Home Server OSSEC

Index.

27-Mar-2012: initial release.
18-Jan-2013: adjusted for Slackware
19-Apr-2015: adjusted for LXC.

 

Introduction.

OSSEC is an open source host-based intrusion detection system. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. On our home server a single instance runs on the host and reads the log files of the LXC containers directly through the host file system, so it doesn't matter which of our servers is being attacked: all information is processed and analyzed in one place. When an intrusion attempt is detected, an active-response script blocks the offending IP address in the firewall on the gateway for a certain time.

The official web site has all the documentation; you should really take a look at it to see how it works and how to adjust it to your own situation.

 

Installation.

There are three different packages available from this site:

  • ossec-local
  • ossec-server
  • ossec-agent

The ossec-local package is for standalone systems and is the one we will use. The other two packages were built for networked systems that I don't use anymore; in the future they will not be built again. One instance of ossec is enough here because the host can see the file systems of all containers, so it can read every log file you have.

 

Configuration.

All the configuration files are located under /var/ossec/etc. To parse all kinds of log files and messages, ossec uses rules files. These rules files are located under /var/ossec/rules. The only rule file that is not touched during a package upgrade is /var/ossec/rules/local_rules.xml so you should only make changes in that file.

The configuration file is /var/ossec/etc/ossec.conf; the diff against the file shipped with the package looks like this:

--- ossec.conf.new 2015-04-13 20:05:47.000000000 +0200
+++ ossec.conf 2015-04-13 22:07:08.215722966 +0200
@@ -1,6 +1,9 @@
 <ossec_config>
 <global>
- <email_notification>no</email_notification>
+ <email_notification>yes</email_notification>
+ <email_to>admin@wpl.uk</email_to>
+ <smtp_server>mail.wpl.ym</smtp_server>
+ <email_from>ossec@wpl.uk</email_from>
 </global>

 <rules>
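Review bot: the SMTP relay `mail.wpl.ym` is in a different domain than the addresses `admin@wpl.uk` and `ossec@wpl.uk`; if `.ym` is a typo, ossec-maild will never deliver an alert, so check that the name resolves from the host. ossec-maild speaks plain SMTP without authentication, so the relay must accept mail from this host's address as-is, and a brute-force burst will produce one mail per alert at or above `email_alert_level` unless you cap it with `<email_maxperhour>` in the same `<global>` block.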
@@ -72,37 +75,32 @@
 <frequency>79200</frequency>
 
 <!-- Directories to check (perform all possible verifications) -->
- <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
- <directories check_all="yes">/bin,/sbin</directories>
+ <directories check_all="yes">/etc</directories>

 <!-- Files/directories to ignore -->
 <ignore>/etc/mtab</ignore>
 <ignore>/etc/mnttab</ignore>
 <ignore>/etc/hosts.deny</ignore>
 <ignore>/etc/mail/statistics</ignore>
+ <ignore>/etc/ntp/ntp.drift</ignore>
 <ignore>/etc/random-seed</ignore>
 <ignore>/etc/adjtime</ignore>
 <ignore>/etc/httpd/logs</ignore>
 <ignore>/etc/utmpx</ignore>
 <ignore>/etc/wtmpx</ignore>
 <ignore>/etc/cups/certs</ignore>
+ <ignore>/etc/cups/subscriptions.conf</ignore>
+ <ignore>/etc/cups/subscriptions.conf.0</ignore>
+ <ignore>/etc/cups/printers.conf</ignore>
+ <ignore>/etc/cups/printers.conf.0</ignore>
+ <ignore>/etc/cups/classes.conf</ignore>
+ <ignore>/etc/cups/classes.conf.0</ignore>
+ <ignore>/etc/printcap</ignore>
 <ignore>/etc/dumpdates</ignore>
+ <ignore>/etc/amanda/example</ignore>
+ <ignore>/etc/amanda/mbse/changer</ignore>
 <ignore>/etc/svc/volatile</ignore>
-
- <!-- Windows files to ignore -->
- <ignore>C:\WINDOWS/System32/LogFiles</ignore>
- <ignore>C:\WINDOWS/Debug</ignore>
- <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
- <ignore>C:\WINDOWS/iis6.log</ignore>
- <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
- <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
- <ignore>C:\WINDOWS/Prefetch</ignore>
- <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
- <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
- <ignore>C:\WINDOWS/Temp</ignore>
- <ignore>C:\WINDOWS/system32/config</ignore>
- <ignore>C:\WINDOWS/system32/spool</ignore>
- <ignore>C:\WINDOWS/system32/CatRoot</ignore>
+ <ignore>/etc/amanda/example</ignore>
 </syscheck>

 <rootcheck>
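Review bot: `<ignore>/etc/amanda/example</ignore>` is added twice in this hunk, once after /etc/dumpdates and again where the Windows block was removed; drop one. The bigger problem is that replacing the two `<directories>` lines with `/etc` alone takes /bin, /sbin, /usr/bin and /usr/sbin out of syscheck, so a replaced binary (a backdoored sshd or a rootkit's ls) no longer produces an integrity alert; keep `<directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>` and handle noise from package upgrades with `<ignore>` entries instead. Note also that nothing under /var/lib/lxc is listed, so the containers' file systems get no integrity checking at all.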
@@ -117,16 +115,17 @@
 <global>
 <white_list>127.0.0.1</white_list>
 <white_list>^localhost.localdomain$</white_list>
- <white_list>10.126.151.231</white_list>
+ <white_list>10.126.160.0/24</white_list>
+ <white_list>10.126.161.0/24</white_list>
+ <white_list>10.126.162.0/24</white_list>
+ <white_list>10.126.163.0/24</white_list>
 </global>
 
- <remote>
- <connection>syslog</connection>
- </remote>
-
- <remote>
+ <!-- <remote>
 <connection>secure</connection>
- </remote>
+ <allowed-ips>10.126.164.0/24</allowed-ips>
+ <local_ip>10.126.164.1</local_ip>
+ </remote> -->
 
 <alerts>
 <log_alert_level>1</log_alert_level>
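Review bot: widening `<white_list>` from one host to four /24 networks means active response will never block anything in 10.126.160.0 through 10.126.163.255, including a compromised container or client in those ranges; the white list should hold only the management addresses you cannot afford to lock out. Commenting out `<remote>` is consistent with the ossec-local install (no agents), but the `<allowed-ips>` and `<local_ip>` values are now dead configuration; remove them rather than leave a block that can be re-enabled without the white list being revisited.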
@@ -147,6 +146,13 @@
 </command> 
 
 <command>
+ <name>ipset-drop</name>
+ <executable>ipset.sh</executable>
+ <expect>srcip</expect>
+ <timeout_allowed>yes</timeout_allowed>
+ </command>
+
+ <command>
 <name>disable-account</name>
 <executable>disable-account.sh</executable>
 <expect>user</expect>
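Review bot: with `<expect>srcip</expect>` and `<timeout_allowed>yes</timeout_allowed>`, ossec-execd will run `ipset.sh` with `add` when a rule fires and again with `delete` once the timeout of the `<active-response>` that references `ipset-drop` expires, so the script must implement both actions using the same argument positions as the stock firewall-drop.sh (action, user, ip, alert id, rule id). `<executable>` is resolved relative to /var/ossec/active-response/bin and the script is not in the package, so verify it is installed there and executable. The ip argument is taken straight from the decoded log line, so the script has to validate it as an address before handing it to ipset.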
@@ -167,75 +173,54 @@
 <timeout_allowed>yes</timeout_allowed>
 </command>
 
-
- <!-- Active Response Config -->
- <active-response>
- <!-- This response is going to execute the host-deny
- - command for every event that fires a rule with
- - level (severity) >= 6.
- - The IP is going to be blocked for 600 seconds.
- -->
- <command>host-deny</command>
- <location>local</location>
- <level>6</level>
- <timeout>600</timeout>
- </active-response>
-
 <active-response>
+ <disabled>no</disabled>
 <!-- Firewall Drop response. Block the IP for
- - 600 seconds on the firewall (iptables,
+ - 1800 seconds on the firewall (iptables,
 - ipfilter, etc).
 -->
- <command>firewall-drop</command>
+ <command>ipset-drop</command>
 <location>local</location>
 <level>6</level>
- <timeout>600</timeout> 
+ <timeout>1800</timeout> 
 </active-response> 
 
 <!-- Files to monitor (localfiles) -->
 
 <localfile>
 <log_format>syslog</log_format>
- <location>/var/log/messages</location>
- </localfile>
-
 <!-- Files to monitor (localfiles) -->
 
 <localfile>
 <log_format>syslog</log_format>
- <location>/var/log/messages</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
 <location>/var/log/secure</location>
 </localfile>
-
 <localfile>
 <log_format>syslog</log_format>
- <location>/var/log/syslog</location>
+ <location>/var/lib/lxc/*/rootfs/var/log/secure</location>
 </localfile>
 
 <localfile>
 <log_format>syslog</log_format>
- <location>/var/adm/syslog</location>
+ <location>/var/log/messages</location>
 </localfile>
-
 <localfile>
 <log_format>syslog</log_format>
- <location>/var/adm/messages</location>
+ <location>/var/lib/lxc/*/rootfs/var/log/messages</location>
 </localfile>
 
 <localfile>
 <log_format>syslog</log_format>
 <location>/var/log/maillog</location>
 </localfile>
-
 <localfile>
- <log_format>command</log_format>
- <command>df -h</command>
+ <log_format>syslog</log_format>
+ <location>/var/lib/lxc/*/rootfs/var/log/maillog</location>
 </localfile>
 
 <localfile>
- <log_format>full_command</log_format>
- <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
+ <log_format>mysql_log</log_format>
+ <location>/var/lib/mysql/homsrv.err</location>
 </localfile>
 
 <localfile>
- <log_format>full_command</log_format>
- <command>last -n 5</command>
+ <log_format>apache</log_format>
+ <location>/var/lib/lxc/11-nginx/rootfs/var/log/nginx/*access.log</location>
 </localfile>
</ossec_config>
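Review bot: the first `<localfile>` after the "Files to monitor" comment is left with only a `<log_format>` and no `<location>` or closing `</localfile>` before the next `<localfile>` opens, which is not well-formed; delete those two lines together with the removed `<location>/var/log/messages</location>` and `</localfile>` (the /var/log/messages entry survives further down). Dropping the `command` and `full_command` entries (`df -h`, `netstat ... LISTEN`, `last -n 5`) also disables the stock rules that alert on a new listening port or a full partition; if the netstat output was the noise, keep at least that one. Two caveats on the new entries: the `/var/lib/lxc/*/rootfs/...` wildcards are expanded when ossec-logcollector starts, so check ossec.log after creating a container and restart if its paths are missing, and `<log_format>apache</log_format>` on the nginx access log only works while nginx keeps the default combined log format.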

 

Most of the changes you need are log file names and locations. To change an existing rule, copy it to local_rules.xml, add overwrite="yes" to the <rule> element and make the desired change there; rules you write yourself get an id in the range reserved for local rules (100000-119999), as the rules below do. Use for example the following /var/ossec/rules/local_rules.xml:

<!-- /var/ossec/rules/local_rules.xml at homsrv -->
<!-- Modify it at your will. -->

<group name="local,syslog,">

  <!-- Frequency was 6, but only allow 2 bad names
    -  Timeframe from 120 to 600 for slow scanners
    -->
  <rule id="5712" level="10" frequency="2" timeframe="600" ignore="60" overwrite="yes">
    <if_matched_sid>5710</if_matched_sid>
    <description>SSHD brute force trying to get access to </description>
    <description>the system.</description>
    <same_source_ip />
    <group>authentication_failures,</group>
  </rule>

  <!-- Frequency was 6, but only allow 2 bad passwords
    -->
  <rule id="5720" level="10" frequency="2" overwrite="yes">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="100201" level="0">
    <if_sid>1002</if_sid>
    <program_name>^transmission-daemon</program_name>
    <description>Ignored transmission-daemon event.</description>
  </rule>

  <rule id="100202" level="0">
    <if_sid>1002</if_sid>
    <program_name>^nagios</program_name>
    <description>Ignored nagios event.</description>
  </rule>

  <rule id="100301" level="2">
    <if_sid>1002</if_sid>
    <program_name>^smartd</program_name>
    <description>SMART event, please finish this rule.</description>
  </rule>

  <rule id="100401" level="2">
    <if_sid>1002</if_sid>
    <program_name>^aiccu</program_name>
    <description>AICCU event, please finish this rule.</description>
  </rule>

  <rule id="100402" level="0">
    <if_sid>1002</if_sid>
    <regex>\Serror</regex>
    <description>Ignore error in a word.</description>
  </rule>

  <rule id="100501" level="0">
    <if_sid>1002</if_sid>
    <program_name>^sshd</program_name>
    <regex>open failed: administratively prohibited</regex>
    <description>Ignore sshd error.</description>
  </rule>

  <rule id="100601" level="0">
    <if_sid>1002</if_sid>
    <program_name>^dbus</program_name>
    <regex>Failed to activate service 'org.freedesktop.Avahi': timed out</regex>
    <description>Ignore dbus error starting inactive avahi.</description>
  </rule>

  <!-- Override existing rules -->
  <rule id="31102" level="0" overwrite="yes">
    <if_sid>31101</if_sid>
    <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$</url>
    <compiled_rule>is_simple_http_request</compiled_rule>
    <description>Ignored extensions on 400 error codes.</description>
  </rule>

  <rule id="31151" level="10" frequency="5" timeframe="120" overwrite="yes">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 400 error codes </description>
    <description>from same source ip.</description>
    <group>web_scan,recon,</group>
  </rule>

  <rule id="31153" level="10" frequency="4" timeframe="120" overwrite="yes">
    <if_matched_sid>31104</if_matched_sid>
    <same_source_ip />
    <description>Multiple common web attacks from same source ip.</description>
    <group>attack,</group>
  </rule>

</group> <!-- SYSLOG,LOCAL -->

<group name="syslog,postfix,">

  <rule id="3357" level="10" frequency="3" timeframe="120" overwrite="yes">
    <if_matched_sid>3332</if_matched_sid>
    <same_source_ip />
    <description>Multiple SASL authentication failures.</description>
    <group>authentication_failures,attack,</group>
  </rule>

</group> <!-- SYSLOG,POSTFIX -->

<!-- EOF -->
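Before restarting, check that the overridden rules actually fire the way the comments claim. The following is an added example, not part of the page or the download: it feeds a small burst of constructed sshd failures (a documentation-range IP, not a real attacker) through /var/ossec/bin/ossec-logtest, which runs lines through the decoders and rules exactly as ossec-analysisd would and reports the rule each line ends up in, and checks that the last rule matched is the correlated one (5712). The line count is a parameter on purpose: the OSSEC rule documentation warns that the count which actually triggers a rule is not simply the `frequency` value, so tune against what ossec-logtest reports rather than assuming.

```shell
#!/bin/sh
# Added example, not from the page: verify local_rules.xml overrides with
# ossec-logtest. Path assumed from the package layout used on this page.
LOGTEST="${LOGTEST:-/var/ossec/bin/ossec-logtest}"

# Print $2 sshd "Invalid user" failures from source $1, one per line, in the
# syslog format OSSEC's sshd decoder expects. Different user names, as a
# scanner would try. Constructed sample data, not real log lines.
sshd_failures() {
    _ip=$1
    _n=$2
    _i=1
    while [ "$_i" -le "$_n" ]; do
        printf 'Apr 19 10:00:%02d homsrv sshd[1234]: Invalid user test%d from %s\n' \
            "$_i" "$_i" "$_ip"
        _i=$((_i + 1))
    done
}

# Read ossec-logtest output on stdin and print the ids of the rules it
# matched, one per line, in order. ossec-logtest prints them as
#        Rule id: '5710'
matched_rule_ids() {
    sed -n "s/^[[:space:]]*Rule id: '\([0-9][0-9]*\)'.*/\1/p"
}

# Feed stdin through ossec-logtest and succeed only if the last rule matched
# is $1, i.e. the correlated rule fired on the final line of the burst.
# Usage:  sshd_failures 203.0.113.5 2 | expect_last_rule 5712
expect_last_rule() {
    _want=$1
    _got=$($LOGTEST 2>/dev/null | matched_rule_ids | tail -n 1)
    if [ "$_got" = "$_want" ]; then
        echo "ok: last rule $_got"
        return 0
    fi
    echo "FAIL: wanted rule $_want, last rule was '${_got:-none}'" >&2
    return 1
}
```

Run `sshd_failures 203.0.113.5 2 | expect_last_rule 5712` after editing local_rules.xml; if it reports 5710 as the last rule, raise the count until 5712 appears and you know the real threshold of your override. The same harness works for the postfix override (rule 3357) with constructed SASL failure lines.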

 

After this start ossec and check it:

root@homsrv:~# /etc/rc.d/init.d/ossec start
Starting OSSEC-HIDS 
root@homsrv:~# /etc/rc.d/init.d/ossec status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
root@homsrv:~#

 

Firewall.

When an intruder or other misbehaving system is detected, ossec runs the script /var/ossec/active-response/bin/ipset.sh. This script is not part of the OSSEC package; it was written for this setup to block systems in the firewall on the gateway server. It does this by adding and, when the timeout expires, removing the offending addresses in the ipset set global-blk4 or global-blk6. You will find this script in the download package.
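What such a script can look like, as an added example written for this page and not the ipset.sh from the download: it follows the argument order ossec-execd uses for every active-response script (action, user, source IP, alert id, rule id), refuses anything in the IP slot that is not an address, and picks global-blk4 or global-blk6 by address family. Assumed, not from the page: the set names as defaults that can be overridden from the environment, that the sets already exist (for example created with `ipset create global-blk4 hash:ip family inet` and `ipset create global-blk6 hash:ip family inet6`), and that IPSET_CMD is pointed at the gateway (for instance `lxc-attach -n <gateway-container> -- ipset`) when the sets live in a container rather than on the host.

```shell
#!/bin/sh
# Added example: ipset-based active response for the "ipset-drop" command.
# Not the ipset.sh from the download package. ossec-execd calls it as
#   ipset.sh <action> <user> <srcip> <alert-id> <rule-id>
# with <action> = add when the rule fires and delete when <timeout> expires.
IPSET_CMD="${IPSET_CMD:-ipset}"            # assumption: set to "lxc-attach -n <gw> -- ipset" if the sets live in the gateway container
SET_V4="${SET_V4:-global-blk4}"            # set names as used on this page
SET_V6="${SET_V6:-global-blk6}"
AR_LOG="${AR_LOG:-/var/ossec/active-response/active-responses.log}"

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _oct in "$@"; do
        [ "$_oct" -le 255 ] || return 1
    done
    return 0
}

# True if $1 looks like an IPv6 address: only hex digits and colons, at least
# two colons. Good enough to pick a set; ipset rejects malformed input itself.
is_ipv6() {
    case "$1" in
        *[!0-9A-Fa-f:]*) return 1 ;;
        *:*:*) return 0 ;;
    esac
    return 1
}

# Print the set an address belongs in; fail and print nothing for anything
# else. The third argument comes straight from the decoded log line, so this
# is the only thing standing between a crafted log entry and the ipset call.
set_for() {
    if is_ipv4 "$1"; then
        echo "$SET_V4"
    elif is_ipv6 "$1"; then
        echo "$SET_V6"
    else
        return 1
    fi
}

# Run the add or delete. -exist makes a second add for the same source
# (several alerts inside the timeframe) and a delete for an entry that is
# already gone harmless instead of an error in active-responses.log.
ipset_action() {
    _action=$1
    _ip=$2
    _set=$(set_for "$_ip") || { echo "ipset.sh: refusing '$_ip'" >&2; return 2; }
    case "$_action" in
        add)    $IPSET_CMD -exist add "$_set" "$_ip" ;;
        delete) $IPSET_CMD -exist del "$_set" "$_ip" ;;
        *)      echo "ipset.sh: unknown action '$_action'" >&2; return 2 ;;
    esac
}

# ossec-execd always passes at least the five arguments above; with none
# (for example when the file is sourced to test the functions) do nothing.
if [ $# -ge 3 ]; then
    echo "$(date) $0 $1 $2 $3 $4 $5" >> "$AR_LOG"
    ipset_action "$1" "$3"
fi
```

With `<timeout_allowed>yes</timeout_allowed>` the same script is called again with `delete` after the 1800 seconds configured in the active-response block, so both branches matter; a script that only implements `add` leaves every blocked address in the set until the gateway is rebooted.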

 

Download.

See the download page for the script and configuration files.