ossec开源入侵检测系统安装配置，文档对server/agent模式进行详细介绍，如果只有一台服务器，可以用local模式，这种方式安装更为简单。

 

OSSEC简要介绍： 
OSSEC 是一款开源的入侵检测系统，包括了日志分析，全面检测，rook-kit检测。作为一款HIDS，OSSEC应该被安装在一台实施监控的系统中。另外有时 候不需要安装完全版本的OSSEC，如果有多台电脑都安装了OSSEC，那么就可以采用客户端/服务器模式来运行。客户机通过客户端程序将数据发回到服务 器端进行分析。在一台电脑上对多个系统进行监控对于企业或者家庭用户来说都是相当经济实用的。

环境： 
server: fedora 16 x86_64 10.64.68.169

agent: centos 5.4 x86_64 10.64.68.168

ossec_version: 2.4.1

下载地址

wget http://www.ossec.net/files/ossec-hids-2.4.1.tar.gz

一、ossec server安装

1.解压安装

tar xvzf ossec-hids-2.4.1.tar.gz
cd ossec-hids-2.4.1

./install.sh

** Para instala??o em português, escolha [br].

** 要使用中文进行安装, 请选择 [cn].

** Fur eine deutsche Installation wohlen Sie [de].

** Για εγκατ?σταση στα Ελληνικ?, επιλ?ξτε [el].

** For installation in English, choose [en].

** Para instalar en Espa?ol , eliga [es].

** Pour une installation en fran?ais, choisissez [fr]

** Per l’installazione in Italiano, scegli [it].

** 日本語でインストールします．選択して下さい．[jp].

** Voor installatie in het Nederlands, kies [nl].

** Aby instalowa? w j?zyku Polskim, wybierz [pl].

** Для инструкций по установке на русском ,введите [ru].

** Za instalaciju na srpskom, izaberi [sr].

** Türk?e kurulum i?in se?in [tr].

(en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: #回车

OSSEC HIDS v2.4.1 Installation Script – http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.

You must have a C compiler pre-installed in your system.

If you have any questions or comments, please send an e-mail

to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux vh.hostcoming.com 2.6.18-164.15.1.el5

- User: root

- Host: ossec.gaojinbo.com

– Press ENTER to continue or Ctrl-C to abort. —

#回车

1- What kind of installation do you want (server, agent, local or help)? server #输入server

- Server installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]: #回车

- Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: #回车

- What’s your e-mail address? hugwww@163.com #输入woods2001@12.com，换成自己的邮箱地址

- We found your SMTP server as: smtp.126.com

- Do you want to use it? (y/n) [y]: #回车

— Using SMTP server: 163mx03.mxmail.netease.com.

3.2- Do you want to run the integrity check daemon? (y/n) [y]: #回车

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: #回车

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific

command based on the events received. For example,

you can block an IP address or disable access for

a specific user.

More information at:

http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: #回车

- Active response enabled.

- By default, we can enable the host-deny and the

firewall-drop responses. The first one will add

a host to the /etc/hosts.deny and the second one

will block the host on iptables (if linux) or on

ipfilter (if Solaris, FreeBSD or NetBSD).

- They can be used to stop SSHD brute force scans,

portscans and some other forms of attacks. You can

also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: #回车

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:

- 8.8.8.8

- Do you want to add more IPs to the white list? (y/n)? [n]: #回车

3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: #回车

- Remote syslog enabled.

3.6- Setting the configuration to analyze the following logs:

– /var/log/messages

– /var/log/secure

– /var/log/maillog

– /var/log/httpd/access_log (apache log)

- If you want to monitor any other file, just change

the ossec.conf and add a new localfile entry.

Any questions about the configuration can be answered

by visiting us online at http://www.ossec.net .

— Press ENTER to continue —

#回车

下面程序会自动进行安装，稍等片刻。。。

- System is Redhat Linux.

- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:

/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:

/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.

If you have any question, suggestion or if you find any bug,

contact us at contact@ossec.net or using our public maillist at

ossec-list@ossec.net

( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

— Press ENTER to finish (maybe more information below). —

#回车

- In order to connect agent and server, you need to add each agent to the server.

Run the ‘manage_agents’ to add or remove them:

/var/ossec/bin/manage_agents

More information at:

http://www.ossec.net/en/manual.html#ma

2.启动ossec

service ossec start

3.查看进程

ps aux|grep ossec

#出现以下内容，说明成功运行

root 1009 0.0 0.0 61196 732 pts/0 S+ 11:33 0:00 grep ossec

ossecm 32283 0.0 0.0 10256 552 ? S 10:48 0:00 /var/ossec/bin/ossec-maild

root 32287 0.0 0.0 5940 444 ? S 10:48 0:00 /var/ossec/bin/ossec-execd

ossec 32291 0.1 0.0 7356 2024 ? S 10:48 0:03 /var/ossec/bin/ossec-analysisd

root 32295 0.0 0.0 3984 496 ? S 10:48 0:00 /var/ossec/bin/ossec-logcollector

root 32307 1.2 0.0 4256 1072 ? S 10:48 0:33 /var/ossec/bin/ossec-syscheckd

ossec 32311 0.0 0.0 6192 520 ? S 10:48 0:00 /var/ossec/bin/ossec-monitord

 

二、ossec client安装

tar xvzf ossec-hids-2.4.1.tar.gz
cd ossec-hids-2.4.1

./install.sh

** Para instala??o em português, escolha [br].

** 要使用中文进行安装, 请选择 [cn].

** Fur eine deutsche Installation wohlen Sie [de].

** Για εγκατ?σταση στα Ελληνικ?, επιλ?ξτε [el].

** For installation in English, choose [en].

** Para instalar en Espa?ol , eliga [es].

** Pour une installation en fran?ais, choisissez [fr]

** Per l’installazione in Italiano, scegli [it].

** 日本語でインストールします．選択して下さい．[jp].

** Voor installatie in het Nederlands, kies [nl].

** Aby instalowa? w j?zyku Polskim, wybierz [pl].

** Для инструкций по установке на русском ,введите [ru].

** Za instalaciju na srpskom, izaberi [sr].

** Türk?e kurulum i?in se?in [tr].

(en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: #回车

OSSEC HIDS v2.4.1 Installation Script – http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.

