Install OSSEC



Product Name: OSSEC
Product Version: 2.3
Homepage: http://www.ossec.net/
Description: OSSEC is an Open Source Host-based intrusion detection system. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS, Solaris and Windows. It has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed. It was written by Daniel B. Cid and made public in 2004.

OSSEC watches the logs, files and processes on your system and e-mails you when something looks strange or really fishy.

Every alert carries a level. OSSEC rule levels run from 0 (ignored) to 15 (most severe), and the ossec.conf written by the installer only mails alerts of level 7 and above (the <email_alert_level> setting under <alerts>). The higher the level, the more urgent the mail: if LEVEL 10 and up mails show up, you need to read them :)

Step 1: Installing OSSEC from Source

The tarball is fetched over plain HTTP, so compare its checksum with the one published on the OSSEC download page before unpacking it. install.sh compiles OSSEC from source, so a C compiler and make must be present on the host.

cd /usr/local/src
wget http://www.ossec.net/files/ossec-hids-2.3.tar.gz
tar -zxf ossec-hids-2.3.tar.gz
cd ossec-hids-2.3
./install.sh

Step 2: Answer the installer prompts. The ./install.sh run from Step 1 asks the questions below; my choices are marked with <--

Choice 1:
(en/br/cn/de/el/es/fr/it/jp/pl/ru/sr/tr) [en]: <-- Enter
Choice 2:
1- What kind of installation do you want (server, agent, local or help)? <-- local (one host that analyses its own logs; server/agent is for managing several hosts centrally)
Choice 3:
- Choose where to install the OSSEC HIDS [/var/ossec]: <-- Enter
Choice 4:
3.1- Do you want e-mail notification? (y/n) [y]: <-- Enter
Choice 4.1:
- What's your e-mail address? <-- Fill in the address the alerts should go to
Choice 4.2: The installer looks up the mail server (MX record) for that address and offers it. Press Y to use it; if sendmail or another MTA is running on this server, answer N instead and give localhost at the next question.
- Do you want to use it? (y/n) [n]: <-- Press Y
Choice 4.3: (only asked if you answered N above)
- What's your SMTP server ip/host? <-- localhost or your mail relay. If alerts do not arrive, change <smtp_server> in the <global> section of /var/ossec/etc/ossec.conf later.
Choice 5:
3.2- Do you want to run the integrity check daemon? (y/n) [y]: <-- Enter (syscheck: alerts when system files and binaries change)
Choice 6:
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: <-- Enter
Choice 7:
- Do you want to enable active response? (y/n) [y]: <-- Press Enter
Choice 8:
- Do you want to enable the firewall-drop response? (y/n) [y]: <-- Press Enter (on Linux this adds iptables rules that temporarily block an IP whose events reach the configured alert level, e.g. an SSH brute-force source)
Choice 9: Press Y to add IPs to the whitelist, N to continue.
- Do you want to add more IPs to the white list? (y/n)? [y]: <-- Press Y and add the IP you administer the server from, so the firewall-drop response can never lock you out.
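If you would rather not answer the prompts by hand (for instance when building several hosts the same way), install.sh reads its answers from etc/preloaded-vars.conf inside the unpacked source tree. The script below is an added example and not part of the original post: it writes that file with the same answers as the walkthrough above and refuses to go on if firewall-drop is enabled but nothing is whitelisted, which is the one answer that can lock you out. The variable names follow the commented template shipped as etc/preloaded-vars.conf in the 2.x tarball; compare them with your copy before relying on this. The address alerts@example.com, the relay localhost and the admin IP 203.0.113.10 are placeholders.

```shell
#!/bin/sh
# Unattended OSSEC 2.x "local" install: answer install.sh's prompts up front.
# Added example, not from the original post or the OSSEC project. Variable
# names follow the commented template etc/preloaded-vars.conf in the 2.x
# tarball; confirm them against your copy. Address, relay and admin IP used
# in the usage line are placeholders.
set -eu

# write_preloaded_vars SRCDIR EMAIL SMTP WHITELIST
# Writes SRCDIR/etc/preloaded-vars.conf so ./install.sh runs without asking.
#   EMAIL     alert recipient
#   SMTP      relay to use; localhost when sendmail/postfix runs on this box
#   WHITELIST space-separated IPs/CIDRs that active response must never block
# Prints the path of the file written.
write_preloaded_vars() {
    srcdir=$1 email=$2 smtp=$3 whitelist=$4
    mkdir -p "$srcdir/etc"
    cat > "$srcdir/etc/preloaded-vars.conf" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="local"
USER_DIR="/var/ossec"
USER_ENABLE_EMAIL="y"
USER_EMAIL_ADDRESS="$email"
USER_EMAIL_SMTP="$smtp"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_FIREWALL_RESPONSE="y"
USER_WHITE_LIST="$whitelist"
EOF
    echo "$srcdir/etc/preloaded-vars.conf"
}

# check_preloaded_vars FILE
# Returns 0 when the answers are safe to install with, 1 when firewall-drop
# is enabled but no address is whitelisted (a lockout waiting to happen).
check_preloaded_vars() {
    f=$1
    grep -q '^USER_ENABLE_FIREWALL_RESPONSE="y"' "$f" || return 0
    wl=$(sed -n 's/^USER_WHITE_LIST="\(.*\)"$/\1/p' "$f")
    [ -n "$wl" ]
}

# Usage from /usr/local/src after "tar -zxf" (uncomment the last line on a real host):
#   f=$(write_preloaded_vars ossec-hids-2.3 alerts@example.com localhost "203.0.113.10")
#   check_preloaded_vars "$f" || { echo "whitelist your admin IP first" >&2; exit 1; }
#   (cd ossec-hids-2.3 && ./install.sh)
```

With USER_NO_STOP set the installer also skips its "press Enter to continue" pauses, so keep the generated file under version control next to your host build scripts: it is the complete record of how the box was set up.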

Step 3: The installer configured OSSEC to start at boot (ossec-control also accepts status, which lists the daemons that are running).
Step 3.1: To start OSSEC

/var/ossec/bin/ossec-control start

Step 3.2: To stop OSSEC

/var/ossec/bin/ossec-control stop

Step 4: For further settings, edit the config file

nano -w /var/ossec/etc/ossec.conf

Optional Config: Add these lines to /var/ossec/etc/ossec.conf to get rid of some unnecessary mails from OSSEC

Configure OSSEC for CSF Firewall frontend

Configure OSSEC for APF Firewall frontend

Configure OSSEC for Directadmin Hosting CP

Step 5: Restart OSSEC when you're done editing

/var/ossec/bin/ossec-control restart

You will get a lot of mail from OSSEC while you are actively installing software, creating new users and so on, so after a while you will want to tune it to get rid of the "non-important" mail.
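The Optional Config section above and the note about tuning away non-important mail both come down to the same mechanism: OSSEC loads /var/ossec/rules/local_rules.xml last, so a local rule whose <if_sid> names a noisy stock rule takes that rule's place, and <options>no_email_alert</options> keeps the event in alerts.log while dropping the mail. The helper below is an added example, not from the post or from OSSEC; it appends such an override and guards the two mistakes that bite in practice: an id outside the 100000-119999 range reserved for local rules, and a second override of a parent that already has one. Rule 5902 ("New user added to the system", level 8 in syslog_rules.xml) is used as the sample parent because the post mentions user creation; check the id in your own rules directory. OSSEC_DIR and the ids 100010 and 100011 are assumptions.

```shell
#!/bin/sh
# Override a noisy stock OSSEC rule from local_rules.xml.
# Added example, not code from the original post or from OSSEC itself.
# Assumptions: OSSEC_DIR defaults to /var/ossec (the post's install path);
# rule 5902 in the usage line is only a sample parent, verify the id in
# $OSSEC_DIR/rules/syslog_rules.xml before using it.
set -eu

OSSEC_DIR=${OSSEC_DIR:-/var/ossec}

# add_override RULESDIR PARENT_ID NEW_ID ACTION
#   quiet: child rule at level 3 with no_email_alert, so the event is still
#          written to alerts.log but is never mailed
#   drop : child rule at level 0, so the event is neither logged nor mailed
# Appends a <group> block to RULESDIR/local_rules.xml (OSSEC accepts several
# <group> blocks in one rules file) and prints NEW_ID on success.
add_override() {
    rulesdir=$1 parent=$2 id=$3 action=$4
    case $id in
        ''|*[!0-9]*) echo "rule id must be numeric" >&2; return 2 ;;
    esac
    # Local rules must live in the reserved 100000-119999 range; anything
    # else collides with the stock rule sets.
    if [ "$id" -lt 100000 ] || [ "$id" -gt 119999 ]; then
        echo "local rule ids must be between 100000 and 119999" >&2; return 2
    fi
    case $action in
        quiet) level=3; opts='<options>no_email_alert</options>' ;;
        drop)  level=0; opts='' ;;
        *) echo "action must be quiet or drop" >&2; return 2 ;;
    esac
    mkdir -p "$rulesdir"
    cat >> "$rulesdir/local_rules.xml" <<EOF
<group name="local,syslog,">
  <rule id="$id" level="$level">
    <if_sid>$parent</if_sid>
    $opts
    <description>Local override of rule $parent ($action)</description>
  </rule>
</group>
EOF
    echo "$id"
}

# count_overrides RULESDIR PARENT_ID
# Prints how many local rules already override PARENT_ID. Children of one
# parent are tried in order and the first match wins, so a second override
# of the same parent rarely does what you expect; check before adding one.
count_overrides() {
    f=$1/local_rules.xml
    [ -f "$f" ] || { echo 0; return 0; }
    grep -c "<if_sid>$2</if_sid>" "$f" || true
}

# Usage on the live host (then restart OSSEC):
#   [ "$(count_overrides "$OSSEC_DIR/rules" 5902)" -eq 0 ] \
#       && add_override "$OSSEC_DIR/rules" 5902 100010 quiet
#   "$OSSEC_DIR/bin/ossec-control" restart
```

After the restart, paste a matching log line into /var/ossec/bin/ossec-logtest (it reads from stdin) and confirm the output names your 100010 rule rather than 5902. If what you really want is a different threshold for everything rather than per-rule exceptions, raise <email_alert_level> under <alerts> in ossec.conf instead of adding overrides.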


One Comment

  1. Charles Durando says:

    Thanks for making that so easy!! Do you have any suggestions if you are running the regular iptables firewall?

    Charles Durando
