OSSEC: Ubuntu 18.04
Onnowpurbo (talk | contribs)
Revision as of 06:44, 30 March 2020
Install Prerequisites

sudo su
apt update
apt -y install build-essential make zlib1g-dev libpcre2-dev libz-dev libssl-dev libevent-dev
Download & Install
sudo su
cd /usr/local/src
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar zxvf 3.6.0.tar.gz
cd /usr/local/src/ossec-hids-3.6.0
./install.sh

The GitHub archive URL above is a plain source tarball. If you want to check what you downloaded before running install.sh as root, compare it against the checksum or signature that OSSEC publishes for the release on its download page.
Installation Process Excerpt

NOTE: For most prompts, just press ENTER.

- Choose the language: [en]

OSSEC HIDS v3.6.0 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.

- System: Linux ubuntu 4.15.0-20-generic
- User: root
- Host: ubuntu
ENTER
1- What kind of installation do you want (server, agent, local, hybrid or help)?
server
(hybrid is the other option the author lists: a server that also runs an agent reporting to another OSSEC server.)
2- Setting up the installation environment.
- Install location [/var/ossec]: ENTER
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: ENTER
- What's your e-mail address? email@your.address
- We found your SMTP server as: smtp.your.server
- Do you want to use it? (y/n) [y]: ENTER
3.2- Do you want to run the integrity check daemon? (y/n) [y]: ENTER
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: ENTER
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: ENTER
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]: ENTER
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
   - 127.0.0.53
- Do you want to add more IPs to the white list? (y/n)? [n]: ENTER

(127.0.0.53 is the systemd-resolved stub listener on Ubuntu 18.04, picked up by install.sh from /etc/resolv.conf. Consider answering y here and adding the address you administer this host from: with firewall-drop active, a level >= 6 alert caused by your own mistyped SSH passwords will block your own source IP.)
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: ENTER
- Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/dpkg.log
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

(Remote syslog opens a UDP listener on port 514. Restrict which hosts may send to it with an <allowed-ips> entry inside the <remote> block of /var/ossec/etc/ossec.conf, or leave it disabled if this server only analyses its own logs.)
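To make steps 3.4 and 3.6 concrete, the following is an added example (not OSSEC's own code, and not from the author of this page) that replays what the analysis engine and the firewall-drop response do with /var/log/auth.log: it counts sshd password failures per source address, raises the level once the same source hits the repeat threshold, and then shows which addresses firewall-drop would block and which the white list protects. The rule levels and threshold (level 5 for one failure, level 10 after six failures from one source within 360 seconds) are assumed to mirror the stock sshd rules in /var/ossec/rules/sshd_rules.xml and should be checked against that file; the management host 192.0.2.10, the attacker 203.0.113.5, the log lines and the year used for timestamps are all constructed for the example.

```python
"""Simulated OSSEC sshd brute-force correlation plus firewall-drop decision.

Added example, not OSSEC's code. Rule levels/threshold are assumptions modelled
on the stock sshd rules; the log lines and addresses are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed to mirror the stock sshd rules; verify in /var/ossec/rules/sshd_rules.xml.
SINGLE_FAILURE_LEVEL = 5       # one "Failed password" line
REPEATED_FAILURE_LEVEL = 10    # same source reaches FREQUENCY failures in TIMEFRAME
FREQUENCY = 6
TIMEFRAME_SECONDS = 360
ACTIVE_RESPONSE_LEVEL = 6      # "firewall-drop enabled (local) for levels >= 6"

# White list as chosen at install time: the systemd-resolved stub that install.sh
# found in /etc/resolv.conf plus a hypothetical management host added by hand.
WHITE_LIST = {"127.0.0.53", "192.0.2.10"}

SSHD_FAILURE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_syslog_time(stamp, year=2020):
    """auth.log timestamps carry no year; assume one so time deltas can be computed."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def analyse(lines):
    """Return (alerts, responses).

    alerts:    one (level, source_ip, description) per sshd failure line
    responses: firewall-drop commands that would run (as strings, never executed
               here) or a note that the white list suppressed the block
    """
    recent = defaultdict(deque)  # source ip -> timestamps of failures inside TIMEFRAME
    alerts, responses, blocked = [], [], set()
    for line in lines:
        m = SSHD_FAILURE.match(line)
        if not m:
            continue  # not an sshd failure; other decoders/rules would handle it
        ip, ts = m["ip"], parse_syslog_time(m["ts"])
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > TIMEFRAME_SECONDS:
            window.popleft()
        if len(window) >= FREQUENCY:
            level, desc = REPEATED_FAILURE_LEVEL, "Multiple SSHD authentication failures."
            window.clear()  # the composite rule fires once per burst, then counts afresh
        else:
            level, desc = SINGLE_FAILURE_LEVEL, "SSHD authentication failed."
        alerts.append((level, ip, desc))
        if level < ACTIVE_RESPONSE_LEVEL:
            continue
        if ip in WHITE_LIST:
            responses.append(f"# {ip} is white-listed: firewall-drop skipped")
        elif ip not in blocked:
            blocked.add(ip)
            # Mirrors the INPUT rule the stock firewall-drop.sh inserts on Linux.
            responses.append(f"iptables -I INPUT -s {ip} -j DROP")
    return alerts, responses


# Constructed sample auth.log (not from a real host): a brute-force burst from
# 203.0.113.5, one sudo line that is not an sshd failure, and six failures from
# the white-listed management host 192.0.2.10.
SAMPLE_AUTH_LOG = [
    "Mar 30 06:40:01 ubuntu sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2",
    "Mar 30 06:40:03 ubuntu sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2",
    "Mar 30 06:40:05 ubuntu sshd[1205]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "Mar 30 06:40:06 ubuntu sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/su",
    "Mar 30 06:40:08 ubuntu sshd[1207]: Failed password for root from 203.0.113.5 port 51006 ssh2",
    "Mar 30 06:40:10 ubuntu sshd[1209]: Failed password for root from 203.0.113.5 port 51008 ssh2",
    "Mar 30 06:40:12 ubuntu sshd[1211]: Failed password for root from 203.0.113.5 port 51010 ssh2",
    "Mar 30 06:40:14 ubuntu sshd[1213]: Failed password for root from 203.0.113.5 port 51012 ssh2",
    "Mar 30 06:41:00 ubuntu sshd[1301]: Failed password for deploy from 192.0.2.10 port 40000 ssh2",
    "Mar 30 06:41:02 ubuntu sshd[1303]: Failed password for deploy from 192.0.2.10 port 40002 ssh2",
    "Mar 30 06:41:04 ubuntu sshd[1305]: Failed password for deploy from 192.0.2.10 port 40004 ssh2",
    "Mar 30 06:41:06 ubuntu sshd[1307]: Failed password for deploy from 192.0.2.10 port 40006 ssh2",
    "Mar 30 06:41:08 ubuntu sshd[1309]: Failed password for deploy from 192.0.2.10 port 40008 ssh2",
    "Mar 30 06:41:10 ubuntu sshd[1311]: Failed password for deploy from 192.0.2.10 port 40010 ssh2",
]

if __name__ == "__main__":
    found_alerts, found_responses = analyse(SAMPLE_AUTH_LOG)
    for level, ip, desc in found_alerts:
        print(f"level {level:>2}  {ip:<12} {desc}")
    print("\n".join(found_responses))
```

Run as a script it prints thirteen alerts, two of them at level 10, and one iptables command for 203.0.113.5 only: the same six failures from 192.0.2.10 still produce the level-10 alert, but the white list stops the block. That is the behaviour to keep in mind when deciding whether to add your own management address to the white list at step 3.4.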
Fast way steps:

1- Run the script ./install.sh. It will guide you through the
   installation process.
2- The script will create everything in /var/ossec and try to
   create the initialization script in your system (/etc/rc.local or
   /etc/rc.d/init.d/ossec). If the init script is not created, make sure
   to follow the instructions from the install.sh to make OSSEC HIDS
   start during the boot. To start it by hand, just run
   /var/ossec/bin/ossec-control start
3- If you are running it on multiple clients, make sure to install
   the server first. Use the manage_agents tool to create the right
   encryption keys.
4- Enjoy.