OSSEC adalah aplikasi yang mampu berjalan multi platform, jadi silahkan anda implementasikan sesuai dengan sistem operasi yang anda gunakan, berikut adalah cara instalasi dan konfigurasi diatas sistem operasi linux, tepat nya ubuntu server 11.04.
1. Pastikan paket dasar di ubuntu telah lengkap, untuk menginstallnya;
$ sudo apt-get install build-essential
2. Download versi terbaru ossec , pada saat ini 2.6
$sudo wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
3.Extract
$sudo tar -xzvf ossec-hids-2.6.tar.gz
4.masuk ke direktory extract dan jalankan perintah install.sh dan ikuti pentunjuk yang diberikan.
cd ossec-hids-2.6
./install.sh
berikut tampilan yang akan tampil kurang lebih ^_^;
----------
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Per l'installazione in Italiano, scegli [it].
** Aby instalowac w jezyku Polskim, wybierz [pl].
** Türkçe kurulum için seçin [tr].
(en/br/de/it/pl/tr) [en]: en
OSSEC HIDS v0.8 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux diana 2.6.15-25-k7
- User: root - Host: xpredator
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local or help)? local
- Choose where to install the OSSEC HIDS [/var/ossec]:
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? emailkita@email.com
- What's your SMTP server ip/host? your smtp server address (localhost)
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: y
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]: y
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- 192.168.2.1
- Do you want to add more IPs to the white list? (y/n)? [n]: n
3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
- Unknown system. No init script added.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
(http://mailman.underlinux.com.br/mailman/listinfo/ossec-list).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information bellow). ---
/etc/init.d/ossec start
contoh tampilan (real) alert ke email ane, ;
----
OSSEC HIDS Notification.
2011 Aug 01 06:49:06
Received From: xpredator->/var/log/auth.log
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
Portion of the log(s):
Aug 1 06:49:04 xpredator sshd[31563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:55 xpredator sshd[31491]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:45 xpredator sshd[31435]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:35 xpredator sshd[31426]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:26 xpredator sshd[31358]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:16 xpredator sshd[31302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:07 xpredator sshd[31295]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:47:58 xpredator sshd[31249]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
--END OF NOTIFICATION
OSSEC HIDS Notification.
2011 Aug 01 06:49:08
Received From: xpredator->/var/log/auth.log
Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
Portion of the log(s):
Aug 1 06:49:06 xpredator sshd[31563]: Failed password for root from 122.228.197.134 port 59870 ssh2
Aug 1 06:48:57 xpredator sshd[31491]: Failed password for root from 122.228.197.134 port 59156 ssh2
Aug 1 06:48:47 xpredator sshd[31435]: Failed password for root from 122.228.197.134 port 58373 ssh2
Aug 1 06:48:37 xpredator sshd[31426]: Failed password for root from 122.228.197.134 port 57604 ssh2
Aug 1 06:48:28 xpredator sshd[31358]: Failed password for root from 122.228.197.134 port 56851 ssh2
Aug 1 06:48:18 xpredator sshd[31302]: Failed password for root from 122.228.197.134 port 56104 ssh2
Aug 1 06:48:09 xpredator sshd[31295]: Failed password for root from 122.228.197.134 port 55355 ssh2
Aug 1 06:47:59 xpredator sshd[31249]: Failed password for root from 122.228.197.134 port 54609 ssh2
--END OF NOTIFICATION
=============