OSSEC linux(server) windows(agent)史上最詳細中文配置

OSSEC linux(server) windows(agent)史上最詳細中文配置

作者：譚丙章
E-mail:[email protected]

ossec官方網站：http://www.ossec.net/
ossec幫助文檔：http://ossec-docs.readthedocs.org/en/latest/manual/index.html

介紹

SSEC是一款開源的多平臺的入侵檢測系統，可以運行於Windows, Linux, OpenBSD/FreeBSD, 以及 MacOS等操作系統中。包括了日誌分析，全面檢測，root-kit檢測，政策監控，實時報警和積極響應。

現在已經有新版本Latest Stable Release (2.8.3)
下載地址：http://ossec.github.io/downloads.html

部署

Ossec部署方式爲C/S，以下server：192.168.1.16
agent：192.168.1.19
linux系統爲最新版centos7
windows系統爲windows8.1

服務器安裝及配置

服務器ip:192.168.1.16

由於centos7自帶的SElinux會攔截，阻止太多的東西，避免麻煩，這裏 我們把SElinux關閉！
geidt /etc/selinux/config
編輯/etc/selinux/config，找到SELINUX 行修改成爲：SELINUX=disabled
然後重新啓動。

我們需要開啓80端口，CentOS 7.0默認使用的是firewall作爲防火牆，這裏我們把centos7的防火牆換成iptables
關閉firewall：
systemctl stop firewalld.service #停止firewall
systemctl disable firewalld.service #禁止firewall開機啓動
安裝iptables防火牆
yum install iptables-services #安裝
gedit /etc/sysconfig/iptables #編輯防火牆配置文件
原文件清空，複製粘貼保存：
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 3306 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 514 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 1514 -j ACCEPT
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -j REJECT –reject-with icmp-host-prohibited
COMMIT
因爲ossec通信是用udp 514,1514端口（可以用命令：# netstat -unlp|grep ossec 查看）所以加了下面這兩句
-A INPUT -m state –state NEW -m udp -p udp –dport 514 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 1514 -j ACCEPT

好了，iptables配置好了，現在，我們開啓iptables:
systemctl restart iptables.service #最後重啓防火牆使配置生效
systemctl enable iptables.service #設置防火牆開機啓動

防火牆開啓成功，我們來接着安裝一些必要的工具：
yum install gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat wget unzip -y
安裝mysql數據庫，appach,php：
yum install mysql mysql-server mysql-devel httpd php php-mysql –y
我們把從官網下載下來的ossec-hids-2.8.3.tar.gz解壓：
tar -xzf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8
cd src/
make setdb #使其支持mysql數據庫
接下來提示：
Error: PostgreSQL client libraries notinstalled.
Info: Compiled with MySQL support. #ossec支持mysql數據庫
cd ../
./install.sh
下面是安裝過程:
cn #選擇語言
Enter #繼續
Server #安裝爲server
/var/ossec #安裝目錄
- Do you want e-mail notification? (y/n)[y]: y
- What’s your e-mail address? [email protected]
- What’s your SMTP server ip/host? 127.0.0.1
Enter # Running syscheck (integrity check daemon)
Enter # Running rootcheck (rootkit detection)
Enter #Active response enabled
Enter # firewall-drop enabled (local) for levels >= 6
Do you want to add more IPs to the whitelist? (y/n)? [n]: y #設置ip白名單
-IPs (space separated):#把客戶端和服務端的ip都加上去
3.5- Do you want to enable remote syslog(port 514 udp)? (y/n) [y]:Enter
Enter #開始安裝

安裝完畢，下面我們來配置
使oosec支持mysql，並建立mysql表：
/var/ossec/bin/ossec-control enable database
service mysqld start
/usr/bin/mysql_secure_installation
mysql -uroot -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost identified by 'ossec';
mysql> flush privileges;
mysql> \q

mysql -uossec -p ossec < src/os_dbd/mysql.schema 

Enter password:
gedit /usr/local/ossec/etc/ossec.conf #在最後添加
<ossec_config>
<database_output>
<hostname>localhost</hostname>
<username>ossec</username>
<password>ossec</password>
<database>ossec</database>
<type>mysql</type>
</database_output>
</ossec_config>
保存，退出。
添加128行內容，允許此網段的日誌,如果有其他ip需要設置白名單，依次添加即可
<remote>
<connection>syslog</connection>
<allowed-ips>192.168.1.0/24</allowed-ips> #128行
</remote>

/var/ossec/bin/ossec-control restart

此時，郵箱已經收到郵件了。

添加agent客戶端

/var/ossec/bin/manage_agents
下面依次：
A #add
Please provide the following:
*A name for the new agent: agent1
*The IP Address of the new agent: 192.168.1.19 #agent端的ip地址
*An ID for the new agent[001]: 001
Agent information:
ID:001
Name:agent1
IPAddress:192.168.1.19
Confirm adding it?(y/n): y
Agent added.

