Intrusion Detection with OSSEC
Guardian Angel
Configuring the OSSEC Server
The next step is to tailor OSSEC to your requirements in the /var/ossec/etc/ossec.conf configuration file, for example, in Nano:
sudo nano /var/ossec/etc/ossec.conf
You can customize the email configuration and, as shown in Listing 1, list the addresses of the server itself and of its agents in the <global> section. Hosts on this allow list are never blocked by active response, so the server cannot firewall out its own loopback addresses or the agents that report to it.
Listing 1
Store IP Addresses
<global>
  <allow_list>127.0.0.1</allow_list>
  <allow_list>::1</allow_list>
  <allow_list>localhost.localdomain</allow_list>
  <allow_list>127.0.0.53</allow_list>
  <allow_list>10.0.0.2</allow_list> <!-- OSSEC client -->
</global>
Events from the OSSEC agents arrive through the <remote> section. Set the connection type to secure, which is the encrypted agent protocol on UDP port 1514 (the syslog type, on UDP port 514, is for plain syslog from devices that cannot run an agent), and add the agent IP addresses under <allowed-ips>. Note that the type is the text content of <connection>, not a tag of its own:
<remote>
  <connection>secure</connection>
  <allowed-ips>192.168.0.2</allowed-ips> <!-- OSSEC client -->
</remote>
If OSSEC detects an attack originating from an IP address, the active response blocks that address for 10 minutes by default. If further suspicious packets then arrive from the same address, OSSEC treats it as a repeat offender and blocks it for a longer period each time. The escalating timeouts, given in minutes, are defined in the <active-response> section of the same configuration file:
<!-- Active Response Config -->
<active-response>
  <repeated_offenders>30,60,120,240,480</repeated_offenders>
</active-response>
This example blocks a potential attacker for 30 minutes on the first repeat, then 60, 120, 240 and finally 480 minutes. The repeat-offender timers are kept by the host that executes the response, so the option must also be present in the ossec.conf of any agent that runs active responses locally; the setting on the server only governs blocks executed on the server itself. If you make changes to the configuration file, you need to restart OSSEC.
Connecting Agents
The best way for OSSEC to collect information from computers on the network is to install agents. A client for Windows is available from the download page, which you can install from the graphical user interface. Connecting Linux computers is slightly more complicated but is also quickly done.
To launch the agent on a Windows server, you first need to complete the install, which can be scripted easily. A connection to OSSEC is then opened by the OSSEC agent manager where you enter the IP address or the name of the OSSEC server and the authentication key for the connection that you create on the OSSEC server. It is important at this point to enter the IP addresses of the clients in the OSSEC configuration file on the server, as already described.
To manage the agents on the server or to create authentication keys, launch the administration program on the server by typing:
sudo /var/ossec/bin/manage_agents
Installing the Linux agent is basically the same as installing the OSSEC server, but select the agent installation variant instead of server. A wizard then appears, and you set up the agent in the same way as the server: specify the installation directory, enter the name or IP address of the OSSEC server, and enable the integrity check daemon, the rootkit detection engine, and active response. On Linux computers, you can also adjust the agent settings afterwards in the /var/ossec/etc/ossec.conf file. At this point, it is important that the server's IP address appears in the <client> section of <ossec_config>:
<ossec_config>
  <client>
    <server-ip>IP-address</server-ip> <!-- IP address of the OSSEC server -->
  </client>
</ossec_config>
On the server, manage_agents lets you list the registered computers (L) and create the authentication keys that the clients require for the connection (A to add an agent with its name and IP address, then E to extract its key). On Windows clients, paste the key into the OSSEC agent manager window; on Linux, start the same tool as on the server by typing:
sudo /var/ossec/bin/manage_agents
and select I (Import key from the server) to paste the key into the terminal. After adding a client, restart the OSSEC services (a reboot is not needed) on both the server and the client:
sudo /var/ossec/bin/ossec-control restart
You can see whether a Linux client has connected successfully by typing:
sudo /var/ossec/bin/agent_control -lc
If the connections between clients and server do not work, the cause is usually the firewall settings on the server. Make sure the firewall does not block traffic from the clients to the server, in particular UDP port 1514 (the encrypted agent protocol) and UDP port 514 (plain syslog). Additionally, the agent addresses must be permitted in the OSSEC configuration file on the server, both in the active-response allow list and in the secure remote connection (Listing 2).
Listing 2
Secure Communication with Server
<global>
  <allow_list>10.0.0.2</allow_list> <!-- OSSEC client -->
</global>
<remote>
  <connection>secure</connection>
  <allowed-ips>10.0.0.2</allowed-ips> <!-- OSSEC client -->
</remote>
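Because ossec.conf is edited by hand and a single mistyped tag silently breaks agent connectivity, it pays to lint the file before restarting OSSEC. The script below is an added example written for this article, not part of OSSEC: it wraps the file in a dummy root (ossec.conf may contain several top-level <ossec_config> blocks, which is not one XML document), rejects malformed XML such as a connection type written as a tag, and checks the points made in the server and agent sections above: the remote connection type, every secure-remote agent address also being on the active-response allow list (the older <white_list> spelling is accepted too), the <repeated_offenders> list holding at most the five ascending values the OSSEC documentation allows, and the agent's <client> block naming a server. The sample configurations, including the server address 10.0.0.1 in the agent fragment, are constructed for the demo and do not come from the article.

```python
"""Lint ossec.conf fragments for the agent-connectivity mistakes discussed above.
Added example for this article; not part of OSSEC. Sample configs are constructed."""
import xml.etree.ElementTree as ET
from typing import List

VALID_CONNECTIONS = {"secure", "syslog"}
MAX_REPEATED_OFFENDERS = 5  # limit for <repeated_offenders> stated in the OSSEC docs


def parse_ossec_conf(text: str) -> ET.Element:
    """ossec.conf may hold several top-level <ossec_config> blocks, so wrap it in a root."""
    return ET.fromstring("<root>" + text + "</root>")


def lint_ossec_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    try:
        root = parse_ossec_conf(text)
    except ET.ParseError as exc:
        # Also catches <connection><secure></connection>, </connetion> and "-- >" in a comment.
        return [f"malformed XML: {exc}"]

    findings: List[str] = []

    # Hosts exempt from active-response blocking; older releases name the tag <white_list>.
    exempt = {(e.text or "").strip() for tag in ("allow_list", "white_list") for e in root.iter(tag)}
    exempt.discard("")

    for remote in root.iter("remote"):
        conn = remote.find("connection")
        ctype = (conn.text or "").strip() if conn is not None else ""
        if ctype not in VALID_CONNECTIONS:
            findings.append(f"<remote><connection> is {ctype!r}; expected 'secure' (agents, "
                            "1514/udp) or 'syslog' (plain syslog, 514/udp)")
            continue
        if ctype != "secure":
            continue
        for ip in remote.iter("allowed-ips"):
            addr = (ip.text or "").strip()
            if addr and addr not in exempt:
                findings.append(f"agent {addr} is in <allowed-ips> but not in <global><allow_list>; "
                                "active response could firewall it out")

    for ro in root.iter("repeated_offenders"):
        raw = (ro.text or "").strip()
        try:
            minutes = [int(v) for v in raw.split(",")]
        except ValueError:
            findings.append(f"<repeated_offenders> must be comma-separated minutes, got {raw!r}")
            continue
        if len(minutes) > MAX_REPEATED_OFFENDERS:
            findings.append(f"<repeated_offenders> has {len(minutes)} entries; "
                            f"at most {MAX_REPEATED_OFFENDERS} are allowed")
        if minutes != sorted(set(minutes)):
            findings.append(f"<repeated_offenders> timeouts must strictly increase, got {raw!r}")

    for client in root.iter("client"):
        if client.find("server-ip") is None and client.find("server-hostname") is None:
            findings.append("agent <client> section names no <server-ip> or <server-hostname>")

    return findings


# Constructed sample configurations (not from a real deployment).
GOOD_SERVER_CONF = """
<ossec_config>
  <global>
    <allow_list>127.0.0.1</allow_list>
    <allow_list>::1</allow_list>
    <allow_list>10.0.0.2</allow_list> <!-- OSSEC client -->
  </global>
  <remote>
    <connection>secure</connection>
    <allowed-ips>10.0.0.2</allowed-ips>
  </remote>
</ossec_config>
<ossec_config>
  <active-response>
    <repeated_offenders>30,60,120,240,480</repeated_offenders>
  </active-response>
</ossec_config>
"""

# Agent address missing from the allow list, and one repeat-offender timeout too many.
BAD_SERVER_CONF = """
<ossec_config>
  <global><allow_list>127.0.0.1</allow_list></global>
  <remote>
    <connection>secure</connection>
    <allowed-ips>192.168.0.2</allowed-ips>
  </remote>
  <active-response>
    <repeated_offenders>30,60,120,240,480,960</repeated_offenders>
  </active-response>
</ossec_config>
"""

# Connection type written as a tag instead of as the element's text: not even valid XML.
BROKEN_CONF = "<ossec_config><remote><connection><secure></connection></remote></ossec_config>"

# Agent side; 10.0.0.1 is an assumed server address, not one given in the article.
AGENT_CONF = "<ossec_config><client><server-ip>10.0.0.1</server-ip></client></ossec_config>"

if __name__ == "__main__":
    for name, conf in [("good server", GOOD_SERVER_CONF), ("bad server", BAD_SERVER_CONF),
                       ("broken", BROKEN_CONF), ("agent", AGENT_CONF)]:
        print(name + ":", lint_ossec_conf(conf) or "ok")
```

Run it against your own file with `lint_ossec_conf(open("/var/ossec/etc/ossec.conf").read())` before the restart; an empty list means the file parses and the agent addresses, connection type and repeat-offender list are consistent with the listings above, while a "malformed XML" finding points at the exact line OSSEC itself would choke on.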
Conclusions
OSSEC is a powerful tool that can detect and combat malware and cyberattacks and can be run on a virtual machine – no physical hardware is required. As well as email notifications, OSSEC can run actions and use Slack for communication – the project documentation provides useful help for setting up these features.
In addition to the free OSSEC version, you might also want to try out OSSEC+. It requires registration, but in many cases plain OSSEC is fully up to the task in hand.
Infos
- OSSEC: https://www.ossec.net
- OSSEC downloads: https://www.ossec.net/ossec-downloads/
- OSSEC documentation: https://ossec-docs.readthedocs.io/en/latest