OSSEC Host Intrusion Detection on Ubuntu 16.04
Introduction
In this tutorial we will be installing OSSEC host intrusion detection. OSSEC is a free, open-source host intrusion detection system. The client is compatible with almost all of the major operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. In this tutorial we will be installing the OSSEC centralized management server, and I will show you how to add a Windows 10 agent to be monitored and managed.
OSSEC capabilities and features:
- Log analysis
- Integrity checking
- Windows registry monitoring
- Rootkit detection
- Time based alerting
- Active response.
Strengths and weaknesses of the OSSEC HIDS:
Positives:
- Very powerful log analysis engine
- Monitors multi-OS environments with ease
- Supports agentless as well as agent-based monitoring
- Can monitor all user activity on a host, which is not possible with a network-based system
- Can identify attacks that originate from inside the host
- Can monitor activity carried over encrypted traffic, since it runs on the host itself
- No extra hardware, since the software is installed on the hosts
- Cost effective for a small network with a few hosts
Negatives:
- By default, OSSEC restricts the number of agents to 256 per manager (to change this default behaviour OSSEC needs to be compiled from source with some additional options).
- Limited number of alerts per hour.
- Transitioning to newer versions can be difficult; previously defined rules are overwritten by default values on upgrade.
You can find more info on OSSEC here or on their GitHub site here.
System Requirements
- Static IP address
Installation
Connect to your server as the admin user via SSH.
ssh [email protected]
Set a static IP
sudo nano /etc/network/interfaces
Replace
...
auto eth0
iface eth0 inet dhcp
...
with the following
(choose an IP from a non-DHCP range in your network, and the DNS servers of your choosing; I used Google DNS)
...
auto eth0
iface eth0 inet static
address 192.168.1.8
gateway 192.168.1.1
netmask 255.255.255.0
dns-nameservers 8.8.8.8 8.8.4.4
...
Save and close
Reboot
sudo shutdown -r now
Connect to your server on the new IP via SSH.
ssh [email protected]
Download and install OSSEC
# Add the Atomicorp apt sources.list entry
wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
# Update sources
sudo apt-get update && sudo apt-get upgrade -y
# Server
sudo apt-get install ossec-hids-server unzip apache2 libapache2-mod-php7.0 php7.0 php7.0-cli php7.0-common apache2-utils
During the install you will be asked for the email settings:
- Enable email notifications
- Choose the email address(es) the alerts will be sent to
- Choose the from email address
- SMTP server: localhost or 127.0.0.1
(I had some issues setting it to localhost here, so please use 127.0.0.1 instead)
Add the IP of your PC to the whitelist, so that OSSEC's active response never blocks connections (such as SSH) from your PC, by editing the OSSEC config file
sudo nano /var/ossec/etc/ossec.conf
In my case 192.168.1.120; you can add multiple IPs as necessary
...
<global>
<white_list>127.0.0.1</white_list>
<white_list>::1</white_list>
<white_list>192.168.1.120</white_list>
</global>
...
By default OSSEC sends at most 12 emails per hour; we will lower that. You can increase or decrease the limit by adding the following setting to the <global> section:
<email_maxperhour>5</email_maxperhour>
Should look like this:
...
<global>
<email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>127.0.0.1</smtp_server>
<email_from>[email protected]</email_from>
<email_maxperhour>5</email_maxperhour>
</global>
...
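The whitelist above is what keeps active response from blocking your own administration session, so the following added example (my script, not part of the tutorial; the function names and the sample config are mine) checks that a given IP is present in <white_list> and inserts it before </global> if it is missing. It assumes an ossec.conf with a single <global> block and GNU sed, as on Ubuntu.

```shell
# Added example (not from the tutorial): make sure the address you administer from is in
# <white_list> before restarting OSSEC, so active response can never firewall-drop your own
# SSH session. Assumes an ossec.conf with a single <global> block and GNU sed, as on Ubuntu.

# Return 0 if IP already appears in a <white_list> element of CONF.
ossec_whitelisted() {
    conf="$1"
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -q "<white_list>[[:space:]]*${ip_re}[[:space:]]*</white_list>" "$conf"
}

# Insert <white_list>IP</white_list> before </global> unless it is already present.
ossec_add_whitelist() {
    conf="$1"; ip="$2"
    ossec_whitelisted "$conf" "$ip" && return 0
    sed -i "s|^\([[:space:]]*\)</global>|\1  <white_list>${ip}</white_list>\n\1</global>|" "$conf"
    ossec_whitelisted "$conf" "$ip"   # verify the edit actually landed
}

# Constructed sample config that mirrors the tutorial's <global> block.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <white_list>127.0.0.1</white_list>
    <white_list>::1</white_list>
  </global>
</ossec_config>
EOF

# On a real server: ossec_add_whitelist /var/ossec/etc/ossec.conf "${SSH_CLIENT%% *}"
ossec_add_whitelist "$sample_conf" 192.168.1.120
```

Running it a second time for the same IP is a no-op, so it is safe to put in a provisioning script.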
Installing the OSSEC Web Interface
sudo mkdir -p /var/www/html/
cd /var/www/
sudo wget https://github.com/ossec/ossec-wui/archive/master.zip
sudo unzip master.zip -d /var/www/html/
sudo rm master.zip
sudo mv /var/www/html/ossec-wui-master/* /var/www/html/
sudo rm -rf /var/www/html/ossec-wui-master/
cd /var/www/html/
sudo bash setup.sh
Enter your username and password, and choose www-data as your web server username
Setting up ossec ui...
Username: admin
New password:
Re-type new password:
Adding password for user admin
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
www-data
You must restart your web server after this setup is done.
Setup completed successfully.
Restart the web server and allow the required ports through the firewall (HTTP for the web interface, 1514/udp for agent traffic)
sudo ufw allow http
sudo ufw allow 1514/udp
sudo systemctl restart apache2
Test your web interface at
http://your.server.ip
Agents are added and managed with the manage_agents tool, used in the sections below:
sudo /var/ossec/bin/manage_agents
Setting up email alerts using Postfix through MailGun
For additional info on setting up a domain on MailGun:
Setting up a domain with Mailgun
Install postfix
sudo debconf-set-selections <<< "postfix postfix/main_mailer_type select Satellite system"
sudo debconf-set-selections <<< "postfix postfix/mailname string $HOSTNAME"
sudo debconf-set-selections <<< "postfix postfix/relayhost string [smtp.mailgun.org]:587"
sudo apt -y install postfix
Create the SASL credentials file:
sudo nano /etc/postfix/sasl_passwd
And add the following
[smtp.mailgun.org]:587 [email protected]_subdomain_for_mailgun:your_mailgun_smtp_password
Secure your password file, and use the postmap command to update Postfix's lookup tables to use this new file:
sudo chmod 600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
Edit the Postfix config file
sudo nano /etc/postfix/main.cf
and add these lines to the end of the file:
...
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
Now restart Postfix to load the new configuration:
sudo systemctl restart postfix
If you need to send email via an external host, allow the firewall ports (not required if you are using this only for OSSEC):
sudo ufw allow 25/tcp
sudo ufw allow 465/tcp
sudo ufw allow 587/tcp
Setting up Domain Mapping
sudo nano /etc/postfix/generic
Insert a mapping from the local user to the external address, for example:
[email protected]_hostname [email protected]_subdomain_for_mailgun
Now add this file to Postfix by using the postmap command:
sudo postmap /etc/postfix/generic
Then edit your Postfix configuration file and add the mapping file with this line:
sudo nano /etc/postfix/main.cf
smtp_generic_maps = hash:/etc/postfix/generic
Finally, restart Postfix:
sudo systemctl restart postfix
Testing Your Mail Relay
sudo apt -y install mailutils
Sending a test email.
mail -s "Test mail" [email protected] <<< "A test message using Mailgun"
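Before sending the test mail it pays to check the relay settings for the mistakes that silently break delivery. The following added example (my script, not part of the tutorial; the function names and sample files are mine) verifies that the lookup key in sasl_passwd equals relayhost exactly, that the file is mode 600 and that postmap has been re-run after the last edit. It assumes GNU coreutils (stat -c), as on Ubuntu.

```shell
# Added example (not from the tutorial): check the Postfix relay configuration for the
# mistakes that silently break MailGun delivery. The lookup key in sasl_passwd must equal
# relayhost exactly (brackets and port included), the file must be mode 600 and postmap
# must be re-run after every edit. Assumes GNU coreutils (stat -c), as on Ubuntu.

# Print the effective value of a main.cf parameter (the last assignment wins, as in Postfix).
postfix_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Verify MAINCF and SASL_PASSWD agree with each other. Prints each problem; returns 1 if any.
postfix_relay_check() {
    maincf="$1"; pw="$2"; rc=0
    relay=$(postfix_param "$maincf" relayhost)
    [ -n "$relay" ] || { echo "relayhost is not set"; rc=1; }
    [ "$(postfix_param "$maincf" smtp_sasl_auth_enable)" = yes ] \
        || { echo "smtp_sasl_auth_enable is not yes"; rc=1; }
    [ "$(postfix_param "$maincf" smtp_sasl_password_maps)" = "hash:$pw" ] \
        || { echo "smtp_sasl_password_maps does not point at $pw"; rc=1; }
    [ -f "$pw" ] || { echo "$pw is missing"; return 1; }
    [ "$(stat -c %a "$pw")" = 600 ] || { echo "$pw must be mode 600"; rc=1; }
    # Escape '[' and '.' so the relayhost can be used as a literal grep pattern.
    relay_re=$(printf '%s' "$relay" | sed 's/[.[]/\\&/g')
    grep -q "^${relay_re}[[:space:]]" "$pw" \
        || { echo "no sasl_passwd entry whose key equals relayhost '$relay'"; rc=1; }
    if [ -f "$pw.db" ] && [ "$pw" -nt "$pw.db" ]; then
        echo "$pw.db is older than $pw: re-run postmap"; rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the tutorial's settings (placeholder credentials).
tmpd=$(mktemp -d)
cat > "$tmpd/main.cf" <<EOF
relayhost = [smtp.mailgun.org]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$tmpd/sasl_passwd
smtp_sasl_security_options = noanonymous
EOF
printf '%s\n' '[smtp.mailgun.org]:587 postmaster@mg.example.com:PLACEHOLDER_PASSWORD' > "$tmpd/sasl_passwd"
chmod 600 "$tmpd/sasl_passwd"

# On a real server: postfix_relay_check /etc/postfix/main.cf /etc/postfix/sasl_passwd
postfix_relay_check "$tmpd/main.cf" "$tmpd/sasl_passwd" && echo "relay configuration looks consistent"
```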
Adding an agent on the OSSEC server
Adding the agent to the server
Run the agent manager (sudo /var/ossec/bin/manage_agents) and choose A to add an agent
****************************************
* OSSEC HIDS v2.9.2 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
Set the name, IP, and ID for your agent
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: Laptop
* The IP Address of the new agent: 192.168.1.120
* An ID for the new agent[001]: 001
Agent information:
ID:001
Name:Laptop
IP Address:192.168.1.120
Confirm adding it?(y/n): y
Extract the key for your agent
sudo /var/ossec/bin/manage_agents
Choose E to extract the key, enter your agent ID, and copy the agent key for later use on the client
****************************************
* OSSEC HIDS v2.9.2 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: Laptop, IP: 192.168.1.120
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MAAxIExhcHRvcCAxOTIuMTY4LjEuMTIwIGE1NWM3YjhkNzBhNTdlYzlkZmU4YWZlZDRkZmZmOTcwZTFlZmE0MGQzMzZiMTg5NmYwM2MyNmFkODI5M2FjY2M=
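The key manage_agents prints is the base64 encoding of the agent's client.keys line, "ID NAME IP SECRET". The following added example (my script, not part of the tutorial; the function names and the sample key are mine, and the secret in it is a placeholder) decodes a copied key and checks that its ID, name and IP match the agent you just added, which catches a mispasted key before it reaches the Windows agent manager.

```shell
# Added example (not from the tutorial): decode an extracted OSSEC agent key and confirm
# it belongs to the agent you just added before pasting it into the Windows agent manager.
# The key is the base64 of the agent's client.keys line: "ID NAME IP SECRET".

# Print the decoded "ID NAME IP SECRET" line for KEY.
ossec_key_decode() {
    printf '%s' "$1" | base64 -d
}

# Return 0 when KEY's ID, name and IP equal the expected values; print any mismatch.
ossec_key_matches() {
    key="$1"; want_id="$2"; want_name="$3"; want_ip="$4"
    set -- $(ossec_key_decode "$key")
    [ "$#" -eq 4 ] || { echo "unexpected key layout ($# fields, expected 4)"; return 1; }
    rc=0
    [ "$1" = "$want_id" ]   || { echo "ID mismatch: key says $1, expected $want_id"; rc=1; }
    [ "$2" = "$want_name" ] || { echo "name mismatch: key says $2, expected $want_name"; rc=1; }
    [ "$3" = "$want_ip" ]   || { echo "IP mismatch: key says $3, expected $want_ip"; rc=1; }
    return $rc
}

# Constructed sample: what manage_agents would print for agent 001 / Laptop / 192.168.1.120.
# The secret is a placeholder, not a real OSSEC key.
SAMPLE_KEY=$(printf '%s' "001 Laptop 192.168.1.120 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" | base64 | tr -d '\n')

# Typical use: paste the key you copied in place of "$SAMPLE_KEY".
ossec_key_matches "$SAMPLE_KEY" 001 Laptop 192.168.1.120 && echo "key matches agent 001"
```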
Installing the OSSEC agent on Windows 10
Download the Windows client from https://ossec.github.io/downloads.html
The current client at the time of writing was version 2.9.2; pick the version that matches your server:
https://updates.atomicorp.com/channels/atomic/windows/ossec-agent-win32-2.9.2-2154.exe
Launch the installer
Uncheck Scan and monitor IIS logs unless you are running IIS
Choose to run OSSEC agent manager
Enter your server IP and the key copied earlier and click save
Start the OSSEC agent
View and manage alerts on the web interface
That is it: you should have a working host intrusion detection system at this point, with email alerts enabled and a web interface to view and search alerts.
Open the web interface on your server's IP to view all alerts
http://your.server.ip
Here are some useful links about setting up alerts and customizing OSSEC.
OSSEC Documentation
http://ossec-docs.readthedocs.io/en/latest/
Customizing File Integrity
https://perezbox.com/2013/07/ossec-detecting-new-files-understanding-how-it-works/
https://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/
Create Custom decoder and rules
http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/create-custom.html
https://documentation.wazuh.com/2.0/user-manual/ruleset/custom.html
https://sevenminuteserver.com/post/2017-05-04-ossec-for-openvpn/
https://akmalhisyam.my/blog/ossec-creating-custom-rules
Windows Policy Monitoring
https://blog.wazuh.com/file-integrity-monitoring-windows-user-groups/