This article describes how to install OSSEC HIDS on Ubuntu 18.04, Ubuntu 16.04 and Debian 9.
OSSEC is an open-source host-based intrusion detection system (HIDS) that runs on Linux, OpenBSD, Solaris, FreeBSD, Windows and other systems. It uses a server/agent model: agents collect data from the hosts they run on and the server analyzes it, giving you log analysis, policy monitoring, file integrity checking, real-time alerting, rootkit detection and active response. OSSEC combines HIDS, log monitoring and SIM/SIEM functions, and a simple Web UI is available for managing it.
1. Install OSSEC dependencies

OSSEC itself only needs a C compiler and make. PHP and the Apache web server are for the OSSEC Web UI installed in section 3; that UI is fetched with git, so install git as well, and install apache2 explicitly so that the apache2 service unit is present. Install everything with:

sudo apt install -y wget unzip make gcc build-essential git
sudo apt install -y apache2 php php-cli php-common libapache2-mod-php apache2-utils sendmail inotify-tools

sendmail is used for the e-mail notifications configured during installation.
2. Install OSSEC HIDS on Ubuntu 18.04/Debian 9

With the dependencies installed, the next step is OSSEC HIDS itself. Check the ossec-hids release page for the latest version before downloading; at the time of writing it is 3.1.0:

wget https://github.com/ossec/ossec-hids/archive/3.1.0.tar.gz

Compare the archive against the checksum published for that release before going further: install.sh runs as root, so do not run it from an archive you have not verified. Then unpack it:

tar -xvzf 3.1.0.tar.gz

Extraction creates a directory; change into it and run the install script:

cd ossec-hids-3.1.0
sudo sh install.sh

The script asks a series of questions.

1. Set the language:

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en

2. Press ENTER to continue:

OSSEC HIDS v3.1.0 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
- System: Linux deb9 4.9.0-8-amd64
- User: root
- Host: deb9
-- Press ENTER to continue or Ctrl-C to abort. --

3. Choose the local installation type:

What kind of installation do you want (server, agent, local, hybrid or help)? local

A local installation can do everything a server installation does, except receive remote messages from agents or external syslog devices.

4. Choose where to install OSSEC HIDS [/var/ossec]; press ENTER to accept /var/ossec:

Installation will be made at /var/ossec .

5. Configure OSSEC HIDS:

3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? admin@example.com
- What's your SMTP server ip/host? localhost
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user. More information at: http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: y
- Active response enabled.
- By default, we can enable the host-deny and the firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]: y
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- 192.168.121.1
- Do you want to add more IPs to the white list? (y/n)? [n]:

Answer y to the white-list question and add the address you administer the host from. Whitelisted addresses are never blocked by active response; without yours, a few failed SSH logins from your own workstation are enough for firewall-drop to lock you out. More addresses can be added later as <white_list> entries in the <global> section of ossec.conf.

3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/dpkg.log
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)
- If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---

Press ENTER to start the installation.

The init script for managing OSSEC HIDS is /var/ossec/bin/ossec-control. To start the service, use:

$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

and stop it with:

sudo /var/ossec/bin/ossec-control stop

You can configure OSSEC HIDS further by editing its configuration file:

sudo vim /var/ossec/etc/ossec.conf

The rules live in /var/ossec/rules/; rules specific to this system go in /var/ossec/rules/local_rules.xml, which is kept across upgrades. Whenever you change the configuration or the rules, remember to restart OSSEC HIDS:

sudo /var/ossec/bin/ossec-control restart
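The procedure in sections 1 and 2 as one unattended script, added here as an example; it is not part of the original article or of the OSSEC project. It records the installer answers above in etc/preloaded-vars.conf (which install.sh reads from the source tree when it exists), verifies the downloaded archive before the installer is run as root, puts the administrator address on the active response white list, appends one more log source to ossec.conf, and checks that the ruleset recognises an SSH brute-force line with ossec-logtest. The checksum, administrator address, e-mail address and the nginx log path are assumptions you must replace with your own values; the installation itself runs only when OSSEC_DO_INSTALL=1 is set, because it needs root and the network.

```shell
#!/bin/sh
# Added example, not from the original article or the OSSEC project: the
# interactive install above as an unattended, repeatable script for
# Debian/Ubuntu. Lines marked ASSUMPTION are values you must set yourself.
set -eu

OSSEC_VERSION="3.1.0"
OSSEC_URL="https://github.com/ossec/ossec-hids/archive/${OSSEC_VERSION}.tar.gz"
# ASSUMPTION: the SHA-256 of the archive as published for the release. The
# placeholder is deliberately invalid so an unset value can never verify.
OSSEC_SHA256="${OSSEC_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
# ASSUMPTION: where alerts go.
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@example.com}"
# ASSUMPTION: the address you administer from. It must be on the active
# response white list, or firewall-drop can block you after a few failed logins.
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"

# Refuse to use an archive whose digest does not match the expected value.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Write the answers the interactive installer asks for. install.sh reads
# etc/preloaded-vars.conf from the unpacked source tree when it exists;
# these are the variable names that file documents.
gen_preloaded_vars() {
    cat > "$1" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="local"
USER_DIR="/var/ossec"
USER_ENABLE_EMAIL="y"
USER_EMAIL_ADDRESS="${ADMIN_EMAIL}"
USER_EMAIL_SMTP="localhost"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_FIREWALL_RESPONSE="y"
USER_WHITE_LIST="${ADMIN_IP}"
USER_AUTO_START="n"
EOF
}

# Append one more log source to ossec.conf. OSSEC accepts several
# <ossec_config> blocks in one file, so appending a block is safe.
add_localfile() {
    conf="$1"; location="$2"; format="${3:-syslog}"
    cat >> "$conf" <<EOF

<ossec_config>
  <localfile>
    <log_format>${format}</log_format>
    <location>${location}</location>
  </localfile>
</ossec_config>
EOF
}

install_ossec() {
    apt-get install -y wget make gcc build-essential sendmail inotify-tools
    wget -q -O "ossec-${OSSEC_VERSION}.tar.gz" "$OSSEC_URL"
    verify_sha256 "ossec-${OSSEC_VERSION}.tar.gz" "$OSSEC_SHA256" || {
        echo "checksum mismatch, refusing to install" >&2; exit 1; }
    tar -xzf "ossec-${OSSEC_VERSION}.tar.gz"
    gen_preloaded_vars "ossec-hids-${OSSEC_VERSION}/etc/preloaded-vars.conf"
    (cd "ossec-hids-${OSSEC_VERSION}" && sh install.sh)
    # ASSUMPTION: nginx is installed; replace with the log you actually need.
    add_localfile /var/ossec/etc/ossec.conf /var/log/nginx/error.log syslog
    /var/ossec/bin/ossec-control start
    /var/ossec/bin/ossec-control status
    # Confirm the ruleset sees a brute-force attempt before relying on it
    # (constructed log line; ossec-logtest prints the rule that matched).
    echo 'Dec  1 10:00:00 deb9 sshd[1234]: Failed password for root from 203.0.113.5 port 4422 ssh2' \
        | /var/ossec/bin/ossec-logtest
}

# The steps above need root and network access; run them only when asked to.
if [ "${OSSEC_DO_INSTALL:-0}" = "1" ]; then
    install_ossec
fi
```

Run it as OSSEC_SHA256=... ADMIN_IP=... OSSEC_DO_INSTALL=1 sh install-ossec.sh as root. Keeping the answers in a file rather than typing them means the white list, e-mail and log sources are identical on every host you build, and the checksum step is what stops a tampered archive from being unpacked and executed with root privileges.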
3. Install the OSSEC Web UI

OSSEC HIDS has a simple web interface that is installed separately:

git clone https://github.com/ossec/ossec-wui.git
sudo mv ossec-wui /srv
cd /srv/ossec-wui
sudo ./setup.sh

Set the admin username/password and the web server user name (the "trap: SIGHUP: bad trap" line comes from running the script under Debian's dash and can be ignored):

trap: SIGHUP: bad trap
Setting up ossec ui...
Username: admin
New password: <ENTER PASSWORD>
Re-type new password: <CONFIRM PASSWORD>
Adding password for user admin
Enter your web server user name (e.g. apache, www, nobody, www-data, ...) www-data
You must restart your web server after this setup is done.
Setup completed successfully.

setup.sh creates the .htaccess/.htpasswd pair that enforces HTTP Basic authentication and gives the web server user the group membership and tmp/ permissions it needs to read the OSSEC installation.

Create the Apache VirtualHost configuration file (on Debian/Ubuntu, write it to sites-available and enable it with a2ensite rather than editing sites-enabled directly):

sudo vim /etc/apache2/sites-available/ossec-wui.conf

Put the following content in the file:

<VirtualHost *:80>
DocumentRoot /srv/ossec-wui/
ServerName ossec.example.com
ServerAlias www.ossec.example.com
ServerAdmin admin@example.com
<Directory /srv/ossec-wui/>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/log/apache2/ossec-wui-error.log
CustomLog /var/log/apache2/ossec-wui-access.log combined
</VirtualHost>

Note: replace example.com with your own domain, then save the file and exit. AllowOverride All is what lets the .htaccess written by setup.sh enforce the login. This VirtualHost serves the UI over plain HTTP, so the Basic-auth password crosses the network in cleartext; on anything other than an isolated lab host, put the UI behind TLS and restrict access to your administration network.

Enable the site and the Apache rewrite module, then restart Apache and check its status:

sudo a2enmod rewrite
sudo a2ensite ossec-wui
sudo systemctl restart apache2
sudo systemctl status apache2.service
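The VirtualHost above, rewritten the way it would be deployed outside a lab, as an added example that is not from the original article or the ossec-wui project. The script writes a site that redirects port 80 to HTTPS, serves the UI only over TLS, and requires both a source address inside the administration network and a valid Basic-auth user; the authentication is configured in the vhost itself so AllowOverride can be turned off, and a small check function refuses any vhost that still serves the document root on port 80. The hostname, administration network, certificate paths and the location of the .htpasswd created by setup.sh are assumptions; the deploy step runs only when OSSEC_WUI_DEPLOY=1 is set, as root.

```shell
#!/bin/sh
# Added example, not from the original article or the ossec-wui project: a
# hardened replacement for the plain-HTTP VirtualHost shown above. The UI
# relies on HTTP Basic authentication, so without TLS the password crosses the
# wire in cleartext. Lines marked ASSUMPTION are values you must supply.
set -eu

# ASSUMPTION: hostname, administration network and certificate paths.
SERVER_NAME="${SERVER_NAME:-ossec.example.com}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
CERT_FILE="${CERT_FILE:-/etc/ssl/certs/ossec-wui.pem}"
KEY_FILE="${KEY_FILE:-/etc/ssl/private/ossec-wui.key}"
# ASSUMPTION: the password file setup.sh created in the UI directory.
HTPASSWD_FILE="${HTPASSWD_FILE:-/srv/ossec-wui/.htpasswd}"

# Port 80 only redirects; the UI is served on 443 and requires BOTH a source
# address in the admin network AND a valid user (RequireAll). Auth directives
# live here, so AllowOverride is off and no .htaccess can relax them.
write_ossec_wui_vhost() {
    cat > "$1" <<EOF
<VirtualHost *:80>
    ServerName ${SERVER_NAME}
    Redirect permanent / https://${SERVER_NAME}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${SERVER_NAME}
    DocumentRoot /srv/ossec-wui/
    SSLEngine on
    SSLCertificateFile ${CERT_FILE}
    SSLCertificateKeyFile ${KEY_FILE}
    Header always set Strict-Transport-Security "max-age=31536000"
    <Directory /srv/ossec-wui/>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        AuthType Basic
        AuthName "OSSEC Web UI"
        AuthUserFile ${HTPASSWD_FILE}
        <RequireAll>
            Require ip ${ADMIN_NET}
            Require valid-user
        </RequireAll>
    </Directory>
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
    ErrorLog /var/log/apache2/ossec-wui-error.log
    CustomLog /var/log/apache2/ossec-wui-access.log combined
</VirtualHost>
EOF
}

# Sanity check before enabling: TLS must be on, and the *:80 vhost must not
# serve the document root (a DocumentRoot there means cleartext logins).
vhost_is_tls_only() {
    grep -q 'SSLEngine on' "$1" && awk '
        /<VirtualHost \*:80>/  { in80 = 1 }
        /<\/VirtualHost>/      { in80 = 0 }
        in80 && /DocumentRoot/ { bad = 1 }
        END { exit bad }' "$1"
}

deploy_vhost() {
    conf=/etc/apache2/sites-available/ossec-wui.conf
    write_ossec_wui_vhost "$conf"
    vhost_is_tls_only "$conf"
    a2enmod ssl headers          # mod_ssl for TLS, mod_headers for HSTS
    a2ensite ossec-wui
    apache2ctl configtest        # fails loudly on a bad cert path or typo
    systemctl reload apache2
}

# Needs root and a real certificate; run only when explicitly requested.
if [ "${OSSEC_WUI_DEPLOY:-0}" = "1" ]; then
    deploy_vhost
fi
```

With AllowOverride None, the .htaccess that setup.sh wrote is ignored and only the .htpasswd it created is reused, so the effective policy is exactly what the vhost states. Drop the Require ip line only if the UI genuinely has to be reachable from arbitrary networks; the Basic-auth login then becomes the only barrier, and it should at least be rate-limited by OSSEC's own Apache rules.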
Open http://ossec.example.com (replace it with your own domain) in a web browser and authenticate:
After logging in you are taken to the management panel:
That completes the installation of OSSEC HIDS on Ubuntu 18.04/Debian 9.