然後Enter後 又繼續：
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: agent1, IP: 192.168.1.19
Provide the ID of the agent to extract thekey (or ‘\q’ to quit): 001
Agent key information for ‘001’ is: #複製這個祕鑰，客戶端需要

然後Enter後輸入Q退出

客戶端配置

這裏我們配置的客戶端是在windows上的：
下載客戶端exe: https://bintray.com/artifact/download/ossec/ossec-hids/ossec-agent-win32-2.8.3.exe
然後默認安裝
注意：運行時要以管理員權限運行，即以Administrator運行
首先到安裝目錄下運行manage_agents.exe
輸入你的服務器IP，我這裏是：192.168.1.16
然後粘貼你複製下來的祕鑰

再運行win32ui.exe

點擊View config
在<ossec_config>下面增加你的server ip ，上面有格式。保存關閉後
然後再在

中輸入你的Server ip和 key(複製下來的祕鑰)，然後Save,運行。

安裝web界面

ossec-wui界面

cd /var/www
unzip ossec-wui-master.zip
mv ossec-wui-master html/ossec
cd html/ossec/
./setup.sh
Setting up ossec ui…

Username: ossec
New password:
Re-type new password:
Adding password for user ossec
Enter your web server user name (e.g.apache, www, nobody, www-data, …)
apache
Enter your OSSEC install directory path(e.g. /var/ossec)
/var/ossec
You must restart your web server after thissetup is done.

Setup completed successfuly.
gedit /etc/httpd/conf.d/ossec.conf

Alias /ossec/ "/var/www/html/ossec/"  

<Directory /var/www/html/ossec>  
Order deny,allow  
Deny from all  
Allow from 192.168.1.0/24  

Options FollowSymLinks  #外網訪問配置，把上面註釋或刪除
AllowOverride None      #外網訪問配置
Order deny,allow        #外網訪問配置
allow from all          #外網訪問配置

Options -MultiViews
AuthName "OSSEC AUTH"
AuthType Basic
AuthUserFile /var/www/html/ossec/.htpasswd
Require valid-user
</Directory>  

保存退出。
chown apache:apache *
service httpd restart

analogi界面

cd /var/www/html
wget https://github.com/ECSC/analogi/archive/master.zip
unzip master.zip
mv analogi-master ossec/analogi
chown apache.apache -R ossec
cd ossec/analogi
cp db_ossec.php.new db_ossec.php

gedit db_ossec.php

define ('DB_USER_O', 'ossec');
define ('DB_PASSWORD_O', 'ossec');
define ('DB_HOST_O', 'localhost');
define ('DB_NAME_O', 'ossec');  

gedit /etc/httpd/conf.d/analogi.conf

Alias /analogi/ "/var/www/html/ossec/analogi/" 

<Directory /var/www/html/ossec/analogi>
Order deny,allow
Deny from all
Allow from 192.168.1.0/24

Options FollowSymLinks   #外網訪問配置，把上面註釋或刪除
AllowOverride None       #外網訪問配置
Order deny,allow         #外網訪問配置
allow from all           #外網訪問配置

</Directory>

service httpd restart

查看狀態信息

/var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of availableagents:
ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1,Active/Local
ID: 001, Name: agent1, IP: 192.168.22.241, Active
/var/ossec/bin/list_agents -a
agent1-192.168.1.19 is available.
/var/ossec/bin/ossec-control status
ossec-monitord is running…
ossec-logcollector is running…
ossec-remoted is running…
ossec-syscheckd is running…
ossec-analysisd is running…
ossec-maild is running…
ossec-execd is running…
ossec-dbd is running…

OSSEC的圖形界面

analogi圖形界面