SYSADMIN Security Lessons

Automated detection and response to attacks

Learn how to monitor and block attacks without lifting a finger.

BY KURT SEIFRIED

One of the first things I learned about was logging [1]. If you don't have logs, then trying to reconstruct what happened when something breaks, or when you get broken into, is almost impossible. The second thing I learned was that you have to centralize your logging; this is the only way to get a complete picture and ensure that an attacker can't simply wipe the logs on a compromised host, leaving you nothing to work with. But none of this will alert you to an attacker or, even more importantly, stop an attacker from getting in. It will simply give you something to look at once you figure out you have been broken into. For this, you need a human being in the loop, right? Well, you either need a human being or some smart software. Wouldn't it be great if you could monitor critical logfiles (like mail and web) and actually have something respond to attacks, notifying you and even blocking the attacker from further access if you so wished? Well, you're not the only one. Daniel B. Cid is the lead developer of the OSSEC project, an effort to build an open source host-based intrusion detection system [2]. OSSEC uses a traditional server and agent approach: You install the agent on each system you want to monitor, and a central server collects all the data and sends out alerts. Additionally, the OSSEC project has released a web-based interface; however, it is only capable of reporting. Unfortunately, it can't be used to configure the system.

Installing OSSEC

When installing OSSEC, you have three options. The server option allows you to have it monitor itself and collect alerts from other systems. The agent option simply monitors local events and fires anything interesting off to the server. The local option runs the monitoring locally and can send email alerts, but it does not listen for any remote agents (so if you have one server or want to test it, this is the option for you). Simply download the OSSEC package (ossec-hids-2.0.tar.gz) and unpack it to a directory:

    # wget http://www.ossec.net/files/ossec-hids-2.0.tar.gz
    # tar -zxf ossec-hids-2.0.tar.gz
    # cd ossec-hids-2.0
    # ./install.sh

Now you simply choose your language, your server type, and whether you want OSSEC to run the integrity check daemon, run the detection engine, enable active response, and enable the firewall to block attacks. If you are setting the system up as an agent, you also need to point it to your server and paste in the agent key. The agent key is a long string used to secure communications between an agent and the server, preventing fake messages from being injected, and so on. Why is it important to prevent spoofed or fake messages from being sent to the server?

Beware

If an attacker can trigger fake or spoofed attacks and a system blocks IP addresses or users because of this, the attacker can easily block legitimate systems and lock users out. In a worst case scenario, you might have to break into your own system if your accounts are locked out, which is why most HIDS and NIDS support whitelisting (see the "HIDS vs. NIDS" box). Administrators simply create a list of hosts and networks that are critical. Of course, determining which hosts are critical depends on the exact setup (DNS, email, file servers, authentication servers, routers, etc. are all a good place to start). With OSSEC, the whitelist is held in the ossec.conf file (by default, this is kept in /var/ossec/etc/), and you can specify individual hosts or networks:

    127.0.0.1
    1.2.3.4
    10.0.0.0/8
    192.168.0.0/16

Running OSSEC

The OSSEC program comes with its own control program called ossec-control. Additionally, when installed on Red Hat or CentOS, a standard set of rc.d/init scripts will be added, allowing the OSSEC services to be controlled through the standard chkconfig utility. When OSSEC is running, you should see a number of programs running.

58 ISSUE 103 JUNE 2009 Security Lessons SYSADMIN

The monitoring processes generally need to run as root:

    USER   PID   COMMAND
    ossecm 17381 /var/ossec/bin/ossec-maild
    root   17385 /var/ossec/bin/ossec-execd
    ossec  17389 /var/ossec/bin/ossec-analysisd
    root   17393 /var/ossec/bin/ossec-logcollector
    root   17405 /var/ossec/bin/ossec-syscheckd
    ossec  17409 /var/ossec/bin/ossec-monitord

OSSEC Agent

Once you have the server running, it's high time to get the rest of your herd reporting to it. Simply install the OSSEC software on any machines you want to monitor, choosing the agent installation option, of course. During the install, you will be asked for the IP address of the server and standard options regarding which monitoring options you want. Once you have finished, you will need to create and import the agent key, which is done via the manage_agents program. On the server you simply add the agent. Once finished, you can extract the key for a particular agent, then you will need to cut and paste it (remote login via SSH is your best bet). Simply run manage_agents on the agent and import the key. The process is similar for Windows, but a graphical interface has been added as the default to make it easier (fortunately, the command-line versions of all the programs are available, which allows scripted management to be done remotely via the command line).

By default, OSSEC monitors all files in /etc, /bin, /sbin, /usr/bin, and /usr/sbin (essentially the guts of almost any system) and a large number of network daemon logfiles (named, smbd, mysql, telnetd, etc.). To modify which directories are monitored or to add new rulesets for monitoring services, you simply edit the ossec.conf file, which uses an XML-style format that is largely self-explanatory.

OSSEC WebUI

So now that you have OSSEC properly set up and it's protecting your network, what do you do now? One feature I love about OSSEC is the reporting. For example, you can generate text reports on the top activity for IP addresses, attempted login names, and so on.

Of course, a text-based report is unlikely to impress your boss; fortunately, there is a solution for this. The web user interface for OSSEC allows ad hoc queries, but unfortunately, it does not support configuration of the server or agents (for that, you have to stick to the command line). Additionally, OSSEC WebUI allows you to see the state of your server and agents at a glance (Figure 1).

Figure 1: The Main tab of the OSSEC web interface shows some information about the latest modified files and events.

Tripwire

Of course, I would be remiss if I failed to mention Tripwire [3]. Tripwire is the granddaddy of HIDS, monitoring and reporting on file changes on Unix systems (and now on Windows), routers, and other devices. Tripwire is still available as an open source package; however, it has not been updated in several years (although one could argue it is largely a finished project).

Conclusion

One of the biggest problems with security is the amount of setup effort and continuous maintenance it often requires. OSSEC provides a degree of assurance and active protection with a minimal setup cost and little maintenance. OSSEC is lacking in a few features I would really love to see (like telling me what changed within a file as opposed to just telling me that the file has changed) and lacks some ease-of-use features (like mass configuration and change management), but weighed against the simplicity of setup and management I think it's still worth it.

INFO

[1] "Dive Deep" by Heike Jurzik, Linux Pro Magazine, April 2008, http://www.linux-magazine.com/w3/issue/89/086-087_command.pdf
[2] OSSEC: http://www.ossec.net/
[3] Tripwire: http://sourceforge.net/projects/tripwire/
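The active-response risk from the Beware section and the top-activity text reports from the WebUI section, as an added Python example that is not OSSEC's own code: it parses constructed sshd failed-login lines, counts the top source IPs and attempted login names, and blocks only sources that exceed a threshold and are not on the article's whitelist. The sample log lines, the threshold, and the function names are assumptions of this example.

```python
"""Added example, not OSSEC code: whitelist-aware active response over
constructed sshd log lines (see the Beware and WebUI reporting sections)."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
Jun  1 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Jun  1 10:00:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Jun  1 10:00:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51020 ssh2
Jun  1 10:00:09 web1 sshd[2210]: Failed password for invalid user oracle from 10.0.0.5 port 40211 ssh2
Jun  1 10:00:10 web1 sshd[2210]: Failed password for invalid user oracle from 10.0.0.5 port 40212 ssh2
Jun  1 10:00:11 web1 sshd[2210]: Failed password for invalid user oracle from 10.0.0.5 port 40213 ssh2
Jun  1 10:00:12 web1 sshd[2211]: Failed password for bob from 192.0.2.9 port 33011 ssh2
"""

# The whitelist from the article: single hosts and CIDR networks.
WHITELIST = ["127.0.0.1", "1.2.3.4", "10.0.0.0/8", "192.168.0.0/16"]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(log_text):
    """Return (login_name, source_ip) pairs from sshd failed-login lines."""
    return [m.groups() for line in log_text.splitlines() if (m := FAILED_RE.search(line))]

def top_activity(failures, n=3):
    """Text-report style counts: top source IPs and top attempted login names."""
    ips = Counter(ip for _, ip in failures)
    names = Counter(name for name, _ in failures)
    return ips.most_common(n), names.most_common(n)

def is_whitelisted(ip, whitelist=WHITELIST):
    """True if ip is a listed host or falls inside a listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in whitelist)

def active_response(failures, threshold=3, whitelist=WHITELIST):
    """Sources at or over the threshold are blocked unless whitelisted; whitelisted
    ones are only reported, so a spoofed burst cannot lock out critical hosts."""
    counts = Counter(ip for _, ip in failures)
    hot = [ip for ip, c in counts.items() if c >= threshold]
    blocked = sorted(ip for ip in hot if not is_whitelisted(ip, whitelist))
    exempt = sorted(ip for ip in hot if is_whitelisted(ip, whitelist))
    return blocked, exempt
```

With the sample above, 203.0.113.7 is blocked after three failures while 10.0.0.5 shows up in the report but is exempt because it falls inside 10.0.0.0/8.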
HIDS vs. NIDS

Host-based intrusion detection systems (HIDS) are generally defined as applications that run on specific systems and monitor local logfiles, inbound network activity, and other items to detect hostile behavior. The advantage of HIDS is that it has deeper access to a system and can correlate local events easily (e.g., a web application error followed by a new user being added). The disadvantage of HIDS is that you must install software on each system you want to protect and manage many endpoints.

Network intrusion detection systems (NIDS) typically consist of one or more network-based sensors deployed at network choke points (such as firewalls) or attached to switches that are configured to replicate traffic to the sensor. The advantage of NIDS is that you can cover large portions of a network and network traffic with a minimal number of sensors. The disadvantage of NIDS is that you could miss internal attacks that don't cross monitored networks, and you can't see deeply into a system.

THE AUTHOR

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.
