Oct 2, 2008

Installing Ossec to Ubuntu

OSSEC-HIDS is much easier to install. Basically, there will be two steps to install Ossec. Download and run an installation script. To download ossec, you may visit ossec website here:
  • http://www.ossec.net/main/downloads/
  • and you can start downloading with wget command:
wget http://www.ossec.net/files/ossec-hids-1.6.tar.gz
  • After download complete, extract the tarball:
tar zxvf ossec-hids-1.6.tar.gz
  • And now run the installation script by running this commands:
cd ossec-hids-1.6
  • You will be asked series of questions, but most of the questions are basic questions. So I dont think that you will have any problem in answering them. Add additional IP if you wish so into the whitelist.
  • To start and stop the ossec services, just use:
sudo /etc/init.d/ossec start|stop
Configuring OSSEC

Not much needs to be done. HOWEVER I would caution you that OSSEC has an active response to threats. If OSSEC detects a bad ip address, it will block that ip address using iptables. This means that if your snort rules are giving you false alerts legitimate traffic to your server will be blocked.

This also means you can lose access to your server as well.

Fortunately this is a temporary ban. It is more than sufficient to deter the script kiddies and if your access is blocked, access is restored in a few minutes.

This means , however, you need to monitor snort (base) and fine tune your rules so you are not blocking legitimate traffic.

Again, if there are repeat offending IP addresses, black list them in iptables (See the using snort/base post for how to do this).

Additional configuration of OSSEC is is done by editing /var/ossec/etc/ossec.conf

This configuration file is well commented and you will see a white list section where you may white list additional ip addresses if needed.

Taken from Ubuntuforums.org
I hope you can try this HIDS in order to work side by side with snort. It's fun to experimenting with this HIDS. Detecting and preventing early stage of an attack is the best way to prevent it from happening.

Thank you for your unbelievable support on Negative Zero - Permission to read and write blog for nearly 4 years. Don't forget to like Negative Zero on Facebook.
Blogirific.com Blog Directory

Post(s) you might like to read :

1 comment:

  1. wow.. great post. especially when HIDs are on the raise now...