Difference between revisions of "OSSEC: Ubuntu 18.04"

From OnnoWiki
Latest revision as of 07:36, 30 March 2020

Install Dependencies

sudo su
apt update
apt -y install build-essential make zlib1g-dev libpcre2-dev libz-dev libssl-dev libevent-dev

Download & Install

The GitHub archive URL below serves an auto-generated, unsigned tarball. Record its SHA-256 and compare it with a value you trust before running install.sh, which compiles and installs everything as root.

sudo su
cd /usr/local/src
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar zxvf 3.6.0.tar.gz 
cd /usr/local/src/ossec-hids-3.6.0
./install.sh


Installation Walkthrough

NOTES:

  • For most prompts it is enough to press ENTER and accept the default.
  • If e-mail notification is enabled you have to enter an e-mail address and confirm the SMTP server the installer detects.
  • The 127.0.0.53 that the installer puts on the active-response white list is the systemd-resolved stub resolver it found in /etc/resolv.conf on Ubuntu 18.04. Keep it, and add your gateway, DNS and management hosts: firewall-drop acts on source addresses taken from log lines, so an attacker who can get a matching line into a monitored log can have a legitimate address blocked.
  • Remote syslog (step 3.5) opens 514/udp with no authentication. Answer n unless other hosts really send syslog to this server; if they do, restrict the senders with <allowed-ips> inside the <remote> block of /var/ossec/etc/ossec.conf.


  • Choose language: [en]
OSSEC HIDS v3.6.0 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.

 - System: Linux ubuntu 4.15.0-20-generic
 - User: root
 - Host: ubuntu
ENTER

1- What kind of installation do you want (server, agent, local, hybrid or help)?

server

(hybrid installs the server together with an agent on the same host, for a machine that also reports to another OSSEC server; agent is for a host that only reports to this server.)

2- Setting up the installation environment.

ENTER [/var/ossec]

3- Configuring the OSSEC HIDS.

 3.1- Do you want e-mail notification? (y/n) [y]: ENTER 
  - What's your e-mail address? email@address.anda
  - We found your SMTP server as: smtp.server.anda
  - Do you want to use it? (y/n) [y]: ENTER 
 3.2- Do you want to run the integrity check daemon? (y/n) [y]: ENTER
  - Running syscheck (integrity check daemon).
 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: ENTER
 3.4- Active response allows you to execute a specific 
      command based on the events received. For example,
      you can block an IP address or disable access for
      a specific user.  
      More information at:
      http://www.ossec.net/en/manual.html#active-response       
  - Do you want to enable active response? (y/n) [y]:  ENTER
    - Active response enabled.
  - By default, we can enable the host-deny and the 
    firewall-drop responses. The first one will add
    a host to the /etc/hosts.deny and the second one
    will block the host on iptables (if linux) or on
    ipfilter (if Solaris, FreeBSD or NetBSD).
  - They can be used to stop SSHD brute force scans, 
    portscans and some other forms of attacks. You can 
    also add them to block on snort events, for example.
  - Do you want to enable the firewall-drop response? (y/n) [y]: ENTER
    - firewall-drop enabled (local) for levels >= 6
  - 
     - 127.0.0.53
  - Do you want to add more IPs to the white list? (y/n)? [n]: ENTER
 3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: ENTER
  - Remote syslog enabled.
 3.6- Setting the configuration to analyze the following logs:
   -- /var/log/auth.log
   -- /var/log/syslog
   -- /var/log/dpkg.log
- If you want to monitor any other file, just change 
  the ossec.conf and add a new localfile entry.
  Any questions about the configuration can be answered
  by visiting us online at http://www.ossec.net .

Installation Finished

- Configuration finished properly.

- To start OSSEC HIDS:
     /var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
     /var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

   Thanks for using the OSSEC HIDS.
   If you have any question, suggestion or if you find any bug,
   contact us at https://github.com/ossec/ossec-hids or using
   our public maillist at  
   https://groups.google.com/forum/#!forum/ossec-list

   More information can be found at http://www.ossec.net
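The whole procedure above (dependencies, download, install.sh and every prompt in the walkthrough) as one unattended script, added here as an example; it is not code from the wiki page or from the OSSEC project. It relies on OSSEC's answer-file mechanism: install.sh reads etc/preloaded-vars.conf from the unpacked source tree and skips each prompt whose USER_* variable is set (the names below are the ones documented in that template file; check them against the copy in the 3.6.0 tree). Assumptions not on the page: the expected SHA-256 of the tarball (a placeholder that refuses to install until replaced), the alert mailbox, the SMTP relay and the white list, all taken from environment variables.

```shell
#!/bin/sh
# Unattended OSSEC 3.6.0 server install for Ubuntu 18.04.
# Added example, not code from the wiki page or from the OSSEC project.
# It answers the install.sh prompts shown in the walkthrough through
# etc/preloaded-vars.conf, the answer file install.sh reads from the
# unpacked source tree (USER_* names as documented in that file).
#
# Assumptions (not on the page), all overridable from the environment:
#   OSSEC_SHA256  SHA-256 of 3.6.0.tar.gz obtained out of band; the
#                 placeholder refuses to install until it is replaced.
#   ADMIN_EMAIL   mailbox for alerts
#   SMTP_SERVER   SMTP relay used by ossec-maild
#   WHITE_LIST    space-separated addresses firewall-drop must never block
#                 (the 127.0.0.53 stub resolver plus your management hosts)
set -eu

OSSEC_VER="3.6.0"
OSSEC_URL="https://github.com/ossec/ossec-hids/archive/${OSSEC_VER}.tar.gz"
OSSEC_SHA256="${OSSEC_SHA256:-REPLACE_WITH_KNOWN_GOOD_SHA256}"
ADMIN_EMAIL="${ADMIN_EMAIL:-root@localhost}"
SMTP_SERVER="${SMTP_SERVER:-127.0.0.1}"
WHITE_LIST="${WHITE_LIST:-127.0.0.53}"
SRC_ROOT="/usr/local/src"

# verify_sha256 FILE EXPECTED: succeeds only if FILE hashes to EXPECTED.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# write_preloaded_vars SRCDIR EMAIL SMTP WHITELIST
# Writes SRCDIR/etc/preloaded-vars.conf and prints its path. Every line
# maps onto one prompt of the interactive walkthrough above. Remote syslog
# (step 3.5) is switched off: 514/udp takes unauthenticated input, so only
# enable it deliberately, together with <allowed-ips> in ossec.conf.
write_preloaded_vars() {
    srcdir=$1; email=$2; smtp=$3; whitelist=$4
    mkdir -p "$srcdir/etc"
    cat > "$srcdir/etc/preloaded-vars.conf" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="server"
USER_DIR="/var/ossec"
USER_ENABLE_EMAIL="y"
USER_EMAIL_ADDRESS="$email"
USER_EMAIL_SMTP="$smtp"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_FIREWALL_RESPONSE="y"
USER_WHITE_LIST="$whitelist"
USER_ENABLE_SYSLOG="n"
EOF
    echo "$srcdir/etc/preloaded-vars.conf"
}

# The same steps as the page, run as root, with the checksum gate in between.
main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apt update
    apt -y install build-essential make zlib1g-dev libpcre2-dev libz-dev libssl-dev libevent-dev
    cd "$SRC_ROOT"
    wget -O "${OSSEC_VER}.tar.gz" "$OSSEC_URL"
    if ! verify_sha256 "${OSSEC_VER}.tar.gz" "$OSSEC_SHA256"; then
        echo "SHA-256 mismatch for ${OSSEC_VER}.tar.gz, refusing to install" >&2
        exit 1
    fi
    tar zxf "${OSSEC_VER}.tar.gz"
    write_preloaded_vars "${SRC_ROOT}/ossec-hids-${OSSEC_VER}" "$ADMIN_EMAIL" "$SMTP_SERVER" "$WHITE_LIST"
    cd "${SRC_ROOT}/ossec-hids-${OSSEC_VER}"
    ./install.sh
    /var/ossec/bin/ossec-control start
}

# Only --run performs the install; without it the script just defines the
# functions so they can be inspected or sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `OSSEC_SHA256=... ADMIN_EMAIL=... WHITE_LIST="127.0.0.53 192.0.2.10" sh install-ossec.sh --run`. The answer file is worth keeping under version control: it is the record of which responses were enabled on the host, which is exactly what you need when an address turns up blocked later.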


Run

Start:

/var/ossec/bin/ossec-control start

Stop:

/var/ossec/bin/ossec-control stop

After starting, ossec-control status lists which daemons are running; a daemon that is missing there usually left the reason in the logs directory below.

The configuration is in

/var/ossec/etc/ossec.conf

Logs

The important events recorded by OSSEC HIDS can be read under

/var/ossec/logs/

The files of most interest are

/var/ossec/logs/active-responses.log
/var/ossec/logs/alerts/alerts.log

Daemon start-up and configuration errors go to ossec.log in the same directory; check it first when ossec-control reports a daemon as not running.
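The installer enabled firewall-drop for levels >= 6 and seeded the white list with the local resolver. The following script, added here as an example and not part of the wiki page or the OSSEC project, applies that same decision to alerts.log: it lists every alert at or above the threshold that names a source IP and is not white-listed, which is what the firewall-drop response would have acted on. The records it parses are constructed to mirror the alerts.log layout (a "** Alert" header, a "Rule: id (level n)" line and an optional "Src IP:" line); the hosts, times and addresses in them are made up.

```shell
#!/bin/sh
# Added example, not from the wiki page or the OSSEC project: review which
# source addresses the default firewall-drop response would block, by
# reading alerts.log the same way the installer's rule applies
# ("firewall-drop enabled (local) for levels >= 6"): an alert at or above
# the threshold that names a Src IP, unless that address is white-listed.
# Run it over the real file to audit past responses, or over a captured
# alert before enabling active response on a host you cannot afford to
# lock yourself out of.
set -eu

# Constructed sample records in the alerts.log layout; hosts, times and
# addresses are made up (203.0.113.0/24 is a documentation range).
sample_alerts() {
    cat <<'EOF'
** Alert 1585551360.1001: - syslog,sshd,authentication_failed,
2020 Mar 30 07:36:00 ubuntu->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Mar 30 07:36:00 ubuntu sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2

** Alert 1585551420.1042: mail  - syslog,sshd,authentication_failures,
2020 Mar 30 07:37:00 ubuntu->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 203.0.113.7
User: root
Mar 30 07:37:00 ubuntu sshd[1240]: Failed password for root from 203.0.113.7 port 51240 ssh2

** Alert 1585551480.1100: - syslog,sshd,authentication_failures,
2020 Mar 30 07:38:00 ubuntu->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 127.0.0.53
User: admin
Mar 30 07:38:00 ubuntu sshd[1250]: Failed password for admin from 127.0.0.53 port 4000 ssh2

** Alert 1585551540.1200: - ossec,syscheck,
2020 Mar 30 07:39:00 ubuntu->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
EOF
}

# would_block MIN_LEVEL WHITELIST < alerts.log
# Prints "<alert id> <level> <rule id> <src ip>" for every alert at or above
# MIN_LEVEL whose Src IP is not in the space-separated WHITELIST. Alerts
# without a Src IP (syscheck, rootcheck) have nothing to drop and are skipped.
would_block() {
    awk -v min="$1" -v wl="$2" '
        BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
        function flush() {
            if (id != "" && level >= min + 0 && ip != "" && !(ip in white))
                print id, level, rule, ip
            id = ""; level = 0; rule = ""; ip = ""
        }
        /^\*\* Alert / { flush(); id = $3; sub(/:$/, "", id) }      # new record
        /^Rule: /      { rule = $2; sub(/\)$/, "", $4); level = $4 + 0 }
        /^Src IP: /    { ip = $3 }
        END { flush() }
    '
}

# Demo on the constructed sample with the white list the installer proposed.
if [ "${1:-}" = "--demo" ]; then
    sample_alerts | would_block 6 "127.0.0.53"
fi
```

Against the real log: `would_block 6 "127.0.0.53 192.0.2.10" < /var/ossec/logs/alerts/alerts.log`, then compare the result with active-responses.log. The third sample record is the case the white list exists for: a burst of failures attributed to the resolver address would otherwise have firewall-drop cut the host off from DNS.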

Related Links

  • IDS
  • OSSEC
  • OSSEC: Ubuntu 18.04
  • OSSEC: whitelisting