9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 By Josphat Mutai - November 23, 2018
(Last Updated On: December 12, 2018) This guide will help you to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9. OSSEC is an open source host-based intrusion detection system (HIDS) that runs on Linux, OpenBSD, Solaris, FreeBSD, Windows, and other systems. OSSEC works in a server/client model. The OSSEC client performs log analysis, policy monitoring, �le integrity checking, real-time alerting, rootkit detection and active response.
OSSEC has the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM as a simple solution with Web UI management.
Step 1: Install OSSEC Dependencies
OSSEC requires PHP, gcc, libc and Apache Web Server. Install them by running the commands below:
sudo apt install -y wget unzip make gcc build-essential sudo apt install -y php php-cli php-common libapache2-mod-php apache2-uti
Step 2: Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9
Once the dependencies have been installed, the next installation is for OSSEC HIDS. The source code for OSSEC is available on Github.
Check for the latest release before downloading. As of this writing, the latest is 3.1.0
export VER="3.1.0" wget https://github.com/ossec/ossec-hids/archive/${VER}.tar.gz
Once downloaded, extract the �le with the following command:
tar -xvzf ${VER}.tar.gz
This extraction will create a folder, change to this folder and run the install script.
cd ossec-hids-${VER} sudo sh install.sh
1. Set language
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en
2. Press
https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 1/6 9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks
OSSEC HIDS v3.1.0 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS. You must have a C compiler pre-installed in your system.
- System: Linux deb9 4.9.0-8-amd64 - User: root - Host: deb9
-- Press ENTER to continue or Ctrl-C to abort. --
3. Choose local installation type
What kind of installation do you want (server, agent, local, hybrid or he
With the local installation, you will be able to do everything the server does, except receiving remote messages from the agents or external syslog devices.
4. Choose where to install the OSSEC HIDS [/var/ossec], press enter to use /var/ossec
Installation will be made at /var/ossec .
5. Con�guring the OSSEC HIDS
3.1- Do you want e-mail notification? (y/n) [y]: y - What's your e-mail address? [email protected] - What's your SMTP server ip/host? localhost
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user. More information at: http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: y
- Active response enabled.
- By default, we can enable the host-deny and the https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 2/6 9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks
firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD). - They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]: y
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response: - 192.168.121.1
- Do you want to add more IPs to the white list? (y/n)? [n]:
3.6- Setting the configuration to analyze the following logs: -- /var/log/messages -- /var/log/auth.log -- /var/log/syslog -- /var/log/mail.info -- /var/log/dpkg.log -- /var/log/apache2/error.log (apache log) -- /var/log/apache2/access.log (apache log)
- If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
Press Enter to start the installation
The init script for managing OSSEC HIDS is /var/ossec/bin/ossec-control
To start the service, use:
$ sudo /var/ossec/bin/ossec-control start Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)... Started ossec-maild... Started ossec-execd... Started ossec-analysisd... Started ossec-logcollector... Started ossec-syscheckd...
https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 3/6 9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks
Started ossec-monitord... Completed.
And stop it by running
sudo /var/ossec/bin/ossec-control stop
You can further con�gure OSSEC HIDS by editing the con�guration �le:
sudo vim /var/ossec/etc/ossec.conf
The rules are located under the directory /var/ossec/rules/ . The rules for local system �les are set on the �le /var/ossec/rules/local_rules.xml
Check OSSEC Documentation for con�guration options.
Don’t forget to restart OSSEC HIDS whenever you make a change
sudo /var/ossec/bin/ossec-control restart
Step 3: Install OSSEC Web UI
OSSEC HIDS has a simple web interface, but it needs to be installed.
git clone https://github.com/ossec/ossec-wui.git sudo mv ossec-wui /srv cd /srv/ossec-wui sudo ./setup.sh
Set Dashboard admin username/password and web server username
trap: SIGHUP: bad trap Setting up ossec ui...
Username: admin New password:
Setup completed successfully.
Create an Apache VirtualHost con�guration �le
sudo vim /etc/apache2/sites-enabled/ossec-wui.conf
Put the contents below into the �le https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 4/6 9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks
ErrorLog /var/log/apache2/moodle-error.log CustomLog /var/log/apache2/moodle-access.log combined
Replace example.com with your domain name, save the �le and exit.
Enable the Apache rewrite module
sudo a2enmod rewrite sudo systemctl restart apache2
$ sudo systemctl status apache2.service ● apache2.service - The Apache HTTP Server Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor p Active: active (running) since Fri 2018-11-23 09:05:56 UTC; 16s ago Process: 9504 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/ Process: 9511 ExecStart=/usr/sbin/apachectl start (code=exited, status= Main PID: 9516 (apache2) Tasks: 6 (limit: 4915) CGroup: /system.slice/apache2.service ├─9516 /usr/sbin/apache2 -k start ├─9517 /usr/sbin/apache2 -k start ├─9518 /usr/sbin/apache2 -k start ├─9519 /usr/sbin/apache2 -k start ├─9520 /usr/sbin/apache2 -k start └─9521 /usr/sbin/apache2 -k start
Nov 23 09:05:56 deb9 systemd[1]: Starting The Apache HTTP Server...
Open http://ossec.example.com in your web browser and authenticate to the dashboard.
https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 5/6 9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks
On Login. you should get a page like below:
This marks the end of install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 article.
References:
OSSEC Manual/Documentation
Josphat Mutai
https://computingforgeeks.com/
Founder of Computingforgeeks. Expertise in Virtualization, Cloud Computing, Linux/UNIX systems, Programming,Storage systems,HA, Server Clustering e.t.c.
https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 6/6