Monday, Feb 02, 2009

OSSEC HIDS

This guide covers OSSEC version 1.4

Written by: Graham Mead

Abstract
This guide covers installing OSSEC as a Client/Server model with alerts from the Agents being sent to the central server. The Guide is split into these segments:
• Downloading OSSEC
• Installing the Server: setting up the server.
• Initial Set up for the Agents: the steps carried out on the server before the Clients/Agents are installed.
• Installation of Agents: setting up the Clients/Agents.
• OSSEC Web UI: optional stage, installing an interface for the server.
• Testing: optional stage, testing active responses (possible legal issues).

Downloading OSSEC
You can download the OSSEC tar archive and checksums from ossec.net. It's also important to check the integrity of the files by comparing the checksums.
$ mkdir ~/ossec
$ cd ~/ossec
$ wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
$ wget http://www.ossec.net/files/ossec-hids-latest_sum.txt
$ cat ossec-hids-latest_sum.txt
MD5 (ossec-hids-1.4.tar.gz) = f877f7afc225ba835bf697c026c77aa9
SHA1 (ossec-hids-1.4.tar.gz) = 80e6fc46ff592e369bc9f81707e753285e09f01f
MD5 (ossec-agent-win32-1.4.exe) = a2e56933e5084c3dc871eb9aec1cbdac
SHA1 (ossec-agent-win32-1.4.exe) = 64cf017d7ebd4f356a7c58b270b791cacb0ef8de

$ md5sum ossec-hids-latest.tar.gz
f877f7afc225ba835bf697c026c77aa9 ossec-hids-latest.tar.gz
$ sha1sum ossec-hids-latest.tar.gz
80e6fc46ff592e369bc9f81707e753285e09f01f ossec-hids-latest.tar.gz
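
The same comparison can be scripted instead of being done by eye. The following is an added example, not part of the original guide: it reads the BSD-style lines of the checksum list and checks a download that was saved under a different name (ossec-hids-latest.tar.gz against the ossec-hids-1.4.tar.gz entries). The function names and the stand-in files are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: check a download against a BSD-style checksum list
# ("SHA1 (name) = hex"), the layout of ossec-hids-latest_sum.txt.
# Function names are hypothetical; the demo files are constructed stand-ins.

# listed_sum ALGO NAME SUMFILE
# Print the digest listed for NAME under ALGO; fail if there is no such line.
listed_sum() {
    awk -v algo="$1" -v entry="($2)" '
        $1 == algo && $2 == entry && $3 == "=" {
            print tolower($4); found = 1; exit
        }
        END { exit found ? 0 : 1 }' "$3"
}

# verify_download SUMFILE LISTED_NAME LOCAL_FILE
# Return 0 only if both the MD5 and SHA1 entries exist and match LOCAL_FILE,
# 1 on a digest mismatch, 2 if an entry is missing from the list.
verify_download() {
    local sumfile=$1 listed=$2 file=$3 algo tool want got
    for algo in MD5 SHA1; do
        case $algo in
            MD5)  tool=md5sum ;;
            SHA1) tool=sha1sum ;;
        esac
        if ! want=$(listed_sum "$algo" "$listed" "$sumfile"); then
            echo "no $algo entry for $listed in $sumfile" >&2
            return 2
        fi
        got=$("$tool" < "$file" | awk '{ print $1 }')
        if [ "$want" != "$got" ]; then
            echo "$algo mismatch for $file: listed $want, computed $got" >&2
            return 1
        fi
    done
    echo "OK: $file matches the MD5 and SHA1 listed for $listed"
}

# Demo on constructed files: a stand-in tarball saved as "latest", a list that
# names it by version, then the same file after one byte has been appended.
demo_dir=$(mktemp -d)
tarball=$demo_dir/ossec-hids-latest.tar.gz
printf 'constructed stand-in for the real tarball\n' > "$tarball"
{
    printf 'MD5 (ossec-hids-1.4.tar.gz) = %s\n' \
        "$(md5sum < "$tarball" | awk '{ print $1 }')"
    printf 'SHA1 (ossec-hids-1.4.tar.gz) = %s\n' \
        "$(sha1sum < "$tarball" | awk '{ print $1 }')"
} > "$demo_dir/sum.txt"

verify_download "$demo_dir/sum.txt" ossec-hids-1.4.tar.gz "$tarball"
printf 'x' >> "$tarball"
verify_download "$demo_dir/sum.txt" ossec-hids-1.4.tar.gz "$tarball" ||
    echo "modified file rejected (exit $?)"
rm -rf "$demo_dir"
```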

Installing the Server
These commands will extract the archive and begin the install process. Root access (via sudo or otherwise) to the box is required for installation.
$ tar -zxvf ossec-hids-latest.tar.gz
$ cd ossec-hids-*
$ sudo ./install.sh
You will be asked a few questions by the install script. First it asks for your language; since the default is English (this is an example of a [default-value]) you can just press Enter. If you already have OSSEC installed you will be asked whether you want to perform an update; answering no does a clean install, overwriting the current files.
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/es/fr/it/jp/pl/ru/sr/tr) [en]: <Press Enter Key>


OSSEC HIDS v1.4 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux ab**** 2.6.*****-generic
- User: root
- Host: ab*******


-- Press ENTER to continue or Ctrl-C to abort. --


- You already have OSSEC installed. Do you want to update it? (y/n): n
Now you can select what kind of install you would like. Most people would want to install 'local' for monitoring of just the local system. Server and agent are used to monitor more than one system. The server receives alerts from the agents and vice versa. In this example I'm using the server/agent method to monitor two systems, a Linux system (the server), a Windows agent and a Linux agent.
1- What kind of installation do you want (server, agent, local or help)? server

- Server installation chosen.
Set the install directory; the default is fine for most people. If you already have OSSEC installed it will ask whether you want to delete the existing directory, so that it will be a clean install.
2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:
<Press Enter Key>

- Installation will be made at /var/ossec .

- The installation directory already exists. Should I delete it? (y/n) [y]:
<Press Enter Key>

This is the main configuration part of installing OSSEC. First it asks if you want to be informed of alerts by email, which will not be implemented here because of the lack of an internal mail system. If you answer yes it will ask you to enter your email details.
Next it asks if you want to run file system integrity checks and rootkit detection; both should be used unless you have a good reason not to.
3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: n

--- Email notification disabled.

3.2- Do you want to run the integrity check daemon? (y/n) [y]:
<Press Enter Key>

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
<Press Enter Key>

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

Active responses can be configured to trigger on alerts over a certain level. The default is to add a rule to the system's firewall to temporarily drop (default 600 seconds) connections from an attacker; this is enough for most people. A good example of the flexibility of active responses is OSSEC at the Defcon “Own the Box” competition (http://www.ossec.net/dcid/?p=105). Active response adds an element of self-defence to your systems and should be enabled unless there is a good reason not to.

- Do you want to enable active response? (y/n) [y]:
<Press Enter Key>

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]:
<Press Enter Key>

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:
- <IP of default route/DNS>

- Do you want to add more IPs to the white list? (y/n)? [n]:
<Press Enter Key>

This feature could be used for receiving syslog alerts from, for example, Cisco devices or any other device on which an OSSEC agent cannot be installed. Logging from the Cisco devices on the network is not required here, but more information can be found at the OSSEC wiki if it is required at a later date: http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: n

--- Remote syslog disabled.
This section informs you on which log files are going to be monitored. I have the Snort IDS and the Apache2 Web server installed on the system in this example.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/snort/alert (snort-fast file)
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .


--- Press ENTER to continue ---

After you have finished answering all the questions that OSSEC asks, it's finally time to get down to installing. Compilers and other build utilities need to be installed for this to work. On Ubuntu these programs can be installed by running this command.
$ sudo apt-get install build-essential
OSSEC then compiles and installs the actual OSSEC program files.
5- Installing the system
- Running the Makefile

<The Compiling bit>


- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information below). ---



- In order to connect agent and server, you need to add each agent to the server.
Run the 'manage_agents' to add or remove them:

/var/ossec/bin/manage_agents

More information at:
http://www.ossec.net/en/manual.html#ma


Initial Set up for the Agents

Before the agents can be installed, they need to be configured on the server. This stage is necessary because the encryption key used by each agent needs to be generated. This is done from the menu-driven utility below and consists of three parts.
$ sudo /var/ossec/bin/manage_agents


First you need to add the agent to the agent manager. An ID number, a name (normally the host name) and an IP address must be entered at this stage.
****************************************
* OSSEC HIDS v1.4 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: a

- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: ca***
* The IP Address of the new agent: 192.168.1.15
* An ID for the new agent[002]:
Agent information:
ID:002
Name:ca***
IP Address:192.168.1.15

Confirm adding it?(y/n): y
Agent added.
Secondly you must get the encryption key that the agent will use for its communication with the server. Copying and pasting it is recommended.
****************************************
* OSSEC HIDS v1.4 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: e

Available agents:
ID: 001, Name: Ba**, IP: 192.168.1.100
ID: 002, Name: Ca**, IP: 192.168.1.15
Provide the ID of the agent to extract the key (or '\q' to quit): 002

Agent key information for '002' is:
MTHISKEYISNOTREAL11bYgjkZGMxNTA2MmU5NDhjMzJkY2YzN2QyMjRmYTQ2ODA2ZTFjNDYxMWMz

** Press ENTER to return to the main menu.
Finally you should check that the agent configuration has actually been stored in the database.
****************************************
* OSSEC HIDS v1.4 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: L

Available agents:
ID: 001, Name: Ca**, IP: 192.168.1.15

** Press ENTER to return to the main menu.



****************************************
* OSSEC HIDS v1.4 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: q

** You must restart the server for your changes to have effect.

manage_agents: Exiting ..
Then you must Start/Restart the server.

$ sudo /var/ossec/bin/ossec-control status
ossec-monitord not running...
ossec-logcollector not running...
ossec-remoted not running...
ossec-syscheckd not running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd not running...


$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v1.4 (by Daniel B. Cid)...
2008/03/11 20:08:00 ossec-maild: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.


Automated NMAP Scanning

We would use this to detect unauthorised servers on the network. This step can be omitted if not needed.
First we would add the following to the OSSEC configuration file.
<ossec_config>
<localfile>
<log_format>nmapg</log_format>
<location>/var/log/nmap-out.log</location>
</localfile>
</ossec_config>

Then we would run these commands to create the baseline that OSSEC will compare against.
$ sudo touch /var/log/nmap-out.log
$ sudo nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255
$ sudo /var/ossec/bin/ossec-control restart

After this OSSEC will be scanning the network periodically and will report any changes it finds. More information can be found on the OSSEC wiki.
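
The nmapg log format refers to the grepable (-oG) lines that the nmap command above appends to /var/log/nmap-out.log. As an added illustration (not OSSEC's decoder and not from the original guide), this script compares the open ports in the first scan in such a file, the baseline, with those in the most recent appended scan. The function names and the sample log lines, including the Nmap version shown in them, are constructed.

```bash
#!/usr/bin/env bash
# Added example: report what changed between the baseline scan and the latest
# scan in an appended nmap -oG log. Names and sample data are constructed.

# nmap_changes LOGFILE
# Print "NEW host port/proto" for ports open in the last scan but not in the
# first, and "GONE host port/proto" for the reverse. Only the exact state
# "open" counts ("open|filtered" from UDP scans is ignored).
# Returns 2 when the log holds fewer than two scans.
nmap_changes() {
    awk -F'\t' '
        /^# Nmap .*scan initiated/ { run++; next }
        run && /^Host: / {
            split($1, h, " ")                   # "Host: 192.168.2.1 ()"
            for (f = 2; f <= NF; f++) {
                if ($f !~ /^Ports: /) continue  # skip Status/Ignored State
                n = split(substr($f, 8), entry, ", *")
                for (i = 1; i <= n; i++) {
                    split(entry[i], p, "/")     # port/state/proto/owner/service
                    if (p[2] == "open")
                        seen[run, h[2] " " p[1] "/" p[3]] = 1
                }
            }
        }
        END {
            if (run < 2) exit 2                 # baseline only, nothing to diff
            for (k in seen) {
                split(k, part, SUBSEP)
                if (part[1] == run && !((1, part[2]) in seen))
                    print "NEW " part[2] | "LC_ALL=C sort"
                if (part[1] == 1 && !((run, part[2]) in seen))
                    print "GONE " part[2] | "LC_ALL=C sort"
            }
        }' "$1"
}

# Constructed sample: a baseline scan followed by one appended later scan.
sample_nmap_log() {
    local cmd='as: nmap --append_output -sU -sT -oG /var/log/nmap-out.log 192.168.2.0-255'
    printf '# Nmap 4.53 scan initiated Tue Mar 11 20:10:00 2008 %s\n' "$cmd"
    printf 'Host: 192.168.2.1 ()\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///\n'
    printf 'Host: 192.168.2.10 ()\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (1712)\n'
    printf '# Nmap run completed at Tue Mar 11 20:25:12 2008 -- 256 IP addresses (2 hosts up) scanned\n'
    printf '# Nmap 4.53 scan initiated Wed Mar 12 20:10:00 2008 %s\n' "$cmd"
    printf 'Host: 192.168.2.1 ()\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///, 161/open|filtered/udp//snmp///\n'
    printf 'Host: 192.168.2.10 ()\tPorts: 80/open/tcp//http///\n'
    printf 'Host: 192.168.2.77 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///\n'
    printf '# Nmap run completed at Wed Mar 12 20:26:40 2008 -- 256 IP addresses (3 hosts up) scanned\n'
}

log=$(mktemp)
sample_nmap_log > "$log"
nmap_changes "$log"
rm -f "$log"
```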


Installation of Agents

The Windows agent is installed on a Windows system (in this case Windows XP), but first we download and checksum the binary on Linux. It is much simpler to run the checksum on Linux than on Windows, where this can be complicated.
$ wget http://www.ossec.net/files/ossec-agent-win32-1.4.exe

$ cat ossec-hids-latest_sum.txt

$ sha1sum ossec-agent-win32-1.4.exe

$ md5sum ossec-agent-win32-1.4.exe

The Windows agent install is started by double-clicking the file you just downloaded on the Windows computer. The installer will guide you through the installation. The Windows agent is installed as a Windows service, so no further steps need to be taken to ensure that it starts automatically.
Windows XP was used in this install, but it's the same for other versions of Windows.
The Windows OSSEC agent screen should look something like this. You will need to enter the IP address and the encryption key from the previous stage. You must also ensure that no firewall sitting between the server and the agent blocks the traffic (allow UDP port 1514).

Linux Agent
The installation of the Linux agent is very similar to the server installation performed earlier. First we run the install script as root and select the language.
$ sudo ./install.sh

** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/es/fr/it/jp/pl/ru/sr/tr) [en]:
<Press Enter Key>


OSSEC HIDS v1.4 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux ca*** 2.6.22-14-generic
- User: root
- Host: ba***


-- Press ENTER to continue or Ctrl-C to abort. --


- You already have OSSEC installed. Do you want to update it? (y/n): n

We then select the agent installation type and select the installation directory.

1- What kind of installation do you want (server, agent, local or help)? agent

- Agent(client) installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:

- Installation will be made at /var/ossec .

- The installation directory already exists. Should I delete it? (y/n) [y]:
<Press Enter Key>

Then we enter the IP address of the OSSEC Server and select what should be run.
3- Configuring the OSSEC HIDS.

3.1- What's the IP Address of the OSSEC HIDS server?: 192.168.1.56

- Adding Server IP 192.168.1.56

3.2- Do you want to run the integrity check daemon? (y/n) [y]:
<Press Enter Key>

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
<Press Enter Key>

- Running rootcheck (rootkit detection).

3.4 - Do you want to enable active response? (y/n) [y]:
<Press Enter Key>


3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .


--- Press ENTER to continue ---


Then the program will compile the software so it can be used.
5- Installing the system
- Running the Makefile

<Compile bit>

- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information below). ---



- You first need to add this agent to the server so they
can communicate with each other. When you have done so,
you can run the 'manage_agents' tool to import the
authentication key from the server.

/var/ossec/bin/manage_agents

More information at:
http://www.ossec.net/en/manual.html#ma

After the software is installed we need to import the key from the server.
$ sudo /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v1.4 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAyIGxpbnV4YWdlbnQgMTkyLjsfmlfsfsfsFlkdfjsofmsldmzNmFlZTk2NDlkNjIzODU5M2Y4MDIzNzRlMWI3NWM4ODA3MjczMjRmY2JiMjE1ZDk1OGEzMzU1NDc=

Agent information:
ID:002
Name:ca****
IP Address:192.168.1.15

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v1.4 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: q

** You must restart the server for your changes to have effect.

manage_agents: Exiting ..


Debugging
To debug, check whether the OSSEC server is correctly receiving messages from the agents. Incorrectly formatted messages are commonly caused by a typo when entering the key.
$ sudo grep "ossec-remoted" /var/ossec/logs/ossec.log

The message below is example output of the above command when the key is input incorrectly.
2008/04/10 13:36:43 ossec-remoted(1403): Incorrectly formated message from '192.168.1.15'.
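
The readable start of the key pasted in the import step decodes from base64 to "002 linuxagent 192.", that is, the agent ID, name and IP that manage_agents echoes back. As an added example (not part of the original guide), the check below assumes the whole key is the base64 encoding of one line "ID NAME IP SECRET" and catches common paste damage (spaces, lost characters, a mistyped character in the readable part) before the key is imported. The function names and the sample key are constructed.

```bash
#!/usr/bin/env bash
# Added example: sanity-check an agent key before pasting it into
# manage_agents. Assumption: the key is base64 of "ID NAME IP SECRET".
# Function names are hypothetical; the sample secret is made up.

# check_agent_key KEY
# Print "ID NAME IP secret_len=N" (never the secret itself) and return 0 when
# the key is well formed; print the reason on stderr and return 1 otherwise.
# A paste that lost exactly 4 characters still decodes, so compare secret_len
# with the value seen on the server.
check_agent_key() {
    local key=$1
    case $key in
        "")                echo "empty key" >&2; return 1 ;;
        *[[:space:]]*)     echo "key contains spaces or new lines" >&2; return 1 ;;
        *[!A-Za-z0-9+/=]*) echo "key contains characters outside base64" >&2; return 1 ;;
    esac
    if [ $(( ${#key} % 4 )) -ne 0 ]; then
        echo "key length ${#key} is not a multiple of 4 (truncated paste?)" >&2
        return 1
    fi
    # awk decides the result: an empty or garbled decode never sets "summary".
    printf '%s' "$key" | base64 -d 2>/dev/null | LC_ALL=C awk -F'[ ]' '
        function bad(msg) { print msg > "/dev/stderr"; failed = 1; exit 1 }
        function ipv4(s,   o, i) {
            if (split(s, o, "[.]") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        NR > 1              { bad("decoded key spans more than one line") }
        /[^ -~]/            { bad("decoded key has non-printable bytes") }
        NF != 4 || $4 == "" { bad("expected ID NAME IP SECRET, found " NF " field(s)") }
        $1 !~ /^[0-9]+$/    { bad("agent ID \"" $1 "\" is not numeric") }
        !ipv4($3)           { bad("agent IP \"" $3 "\" is not a dotted quad") }
        { summary = $1 " " $2 " " $3 " secret_len=" length($4) }
        END { if (failed || summary == "") exit 1; print summary }'
}

# Constructed sample key built at run time; the 64-character secret is made up.
sample_key() {
    printf '002 linuxagent 192.168.1.15 %s' \
        '00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff' |
        base64 | tr -d '\n'
}

good=$(sample_key)
check_agent_key "$good"
check_agent_key "$good " || echo "rejected: trailing space"
check_agent_key "${good%???}" || echo "rejected: three characters lost"
check_agent_key "MDBy${good#MDAy}" || echo "rejected: one character mistyped"
```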

OSSEC Web UI
The Web Interface requires a working OSSEC installation and Apache (with PHP support, 4.1+ or 5.0+).
The OSSEC Web User Interface lets you see OSSEC-generated alerts from your web browser, making OSSEC that much easier to use. It allows you to:

• See a list of the latest alerts.
• Use an alert search feature, which is very helpful when writing reports.
• See the latest modified files for all installed agents.
• Use a stats page that breaks down each rule into a total percentage.

Two examples of the search feature: it can show all alerts over a certain level, and it can search by source IP address. More options are available, however. We need to download the web user interface and verify that the download is OK.

$ wget http://www.ossec.net/files/ui/ossec-wui-0.3-checksum.txt
$ wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz.sig
$ cat ossec-wui-0.3-checksum.txt
$ md5sum ossec-wui-0.3.tar.gz
MD5 (ossec-wui-0.3.tar.gz) = c79fa486e9a20fb06a517541033af304
$ sha1sum ossec-wui-0.3.tar.gz
SHA1 (ossec-wui-0.3.tar.gz) = e00bff680721982ee55295a5292eb4e2a638b820
$ gpg --verify ossec-wui-0.3.tar.gz.sig ossec-wui-0.3.tar.gz

We then need to extract the archive, move the files to the web server directory and then run the install script.
$ tar -zxvf ossec-wui-0.3.tar.gz
$ sudo mv ossec-wui-0.3 /var/www/ossec-wui
$ sudo /var/www/ossec-wui/setup.sh

Then we add the web server user(www-data) to the ossec group by adding the web server username to the end of the line, as shown below.
$ sudo nano /etc/group
ossec:x:1002:www-data
Finally we must make sure that the web server user can write to the tmp directory.
$ cd /var/www/ossec-wui/
$ sudo chmod 770 tmp/
$ sudo chgrp www-data tmp/

The Web Interface should now be available in a web browser by going to:
http://ipaddress/ossec-wui/

Securing the script.
First we create a password file for the Apache authentication. It's important not to include the -c switch if the file already exists, because it will wipe the file and start a new one.
$ htpasswd -c /etc/apache2/htpasswd ossecuser
Then we add the following to the Apache configuration:
<Directory /ossec-wui>
Options FollowSymLinks
AllowOverride None
</Directory>

<Directory "/var/www/ossec-wui/">
AuthType Basic
AuthName "Protected Area"
AuthUserFile /etc/apache2/htpasswd
Require user ossecuser
</Directory>

This stage will protect the application against unauthorised access.

Testing
Disclaimer: You are responsible for your own actions. Testing of any security settings should only be done on your own equipment in your own lab, unless you have written permission from your employer. If you are unsure, don't do it; it's not worth going to jail over.
Using these tools in an ethical manner can help you test that your installation would really help against an attacker. The following attack was performed from another one of my own systems by using GTK Hydra (Available: Backtrack Live CD) to simulate an SSH Brute force attack. OSSEC would then activate the active response because of the high level of alert (by default it uses level 6 and above to activate an active response).

2008 Mar 27 18:41:57 Rule Id: 5720 level: 10
Location: ab***** ->/var/log/auth.log
Src IP: 192.168.1.15
Multiple SSHD authentication failures.
Mar 27 18:41:56 ab***** sshd[12409]: Failed password for user from 192.168.1.15 port 59948 ssh2
Mar 27 18:41:56 ab***** sshd[12407]: Failed password for user from 192.168.1.15 port 59947 ssh2
Mar 27 18:41:56 ab***** sshd[12401]: Failed password for user from 192.168.1.15 port 59944 ssh2
Mar 27 18:41:56 ab***** sshd[12405]: Failed password for user from 192.168.1.15 port 59946 ssh2
Mar 27 18:41:56 ab***** sshd[12403]: Failed password for user from 192.168.1.15 port 59945 ssh2
Mar 27 18:41:56 ab***** sshd[12399]: Failed password for user from 192.168.1.15 port 59943 ssh2
Mar 27 18:41:56 ab***** sshd[12397]: Failed password for user from 192.168.1.15 port 59942 ssh2

As we can see from the output of the command below, the source address of the attack has been added to the Linux firewall as a DROP rule. Further attempts from this address will be dropped while the timeout from OSSEC is in place.
$ sudo iptables -L
...
Chain INPUT (policy DROP)
target prot opt source destination
DROP 0 -- 192.168.1.100 anywhere
.....
More information on alerts and log samples can be found at the OSSEC.net wiki.

PrintView Printer Friendly Version

EmailEmail Article to Friend

Reader Comments (19)

ecco shoes develop quality for discerning customers and Experience the comfort, free shipping.Buy
discount ecco shoes with a price guarantee and top rated customer service.enjoy
ecco shoes on sale Find exactly what you want today Looking for discount Ecco shoes.

chanel handbags develop qulity for discerning lady.Find the new collection of d&g handbags on

b2chandbag.com,The best quality of chanel handbags online.Welcome to enjoy discount d&g bags for

free shipping,price guarantee.cheap and designer chanel handbags.

Compare prices on guess handbags and save ,Top ranking quality of the designer guess handbags for

discerning ladies.Guess handbags are stylish accessories that complement a fashion-conscious woman's wardrobe and
guess handbags.
.Enjoy a great selection of guess bags.guess handbags . for
or every discerning women ,free shipping,110% price guarantee.

September 11, 2010 | Unregistered Commenterecco shoes

The weather is getting cold and the wind is increasing in the morning riding a bike should wear gloves
Christian Louboutin otherwise you will be red with cold hands like a carrot the Tiffany Jewelry, same ah. Moncler, put Vibram Five Fingers and NFL Jerseys, Cold weather, take care of yourself
Christian Louboutin Knockoffs,Christian Louboutin Wedding Shoes,Christian Louboutin Boots,Christian Louboutin Sandals,Christian Louboutin Wedges,Christian Louboutin Platform,Christian Louboutin Sneakers,Christian Louboutin Nappa Bootie,Christian Louboutin Ankle Boots,Christian Louboutin Leopard Boots,christian louboutin leopard,christian louboutin python pumps,christian louboutin black pumps,christian louboutin platform pump,Christian Louboutin Peep Toe,Christian Louboutin Declic Pumps,christian louboutin very prive pumps,Christian Louboutin Slingbacks,Christian Louboutin Cathay,Christian Louboutin High Heels,Christian Louboutin Pigalle,Christian Louboutin Mary Janes,Christian Louboutin Wedding Shoes,Christian Louboutin Declic Leather Pumps,Christian Louboutin Lace Up Boots,Christian Louboutin Robot,Christian Louboutin Peep Toe Boots,Christian Louboutin over the knee boots,christian louboutin babel boots,Christian Louboutin Bandage Boots,Christian Louboutin Bouquet Platform,Christian Louboutin Dillian Pumps,christian louboutin macarena,red sole shoes,Christian Louboutin Flats,Christian Louboutin Double Platform Sandal,Christian Louboutin Evening,christian louboutin calypso pumps,christian louboutin d'orsay,Christian Louboutin Alta Nodo,christian louboutin petal pumps,christian louboutin petal crepe satin sandal,replica christian louboutin shoes,Christian Louboutin Platform Pumps,Christian Louboutin Espadrille Wedge,Christian Louboutin Jeweled Pumps,christian louboutin cutout pump,Christian Louboutin Cutout Bootie,christian louboutin glitter pump,christian louboutin circus boots,christian louboutin sample sale,ED Hardy ED Hardy,Nike Shoes Nike Shoes,Abercrombie and Fitch Abercrombie and Fitch,Gift Ideas Gift Ideas,Tiffany Jewelry Tiffany Jewelry,Ball Bearing Ball Bearing,Christian Louboutin Christian Louboutin Discount,UGG Boots UGG Boots,EMU Boots EMU Boots,Louis Vuitton Handbags Louis Vuitton Handbags,Christian Audigier Christian Audigier,Herve LegerHerve Leger

November 3, 2010 | Unregistered Commenterchristian louboutin

Good writing, beautiful pictures, wow,christian dior replica it is wonderful,wonderful, we will always support you!

December 8, 2010 | Unregistered Commenterifusan

I peruse your articles about this topic and get a lot of facts that I never realize whereas.

March 11, 2011 | Unregistered Commentercheap jordan shoes

Men's Reebok Zigtech are a new innovative running shoe made by reebok, these shoes are an athletic shoe that is a newly trending Reebok ZigTech shoes with new absorption technology. The technology behind the Easytone Trainers is what is known as sound proofing. This is Reebok Zig pulse shoes’s most advanced training and running shoe so far. They allow key leg muscles to do less, so you can do a lot more. The new sole technology returns the energy for a soft run and conserves leg energy. The Reebok ZigTech absorb the vibrations from the impact and then take that energy and return it to the runner in a smooth and quite fashion.There are not many shoes with the technology and versatility that Discount Reebok zigtech pulse shoes now have.

March 22, 2011 | Unregistered CommenterMen's Reebok Zigtech

<p>World famous brand <A href="http://www.ShapeUpsoutlet.com/">Skechers Shape Ups</A> this season more than 100 different styles of counters in major cities or the full listing of stores, enjoy shaping the wild, "King of days." In order to achieve the most perfect form on the state, up to the people of the fashion trends for <A href="http://www.ShapeUpsoutlet.com/womens-ShapeUps-c-1.html">Skechers Shape UpS Shoes</A> is essential for a single product. Reflects the different styles of <A href="http://www.ShapeUpsoutlet.com/ShapeUps-wide-widths-c-6.html">Shape ups Skechers</A> shoes, a different attitude to life, capturing the extreme side of life, seeking quality, fashion, style, self-realization.</p>
<p>The concept of ordinary people, always think that spring is a pink world, the air was filled with the sweet taste of early shape up shoes summer is the colorful, ebullient. But in practical terms, everyone seems to be biased in favor of plain colors, especially the wild and easy lining of black, white, gray, brown girl in the world of work is most useful. <A href="http://www.ShapeUpsoutlet.com/products_all.html">Shape ups sneaker</A> Active designed specifically for office workers as the daily series of fashion's shape ups sale running mate.</p>
<p>Recommended that the number of series shape up are derived from cycling, sports concept, a unique hole pattern design, help to strengthen the grip function, the implication is as smooth as the ride, stability, and convenient. Bandage-free design while adding Gengrang Working Girl in the plain flowing skechers shape ups reviews spring and summer the city girl in the infinite charm.</p>

March 22, 2011 | Unregistered CommenterSkechers Shape Ups

I’ve definitely enjoyed reading through your thoughts.authentic nfl jerseysLoyal fans show their interest by being equal to the teams they love in every aspect like dress, bands, shoes and caps. custom football jersey A once in a year fiesta is worth spending all the money for the passion for the sport. This shop becomes very active every season.

July 5, 2011 | Unregistered Commenternba jerseys store

our air max sale online store sale cheap air max,you can buy nike air max 2011,nike air max 90,nike air max 2010,nike air max 24-7 on nike air max shop.All the womens air max of first-class quality for sale for you to choose.Our discount air max 2009 sale are popular all over the world with competitive price and best service.Don’t miss buy cheap nike air max online.

July 18, 2011 | Unregistered Commenterling

In 1923, the world tennis star Lacoste UK founder Rene Lacoste Trainers are Boston representative France in the Davis cup. At that time with his captain Lacoste Shoes, if he is to win the game, the lieutenant was to send him a crocodile suitcase. Although Lacoste Carnaby Trainers didn't win, but his suitcase in a game like a crocodile, so get the "crocodile hunter" (the title of crocodile antiparasitage). After return to France, Lacoste a friend for he made a crocodile, and stick in Lacoste carnaby sneakers, a popular in the world mark born thereafter.

July 21, 2011 | Unregistered CommenterLacoste Trainers








