Intrusion Detection with OSSEC

Guardian Angel

Configuring the OSSEC Server

The next step is to tailor OSSEC to your requirements in the /var/ossec/etc/ossec.conf configuration file, for example, in Nano:

sudo nano /var/ossec/etc/ossec.conf

You can customize the email configuration and, as shown in Listing 1, integrate the IP addresses of the services and clients in the <global> section.

Listing 1

Store IP Addresses

<global>
    <allow_list>127.0.0.1</allow_list>
    <allow_list>::1</allow_list>
    <allow_list>localhost.localdomain</allow_list>
    <allow_list>127.0.0.53</allow_list>
    <allow_list>10.0.0.2</allow_list>
    <!-- OSSEC client -->
</global>

To read the syslogs from the various OSSEC agents, the client IP addresses need to be added to the configuration file under <remote>, and the connection must be defined as secure:

<remote>
    <connection>secure</connection>
    <allowed-ips>192.168.0.2</allowed-ips> <!-- OSSEC client -->
</remote>

If OSSEC detects an attack originating from an IP address, the system blocks it for 10 minutes. If further suspicious packets then originate from the IP address, OSSEC identifies them as repeat offenders and blocks them for a longer period. This can be defined in the <active-response> section of the same configuration file:

<!-- Active Response Config -->
<active-response>
    <repeated_offenders>30,60,120,240,480</repeated_offenders>
</active-response>

This example blocks potential attackers for a longer period on each new attempt. If you make changes to the configuration file, you need to restart OSSEC.

Connecting Agents

The best way for OSSEC to collect information from computers on the network is to install agents. A client for Windows is available from the download page, which you can install from the graphical user interface. Connecting Linux computers is slightly more complicated but is also quickly done.

To launch the agent on a Windows server, you first need to complete the install, which can be scripted easily. A connection to OSSEC is then opened by the OSSEC agent manager where you enter the IP address or the name of the OSSEC server and the authentication key for the connection that you create on the OSSEC server. It is important at this point to enter the IP addresses of the clients in the OSSEC configuration file on the server, as already described.

To manage the agents on the server or to create authentication keys, launch the administration program on the server by typing:

sudo /var/ossec/bin/manage_agents

Installing the Linux agent is basically the same as installing the OSSEC server, but select the agent installation variant rather than server. A wizard then appears, and you can set up the agent in the same way as the server. Specify the installation directory, enter the name of the OSSEC server, and enable the integrity check daemon, the rootkit detection engine, and active response. On Linux computers, you can also configure the agent in the /var/ossec/etc/ossec.conf file. At this point, it is important to enter the server's IP address in the <ossec_config> section:

<ossec_config>
  <client>
    <server-ip><IP-address></server-ip>
  </client>
</ossec_config>

When managing the connected clients, you can first display a list of the connected computers and create the authentication keys that the clients require for the connection. For Windows clients, use the setup window; on Linux, start the same tool as on the server by typing:

sudo /var/ossec/bin/manage_agents

You can then enter the authentication code in the terminal by selecting I. It generally makes sense to restart OSSEC on the server and the client after integrating clients. To do this, run the following on the devices:

/var/ossec/bin/ossec-control restart

You can see whether a Linux client has connected successfully by typing:

sudo /var/ossec/bin/agent_control -lc

If the connections between clients and servers do not work, it is usually because of the firewall settings on the server. Make sure the firewall does not block communication between the server and the clients, especially ports 1514 and 514. Additionally, secure communication with the server must be permitted in the OSSEC configuration file (Listing 2).

Listing 2

Secure Communication with Server

<global>
    <allow_list>10.0.0.2</allow_list>
    <!-- OSSEC client -->
</global>
<remote>
    <connection>secure</connection>
    <allowed-ips>10.0.0.2</allowed-ips>
    <!-- OSSEC client -->
</remote>
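The <global>, <remote> and <active-response> fragments above are easy to get wrong by hand (a stray space in a comment, a mistyped closing tag, a value wrapped in angle brackets), and OSSEC only tells you after a restart. The following pre-flight checker is an added example, not part of OSSEC or of this article: it parses the configuration file, reports XML syntax errors with their line numbers, verifies that agents use a secure connection and valid addresses, cross-checks that every agent in <allowed-ips> is also listed in <allow_list> so active response cannot block it, validates the repeated_offenders list, and computes how long an address stays blocked on its n-th offence following the description in the text (10 minutes first, then the list). The sample configuration strings are constructed for the example; the five-entry limit on repeated_offenders is from the OSSEC documentation.

```python
"""Offline pre-flight check for ossec.conf fragments (added example, not OSSEC code)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Hostname labels: 1-63 chars, no leading/trailing hyphen (RFC 1123 style)
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
DEFAULT_BLOCK_MINUTES = 10  # first offence, as described in the article

# Constructed sample with the hand-editing mistakes seen in practice:
# a "-- >" comment terminator and a misspelled closing tag.
BROKEN_CONF = """<ossec_config>
<global>
    <allow_list>10.0.0.2</allow_list>
    <!-- OSSEC client -- >
</global>
<remote>
    <connection>secure</connetion>
    <allowed-ips>10.0.0.2</allowed-ips>
</remote>
</ossec_config>
"""

# Constructed sample that mirrors the corrected listings above.
GOOD_CONF = """<ossec_config>
<global>
    <allow_list>127.0.0.1</allow_list>
    <allow_list>::1</allow_list>
    <allow_list>localhost.localdomain</allow_list>
    <allow_list>10.0.0.2</allow_list>
</global>
<remote>
    <connection>secure</connection>
    <allowed-ips>10.0.0.2</allowed-ips>
</remote>
<active-response>
    <repeated_offenders>30,60,120,240,480</repeated_offenders>
</active-response>
</ossec_config>
"""


def parse_conf(text):
    """Parse ossec.conf text; a real file may contain several <ossec_config>
    roots, so wrap it in a synthetic root. Returns (element, error_or_None)."""
    try:
        return ET.fromstring("<lint-root>" + text + "</lint-root>"), None
    except ET.ParseError as exc:  # message already carries line and column
        return None, f"XML syntax error: {exc}"


def _valid_address(value):
    """Accept an IPv4/IPv6 address, a CIDR range, or a hostname."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        if re.fullmatch(r"[0-9.]+", value):  # looks like a broken IPv4, not a name
            return False
        return bool(HOSTNAME_RE.match(value))


def lint_conf(text):
    """Return a list of findings; an empty list means the fragments look sane."""
    root, err = parse_conf(text)
    if err:
        return [err]
    findings = []
    allow = {(e.text or "").strip() for e in root.iter("allow_list")}
    for entry in allow:
        if not _valid_address(entry):
            findings.append(f"<allow_list>: invalid entry {entry!r}")
    for remote in root.iter("remote"):
        conn = remote.find("connection")
        if conn is None or (conn.text or "").strip() != "secure":
            findings.append("<remote>: agents require <connection>secure</connection>")
        for ip in remote.findall("allowed-ips"):
            value = (ip.text or "").strip()
            if not _valid_address(value):
                findings.append(f"<allowed-ips>: invalid entry {value!r}")
            elif value not in allow:
                findings.append(f"<allowed-ips>: {value} missing from <allow_list>; "
                                "active response could block this agent")
    for ro in root.iter("repeated_offenders"):
        parts = [p.strip() for p in (ro.text or "").split(",")]
        if not all(p.isdigit() for p in parts):
            findings.append(f"<repeated_offenders>: non-numeric value in {ro.text!r}")
            continue
        mins = [int(p) for p in parts]
        if len(mins) > 5:
            findings.append("<repeated_offenders>: OSSEC allows at most five entries")
        if mins != sorted(set(mins)):
            findings.append("<repeated_offenders>: timeouts should strictly increase")
    return findings


def block_minutes(offence, repeated_offenders):
    """Minutes an address stays blocked on its n-th offence (n starts at 1):
    the default timeout first, then the list, with the last entry repeating."""
    if offence <= 1 or not repeated_offenders:
        return DEFAULT_BLOCK_MINUTES
    return repeated_offenders[min(offence - 2, len(repeated_offenders) - 1)]


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("good", GOOD_CONF)):
        print(name, lint_conf(conf) or "OK")
```

Run it against the live file with `python3 lint_ossec.py` after swapping in `open("/var/ossec/etc/ossec.conf").read()`; fix every finding before `ossec-control restart`, since a syntax error means the daemons will not come back up.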

Conclusions

OSSEC is a powerful tool that can detect and combat malware and cyberattacks and can be run on a virtual machine – no physical hardware is required. As well as email notifications, OSSEC can run actions and use Slack for communication – the project documentation provides useful help for setting up these features.

In addition to the free OSSEC version, you might also want to try out OSSEC+. You do need to register for it, however, and in many cases the free version of OSSEC is fully up to the task at hand.

The Author

Thomas Joos is a freelance IT consultant and has been working in IT for more than 20 years. In addition, he writes hands-on books and papers on Windows and other Microsoft topics. Online you can meet him on http://thomasjoos.spaces.live.com.
