OSSEC Host intrusion in Ubuntu 16.04

Introduction

In this tutorial we will be installing OSSEC Host Intrusion detection. OSSEC is a free, open-source host intrusion detection system. The client is compatible with almost all of the mayor operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. In this tutorial we will be installing the OSSEC centralized management server and i will show you how to add a Windows 10 agent to be monitored and managed.

OSSEC capabilities and features that can perform :

  • Log analysis
  • Integrity checking
  • Windows registry monitoring
  • Rootkit detection
  • Time based alerting
  • Active response.

Strengths and weaknesses of the OSSEC IPS :

Positives:

  • Very powerful log analysing engine
  • Monitor Multi OS environments with easy
  • OSSEC supports agent less as well as agent based monitoring
  • Can monitor all user activities which is not possible in a network based system
  • It can identify attacks that originate from inside the host.
  • Ability to monitor encrypted traffic.
  • No extra hardware since software is installed on the hosts
  • Cost effective for a small scale network having a few hosts.

Negatives:

  • By default, OSSEC restricts the number of agents to 256 per manager (to change this default behaviour OSSEC needs to be compiled from source with some additional options).
  • Limited number of alerts per hour.
  • Transitioning to newer versions of can be difficult, previously defined rules are overwritten by default values upon upgrading.

You can find more info on OSSEC here or on their GitHub site here

System Requirements

  • Static IP address

Installation

Connect to your server as the admin user via SSH.

ssh [email protected]

Set a static IP

sudo nano /etc/network/interfaces

Replace

...
auto eth0
iface eth0 inet dhcp
...

with thee following
(choose your IP from a non dhcp range in your network,and the DNS of your choosing i used Google DNS)

...
auto eth0
iface eth0 inet static
address 192.168.1.8
gateway 192.168.1.1
netmask 255.255.255.0
dns-nameservers 8.8.8.8 8.8.4.4
...

Save and close

Reboot

sudo shutdown -r now

Connect to your server on the new IP via SSH.

ssh [email protected]

Download and install OSSEC

# Add Apt sources.lst
wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash

# Update sources
sudo apt-get update && sudo apt-get upgrade -y

# Server
sudo apt-get install ossec-hids-server unzip apache2 libapache2-mod-php7.0 php7.0 php7.0-cli php7.0-common apache2-utils

Enable email notifications

ossec

Choose the emails where the alerts will be sent to

ossec2

Choose the from email address

ossec3

localhost or 127.0.0.1
(i had some issues setting it to localhost here so please use 127.0.0.1 instead)

ossec4

Add the IP from your PC to the whitelist so OSSEC will allow ssh connections from your PC by editing the OSSEC config file

sudo nano /var/ossec/etc/ossec.conf

In my case 192.168.1.120 you can also add multiple IP's as necessary

...
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>::1</white_list>
    <white_list>192.168.1.120</white_list>
  </global>
...

By default, OSSEC sends 12 emails per hour, we will modify the following setting to decrease the default. You can increase or decrease that value by adding the following section:

<email_maxperhour>5</email_maxperhour>

Should look like this:

...
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>[email protected]</email_from>
    <email_maxperhour>5</email_maxperhour>
  </global>
...

Installing the OSSEC Web Interface

sudo mkdir -p /var/www/html/

cd /var/www/

sudo wget https://github.com/ossec/ossec-wui/archive/master.zip

sudo unzip master.zip -d /var/www/html/

sudo rm master.zip

sudo mv /var/www/html/ossec-wui-master/* /var/www/html/

sudo rm -rf /var/www/html/ossec-wui-master/

cd /var/www/html/

sudo bash setup.sh

Enter your username, Password and choose www-data as your WebServer username

Setting up ossec ui...
 
Username: admin
New password: 
Re-type new password: 
Adding password for user admin
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
www-data
You must restart your web server after this setup is done.
 
Setup completed successfully.