You must have a C compiler pre-installed in your system.

If you have any questions or comments, please send an e-mail

to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux web 2.6.18-194.3.1.el5

- User: root

- Host: web.gaojinbo.com

– Press ENTER to continue or Ctrl-C to abort. —

#回车

1- What kind of installation do you want (server, agent, local or help)? agent #输入agent,回车

- Agent(client) installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]: #回车

- Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.

3.1- What’s the IP Address of the OSSEC HIDS server?: 10.64.68.169 #输入ossec server的ip,回车

3.2- Do you want to run the integrity check daemon? (y/n) [y]: #回车

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: #回车

- Running rootcheck (rootkit detection).

3.4 – Do you want to enable active response? (y/n) [y]: #回车

3.5- Setting the configuration to analyze the following logs:

– /var/log/messages

– /var/log/secure

– /var/log/maillog

- If you want to monitor any other file, just change

the ossec.conf and add a new localfile entry.

Any questions about the configuration can be answered

by visiting us online at http://www.ossec.net .

— Press ENTER to continue —

#回车

程序自动安装，稍等片刻。。。

- System is Redhat Linux.

- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:

/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:

/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.

If you have any question, suggestion or if you find any bug,

contact us at contact@ossec.net or using our public maillist at

ossec-list@ossec.net

( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

— Press ENTER to finish (maybe more information below). —

#回车

- You first need to add this agent to the server so they

can communicate with each other. When you have done so,

you can run the ‘manage_agents’ tool to import the

authentication key from the server.

/var/ossec/bin/manage_agents

More information at:

http://www.ossec.net/en/manual.html#ma

 

三、添加ossec client到ossec server

1.服务器端操作

/var/ossec/bin/manage_agents

****************************************

* OSSEC HIDS v2.4.1 Agent manager. *

* The following options are available: *

****************************************

(A)dd an agent (A).

(E)xtract key for an agent (E).

(L)ist already added agents (L).

(R)emove an agent (R).

(Q)uit.

Choose your action: A,E,L,R or Q: A #输入A，回车

- Adding a new agent (use ‘\q’ to return to the main menu).

Please provide the following:

* A name for the new agent: web #输入web，回车

* The IP Address of the new agent: 10.64.68.168 #输入10.64.68.168,这是client ip，回车

* An ID for the new agent[001]: #回车

Agent information:

ID:001

Name:web

IP Address:192.168.1.223

Confirm adding it?(y/n): y #回车

Agent added.

****************************************

* OSSEC HIDS v2.4.1 Agent manager. *

* The following options are available: *

****************************************

(A)dd an agent (A).

(E)xtract key for an agent (E).

(L)ist already added agents (L).

(R)emove an agent (R).

(Q)uit.

Choose your action: A,E,L,R or Q: E #输入E，回车

Available agents:

ID: 001, Name: web, IP: 192.168.1.223

Provide the ID of the agent to extract the key (or ‘\q’ to quit): 001 #输入001，回车

Agent key information for ’001′ is:

MDAxIHdlYiAxOTIuMTY4LjEuMjIzIDBhOTEwYjdlMzQ3ZjM2ZDQwNDI0\ YjUyYjMwNjVlMTU0ZDI5MGRhZjBmZDU3NDU3Yjg1YjgzMzBlNGJlNjY0MjE=

** Press ENTER to return to the main menu.

****************************************

* OSSEC HIDS v2.4.1 Agent manager. *

* The following options are available: *

****************************************

(A)dd an agent (A).

(E)xtract key for an agent (E).

(L)ist already added agents (L).

(R)emove an agent (R).

(Q)uit.

Choose your action: A,E,L,R or Q: q #输入q，回车

** You must restart the server for your changes to have effect.

manage_agents: Exiting ..

2.客户端操作

导入 key

/var/ossec/bin/manage_agents

****************************************

* OSSEC HIDS v2.4.1 Agent manager. *

* The following options are available: *

****************************************

(I)mport key from the server (I).

(Q)uit.

Choose your action: I or Q: i #输入i，回车

* Provide the Key generated by the server.

* The best approach is to cut and paste it.

*** OBS: Do not include spaces or new lines.

#将ossec server上’001′的key复制到下面，并按回车

Paste it here (or ‘\q’ to quit): MDAxIHdlYiAxOTIuMTY4LjEuMjIzIDBhOTEwYjdlMzQ3ZjM2ZDQwNDI0YjUy\ YjMwNjVlMTU0ZDI5MGRhZjBmZDU3NDU3Yjg1YjgzMzBlNGJlNjY0MjE=

Agent information:

ID:001

Name:web

IP Address:10.64.68.168

Confirm adding it?(y/n): y#输入y，回车

Added.

** Press ENTER to return to the main menu.

****************************************

* OSSEC HIDS v2.4.1 Agent manager. *

* The following options are available: *

****************************************

(I)mport key from the server (I).

(Q)uit.

Choose your action: I or Q: q

** You must restart the server for your changes to have effect.

manage_agents: Exiting ..

启动ossec

/var/ossec/bin/ossec-control start

查看端口

netstat -antup|grep ossec

#出现以下内容，说明成功运行

udp        0      0 10.64.68.168:54127          10.64.68.169:1514           ESTABLISHED 5421/ossec-agentd 

 

配置完成！