测试机 172.16.53.191 服务端(server)
测试机 172.16.53.253 客户端(agent)
【server端配置】
yum install mysql mysql-server mysql-devel httpd php php-mysql gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat unzip -y
wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
tar zxvf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3
cd src
make setdb
#Info: Compiled with MySQL support.出现mysql 说明ossec支持mysql数据库
cd ..
./install.sh
下面是安装过程,如果输入错误,按住Ctrl+Backspace
en #选择语言
Enter #继续
Server #安装为server
/usr/local/ossec #安装目录
3.1- Do you want e-mail notification? (y/n)[y]: y
-What's your e-mail address? [email protected]
-What's your SMTP server ip/host? 127.0.0.1
Enter # Running syscheck (integrity check daemon)
Enter # Running rootcheck (rootkit detection)
Enter #Active response enabled
Enter # firewall-drop enabled (local) for levels >= 6
Do you want to add more IPs to the whitelist? (y/n)? [n]: y #设置ip白名单
-IPs (space separated):
3.5- Do you want to enable remote syslog(port 514 udp)? (y/n) [y]:Enter
Enter #开始安装
安装完成的配置文件及选项:
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
# /usr/local/ossec/bin/ossec-control --help
Usage: /usr/local/ossec/bin/ossec-control{start|stop|restart|status|enable|disable}
# /usr/local/ossec/bin/ossec-control enable --help
Enable options: database, client-syslog,agentless, debug
Usage: /usr/local/ossec/bin/ossec-controlenable [database|client-syslog|agentless|debug]
【ossec日志入数据库】
1. 启用数据库功能 /var/ossec/bin/ossec-control enable database
2.安装数据库,创建数据库
yum -y install mysql-server mysql mysql-devel #安装mysqlserver
mysql -u root
mysql>create database ossec;
mysql>set password for root@localhost=password ('ufenqi123');
mysql>CREATE USER 'ossecuser'@'%'IDENTIFIED BY 'ufenqi123';
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@'%' IDENTIFIED BY 'ufenqi123';
mysql>flush privileges;
mysql>exit
进入ossec源码目录,【初始化数据库】
/root/ossec-hids-2.8.3/src/os_dbd/mysql.schema
mysql -u ossecuser -p -D ossec < /root/ossec-hids-2.8.3/src/os_dbd/mysql.schema
3.修改ossec配置文件,添加数据库支持
vim /usr/local/ossec/etc/ossec.conf 添加如下字段
<ossec_config> <database_output> <hostname>192.168.2.30</hostname> <username>ossecuser</username> <password>ossecpass</password> <database>ossec</database> <type>mysql</type> </database_output> </ossec_config>
3.2、接收远端syslog信息
<remote>
<connection>syslog</connection>
<allowed-ips>172.16.0.0/16</allowed-ips>
</remote>
配置上syslog后,本机监听了udp端口514和1514
4 配置完成后,启用数据库,并重启ossec
/usr/local/ossec/bin/ossec-control enable database
/usr/local/ossec/bin/ossec-control restart
【添加agent】
1.在server端执行
/usr/local/ossec/bin/manage_agents 按照提示添加客户端
添加完成后,输入E,获取agent的key,复制下来
2.在agent端执行
/usr/local/ossec/bin/manage_agents
将1中复制下来的key粘贴进去就可以添加成功了
【server中查看在线的agent列表】
/usr/local/ossec/bin/agent_control -l
[root@172-16-53-191 bin]# ./agent_control -l
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: 172-16-53-191 (server), IP: 127.0.0.1, Active/Local
ID: 002, Name: test-agent-53.253, IP: 172.16.53.253, Active
List of agentless devices:
/usr/local/ossec/bin/list_agent -a
【安装web界面-管理ossec】
1.配置nginx+php运行环境
2下载安装
tar -zxvf ossec-wui-0.3.tar.gz mv ossec-wui-0.3 /usr/local/nginx/html ossec-wui
cd /usr/local/nginx/html/ossec-wui
./setup.sh
3.修改权限,将运行web服务的用户加入ossec用户组
vim /etc/group 修改ossec这一行为:
ossec:x:1002:apache 其中Apache是运行php的启动用户
将ossec的安装目录(/usr/local/ossec/)下的tmp目录权限设置为770
chmod 770 /usr/local/ossec/tmp
chown -R apache.apache /usr/local/ossec/tmp
service php-fpm restart
然后访问http://ossec-server-ip/ossec-wui/index.php 即可访问到ossec管理界面
【ossec的实际应用】
一、【ossec syscheck文件监控配置】
1.在agent端,修改/usr/local/ossec/etc/ossec.conf文件
在<syscheck>下添加如下:
<alert_new_files>yes</alert_new_files>
<directories check_all="yes" realtime="yes" report_changes="yes">/tmp/mzk</directories> 添加监控的目录
设置扫描频率
2.在server端重写rules规则,编辑/usr/local/ossec/rules/ossec_rules.xml文件,找到rule_id 554,在这个规则的下面添加如下行
<rule id="554" level="10" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system. by mzk</description>
<group>syscheck,</group>
</rule>
二、【异常ip登录服务器】
在server端上编辑rules/local_rules.xml文件,添加如下行
<rule id="7778" level="7">
<if_sid>5700</if_sid>
<group>authentication_failure</group>
<srcip>!10.10.2.1</srcip>
<description>not come from 10.10.2.1</description>
</rule>
重启服务端即可
三、【暴力破解】
在server端上编辑rules/sshd_rules.xml文件,修改规则如下
<rule id="5720" level="7" frequency="3">
<if_matched_sid>5716</if_matched_sid>
<same_source_ip />
<description>3 Failed passwords within 1 minutes Multiple SSHD authentication failures.</description>
<group>authentication_failures,</group>
</rule>
四、【进程监控】
<rule id="533" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'netstat -tan</match>
<check_diff />
<description>Listened ports status (netstat) changed (new port opened or closed).</description>
</rule>