9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 By Josphat Mutai - November 23, 2018

(Last Updated On: December 12, 2018) This guide will help you to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9. OSSEC is an open source host-based intrusion detection system (HIDS) that runs on , OpenBSD, Solaris, FreeBSD, Windows, and other systems. OSSEC works in a server/client model. The OSSEC client performs log analysis, policy monitoring, le integrity checking, real-time alerting, detection and active response.

OSSEC has the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM as a simple solution with Web UI management.

Step 1: Install OSSEC Dependencies

OSSEC requires PHP, gcc, libc and Apache Web Server. Install them by running the commands below:

sudo apt install -y wget unzip make gcc build-essential sudo apt install -y php php-cli php-common libapache2-mod-php apache2-uti

Step 2: Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9

Once the dependencies have been installed, the next installation is for OSSEC HIDS. The source code for OSSEC is available on Github.

Check for the latest release before downloading. As of this writing, the latest is 3.1.0

export VER="3.1.0" wget https://github.com/ossec/ossec-hids/archive/${VER}.tar.gz

Once downloaded, extract the le with the following command:

tar -xvzf ${VER}.tar.gz

This extraction will create a folder, change to this folder and run the install script.

cd ossec-hids-${VER} sudo sh install.sh

1. Set language

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en

2. Press to continue

https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 1/6 9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks

OSSEC HIDS v3.1.0 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS. You must have a C compiler pre-installed in your system.

- System: Linux deb9 4.9.0-8-amd64 - User: root - Host: deb9

-- Press ENTER to continue or Ctrl-C to abort. --

3. Choose local installation type

What kind of installation do you want (server, agent, local, hybrid or he

With the local installation, you will be able to do everything the server does, except receiving remote messages from the agents or external syslog devices.

4. Choose where to install the OSSEC HIDS [/var/ossec], press enter to use /var/ossec

Installation will be made at /var/ossec .

5. Conguring the OSSEC HIDS

3.1- Do you want e-mail notification? (y/n) [y]: y - What's your e-mail address? [email protected] - What's your SMTP server ip/host? localhost

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user. More information at: http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 2/6 9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks

firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD). - They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response: - 192.168.121.1

- Do you want to add more IPs to the white list? (y/n)? [n]:

3.6- Setting the configuration to analyze the following logs: -- /var/log/messages -- /var/log/auth.log -- /var/log/syslog -- /var/log/mail.info -- /var/log/dpkg.log -- /var/log/apache2/error.log (apache log) -- /var/log/apache2/access.log (apache log)

- If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---

Press Enter to start the installation

The init script for managing OSSEC HIDS is /var/ossec/bin/ossec-control

To start the service, use:

$ sudo /var/ossec/bin/ossec-control start Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)... Started ossec-maild... Started ossec-execd... Started ossec-analysisd... Started ossec-logcollector... Started ossec-syscheckd...

https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 3/6 9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks

Started ossec-monitord... Completed.

And stop it by running

sudo /var/ossec/bin/ossec-control stop

You can further congure OSSEC HIDS by editing the conguration le:

sudo vim /var/ossec/etc/ossec.conf

The rules are located under the directory /var/ossec/rules/ . The rules for local system les are set on the le /var/ossec/rules/local_rules.xml

Check OSSEC Documentation for conguration options.

Don’t forget to restart OSSEC HIDS whenever you make a change

sudo /var/ossec/bin/ossec-control restart

Step 3: Install OSSEC Web UI

OSSEC HIDS has a simple web interface, but it needs to be installed.

git clone https://github.com/ossec/ossec-wui.git sudo mv ossec-wui /srv cd /srv/ossec-wui sudo ./setup.sh

Set Dashboard admin username/password and web server username

trap: SIGHUP: bad trap Setting up ossec ui...

Username: admin New password: Re-type new password: Adding password for user admin Enter your web server user name (e.g. apache, www, nobody, www-data, ... www-data You must restart your web server after this setup is done.

Setup completed successfully.

Create an Apache VirtualHost conguration le

sudo vim /etc/apache2/sites-enabled/ossec-wui.conf

Put the contents below into the le https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 4/6 9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks

DocumentRoot /srv/ossec-wui/ ServerName ossec.example.com ServerAlias www.ossec.example.com ServerAdmin [email protected]

Options +FollowSymlinks AllowOverride All Require all granted

ErrorLog /var/log/apache2/moodle-error.log CustomLog /var/log/apache2/moodle-access.log combined

Replace example.com with your domain name, save the le and exit.

Enable the Apache rewrite module

sudo a2enmod rewrite sudo systemctl restart apache2

$ sudo systemctl status apache2.service ● apache2.service - The Apache HTTP Server Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor p Active: active (running) since Fri 2018-11-23 09:05:56 UTC; 16s ago Process: 9504 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/ Process: 9511 ExecStart=/usr/sbin/apachectl start (code=exited, status= Main PID: 9516 (apache2) Tasks: 6 (limit: 4915) CGroup: /system.slice/apache2.service ├─9516 /usr/sbin/apache2 -k start ├─9517 /usr/sbin/apache2 -k start ├─9518 /usr/sbin/apache2 -k start ├─9519 /usr/sbin/apache2 -k start ├─9520 /usr/sbin/apache2 -k start └─9521 /usr/sbin/apache2 -k start

Nov 23 09:05:56 deb9 systemd[1]: Starting The Apache HTTP Server...

Open http://ossec.example.com in your web browser and authenticate to the dashboard.

https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 5/6 9/2/2019 How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 - Computing for Geeks

On Login. you should get a page like below:

This marks the end of install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9 article.

References:

OSSEC Manual/Documentation

Josphat Mutai

https://computingforgeeks.com/

Founder of Computingforgeeks. Expertise in Virtualization, Cloud Computing, Linux/UNIX systems, Programming,Storage systems,HA, Server Clustering e.t.c.

https://computingforgeeks.com/how-to-install-ossec-hids-on-ubuntu-18-04-16-04-debian-9/ 6/6