 14:27:59 2008 AST using RSA key ID 6B30327E
gpg: Good signature from "Daniel B. Cid (Ossec development) "
Primary key fingerprint: 86C6 D33B C52E 19BF DDAE 57EB 4E57 14E2 6B30 327E
(md5 and sha1 are the BSD commands; on Linux use md5sum and sha1sum and compare the digests with the lines in ossec-wui-0.3-checksum.txt. The digests only catch a corrupted download, since whoever can swap the tarball on the download site can swap the checksum file too. The signature is the authenticity check, and "Good signature" only means something once the fingerprint shown above has been confirmed against a copy obtained from somewhere other than the download site.)
3- Unpack it and move it into your web root:
$ tar -zxvf ossec-wui-0.3.tar.gz
# mv ossec-wui-0.3 /var/www/htdocs/ossec-wui
4- Run the setup script (it asks for a username and password and writes the .htaccess/.htpasswd pair that protects the directory):
# cd /var/www/htdocs/ossec-wui
# ./setup.sh
...
5- Add the web server's account (apache, web or nobody, depending on the distribution) to the ossec group:
# vi /etc/group
..
From:
ossec:x:1002:
To (if your web server user is apache):
ossec:x:1002:apache
(usermod -a -G ossec apache does the same without editing the file by hand.)
6- Fix the permissions on the tmp directory:
# chmod 770 tmp/
# chgrp apache tmp/
# apachectl restart
7- Edit php.ini and make sure these settings are at least:
max_execution_time = 180
max_input_time = 180
memory_limit = 30M
8- Log in to the web interface to see the agents and the alert log:
http://IP/ossec-wui/
The interface exposes every alert the server has collected, so make sure Apache really enforces the .htaccess written by setup.sh (AllowOverride AuthConfig for that directory) and keep it off the public internet. Membership in the ossec group gives the web server account read access to the OSSEC logs, so a compromise of the web application also exposes the alert history.
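Step 2 above runs the BSD md5 and sha1 commands by hand and compares the digests by eye. The script below is an added example, not code from the original post or from the OSSEC project: it parses the BSD-style lines of a checksum file ("MD5 (name) = hash" and "SHA1 (name) = hash", the format shown above), computes the digests with whichever tool the host has (md5sum and sha1sum on Linux, md5 and shasum on BSD and macOS) and reports any mismatch. Run without arguments it checks a constructed sample file whose digests are the well-known MD5 and SHA-1 of the string "abc"; the sample name and the temporary paths are assumptions for the example. It deliberately does not replace the gpg step, since a checksum file fetched from the same server as the tarball says nothing about who published it.

```shell
#!/bin/sh
# Added example (not from the original post or OSSEC): verify a downloaded tarball
# against a BSD-style checksum file such as ossec-wui-0.3-checksum.txt.
# Usage: sh verify.sh <checksum-file> <tarball>; with no arguments a constructed sample is checked.

# Print the hex digest of file $2 using algorithm $1 (md5 or sha1), whichever tool exists.
digest() {
    case "$1" in
        md5)
            if command -v md5sum >/dev/null 2>&1; then md5sum "$2" | cut -d' ' -f1
            else md5 -q "$2"; fi ;;
        sha1)
            if command -v sha1sum >/dev/null 2>&1; then sha1sum "$2" | cut -d' ' -f1
            else shasum -a 1 "$2" | cut -d' ' -f1; fi ;;
        *) return 2 ;;
    esac
}

# Pull the expected hash for file name $3 and algorithm $2 out of checksum file $1.
# Lines look like:  SHA1 (ossec-wui-0.3.tar.gz) = e00bff68...   (empty output if absent)
expected_hash() {
    awk -v algo="$(printf '%s' "$2" | tr a-z A-Z)" -v name="$3" \
        '$1 == algo && $2 == ("(" name ")") { print tolower($4) }' "$1"
}

# Return 0 when the file matches every algorithm listed for it, 1 on any mismatch.
verify_download() {
    checksums="$1"; file="$2"; name=$(basename "$file"); ok=0
    for algo in md5 sha1; do
        want=$(expected_hash "$checksums" "$algo" "$name")
        [ -n "$want" ] || continue
        have=$(digest "$algo" "$file")
        if [ "$want" = "$have" ]; then
            echo "$algo OK   $name"
        else
            echo "$algo FAIL $name (expected $want, got $have)"; ok=1
        fi
    done
    return "$ok"
}

if [ "$#" -ge 2 ]; then
    verify_download "$1" "$2"
else
    # Demo on constructed input: a file containing "abc" and its published digests.
    D="${TMPDIR:-/tmp}/ossec-verify-demo.$$"; mkdir -p "$D"
    printf 'abc' > "$D/sample.tar.gz"
    cat > "$D/sample-checksum.txt" <<'EOF'
MD5 (sample.tar.gz) = 900150983cd24fb0d6963f7d28e17f72
SHA1 (sample.tar.gz) = a9993e364706816aba3e25717850c26c9cd0d89d
EOF
    verify_download "$D/sample-checksum.txt" "$D/sample.tar.gz"
    rm -rf "$D"
fi
```

A non-zero exit from verify_download is the signal to discard the download; the gpg fingerprint check from step 2 still has to follow a clean result.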
