<p>download page and download whatever the latest version is.</p>
<p>To download the tarball, type:</p>
<pre><code>wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz
</code></pre>
<p>For the checksum file, type:</p>
<pre><code>wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2-checksum.txt
</code></pre>
<p>With both files downloaded, the next step is to verify the MD5 and SHA1 checksums of the tarball. Because the checksum file is fetched over plain HTTP from the same server as the tarball, this check catches a corrupted or truncated download; it cannot catch tampering by whoever controls that server or the network path, since they could replace both files. For the MD5 sum, type:</p>
<pre><code>md5sum -c ossec-hids-2.8.2-checksum.txt
</code></pre>
<p>The expected output is:</p>
<pre><code>ossec-hids-2.8.2.tar.gz: OK
md5sum: WARNING: 1 line is improperly formatted
</code></pre>
<p>The warning is expected: the checksum file contains both an MD5 line and a SHA1 line, and <code>md5sum</code> reports the SHA1 line, which it cannot parse, as improperly formatted. What matters is the <code>OK</code> on the first line. To verify the SHA1 hash, type:</p>
<pre><code>sha1sum -c ossec-hids-2.8.2-checksum.txt
</code></pre>
<p>And its expected output is:</p>
<pre><code>ossec-hids-2.8.2.tar.gz: OK
sha1sum: WARNING: 1 line is improperly formatted
</code></pre>
<h3>Step 3: Determine Your SMTP Server</h3>
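<p>One more note on the checksum step above before moving on. Those warnings appear because the checksum file carries both an MD5 line and a SHA1 line, and each tool flags the line it cannot parse. The script below is an added example, not part of the original article or of the OSSEC project: it hands each tool only its own lines and passes only when both digests match, assuming GNU coreutils or busybox <code>md5sum</code>/<code>sha1sum</code>, a POSIX <code>awk</code>, and a tarball that sits beside its checksum file; it builds a constructed sample to exercise itself.</p>

```shell
#!/bin/sh
# Added example (not from the original article or the OSSEC project).
# The OSSEC checksum file carries one MD5 line and one SHA1 line for the
# same tarball, so md5sum -c verifies its line and warns that the other is
# "improperly formatted" (sha1sum does the reverse). This function hands
# each tool only the lines it can parse and succeeds only if BOTH digests
# match. Assumes GNU coreutils or busybox md5sum/sha1sum and a POSIX awk.

verify_tarball() {
  sumfile=$1
  # The digest length identifies the algorithm: 32 hex chars = MD5, 40 = SHA1.
  md5_lines=$(awk 'length($1) == 32' "$sumfile")
  sha1_lines=$(awk 'length($1) == 40' "$sumfile")
  # Refuse to pass if either digest is absent: one algorithm is not enough.
  [ -n "$md5_lines" ] && [ -n "$sha1_lines" ] || return 2
  # Each line names the tarball relative to the checksum file, so check there.
  ( cd "$(dirname "$sumfile")" || exit 2
    printf '%s\n' "$md5_lines"  | md5sum  -c - >/dev/null 2>&1 &&
    printf '%s\n' "$sha1_lines" | sha1sum -c - >/dev/null 2>&1 )
}

# Constructed demo: a fake tarball plus a two-line checksum file in the
# article's layout. Verify it, then alter the tarball and verify again.
# Prints "0 1": the clean copy passes and the altered copy fails.
demo_checksum_check() {
  work=$(mktemp -d)
  tarball=ossec-hids-2.8.2.tar.gz
  sums=$work/ossec-hids-2.8.2-checksum.txt
  printf 'constructed sample tarball content\n' > "$work/$tarball"
  ( cd "$work" && md5sum "$tarball" > "$sums" && sha1sum "$tarball" >> "$sums" )
  if verify_tarball "$sums"; then clean=0; else clean=$?; fi
  printf 'x' >> "$work/$tarball"
  if verify_tarball "$sums"; then altered=0; else altered=$?; fi
  rm -rf "$work"
  echo "$clean $altered"
}

demo_checksum_check
```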
<p>During OSSEC’s installation process, you’ll be prompted to specify an SMTP server for your email address. If you don’t know what it is, the easiest way to find out is to run this command from your local machine against the domain part of your email address (replace <code>example.com</code> with everything after the <code>@</code> in your own address):</p>
<pre><code>dig -t mx example.com
</code></pre>
<p>The relevant section of the output is shown in the code block below. In this sample output, the SMTP server for the queried domain is at the end of the line: <strong>mail.vivaldi.net.</strong> Note that the trailing dot is part of the name.</p>
<pre><code>;; ANSWER SECTION:
vivaldi.net. 300 IN MX 10 mail.vivaldi.net.
</code></pre>
<h3>Step 4: Install OSSEC</h3>
<p>To install OSSEC, you first need to unpack the tarball, which you do by typing:</p>
<pre><code>tar xf ossec-hids-2.8.2.tar.gz
</code></pre>
<p>It will be unpacked into a directory that bears the name and version of the program. Change, or <code>cd</code>, into it. OSSEC 2.8.2, the version installed for this article, has a minor bug that needs to be fixed before starting the installation. By the time the next stable version is released, which should be OSSEC 2.9, this should not be necessary, because the fix is already in the master branch. Fixing it for OSSEC 2.8.2 just means editing one file, which is found in the <code>active-response</code> directory. The file is <code>hosts-deny.sh</code>, so open it using:</p>
<pre><code>nano active-response/hosts-deny.sh
</code></pre>
<p>Towards the end of the file, look for this block of code:</p>
<pre><code># Deleting from hosts.deny
elif [ "x$" = "xdelete" ]; then
 lock;
 TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
 if [ "X$" = "X" ]; then
 # Cheap fake tmpfile, but should be harder then no random data
 TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
 fi
</code></pre>
<p>On the lines that start with <strong>TMP_FILE</strong>, delete the spaces around the <strong>=</strong> sign. With the spaces in place, the shell parses <code>TMP_FILE</code> as a command name rather than an assignment, so the variable is never set. After removing the spaces, that portion of the file should look like the block of code below. Save and close the file.</p>
<pre><code># Deleting from hosts.deny
elif [ "x$" = "xdelete" ]; then
 lock;
 TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
 if [ "X$" = "X" ]; then
 # Cheap fake tmpfile, but should be harder then no random data
 TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
 fi
</code></pre>
<p>Now that the fix is in, we can start the installation process, which you do by typing:</p>
<pre><code>sudo ./install.sh
</code></pre>
<p>Throughout the installation process, you’ll be prompted to provide some input. In most cases, you only have to press <strong>ENTER</strong> to accept the default. First, you’ll be prompted to select the installation language, which by default is English (en). Press <strong>ENTER</strong> if that’s your preferred language; otherwise, enter the two-letter code from the list of supported languages. Afterwards, press <strong>ENTER</strong> again.</p>
<p>The first question asks what type of installation you want. Here, enter <strong>local</strong>.</p>
<pre><code>1- What kind of installation do you want (server, agent, local, hybrid or help)? local
</code></pre>
<p>For subsequent questions, press <strong>ENTER</strong> to accept the default. Question 3.1 will prompt you for your email address and then for your SMTP server. For that question, enter a valid email address and the SMTP server you determined in Step 3.</p>
<pre><code>3- Configuring the OSSEC HIDS.

 3.1- Do you want e-mail notification? (y/n) [y]: 
 - What's your e-mail address? you@example.com
 - What's your SMTP server ip/host?
</code></pre>
<p>If installation is successful, you should see this output:</p>
<pre><code> - Configuration finished properly.

...

 More information can be found at http://www.ossec.net

 --- Press ENTER to finish (maybe more information below). ---
</code></pre>
<p>Press <strong>ENTER</strong> to finish the installation.</p>
<h3>Step 5: Start OSSEC</h3>
<p>OSSEC has been installed, but not started. To start it, first switch to the root account.</p>
<pre><code>sudo su
</code></pre>
<p>Then, start it by issuing the following command.</p>
<pre><code>/var/ossec/bin/ossec-control start
</code></pre>
<p>Afterwards, check your inbox. There should be an alert from OSSEC informing you that it has been started. With that, you now know that OSSEC is installed and will send alerts as needed.</p>
<h3>Step 6: Customize OSSEC</h3>
<p>The default configuration of OSSEC works fine, but there are settings you can tweak to make it protect your server better. The first file to customize is the main configuration file, <code>ossec.conf</code>, which you’ll find in the <code>/var/ossec/etc</code> directory. Open the file:</p>
<pre><code>nano /var/ossec/etc/ossec.conf
</code></pre>
<p>The first item to verify is an email setting, which you’ll find in the <strong>global</strong> section of the file:</p>
<pre><code>&lt;global&gt;
 &lt;email_notification&gt;yes&lt;/email_notification&gt;
 &lt;email_to&gt;finid@vivaldi.net&lt;/email_to&gt;
 &lt;smtp_server&gt;mail.vivaldi.net.&lt;/smtp_server&gt;
 &lt;email_from&gt;ossecm@aklwebhost.guest&lt;/email_from&gt;
&lt;/global&gt;
</code></pre>
<p>Make sure that the <strong>email_from</strong> address is a valid email address. Otherwise, some email providers’ SMTP servers will mark alerts from OSSEC as spam. If the FQDN of the server is not set, the domain part of the address defaults to the hostname of the server, so this is a setting you really want to point at a valid email address.</p>
<p>Another setting that you want to customize, especially while testing the system, is the frequency with which OSSEC runs its audits. That setting is in the <strong>syscheck</strong> section, and by default the audit runs every 22 hours. To test OSSEC’s alerting features, you might want to set it to a lower value, but reset it to the default afterwards.</p>
<pre><code>&lt;syscheck&gt;
 &lt;!-- Frequency that syscheck is executed - default to every 22 hours --&gt;
 &lt;frequency&gt;79200&lt;/frequency&gt;
</code></pre>
<p>By default, OSSEC does not alert when a new file is added to the server. To change that, add a new tag just under the <strong>&lt;frequency&gt;</strong> tag. When completed, the section should contain:</p>
<pre><code>&lt;syscheck&gt;
 &lt;!-- Frequency that syscheck is executed - default to every 22 hours --&gt;
 &lt;frequency&gt;79200&lt;/frequency&gt;

 &lt;alert_new_files&gt;yes&lt;/alert_new_files&gt;
</code></pre>
<p>One last setting that’s good to change is the list of directories that OSSEC should check. You’ll find it right after the previous setting. By default, the directories are shown as:</p>
<pre><code>&lt;!-- Directories to check (perform all possible verifications) --&gt;
 &lt;directories check_all="yes"&gt;/etc,/usr/bin,/usr/sbin&lt;/directories&gt;
 &lt;directories check_all="yes"&gt;/bin,/sbin&lt;/directories&gt;
</code></pre>
<p>Modify both lines to make OSSEC report changes in real time. When finished, they should read:</p>
<pre><code>&lt;directories report_changes="yes" realtime="yes" check_all="yes"&gt;/etc,/usr/bin,/usr/sbin&lt;/directories&gt;
&lt;directories report_changes="yes" realtime="yes" check_all="yes"&gt;/bin,/sbin&lt;/directories&gt;
</code></pre>
<p>Save and close the file.</p>
<p>The next file that we’ll need to modify is <code>local_rules.xml</code> in the <code>/var/ossec/rules</code> directory. So <code>cd</code> into that directory:</p>
<pre><code>cd /var/ossec/rules
</code></pre>
<p>That directory holds OSSEC’s rule files, none of which should be modified except the <code>local_rules.xml</code> file, which is where custom rules go. The rule we need to override is the one that fires when a new file is added. That rule, numbered <strong>554</strong>, does not trigger an alert by default, because OSSEC does not send alerts for rules whose level is set to zero.</p>
<p>Here’s what rule 554 looks like by default.</p>
<pre><code>&lt;rule id="554" level="0"&gt;
 &lt;category&gt;ossec&lt;/category&gt;
 &lt;decoded_as&gt;syscheck_new_entry&lt;/decoded_as&gt;
 &lt;description&gt;File added to the system.&lt;/description&gt;
 &lt;group&gt;syscheck,&lt;/group&gt;
&lt;/rule&gt;
</code></pre>
<p>We need to add a modified version of that rule to the <code>local_rules.xml</code> file. That modified version, with the level raised to 7 and <code>overwrite="yes"</code> so that it replaces the built-in rule, is given in the block of code below. Copy it and add it to the bottom of the file, just before the closing <code>&lt;/group&gt;</code> tag.</p>
<pre><code>&lt;rule id="554" level="7" overwrite="yes"&gt;
 &lt;category&gt;ossec&lt;/category&gt;
 &lt;decoded_as&gt;syscheck_new_entry&lt;/decoded_as&gt;
 &lt;description&gt;File added to the system.&lt;/description&gt;
 &lt;group&gt;syscheck,&lt;/group&gt;
&lt;/rule&gt;
</code></pre>
<p>Save and close the file, then restart OSSEC.</p>
<pre><code>/var/ossec/bin/ossec-control restart
</code></pre>
<p>OSSEC is a very powerful piece of software, and this article just touched on the basics. You will find more customization settings in the official documentation.</p>