Founded by the El Cid of HIDS, Daniel Cid, OSSEC is more than a mere log manager, important as that is. Its active response functionality blocks badness and, by way of a tidy aside, OSSEC routs rootkits.
What's more, this Host-based Intrusion Detection System (HIDS) reports back to us by e-mail or by parsing data to a GUI so we can home in on problems with efficiency. We'll set up OSSEC but, maybe first, take a peek:
Get and verify OSSEC's source files
Rather than being installed from package repositories, OSSEC must be compiled. Really, this is no big deal but you may need some compilation tool or other. Even if you already have this, here's a command that won't hurt:
Now head to OSSEC's downloads page, right-clicking and noting the link location for the latest Unix/Linux version. Assuming root superuser privileges we'll change to a suitable download location and, swapping your noted OSSEC version for this one, get the file:
How to install OSSEC
Here's the command:
You'll be prompted with some questions. First, select a language code or just hit Return for English, then Return again to confirm your system details.
What kind of installation (server, agent, local, or help)?
If you've got just the one server to monitor then you need a local installation. If you've got a bunch of boxes then you can set up each as an agent to report to a central server from where you can centrally manage the lot. Cool huh? This guide assumes you've got just the one machine, in which case type local.
Choose where to install the OSSEC HIDS [/var/ossec]
Plump for the default here.
Configure the OSSEC HIDS
Having asked for an e-mail address to report to, which you should give, this section sets up modules. Say yes to all with one possible exception …
Do you want to add more IPs to the white list?
OSSEC whitelists localhost and your nameservers off the bat. You can add to this list now if you like, else choose no and, if later you have a change of heart, crack open the configuration file and add an IP or IP block (in CIDR notation) to the relevant section:
Set the configuration to analyze the following logs
The script spits out a list of logs it will analyze. Pay attention to that as you continue to follow this tutorial.
Hit Enter and the installation happens, followed by a confirmation worth reading.
How to use OSSEC
Start OSSEC (and say exit from the root superuser). To start, stop, or restart the program, respectively, do this:
Gauge your settings in /var/ossec/etc/ossec.conf, spewed out in easy-read XML. Having edited it, you'll have to restart the app. The main thing is to ensure that all your key log files are being tracked usefully by OSSEC while weeding out false positive alerts.
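The white-list and log-tracking edits above are the two ossec.conf changes most people make, and a mistyped log path is not fatal to OSSEC, so it quietly becomes a blind spot. This added example (not the tutorial's own script) embeds a constructed ossec.conf fragment, with a white-listed IP, a CIDR block and two monitored logs, and checks that every log OSSEC has been told to watch actually exists and is readable; the paths under the temporary directory stand in for /var/log ones.

```shell
#!/bin/sh
# Added example: verify that every <localfile> entry in an ossec.conf points
# at a readable log file before restarting OSSEC. Not part of the tutorial.

# List the <location> of each <localfile> block only (the <location> tag is
# also used inside <active-response>, where it means local/server, not a file).
monitored_logs() {
    awk '/<localfile>/{lf=1} /<\/localfile>/{lf=0}
         lf && match($0, /<location>[^<]*<\/location>/) {
             print substr($0, RSTART+10, RLENGTH-21)
         }' "$1"
}

# Print each monitored log that is missing or unreadable; return 1 if any are.
check_monitored_logs() {
    rc=0
    for f in $(monitored_logs "$1"); do
        [ -r "$f" ] || { echo "MISSING: $f"; rc=1; }
    done
    return $rc
}

# Constructed ossec.conf fragment: white list with one IP and one CIDR block,
# two monitored logs. $DEMO paths are stand-ins for /var/log/... entries.
DEMO=$(mktemp -d)
cat > "$DEMO/ossec.conf" <<EOF
<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.10</white_list>
    <white_list>203.0.113.0/24</white_list>
  </global>
  <localfile>
    <log_format>syslog</log_format>
    <location>$DEMO/auth.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>$DEMO/apache-error.log</location>
  </localfile>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
  </active-response>
</ossec_config>
EOF
touch "$DEMO/auth.log"   # present; apache-error.log is deliberately absent
check_monitored_logs "$DEMO/ossec.conf" || echo "fix ossec.conf, then restart OSSEC"
```

Run it against the real file with `check_monitored_logs /var/ossec/etc/ossec.conf` once the constructed fragment is removed.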
How to update OSSEC
Good point. Download OSSEC's latest version and install the thing just as you did previously. The script recognizes your current release and prompts you to update both the application and your rules-base.
Easing analysis with a GUI
The realtime power of OSSEC lies with the e-mail alerts it throws out. Don't turn this off! The thing is, for many of us at least, we don't want to be tied to yet another ruddy interface and it's relatively easy to scan e-mails, paying attention to the higher-rated alerts.
Then again, GUIs are useful, as much as anything for learning the hackscape, not least about your system, but also for slicing and dicing potential attack routes to shore up.
So have one. You've got options.
OSSEC's web user interface extension is feather-weight on resource but limited on reports. It doesn't have built-in authentication – that login thing – so you'll need to harden the installation using techniques such as htaccess and auth_digest, both of which we got bored of in our Password Protect Directories guide:
Many say Splunk is overkill and, if you're happy with alerts and skimming logs in plain text, maybe it is. Then again, for most of us, and I suspect especially for us WordPress types that tend to be magpie-like about shiny apps and plugins, Splunk is the bee's knees:
Splunk is free for limited use and, aside from its standard features, the cool thing about it is its third party apps which, WordPress-like, can be installed from its dashboard. Those include, notably, one to parse OSSEC's log stream and another for Snort, although the Snorby GUI that we'll be installing for Snort is arguably best of breed for deep analysis:
While wading through the mire of documents takes longer, they're fairly comprehensive and installation itself is, as they promise, a five-minute affair, which sounds familiar. Having registered at the site and once the application's set up you'll have to open its port, 8000, in your firewall and, logging in, should immediately change the default password. Then, head into the Manager, to System Settings and into General Settings to say Yes to Enable SSL (HTTPS) and, while you're there, change the port, closing 8000 and opening a non-default instead. We did this firewall stuff, by the way, in wpCop's iptables firewall guide and, for GUI-types, in the ConfigServer firewall how-to.