Difference between revisions of "OSSEC: Ubuntu 18.04"

Latest revision as of 07:36, 30 March 2020

Install Prerequisites

sudo su
apt update
apt -y install build-essential make zlib1g-dev libpcre2-dev libz-dev libssl-dev libevent-dev

Download & Install

sudo su
cd /usr/local/src
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar zxvf 3.6.0.tar.gz 
cd /usr/local/src/ossec-hids-3.6.0
./install.sh


Installation Process Excerpt

NOTE:

  • For most prompts, just press ENTER
  • If e-mail notification is enabled, you need to enter an e-mail address.

  • Choose language: [en]
OSSEC HIDS v3.6.0 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.

 - System: Linux ubuntu 4.15.0-20-generic
 - User: root
 - Host: ubuntu
ENTER

1- What kind of installation do you want (server, agent, local, hybrid or help)?

server
hybrid

2- Setting up the installation environment.

ENTER [/var/ossec]

3- Configuring the OSSEC HIDS.

 3.1- Do you want e-mail notification? (y/n) [y]: ENTER 
  - What's your e-mail address? email@address.anda
  - We found your SMTP server as: smtp.server.anda
  - Do you want to use it? (y/n) [y]: ENTER 
 3.2- Do you want to run the integrity check daemon? (y/n) [y]: ENTER
  - Running syscheck (integrity check daemon).
 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: ENTER
 3.4- Active response allows you to execute a specific
      command based on the events received. For example,
      you can block an IP address or disable access for
      a specific user.
      More information at:
      http://www.ossec.net/en/manual.html#active-response
  - Do you want to enable active response? (y/n) [y]: ENTER
    - Active response enabled.
  - By default, we can enable the host-deny and the
    firewall-drop responses. The first one will add
    a host to the /etc/hosts.deny and the second one
    will block the host on iptables (if linux) or on
    ipfilter (if Solaris, FreeBSD or NetBSD).
  - They can be used to stop SSHD brute force scans,
    portscans and some other forms of attacks. You can
    also add them to block on snort events, for example.
  - Do you want to enable the firewall-drop response? (y/n) [y]: ENTER
    - firewall-drop enabled (local) for levels >= 6
  - 
     - 127.0.0.53
  - Do you want to add more IPs to the white list? (y/n)? [n]: ENTER
 3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: 
  - Remote syslog enabled.
 3.6- Setting the configuration to analyze the following logs:
   -- /var/log/auth.log
   -- /var/log/syslog
   -- /var/log/dpkg.log
- If you want to monitor any other file, just change 
  the ossec.conf and add a new localfile entry.
  Any questions about the configuration can be answered
  by visiting us online at http://www.ossec.net .

Compilation finished

- Configuration finished properly.

- To start OSSEC HIDS:
     /var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
     /var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

   Thanks for using the OSSEC HIDS.
   If you have any question, suggestion or if you find any bug,
   contact us at https://github.com/ossec/ossec-hids or using
   our public maillist at  
   https://groups.google.com/forum/#!forum/ossec-list

   More information can be found at http://www.ossec.net


Run

Start:

/var/ossec/bin/ossec-control start

Stop:

/var/ossec/bin/ossec-control stop

The configuration is in:

/var/ossec/etc/ossec.conf

Log

The important logs recorded by OSSEC HIDS can be read in

/var/ossec/logs/

Files containing the most important information include

/var/ossec/logs/active-responses.log
/var/ossec/logs/alerts/alerts.log
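As an added example (not code from the original page or from the OSSEC project), a small Python parser for the alerts.log format written to /var/ossec/logs/alerts/alerts.log, which also picks out the source addresses that reached the level >= 6 threshold at which the installer above enabled firewall-drop. The alert entries in SAMPLE_ALERTS are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the alerts.log layout OSSEC writes: each alert starts
# with "** Alert <epoch>.<id>:" and is terminated by a blank line.
SAMPLE_ALERTS = """\
** Alert 1585551360.12345: mail  - syslog,sshd,authentication_failed,
2020 Mar 30 07:36:00 ubuntu->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Mar 30 07:36:00 ubuntu sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2

** Alert 1585551400.12400: mail  - syslog,sshd,authentication_failures,
2020 Mar 30 07:36:40 ubuntu->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10
Mar 30 07:36:40 ubuntu sshd[1240]: Failed password for root from 192.0.2.10 port 51240 ssh2

** Alert 1585551500.12500: - syscheck,
2020 Mar 30 07:38:20 ubuntu->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts.deny'
"""

HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+):.*?- (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRC_IP = re.compile(r"^Src IP: (\S+)$")

def parse_alerts(text):
    """Return one dict per alert: ts, groups, rule, level, desc, src_ip."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue  # not an alert header (truncated or foreign text): skip it
        alert = {"ts": int(head[1]), "groups": head[3].strip(",").split(","),
                 "rule": None, "level": None, "desc": None, "src_ip": None}
        for line in lines[1:]:
            r, s = RULE.match(line), SRC_IP.match(line)
            if r:
                alert.update(rule=int(r[1]), level=int(r[2]), desc=r[3])
            elif s:
                alert["src_ip"] = s[1]  # absent for syscheck/rootcheck alerts
        alerts.append(alert)
    return alerts

def firewall_drop_sources(alerts, min_level=6):
    """Source IPs whose alerts reached the level at which firewall-drop fires."""
    return Counter(a["src_ip"] for a in alerts
                   if a["level"] is not None and a["level"] >= min_level and a["src_ip"])
```

Run it against the real file with `parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read())` and compare the result with /var/ossec/logs/active-responses.log to confirm that blocks were actually executed for those addresses.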

Interesting Links