OSSEC

From OnnoWiki

Latest revision as of 06:13, 11 January 2021

Source: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04


Intro

How do you keep track of legitimate and illegitimate activity on your server? OSSEC is one tool you can install on your server to track that activity.

OSSEC is an open-source host-based intrusion detection system (HIDS) that performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It can monitor a single server or thousands of servers in server/agent mode. OSSEC runs on most operating systems, including Linux, OpenBSD, FreeBSD, macOS, Solaris and Windows.

If configured correctly, OSSEC gives you a real-time view of what is happening on your server.

Why use OSSEC?

Below is an example OSSEC notification email showing that someone changed the file /var/ossec/etc/ossec.conf.

OSSEC HIDS Notification.
2014 Nov 29 09:45:15

Received From: kuruji->syscheck
Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
Portion of the log(s):

Integrity checksum changed for: '/var/ossec/etc/ossec.conf'
Size changed from '7521' to '7752'

If you receive an alert like this and you did not expect that file to change, you know something unauthorized is happening on your server.

Here is another example alert email from OSSEC, showing that the file /etc/ossec/testossec.txt was deleted.

OSSEC HIDS Notification.
2014 Nov 29 10:56:14

Received From: kuruji->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):

File /etc/ossec/testossec.txt was deleted. Unable to retrieve checksum.

Again, if you did not delete that file, you need to find out what happened on your server.

Prerequisites

  • An Ubuntu server
  • SSH access to it
  • root privileges (sudo su)

Install supporting packages

apt update
apt install postfix make gcc build-essential inotify-tools


Step 1 — Download & Verify OSSEC

cd /usr/local/src
wget -U ossec https://github.com/ossec/ossec-hids/archive/2.9.0.tar.gz

For some reason no checksum file could be found for version 2.9.0. If you need to verify a checksum, here is the procedure for version 2.8.1 as an example. Keep in mind that a checksum fetched over plain HTTP from the same host as the tarball only protects against a corrupted download, not against a substituted file: whoever can replace the tarball on that host can replace the checksum file too. Where the project publishes a signature or a checksum out of band, compare against that instead.

cd /usr/local/src
wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt

Look up the expected values:

cat ossec-hids-2.8.1-checksum.txt

Output:

MD5(ossec-hids-2.8.1.tar.gz)= c2ffd25180f760e366ab16eeb82ae382
SHA1(ossec-hids-2.8.1.tar.gz)= 0ecf1df09558dc8bb4b6f65e1fb2ca7a7df9817c

Compute the MD5 of the download:

md5sum ossec-hids-2.8.1.tar.gz

Expected output:

c2ffd25180f760e366ab16eeb82ae382  ossec-hids-2.8.1.tar.gz

Compute the SHA1:

sha1sum  ossec-hids-2.8.1.tar.gz

Expected output:

0ecf1df09558dc8bb4b6f65e1fb2ca7a7df9817c  ossec-hids-2.8.1.tar.gz
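Comparing two 40-character hashes by eye is error-prone. The shell function below is an added example, not part of the original page or of the OSSEC project: it automates the check for the checksum-file layout shown above (lines of the form MD5(file)= hash and SHA1(file)= hash) and refuses the download unless both digests are present and both match. The function name and the demo inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: verify a downloaded OSSEC
# tarball against its checksum file, whose lines look like
#   MD5(ossec-hids-2.8.1.tar.gz)= c2ffd25180f760e366ab16eeb82ae382
#   SHA1(ossec-hids-2.8.1.tar.gz)= 0ecf1df09558dc8bb4b6f65e1fb2ca7a7df9817c
# Returns 0 only when both digests are present in the file and both match.
# The function name is an assumption for this example.

verify_ossec_tarball() {
    tarball=$1
    sumfile=$2
    name=$(basename "$tarball")
    # Escape dots so the file name is matched literally inside the sed pattern.
    pat=$(printf '%s' "$name" | sed 's/[.]/\\./g')

    # Expected digests from the checksum file (empty if the line is missing).
    want_md5=$(sed -n "s/^MD5(${pat})= *//p" "$sumfile" | tr -d '[:space:]')
    want_sha1=$(sed -n "s/^SHA1(${pat})= *//p" "$sumfile" | tr -d '[:space:]')
    if [ -z "$want_md5" ] || [ -z "$want_sha1" ]; then
        echo "no MD5/SHA1 entry for $name in $sumfile" >&2
        return 1
    fi

    # Digests of what was actually downloaded.
    have_md5=$(md5sum "$tarball" | cut -d' ' -f1)
    have_sha1=$(sha1sum "$tarball" | cut -d' ' -f1)

    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $name: got $have_md5, want $want_md5" >&2
        return 1
    fi
    if [ "$have_sha1" != "$want_sha1" ]; then
        echo "SHA1 mismatch for $name: got $have_sha1, want $want_sha1" >&2
        return 1
    fi
    echo "$name: MD5 and SHA1 match"
}

# Usage: sh verify.sh ossec-hids-2.8.1.tar.gz ossec-hids-2.8.1-checksum.txt
if [ "$#" -eq 2 ]; then
    verify_ossec_tarball "$1" "$2"
fi
```

Requiring both digests matters: a file that matches MD5 alone is not worth much, since MD5 collisions are practical, while an attacker would have to defeat both at once to pass this check.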

Step 2 — Install OSSEC

OSSEC can be installed in server, agent, local or hybrid mode. This installation monitors only the server on which OSSEC itself is installed, so it is a local installation. Run:

cd /usr/local/src
tar zxvf 2.9.0.tar.gz 
cd ossec-hids-2.9.0/
./install.sh

Answers to the installation questions:

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: <ENTER>
OSSEC HIDS v2.9.0 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
 - System: Linux refserver 4.4.0-21-generic
 - User: root
 - Host: refserver
 -- Press ENTER to continue or Ctrl-C to abort. --
<ENTER>
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
2- Setting up the installation environment.
 - Choose where to install the OSSEC HIDS [/var/ossec]: <ENTER>
3- Configuring the OSSEC HIDS.
  3.1- Do you want e-mail notification? (y/n) [y]: <ENTER>
   - What's your e-mail address? onno@indo.net.id
   - Do you want to use it? (y/n) [y]: <ENTER>
  3.2- Do you want to run the integrity check daemon? (y/n) [y]: <ENTER>
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: <ENTER>
   - Do you want to enable active response? (y/n) [y]: <ENTER>
   - Do you want to enable the firewall-drop response? (y/n) [y]: <ENTER>
   - Do you want to add more IPs to the white list? (y/n)? [n]: <ENTER>
  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/dpkg.log

 - If you want to monitor any other file, just change 
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .
   --- Press ENTER to continue ---
   <ENTER>

Wait a while for the compile to finish. At the end you should see:

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
   ---  Press ENTER to finish (maybe more information below). ---
<ENTER>

Step 3 — Start OSSEC

By default OSSEC is configured to start at boot, but the first time you have to start it manually.

Check the status:

/var/ossec/bin/ossec-control status

Output:

ossec-monitord not running...
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd not running...

Start OSSEC:

/var/ossec/bin/ossec-control start

Output:

Starting OSSEC HIDS v2.9.0 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

Check the status again:

/var/ossec/bin/ossec-control status

This output shows that OSSEC is running:

ossec-monitord is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...

You should also receive an email roughly like this:

OSSEC HIDS Notification.
2014 Nov 30 11:15:38

Received From: ossec2->ossec-monitord
Rule: 502 fired (level 3) -> "Ossec server started."
Portion of the log(s):

ossec: Ossec started.

Step 4 — Configure OSSEC for Real-time Alerts on File Modifications

Change into the installation directory:

cd /var/ossec

Important files and folders:

/var/ossec/logs
/var/ossec/logs/ossec.log
/var/ossec/etc/ossec.conf

Back up the configuration file, then edit it:

cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.asli
vi /var/ossec/etc/ossec.conf

Email settings

The default looks roughly like this:

 <global>
   <email_notification>yes</email_notification>
   <email_to>onno@indo.net.id</email_to>
   <smtp_server>mx-2.indo.net.id.</smtp_server>
   <email_from>ossecm@refserver</email_from>
 </global>

To get the mail through, change the SMTP server to one that will relay for this host, use a valid From address, and set the maximum number of emails per hour:

Keep in mind that ossec-maild speaks plain, unauthenticated SMTP on port 25 and supports neither SMTP AUTH nor STARTTLS, so <smtp_server> must be a relay that accepts mail from this host's IP address without credentials. For a provider that requires authentication, let the local Postfix installed earlier relay to it and point OSSEC at localhost, as in the next variant:

 <global>
   <email_notification>yes</email_notification>
   <email_to>onno@indo.net.id</email_to>
   <smtp_server>smtp.telkom.net.</smtp_server>
   <email_from>onno@indo.net.id</email_from>
   <email_maxperhour>12</email_maxperhour>
 </global>

If you deliver through the local MTA instead, use:

 <global>
   <email_notification>yes</email_notification>
   <email_to>onno@indo.net.id</email_to>
   <smtp_server>localhost</smtp_server>
   <email_from>onno@indo.net.id</email_from>
   <email_maxperhour>12</email_maxperhour>
 </global>

Check /var/ossec/logs/ossec.log and make sure there are no errors like the following (this one means the configured SMTP server refused or did not accept the message):

grep ERROR /var/ossec/logs/ossec.log
2017/06/15 05:13:16 ossec-maild(1223): ERROR: Error Sending email to mx-2.indo.net.id. (smtp server)

Scan frequency

Edit /var/ossec/etc/ossec.conf:

vi /var/ossec/etc/ossec.conf

Look at the section:

<syscheck>
    <frequency>79200</frequency>

Add alerting on new files:

<syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>

For testing you can lower the frequency to 60 seconds; for production the default of 79200 (22 hours) is sufficient. Note that new-file alerts are produced only by the scheduled scan, not by real-time monitoring, so with the default frequency a newly added file can be reported up to 22 hours later; modifications and deletions in real-time-monitored directories are reported immediately.

Directory and file change settings

Edit /var/ossec/etc/ossec.conf again:

vi /var/ossec/etc/ossec.conf

Find the lines:

<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>

Change them to:

<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>

You can also add directories of your own to monitor, for example a home directory and the web root, restricted to the file types you care about (replace /home/onno with your own home directory):

<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>

<directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/home/onno,/var/www</directories>

Two caveats. The restrict value is an OSSEC regular expression (os_regex syntax) matched against the full path, not a list of extensions: an unescaped "." matches any character and nothing anchors the pattern to the end of the name, so ".py" also matches a path such as /var/www/copy. Escape the dot and anchor the pattern (for example "\.php$|\.js$") if you want extensions only. Also, report_changes="yes" keeps a copy of every watched file under /var/ossec/queue/diff so that the alert can include a diff, so do not enable it on large files or on secrets (private keys, password files) you would not want duplicated there.

Local rules

The rules and local rules live in:

/var/ossec/rules/
/var/ossec/rules/local_rules.xml
/var/ossec/rules/ossec_rules.xml

We are interested in local_rules.xml and ossec_rules.xml. ossec_rules.xml holds the default rule definitions and should not be edited; custom rules and overrides go in local_rules.xml. As an example we override rule 554 from ossec_rules.xml, which reads:

 <rule id="554" level="0">
   <category>ossec</category>
   <decoded_as>syscheck_new_entry</decoded_as>
   <description>File added to the system.</description>
   <group>syscheck,</group>
 </rule>

What needs to be done:

cp /var/ossec/rules/local_rules.xml /var/ossec/rules/local_rules.xml.asli
vi /var/ossec/rules/local_rules.xml

Add the following block at the end of the file. A rule with level 0 never alerts, and the default <email_alert_level> in ossec.conf is 7, so level 7 is the lowest level that still produces an email; overwrite="yes" is required because rule id 554 is already defined in ossec_rules.xml:

 <group name="syscheck,">
   <rule id="554" level="7" overwrite="yes">
     <category>ossec</category>
     <decoded_as>syscheck_new_entry</decoded_as>
     <description>File added to the system.</description>
   </rule>
 </group>

Save the file.

Restart OSSEC

After all modifications are made, restart OSSEC (this is required whenever you change its configuration or rules):

/var/ossec/bin/ossec-control restart

Step 5 — Test file change alerts

Create the files, write to them, and delete them again. The sleeps give the 60-second test scan time to run between the steps:

# create: reported by rule 554 on the next scheduled scan
touch /home/onno/coba.sh
touch /home/onno/index.html
sleep 70
# modify: reported by rule 550 in real time
echo "percobaan" > /home/onno/index.html
echo "coba" > /home/onno/coba.sh
sleep 70
# delete: reported by rule 553 in real time
rm /home/onno/index.html
rm /home/onno/coba.sh

Check whether the corresponding alert emails arrived.
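Rather than waiting for mail, you can read the alerts straight from OSSEC's own alert log. The script below is an added example, not code from the original page or from the OSSEC project. It assumes the standard alerts.log layout (a "** Alert" header line, then a "Rule: <id> (level <n>) -> '...'" line, then the syscheck log lines) and runs against a constructed sample rather than a real capture; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: list syscheck alerts straight
# from OSSEC's alerts.log so you can confirm that rules 550/553/554 fired without
# waiting for e-mail. Assumes the stock alerts.log layout: each alert starts with
# a "** Alert ..." line and contains "Rule: <id> (level <n>) -> '<description>'"
# followed by the log lines. Function names are assumptions for this example.
# Output: one line per syscheck alert, "<rule id> <level> <path>".

syscheck_summary() {
    awk '
        /^\*\* Alert /            { rule = ""; level = ""; next }
        /^Rule: [0-9]+ \(level /  { rule = $2; level = $4; sub(/\)$/, "", level); next }
        rule == ""                { next }
        # Modified and new files carry the path between single quotes.
        /^Integrity checksum changed for: / || /^New file / {
            n = split($0, q, "\047")
            if (n >= 3) print rule, level, q[2]
            next
        }
        # Deleted files: "File <path> was deleted. Unable to retrieve checksum."
        /^File .* was deleted/    { print rule, level, $2; next }
    ' "$@"
}

# How many alerts each rule produced, lowest rule id first.
syscheck_counts() {
    syscheck_summary "$@" | awk '{ c[$1]++ } END { for (r in c) print r, c[r] }' | sort -n
}

# Constructed sample in the alerts.log layout (not a real capture).
sample_alerts() {
    cat <<'EOF'
** Alert 1417370631.100: mail - ossec,syscheck,
2014 Nov 30 18:03:51 ossec2->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/onno/index.html'
Size changed from '21' to '46'

** Alert 1417428811.200: mail - ossec,syscheck,
2014 Dec 01 10:13:31 ossec2->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/var/www/header.html' added to the file system.

** Alert 1417428900.300: mail - ossec,syscheck,
2014 Dec 01 10:15:00 ossec2->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File /home/onno/coba.sh was deleted. Unable to retrieve checksum.
EOF
}

# Usage: sh syscheck_summary.sh /var/ossec/logs/alerts/alerts.log
# With no argument it runs against the constructed sample.
if [ "$#" -eq 0 ]; then
    sample_alerts | syscheck_summary
else
    syscheck_summary "$@"
fi
```

Run it as root against /var/ossec/logs/alerts/alerts.log after the test sequence above. Seeing 550 and 553 lines but no 554 line is the expected picture until the next scheduled scan has run, which is also why the sleep values above must exceed the configured frequency.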

References

* https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04

Related links

  • IDS
  • OSSEC
  • OSSEC: Ubuntu 18.04
  • OSSEC: Ubuntu 20.04
  • OSSEC: whitelisting