Restart the Web Server and allow required ports trough the firewall

sudo ufw allow http

sudo ufw allow 1514/udp

sudo systemctl restart apache2

Test your Web Interface at

http://your.server.ip

sudo /var/ossec/bin/manage_agents

Setting up email alerts using Postfix trough MailGun

For additional info on setting up a domain on MailGun:
Setting up a domain with Mailgun

Install postfix

sudo debconf-set-selections <<< "postfix postfix/main_mailer_type select Satellite system"

sudo debconf-set-selections <<< "postfix postfix/mailname string $HOSTNAME"

sudo debconf-set-selections <<< "postfix postfix/relayhost string [smtp.mailgun.org]:587"

sudo apt -y install postfix

Edit the config file and set the credentials file:

sudo nano /etc/postfix/sasl_passwd

And add the following

[smtp.mailgun.org]:587 [email protected]_subdomain_for_mailgun:your_mailgun_smtp_password

Secure your password file, and use the postmap command to update Postfix's lookup tables to use this new file:

sudo chmod 600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd

Edit the Postfix config file

sudo nano /etc/postfix/main.cf

and add these lines to the end of the file:

...
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

Now restart Postfix to load the new configuration:

sudo systemctl restart postfix

If you need to send email using an external host allow firewall ports (If you are using this only for OSSEC this is not required):

sudo ufw allow 25/tcp
sudo ufw allow 465/tcp
sudo ufw allow 587/tcp

Setting up Domain Mapping

sudo nano /etc/postfix/generic

Insert any mapping from local users to external

[email protected]_hostname [email protected]_subdomain_for_mailgun

Now add this file to Postfix by using the postmap command:

sudo postmap /etc/postfix/generic

Then edit your Postfix configuration file to add the mapping file:

sudo nano /etc/postfix/main.cf

Finally, restart Postfix:

sudo systemctl restart postfix

Testing Your Mail Relay

sudo apt -y install mailutils

Sending a test email.

mail -s "Test mail" [email protected] <<< "A test message using Mailgun"

Adding an Agent on the OSSEC server

Adding the Agent to the server

Choose A to add an Agent

****************************************
* OSSEC HIDS v2.9.2 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

Set the name, IP, and ID for your agent

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: Laptop
   * The IP Address of the new agent: 192.168.1.120
   * An ID for the new agent[001]: 001
Agent information:
   ID:001
   Name:Laptop
   IP Address:192.168.1.120

Confirm adding it?(y/n): y

Extract the key for your agent

sudo /var/ossec/bin/manage_agents

Choose E to extract the key, then your agent id and copy the agent key for later use in the client

****************************************
* OSSEC HIDS v2.9.2 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: Laptop, IP: 192.168.1.120
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MAAxIExhcHRvcCAxOTIuMTY4LjEuMTIwIGE1NWM3YjhkNzBhNTdlYzlkZmU4YWZlZDRkZmZmOTcwZTFlZmE0MGQzMzZiMTg5NmYwM2MyNmFkODI5M2FjY2M=

Installing OSSEC agent in a Windows 10

Installing the Windows client from https://ossec.github.io/downloads.html

the current client at the time of writing this was version 2.9.2 pick the version that matches your server

https://updates.atomicorp.com/channels/atomic/windows/ossec-agent-win32-2.9.2-2154.exe

Launch the installer
agent

Uncheck Scan and monitor IIS logs unless you are running IIS

agent2

Choose to run OSSEC agent manager

agent4

Enter your server IP and the key copied earlier and click save

agent5

Start the OSSEC agent

agent6

View and manage alerts on the Web Interface

That is it you should have a working host intrusion detection system at this point with email alerts enables, and a web interface to view and search alerts.

Open the web interface on your servers IP to view all alerts

http://your.server.ip

web-1

Here are some useful links about setting up alerts and cutomizing OSSEC.

OSSEC Documentation

https://ossec.github.io/docs/

http://ossec-docs.readthedocs.io/en/latest/

Customizing File Integrity

https://perezbox.com/2013/07/ossec-detecting-new-files-understanding-how-it-works/

https://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/

Create Custom decoder and rules

http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/create-custom.html

https://documentation.wazuh.com/2.0/user-manual/ruleset/custom.html

https://sevenminuteserver.com/post/2017-05-04-ossec-for-openvpn/

https://akmalhisyam.my/blog/ossec-creating-custom-rules

Windows Policy Monitoring

https://blog.wazuh.com/file-integrity-monitoring-windows-user-groups/