Step 4: Install OSSEC<\/h3>\n

To install OSSEC, you first need to unpack the tarball, which you do by typing:<\/p>\n

tar xf ossec-hids-2.8.2.tar.gz\r\n<\/code><\/pre>\n
It will be unpacked into a directory that bears the name and version of the program. Change or cd<\/code> into it. OSSEC 2.8.2, the version installed for this article, has a minor bug that needs to be fixed before starting the installation. By the time the next stable version is released, which should be OSSEC 2.9, this should not be necessary, because the fix is already in the master branch. Fixing it for OSSEC 2.8.2 just means editing one file, which is found in the active-response<\/code> directory. The file is hosts-deny.sh<\/code>, so open it using:<\/p>\n
nano active-response\/hosts-deny.sh\r\n<\/code><\/pre>\n
Towards the end of the file, look for this block of code:<\/p>\n
# Deleting from hosts.deny\r\nelif [ \"x$\" = \"xdelete\" ]; then\r\n   lock;\r\n   TMP_FILE = `mktemp \/var\/ossec\/ossec-hosts.XXXXXXXXXX`\r\n   if [ \"X$\" = \"X\" ]; then\r\n      # Cheap fake tmpfile, but should be harder then no random data\r\n      TMP_FILE = \"\/var\/ossec\/ossec-hosts.`cat \/dev\/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `\"\r\n   fi\r\n<\/code><\/pre>\n
On the lines that start with TMP_FILE<\/strong>, delete the spaces around the =<\/strong> sign. After removing the spaces, that portion of the file should be as shown in the block of code below. Save and close the file.<\/p>\n
# Deleting from hosts.deny\r\nelif [ \"x$\" = \"xdelete\" ]; then\r\n   lock;\r\n   TMP_FILE=`mktemp \/var\/ossec\/ossec-hosts.XXXXXXXXXX`\r\n   if [ \"X$\" = \"X\" ]; then\r\n      # Cheap fake tmpfile, but should be harder then no random data\r\n      TMP_FILE=\"\/var\/ossec\/ossec-hosts.`cat \/dev\/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `\"\r\n   fi\r\n<\/code><\/pre>\n
Now that the fix is in, we can start the installation process, which you do by typing:<\/p>\n
sudo .\/install.sh\r\n<\/code><\/pre>\n
Throughout the installation process, you’ll be prompted to provide some input. In most cases, you only have to press ENTER<\/strong> to accept the default. First, you’ll be prompted to select the installation language, which by default, is English (en). So press ENTER<\/strong> if that’s your preferred language. Otherwise, input the 2 letters from the list of supported languages. Afterwards, press ENTER<\/strong> again.<\/p>\n
The first question will ask you what type of installation you want. Here, enter local<\/strong>.<\/p>\n
1- What kind of installation do you want (server, agent, local, hybrid or help)? local\r\n<\/code><\/pre>\n
For subsequent questions, press ENTER<\/strong> to accept the default. Question 3.1 will prompt you for your email address and then ask for your SMTP server. For that question, enter a valid email address and the SMTP server you determined in Step 3.<\/p>\n
3- Configuring the OSSEC HIDS.\r\n\r\n   3.1- Do you want e-mail notification? (y\/n) [y]: \r\n      - What's your e-mail address? you@example.com\r\n      - What's your SMTP server ip\/host?\r\n<\/code><\/pre>\n
If installation is successful, you should see this output:<\/p>\n
- Configuration finished properly.\r\n\r\n...\r\n\r\n    More information can be found at http:\/\/www.ossec.net\r\n\r\n    ---  Press ENTER to finish (maybe more information below). ---\r\n<\/code><\/pre>\n
Press ENTER<\/strong> to finish the installation.<\/p>\n
Step 5: Start OSSEC<\/h3>\n
OSSEC has been installed, but not started. To start it, first switch to the root account.<\/p>\n
sudo su\r\n<\/code><\/pre>\n
Then, start it by issuing the following command.<\/p>\n
\/var\/ossec\/bin\/ossec-control start\r\n<\/code><\/pre>\n
Afterwards, check your Inbox. There should be an alert from OSSEC informing you that it has been started. With that, you now know that OSSEC is installed and will be sending alerts as needed.<\/p>\n
Step 6: Customize OSSEC<\/h3>\n
The default configuration of OSSEC works fine, but there are settings you can tweak to make it protect your server better. The first file to customize is the main configuration file – ossec.conf<\/code>, which you’ll find in the \/var\/ossec\/etc<\/code> directory. Open the file:<\/p>\n
nano \/var\/ossec\/etc\/ossec.conf\r\n<\/code><\/pre>\n
The first item to verify is an email setting, which you’ll find in the global<\/strong> section of the file:<\/p>\n
<global>\r\n   <email_notification>yes<\/email_notification>\r\n   <email_to>finid@vivaldi.net<\/email_to>\r\n   <smtp_server>mail.vivaldi.net.<\/smtp_server>\r\n   <email_from>ossecm@aklwebhost.guest<\/email_from>\r\n<\/global>\r\n<\/code><\/pre>\n
