Difference between revisions of "OSSEC: Ubuntu 18.04"
==Related links==
* [[IDS]]
* [[OSSEC]]
* [[OSSEC: Ubuntu 18.04]]
* [[OSSEC: whitelisting]]
Latest revision as of 07:36, 30 March 2020
==Install supporting packages==

 sudo su
 apt update
 apt -y install build-essential make zlib1g-dev libpcre2-dev libz-dev libssl-dev libevent-dev

==Download & Install==

 sudo su
 cd /usr/local/src
 wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
 tar zxvf 3.6.0.tar.gz
 cd /usr/local/src/ossec-hids-3.6.0
 ./install.sh
==Installation walkthrough==

'''NOTES:'''
* For most prompts it is enough to press '''ENTER'''.
* If e-mail notification is enabled, you have to enter an e-mail address.
* Choose the language: '''[en]'''
  OSSEC HIDS v3.6.0 Installation Script - http://www.ossec.net
 
  You are about to start the installation process of the OSSEC HIDS.
  You must have a C compiler pre-installed in your system.
 
   - System: Linux ubuntu 4.15.0-20-generic
   - User: root
   - Host: ubuntu

 '''ENTER'''

 1- What kind of installation do you want (server, agent, local, hybrid or help)?

 '''server'''
 '''hybrid'''

 2- Setting up the installation environment.

 '''ENTER''' [/var/ossec]

 3- Configuring the OSSEC HIDS.
 3.1- Do you want e-mail notification? (y/n) [y]: '''ENTER'''
   - What's your e-mail address? '''email@address.anda'''
   - We found your SMTP server as: smtp.server.anda
   - Do you want to use it? (y/n) [y]: '''ENTER'''
 3.2- Do you want to run the integrity check daemon? (y/n) [y]: '''ENTER'''
   - Running syscheck (integrity check daemon).
 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: '''ENTER'''
 3.4- Active response allows you to execute a specific
      command based on the events received. For example,
      you can block an IP address or disable access for
      a specific user.
      More information at:
      http://www.ossec.net/en/manual.html#active-response
   - Do you want to enable active response? (y/n) [y]: '''ENTER'''
   - Active response enabled.
 
   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.
   - Do you want to enable the firewall-drop response? (y/n) [y]: '''ENTER'''
 
   - firewall-drop enabled (local) for levels >= 6
   -
      - 127.0.0.53
   - Do you want to add more IPs to the white list? (y/n)? [n]: '''ENTER'''
 
 3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:
   - Remote syslog enabled.
 3.6- Setting the configuration to analyze the following logs:
     -- /var/log/auth.log
     -- /var/log/syslog
     -- /var/log/dpkg.log
   - If you want to monitor any other file, just change
     the ossec.conf and add a new localfile entry.
     Any questions about the configuration can be answered
     by visiting us online at http://www.ossec.net .

==Compilation finished==

   - Configuration finished properly.
 
   - To start OSSEC HIDS:
                 /var/ossec/bin/ossec-control start
 
   - To stop OSSEC HIDS:
                 /var/ossec/bin/ossec-control stop
 
   - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
 
     Thanks for using the OSSEC HIDS.
     If you have any question, suggestion or if you find any bug,
     contact us at https://github.com/ossec/ossec-hids or using
     our public maillist at
     https://groups.google.com/forum/#!forum/ossec-list
 
     More information can be found at http://www.ossec.net
==Run==

Start OSSEC:
 /var/ossec/bin/ossec-control start

Stop OSSEC:
 /var/ossec/bin/ossec-control stop

The configuration file is
 /var/ossec/etc/ossec.conf
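The installer writes three localfile entries, the 127.0.0.53 white list and the firewall-drop response for level 6 into /var/ossec/etc/ossec.conf, and its closing message says that monitoring another file is a matter of adding a new localfile entry. The Python script below is an added example, not code from this page or from the OSSEC project: it reads the configuration with the standard library, reports what is monitored and what the active-response threshold is, and appends a localfile entry. SAMPLE_CONF is a constructed fragment in the shape the installer produces; the wrapping in a synthetic root is there because a real ossec.conf may contain several top-level ossec_config blocks, which is not a single XML document.

```python
# Added example (not from the original page or the OSSEC project):
# inspect and extend the <localfile> entries of ossec.conf.
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring what the installer transcript above writes:
# three localfile entries, the white list and the level-6 firewall-drop.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <white_list>127.0.0.53</white_list>
  </global>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>
</ossec_config>
"""


def parse_conf(text):
    """ossec.conf may hold several <ossec_config> blocks back to back,
    so wrap the file in a synthetic root before parsing."""
    return ET.fromstring("<root>" + text + "</root>")


def monitored_files(root):
    """Paths of every <localfile> entry, in file order."""
    return [lf.findtext("location") for lf in root.iter("localfile")]


def whitelist(root):
    """Addresses exempted from active response."""
    return [w.text for w in root.iter("white_list")]


def response_levels(root):
    """Map active-response command name -> minimum alert level."""
    return {ar.findtext("command"): int(ar.findtext("level"))
            for ar in root.iter("active-response")}


def add_localfile(root, path, log_format="syslog"):
    """Append a <localfile> to the first <ossec_config>; False if present."""
    if path in monitored_files(root):
        return False
    cfg = root.find("ossec_config")
    lf = ET.SubElement(cfg, "localfile")
    ET.SubElement(lf, "log_format").text = log_format
    ET.SubElement(lf, "location").text = path
    return True


def render(root):
    """Serialise the blocks again without the synthetic wrapper."""
    return "".join(ET.tostring(child, encoding="unicode") for child in root)


if __name__ == "__main__":
    # Read-only report against the live file (or a path given on the command line).
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/etc/ossec.conf"
    with open(path) as fh:
        conf = parse_conf(fh.read())
    print("monitored:", monitored_files(conf))
    print("white list:", whitelist(conf))
    print("active responses:", response_levels(conf))
```

To add a file for real, call add_localfile on the parsed tree, write render(root) back to /var/ossec/etc/ossec.conf, and restart with the ossec-control commands above so ossec-logcollector picks the entry up.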
==Logs==

The important events recorded by OSSEC HIDS can be read under

 /var/ossec/logs/

The files that hold the important entries include

 /var/ossec/logs/active-responses.log
 /var/ossec/logs/alerts/alerts.log
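Those two files are where the install above becomes visible in practice: alerts.log holds every detection, and active-responses.log records each firewall-drop action for alerts at level 6 or above. The Python below is an added example, not code from this page or from the OSSEC project. It parses both files, lists the alerts that met the active-response threshold, counts alerts per source address, and checks which candidate alerts actually produced an add/delete action. Both sample inputs are constructed to the record layouts OSSEC 3.x writes (an alert starts with a "** Alert <id>:" header and carries a "Rule: N (level L) -> '...'" line; an active-responses line is date, script, action, user, source IP, alert id, rule id); check the field positions against your own files before relying on them.

```python
# Added example (not from the original page or the OSSEC project):
# summarise alerts.log and active-responses.log and correlate the two.
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the record layout OSSEC 3.x uses for alerts.log:
# "** Alert" header, location line, Rule line, optional "Src IP:" and
# "User:" lines, the raw log line, then a blank separator.
SAMPLE_ALERTS = """\
** Alert 1585553772.1234: mail  - syslog,sshd,authentication_failed,
2020 Mar 30 07:36:12 ubuntu->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Mar 30 07:36:11 ubuntu sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2

** Alert 1585553790.2345: mail  - syslog,sshd,authentication_failures,
2020 Mar 30 07:36:30 ubuntu->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.7
Mar 30 07:36:29 ubuntu sshd[1240]: Failed password for root from 203.0.113.7 port 51240 ssh2

** Alert 1585553800.3456: - syslog,sudo
2020 Mar 30 07:36:40 ubuntu->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: onno
Mar 30 07:36:39 ubuntu sudo:     onno : TTY=pts/0 ; PWD=/home/onno ; USER=root ; COMMAND=/bin/ls
"""

# Constructed sample in the layout of active-responses.log:
# date (6 fields), script, action, user, source IP, alert id, rule id.
SAMPLE_RESPONSES = """\
Mon Mar 30 07:36:30 WIB 2020 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1585553790.2345 5712
Mon Mar 30 07:46:30 WIB 2020 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1585553790.2345 5712
"""

ALERT_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'")


def parse_alerts(text):
    """Return one dict per alert record (id, rule, level, desc, src_ip, user)."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            cur = {"id": m.group("id"), "rule": None, "level": 0,
                   "desc": "", "src_ip": None, "user": None}
            alerts.append(cur)
            continue
        if cur is None:
            continue
        m = RULE_RE.match(line)
        if m:
            cur["rule"] = int(m.group("rule"))
            cur["level"] = int(m.group("level"))
            cur["desc"] = m.group("desc")
        elif line.startswith("Src IP: "):
            cur["src_ip"] = line[len("Src IP: "):].strip()
        elif line.startswith("User: "):
            cur["user"] = line[len("User: "):].strip()
    return alerts


def parse_responses(text):
    """Return one dict per active-responses.log line; skip malformed lines."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12:
            continue
        out.append({"script": f[6].rsplit("/", 1)[-1], "action": f[7],
                    "src_ip": f[9], "alert_id": f[10], "rule": int(f[11])})
    return out


def response_candidates(alerts, threshold=6):
    """Alerts that carry a source IP and reach the firewall-drop level."""
    return [a for a in alerts if a["level"] >= threshold and a["src_ip"]]


def correlate(alerts, responses):
    """Map each candidate alert id to the actions recorded for it."""
    acted = defaultdict(list)
    for r in responses:
        acted[r["alert_id"]].append(r["action"])
    return {a["id"]: acted.get(a["id"], []) for a in response_candidates(alerts)}


def per_source(alerts):
    """Count alerts per source IP (alerts without one are ignored)."""
    return Counter(a["src_ip"] for a in alerts if a["src_ip"])


if __name__ == "__main__":
    # Run against the live logs: python3 this.py [alerts.log] [active-responses.log]
    a_path = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/logs/alerts/alerts.log"
    r_path = sys.argv[2] if len(sys.argv) > 2 else "/var/ossec/logs/active-responses.log"
    with open(a_path) as fa, open(r_path) as fr:
        alerts, responses = parse_alerts(fa.read()), parse_responses(fr.read())
    print("alerts per source:", dict(per_source(alerts)))
    for aid, actions in correlate(alerts, responses).items():
        print(aid, "->", actions or "no active response recorded")
```

A candidate alert with an empty action list is the thing to look at: either the address is on the white list (127.0.0.53 by default), the response timed out before the log was read, or active response is not actually running.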