
OSSEC: Big Brother is watching you


I am probably not mistaken in saying that any professional system administrator needs to know what is happening on their servers, and when. In information security this need is especially acute.
In this post I want to introduce you, colleagues, to a host-based IDS deployment built on OSSEC. Details below.


Theory


Intrusion Detection System (IDS): software (as in our case) or hardware designed to detect unauthorized access (an intrusion or a network attack) to a computer system or network.
Goals achieved with IDS:


IDS are divided into network-based and host-based.

Network-based IDS (NIDS) identify attacks by capturing and analyzing network packets. By listening on a network segment, a NIDS can see the traffic of all hosts connected to that segment and thus protect them.

Host-based IDS (HIDS) work with information collected on a single computer. This vantage point lets a HIDS analyze activity with great certainty and accuracy, pinpointing exactly which processes and users in the OS are involved in a specific attack. HIDS typically use two types of information source: OS audit results and system logs.

OSSEC is a HIDS, but it can also work in a server <-> agents architecture. That is the scheme we will consider here.

Initial data


Suppose we have a corporate network with a DMZ containing servers that we want to watch closely.
Let all the servers run CentOS 6.x (in fact, installation is possible on any distribution, and on other OSes such as Windows).
There is also a server outside the DMZ on which we will collect all the information from the OSSEC agents.

Installation


First of all, let's install the OSSEC server itself.

wget -q -O - https://www.atomicorp.com/installers/atomic |sh && yum install ossec-hids ossec-hids-server 

Answer all questions in the affirmative; once yum finishes, we have a working OSSEC installation.
All OSSEC files live in /var/ossec. Open /var/ossec/ossec.conf and bring it to the following form:

 <ossec_config>
   <global>
     <email_notification>yes</email_notification>
     <email_to>root@domain.local</email_to>
     <smtp_server>smtp.domain.local</smtp_server>
     <email_from>osssec@domain.local</email_from>
     <email_maxperhour>200</email_maxperhour>
   </global>

   <rules>
     <include>rules_config.xml</include>
     <include>pam_rules.xml</include>
     <include>sshd_rules.xml</include>
     <include>telnetd_rules.xml</include>
     <include>syslog_rules.xml</include>
     <include>arpwatch_rules.xml</include>
     <include>symantec-av_rules.xml</include>
     <include>symantec-ws_rules.xml</include>
     <include>pix_rules.xml</include>
     <include>named_rules.xml</include>
     <include>smbd_rules.xml</include>
     <include>vsftpd_rules.xml</include>
     <include>pure-ftpd_rules.xml</include>
     <include>proftpd_rules.xml</include>
     <include>ms_ftpd_rules.xml</include>
     <include>ftpd_rules.xml</include>
     <include>hordeimp_rules.xml</include>
     <include>roundcube_rules.xml</include>
     <include>wordpress_rules.xml</include>
     <include>cimserver_rules.xml</include>
     <include>vpopmail_rules.xml</include>
     <include>vmpop3d_rules.xml</include>
     <include>courier_rules.xml</include>
     <include>web_rules.xml</include>
     <include>web_appsec_rules.xml</include>
     <include>apache_rules.xml</include>
     <include>nginx_rules.xml</include>
     <include>php_rules.xml</include>
     <include>mysql_rules.xml</include>
     <include>postgresql_rules.xml</include>
     <include>ids_rules.xml</include>
     <include>squid_rules.xml</include>
     <include>firewall_rules.xml</include>
     <include>cisco-ios_rules.xml</include>
     <include>netscreenfw_rules.xml</include>
     <include>sonicwall_rules.xml</include>
     <include>postfix_rules.xml</include>
     <include>sendmail_rules.xml</include>
     <include>imapd_rules.xml</include>
     <include>mailscanner_rules.xml</include>
     <include>dovecot_rules.xml</include>
     <include>ms-exchange_rules.xml</include>
     <include>racoon_rules.xml</include>
     <include>vpn_concentrator_rules.xml</include>
     <include>spamd_rules.xml</include>
     <include>msauth_rules.xml</include>
     <include>mcafee_av_rules.xml</include>
     <include>trend-osce_rules.xml</include>
     <include>ms-se_rules.xml</include>
     <!-- <include>policy_rules.xml</include> -->
     <include>zeus_rules.xml</include>
     <include>solaris_bsm_rules.xml</include>
     <include>vmware_rules.xml</include>
     <include>ms_dhcp_rules.xml</include>
     <include>asterisk_rules.xml</include>
     <include>ossec_rules.xml</include>
     <include>attack_rules.xml</include>
     <include>openbsd_rules.xml</include>
     <include>clam_av_rules.xml</include>
     <include>bro-ids_rules.xml</include>
     <include>dropbear_rules.xml</include>
     <include>local_rules.xml</include>
   </rules>

   <syscheck>
     <!-- Frequency that syscheck is executed - default to every 22 hours -->
     <frequency>79200</frequency>

     <!-- Directories to check (perform all possible verifications) -->
     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
     <directories check_all="yes">/bin,/sbin</directories>

     <!-- Files/directories to ignore -->
     <ignore>/etc/mtab</ignore>
     <ignore>/etc/mnttab</ignore>
     <ignore>/etc/hosts.deny</ignore>
     <ignore>/etc/mail/statistics</ignore>
     <ignore>/etc/random-seed</ignore>
     <ignore>/etc/adjtime</ignore>
     <ignore>/etc/httpd/logs</ignore>
     <ignore>/etc/utmpx</ignore>
     <ignore>/etc/wtmpx</ignore>
     <ignore>/etc/cups/certs</ignore>
     <ignore>/etc/dumpdates</ignore>
     <ignore>/etc/svc/volatile</ignore>
   </syscheck>

   <rootcheck>
     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
   </rootcheck>

   <global>
     <white_list>127.0.0.1</white_list>
     <white_list>^localhost.localdomain$</white_list>
   </global>

   <remote>
     <connection>syslog</connection>
   </remote>

   <remote>
     <connection>secure</connection>
   </remote>

   <alerts>
     <log_alert_level>1</log_alert_level>
     <email_alert_level>7</email_alert_level>
   </alerts>

   <command>
     <name>host-deny</name>
     <executable>host-deny.sh</executable>
     <expect>srcip</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>

   <command>
     <name>firewall-drop</name>
     <executable>firewall-drop.sh</executable>
     <expect>srcip</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>

   <command>
     <name>disable-account</name>
     <executable>disable-account.sh</executable>
     <expect>user</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>

   <command>
     <name>restart-ossec</name>
     <executable>restart-ossec.sh</executable>
     <expect></expect>
   </command>

   <command>
     <name>route-null</name>
     <executable>route-null.sh</executable>
     <expect>srcip</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>

   <!-- Active Response Config -->
   <active-response>
     <!-- This response is going to execute the host-deny
        - command for every event that fires a rule with
        - level (severity) >= 6.
        - The IP is going to be blocked for 600 seconds.
       -->
     <command>host-deny</command>
     <location>local</location>
     <level>6</level>
     <timeout>600</timeout>
   </active-response>

   <active-response>
     <!-- Firewall Drop response. Block the IP for
        - 600 seconds on the firewall (iptables,
        - ipfilter, etc).
       -->
     <command>firewall-drop</command>
     <location>local</location>
     <level>6</level>
     <timeout>600</timeout>
   </active-response>

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/messages</location>
   </localfile>

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/secure</location>
   </localfile>

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/xferlog</location>
   </localfile>

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/maillog</location>
   </localfile>

   <localfile>
     <log_format>apache</log_format>
     <location>/var/log/httpd/error_log</location>
   </localfile>

   <localfile>
     <log_format>apache</log_format>
     <location>/var/log/httpd/access_log</location>
   </localfile>
 </ossec_config>

Let's see what is in there. At the very beginning we enable sending alerts by e-mail, specifying the SMTP server, the recipient address and the maximum number of e-mails per hour. By default OSSEC groups events so as not to flood you with a stream of messages.

Next comes the rules block, which describes what OSSEC reacts to and how. You can leave all of them enabled; in my experience this does not noticeably affect performance.

The syscheck section configures the so-called integrity check: the IDS computes a hash of every file in the specified directories and periodically recomputes and compares them. Here we specify which directories to monitor and how often the check runs.

The command section declares the scripts the IDS can run when certain conditions occur, and the active-response section ties those commands to conditions. For example, when a rule of level 6 or higher fires, firewall-drop puts the source IP into iptables for 600 seconds. Handy against brute-force attempts.

At the very end come the actual log files that are to be read and matched against the rules.
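To make the integrity-check mechanism concrete, here is an added example in Python (my own illustration, not OSSEC's code and not from the original post) that does in miniature what syscheck does: walk a set of directories, record a hash plus size and permission bits for every file, honour an ignore list, and report added, deleted and modified files when the walk is repeated. The directory layout, file contents and the choice of SHA-1 are constructed for the demonstration; OSSEC's own database format and hashing details are not reproduced.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-1 of a file's contents, read in chunks so large binaries stay out of memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_ignored(path, ignore):
    """True if path equals an <ignore> entry or lies below one (an ignored directory)."""
    return any(path == ig or path.startswith(ig.rstrip("/") + "/") for ig in ignore)


def build_baseline(directories, ignore=()):
    """Walk the monitored directories and record digest, size and permission bits per file.
    Symlinks are skipped so a link cannot drag an unmonitored tree into the baseline."""
    baseline = {}
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if is_ignored(path, ignore) or os.path.islink(path):
                    continue
                st = os.stat(path)
                baseline[path] = {
                    "sha1": hash_file(path),
                    "size": st.st_size,
                    "mode": oct(st.st_mode & 0o7777),
                }
    return baseline


def compare(old, new):
    """Diff two baselines into syscheck-style events: (kind, path[, changed attributes])."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            events.append(("added", path))
        elif path not in new:
            events.append(("deleted", path))
        elif old[path] != new[path]:
            changed = [k for k in old[path] if old[path][k] != new[path][k]]
            events.append(("modified", path, changed))
    return events


def demo():
    """Constructed run on a throw-away tree: baseline it, then edit, add and delete files.
    The mtab file is ignored, like the <ignore>/etc/mtab</ignore> entry, so its churn is not reported."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        os.makedirs(etc)
        sample = {  # constructed sample files
            "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "mtab": b"/dev/sda1 / ext4 rw 0 0\n",
            "ssh.conf": b"PermitRootLogin no\n",
        }
        for name, body in sample.items():
            with open(os.path.join(etc, name), "wb") as fh:
                fh.write(body)
        ignore = [os.path.join(etc, "mtab")]
        before = build_baseline([etc], ignore)

        # Changes between two syscheck runs: a config edit, noise in the ignored
        # file, a new file and a deletion.
        with open(os.path.join(etc, "ssh.conf"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")
        with open(os.path.join(etc, "mtab"), "ab") as fh:
            fh.write(b"tmpfs /tmp tmpfs rw 0 0\n")
        with open(os.path.join(etc, "rc.local"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.remove(os.path.join(etc, "passwd"))

        after = build_baseline([etc], ignore)
        # Report paths relative to the monitored root so the output is stable.
        return [(ev[0], os.path.relpath(ev[1], etc)) + tuple(ev[2:])
                for ev in compare(before, after)]


if __name__ == "__main__":
    for event in demo():
        print(*event)
```

Running the script reports the deleted passwd, the new rc.local and the modified ssh.conf (hash and size changed), while the edit to the ignored mtab produces nothing; that silence is exactly why the ignore list should stay short and deliberate.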
This completes the rough setup of the OSSEC server side, and we can start it:

 service ossec-hids start 

If it starts successfully, an e-mail announcing the start is sent to the address you specified:

 OSSEC HIDS Notification.
 2013 Sep 06 13:10:35

 Received From: server.domain.local->ossec-monitord
 Rule: 502 fired (level 3) -> "Ossec server started."
 Portion of the log(s):

 ossec: Ossec started.

 --END OF NOTIFICATION

If the launch fails, check the configuration for errors again; the file /var/ossec/logs/ossec.log will help.

Installing a web interface

The web interface is quite primitive, but for convenience you can install it:

 wget -c http://www.ossec.net/files/ossec-wui-0.3.tar.gz
 tar xzvf ossec-wui-0.3.tar.gz
 mv ossec-wui-0.3 /var/www/html/ossec
 cd /var/www/html/ossec/
 ./setup.sh

Here you will be asked for a login and password, and a .htaccess file will be created accordingly. Now add the apache user to the ossec group:

 nano /etc/group
   ossec:x:494:ossec,ossecr,ossecm,ossece,apache
 service httpd restart

Open our page in the browser, then give the tmp folder the right permissions:

 chmod 770 /var/www/html/ossec/tmp
 chgrp apache /var/www/html/ossec/tmp

Now we can see the events registered in OSSEC through a simple interface.

Agent installation

Install the agents on the servers in the DMZ:

 wget -q -O - https://www.atomicorp.com/installers/atomic |sh && yum install ossec-hids ossec-hids-client 

Edit /var/ossec/ossec.conf and bring it to the following form:

 <ossec_config>
   <client>
     <!-- server-ip accepts only an IP address; a hostname goes into server-hostname -->
     <server-hostname>server.domain.local</server-hostname>
   </client>

   <syscheck>
     <!-- Frequency that syscheck is executed - default every 2 hours -->
     <frequency>7200</frequency>

     <!-- Directories to check (perform all possible verifications) -->
     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
     <directories check_all="yes">/bin,/sbin</directories>

     <!-- Files/directories to ignore -->
     <ignore>/etc/mtab</ignore>
     <ignore>/etc/mnttab</ignore>
     <ignore>/etc/hosts.deny</ignore>
     <ignore>/etc/mail/statistics</ignore>
     <ignore>/etc/random-seed</ignore>
     <ignore>/etc/adjtime</ignore>
     <ignore>/etc/httpd/logs</ignore>
     <ignore>/etc/utmpx</ignore>
     <ignore>/etc/wtmpx</ignore>
     <ignore>/etc/cups/certs</ignore>
   </syscheck>

   <rootcheck>
     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
   </rootcheck>

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/messages</location>
   </localfile>

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/secure</location>
   </localfile>

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/maillog</location>
   </localfile>

   <localfile>
     <log_format>apache</log_format>
     <location>/var/log/httpd/error_log</location>
   </localfile>

   <localfile>
     <log_format>apache</log_format>
     <location>/var/log/httpd/access_log</location>
   </localfile>

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/proftpd/error.log</location>
   </localfile>
 </ossec_config>

As you can see, this config is a trimmed-down version of the server one. The main things to specify here are the address of the OSSEC server itself and the log files. I added the proftpd log file as an example.
Communication between the agent and the server takes place over UDP port 1514; do not forget to open it!

Installation and configuration are finished; now we need to pair the server with the agent. To do this, run the special utility /var/ossec/bin/manage_agents on the server:

 ****************************************
 * OSSEC HIDS v2.7 Agent manager.       *
 * The following options are available: *
 ****************************************
    (A)dd an agent (A).
    (E)xtract key for an agent (E).
    (L)ist already added agents (L).
    (R)emove an agent (R).
    (Q)uit.
 Choose your action: A,E,L,R or Q: a

 - Adding a new agent (use '\q' to return to the main menu).
   Please provide the following:
    * A name for the new agent: ftp-server
    * The IP Address of the new agent: 192.168.0.2
    * An ID for the new agent[001]:
 Agent information:
    ID:001
    Name:ftp-server
    IP Address:192.168.0.2

 Confirm adding it?(y/n): y
 Agent added.

 ****************************************
 * OSSEC HIDS v2.7 Agent manager.       *
 * The following options are available: *
 ****************************************
    (A)dd an agent (A).
    (E)xtract key for an agent (E).
    (L)ist already added agents (L).
    (R)emove an agent (R).
    (Q)uit.
 Choose your action: A,E,L,R or Q: e

 Available agents:
    ID: 001, Name: ftp-server, IP: 192.168.0.2
 Provide the ID of the agent to extract the key (or '\q' to quit): 001

 Agent key information for '001' is:
 MDA3IGZ0cC1zZXJ1ZXIgMTkyLjE2OC4wLjIgOTQyODg5ODg2NDI5MGNiYTkzYTU1N2I5Yzg5OWTwNTJhNzQ2ZDdlYmNkNzM3NGYyZWQyZGQyZmFlNjdjMjZmOA==

 ** Press ENTER to return to the main menu.

 ****************************************
 * OSSEC HIDS v2.7 Agent manager.       *
 * The following options are available: *
 ****************************************
    (A)dd an agent (A).
    (E)xtract key for an agent (E).
    (L)ist already added agents (L).
    (R)emove an agent (R).
    (Q)uit.
 Choose your action: A,E,L,R or Q: q

 ** You must restart OSSEC for your changes to take effect.

 manage_agents: Exiting ..


As you can see, everything is simple. The result is a BASE64 string that you need to copy and paste on the agent. Do not forget to restart the server:

 service ossec-hids restart

Now run /var/ossec/bin/manage_agents on the agent:

 ****************************************
 * OSSEC HIDS v2.7 Agent manager.       *
 * The following options are available: *
 ****************************************
    (I)mport key from the server (I).
    (Q)uit.
 Choose your action: I or Q: i

 * Provide the Key generated by the server.
 * The best approach is to cut and paste it.
 *** OBS: Do not include spaces or new lines.

 Paste it here (or '\q' to quit): MDA3IGZ0cC1zZXJ1ZXIgMTkyLjE2OC4wLjIgOTQyODg5ODg2NDI5MGNiYTkzYTU1N2I5Yzg5OWTwNTJhNzQ2ZDdlYmNkNzM3NGYyZWQyZGQyZmFlNjdjMjZmOA==

 ** Press ENTER to return to the main menu.

 ****************************************
 * OSSEC HIDS v2.7 Agent manager.       *
 * The following options are available: *
 ****************************************
    (I)mport key from the server (I).
    (Q)uit.
 Choose your action: I or Q: q

 manage_agents: Exiting ..

Restart the agent:

 service ossec-hids restart

Go back to the server console and check that the agent is connected:

 /var/ossec/bin/list_agents -a
 ftp-server-192.168.0.2 is available.
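The exported agent key deserves a closer look before it is copied around: it is the base64 encoding of the line "ID NAME IP SECRET" that the server keeps in its client.keys file, so base64 here is encoding, not protection, and the string carries the shared secret in the clear. The following added example in Python (my own illustration, not part of the original post and not OSSEC's code) builds such a key from constructed values, decodes one back and checks that its fields are well-formed and that it belongs to the host it is about to be imported on. The function names and sample values are mine; the field layout follows the key shown in the manage_agents session above.

```python
import base64
import binascii
import ipaddress
import secrets
import string


def make_agent_key(agent_id, name, ip, secret_hex=None):
    """Build a key in the layout manage_agents exports: base64 of the line
    'ID NAME IP SECRET' that the server stores in client.keys.
    Constructed for this example; on a real server manage_agents generates the secret."""
    if secret_hex is None:
        secret_hex = secrets.token_hex(32)  # 64 hex characters, like the key on the page
    line = f"{agent_id} {name} {ip} {secret_hex}"
    return base64.b64encode(line.encode("ascii")).decode("ascii")


def decode_agent_key(b64key):
    """Decode an exported key and sanity-check its fields before importing it on an agent.
    Raises ValueError with a reason for anything malformed."""
    b64key = "".join(b64key.split())  # manage_agents warns: no spaces or newlines in the key
    try:
        raw = base64.b64decode(b64key, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid base64 agent key: {exc}") from exc
    parts = raw.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 'ID NAME IP SECRET', got {len(parts)} field(s)")
    agent_id, name, ip, secret = parts
    if not agent_id.isdigit():
        raise ValueError(f"agent id {agent_id!r} is not numeric")
    ipaddress.ip_address(ip)  # ValueError if the third field is not an IP address
    if not secret or any(c not in string.hexdigits for c in secret):
        raise ValueError("secret is not a hex string")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def is_valid_agent_key(b64key):
    """Boolean wrapper around decode_agent_key for quick yes/no checks."""
    try:
        decode_agent_key(b64key)
        return True
    except ValueError:
        return False


def matches_agent(info, expected_name, expected_ip):
    """The server ties each key to an agent name and IP, so confirm the key being
    imported really belongs to the host it is pasted on."""
    return info["name"] == expected_name and info["ip"] == expected_ip


if __name__ == "__main__":
    key = make_agent_key("001", "ftp-server", "192.168.0.2")
    info = decode_agent_key(key)
    print(key)
    print(info["id"], info["name"], info["ip"], "secret:", info["secret"][:8] + "...")
    print("belongs to ftp-server?", matches_agent(info, "ftp-server", "192.168.0.2"))
```

Because the decoded line contains the secret, treat the exported string like a password when moving it to the DMZ host (not chat, not a shared ticket), and remove and re-add the agent if the string ever ends up somewhere it should not.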


At this point the setup can be considered complete. What next? OSSEC is a very flexible and powerful IDS. You can write your own rules; their format is very simple. You can manage agents from the server, push configuration to them from there, link the IDS with another IDS (for example with the NIDS Snort), and much more.
If you did everything correctly, you can now keep track of all file-level changes and possible attacks.

Links


Source: https://habr.com/ru/post/192800/