Make sure that the email_from<\/strong> address is a valid email. Otherwise, some email provider’s SMTP server’s will mark alerts from OSSEC as Spam. If the FQDN of the server is not set, the domain part of the email is set to the hostname of the server, so this is a setting that you really want to have a valid email address.<\/p>\n
Another setting that you want to customize, especially while testing the system, is the frequency with which OSSEC runs its audits. That setting is in the syscheck<\/strong> section, and, by default, it is run every 22 hours. To test OSSEC’s alerting features, you might want to set it to a lower value, but reset it to the default afterwards.<\/p>\n
<syscheck>\r\n   <!-- Frequency that syscheck is executed - default to every 22 hours -->\r\n   <frequency>79200<\/frequency>\r\n<\/code><\/pre>\n
By default, OSSEC does not alert when a new file is added to the server. To change that, add a new tag just under the < frequency ><\/strong> tag. When completed, the section should now contain:<\/p>\n
<syscheck>\r\n   <!-- Frequency that syscheck is executed - default to every 22 hours -->\r\n   <frequency>79200<\/frequency>\r\n\r\n   <alert_new_files>yes<\/alert_new_files>\r\n<\/code><\/pre>\n
One last setting that’s good to change is in the list to directories that OSSEC should check. You’ll find them right after the previous setting. Be default, the directories are shown as:<\/p>\n
<!-- Directories to check  (perform all possible verifications) -->\r\n   <directories check_all=\"yes\">\/etc,\/usr\/bin,\/usr\/sbin<\/directories>\r\n   <directories check_all=\"yes\">\/bin,\/sbin<\/directories>\r\n<\/code><\/pre>\n
Modify both lines to make OSSEC report changes in real-time. When finished, they should read:<\/p>\n
<directories report_changes=\"yes\" realtime=\"yes\" check_all=\"yes\">\/etc,\/usr\/bin,\/usr\/sbin<\/directories>\r\n<directories report_changes=\"yes\" realtime=\"yes\" check_all=\"yes\">\/bin,\/sbin<\/directories>\r\n<\/code><\/pre>\n
Save and close the file.<\/p>\n
The next file that we’ll need to modify is local_rules.xml<\/code> in the \/var\/ossec\/rules<\/code> directory. So cd<\/code> into that directory:<\/p>\n
cd \/var\/ossec\/rules\r\n<\/code><\/pre>\n
That directory holds OSSEC’s rule files, none of which should be modified, except the local_rules.xml<\/code> file. In that file, we add custom rules. The rule we need to add is the one that fires when a new file is added. That rule, numbered 554<\/strong>, does not trigger an alert by default. That’s because OSSEC does not send out alerts when a rule with level set to zero is triggered.<\/p>\n
Here’s what rule 554 looks like by default.<\/p>\n
 <rule id=\"554\" level=\"0\">\r\n    <category>ossec<\/category>\r\n    <decoded_as>syscheck_new_entry<\/decoded_as>\r\n    <description>File added to the system.<\/description>\r\n    <group>syscheck,<\/group>\r\n <\/rule>\r\n<\/code><\/pre>\n
We need to add a modified version of that rule in the local_rules.xml<\/code> file. That modified version is given in the block of code below. Copy and add it to the bottom of the file just before the closing tag.<\/p>\n
 <rule id=\"554\" level=\"7\" overwrite=\"yes\">\r\n    <category>ossec<\/category>\r\n    <decoded_as>syscheck_new_entry<\/decoded_as>\r\n    <description>File added to the system.<\/description>\r\n    <group>syscheck,<\/group>\r\n <\/rule>\r\n<\/code><\/pre>\n
Save and close the file, then restart OSSEC.<\/p>\n
\/var\/ossec\/bin\/ossec-control restart\r\n<\/code><\/pre>\n
More Information<\/h3>\n
OSSEC is a very powerful piece of software, and this article just touched on the basics. You will find more customization settings in the official documentation<\/a>.<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","manualknowledgebasecat":[231,242],"manual_kb_tag":[],"_links":{"self":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/3206"}],"collection":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb"}],"about":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/types\/manual_kb"}],"author":[{"embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/comments?post=3206"}],"version-history":[{"count":1,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/3206\/revisions"}],"predecessor-version":[{"id":3207,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/3206\/revisions\/3207"}],"wp:attachment":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/media?parent=3206"}],"wp:term":[{"taxonomy":"manualknowledgebasecat","embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manualknowledgebasecat?post=3206"},{"taxonomy":"manual_kb_tag","embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb_tag?post=3206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}