Install OSSEC on CentOS

1. Download OSSEC:

wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz

tar -zxvf ossec-hids-2.7.tar.gz

cd ossec-hids-2.7

./install.sh

Controlling the service:

/var/ossec/bin/ossec-control start

/var/ossec/bin/ossec-control stop

Edit the configuration file:

vi /var/ossec/etc/ossec.conf

Installing an agent:

Authorizing agents (run on the OSSEC server):

/var/ossec/bin/manage_agents

1. Add an agent: press A

2. Extract the key for an agent: press E

CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

Copy the agent key, then log in to the agent machine and run:

/var/ossec/bin/manage_agents

a. Import the key: press I

b. Paste the key:

CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

/var/ossec/bin/ossec-control start

Now restart the OSSEC server (you have to restart the server every time you add an agent).
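Before pasting a key into manage_agents on the agent, it is worth checking that it really is the key for that host. The key printed by option E is just the base64 encoding of one client.keys line ("<id> <name> <ip> <secret>"), so it can be decoded and compared. The following is an added example, not part of the original post or of OSSEC itself; the function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check an OSSEC agent key before importing it with
# "manage_agents" (option I). The key printed by option E is the base64
# encoding of one client.keys line:  "<id> <name> <ip> <secret>".
# Nothing here is OSSEC project code; the sample key below is constructed.

# Print the four fields of a key, one per line. Fails (non-zero) if the
# text is not valid base64 or does not decode to exactly four fields.
ossec_key_fields() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    set -- $decoded
    [ $# -eq 4 ] || return 1
    printf '%s\n' "$1" "$2" "$3" "$4"
}

# Return 0 when the key belongs to the agent you expect (name and IP),
# has a numeric ID and a non-empty secret; 1 otherwise. A key issued for
# a different IP imports without complaint, but the server then refuses
# that agent's messages, so catching the mix-up here saves a debugging round.
ossec_key_matches() {
    key=$1 want_name=$2 want_ip=$3
    fields=$(ossec_key_fields "$key") || return 1
    id=$(printf '%s\n' "$fields" | sed -n 1p)
    name=$(printf '%s\n' "$fields" | sed -n 2p)
    ip=$(printf '%s\n' "$fields" | sed -n 3p)
    secret=$(printf '%s\n' "$fields" | sed -n 4p)
    case $id in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$secret" ] || return 1
    [ "$name" = "$want_name" ] && [ "$ip" = "$want_ip" ]
}

# Constructed sample: what the server would print for agent 001 "linux1"
# at 192.168.0.32 (the secret is made up).
SAMPLE_KEY=$(printf '%s' '001 linux1 192.168.0.32 9c90cec3f0a1b2c3d4e5f60718293a4b' | base64 | tr -d '\n')

if ossec_key_matches "$SAMPLE_KEY" linux1 192.168.0.32; then
    echo "key is for linux1/192.168.0.32: safe to import"
else
    echo "key does not match the agent you authorised" >&2
fi
```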

 

Troubleshooting:

Error executing analysisd:

There is a small bug in version 2.6: the logtest directory is missing. Run the command below to fix it.

ln -s /var/ossec/bin/ossec-logtest /var/ossec/ossec-logtest

 

Tips & Tricks:

Sending email alerts for a particular rule ID to a different address:

<email_alerts>
        <email_to>admin@yourdomain.com</email_to>
        <rule_id>31430</rule_id>
</email_alerts>

Disable OSSEC active response:

Replace everything between <active-response> and </active-response> with the following:

<disabled>yes</disabled>

To enable OSSEC active response again, replace that part with:

  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>