How to install and configure OSSEC server and client


Set the time zone first so that alert timestamps are in local time (Asia/Calcutta in this setup):

sudo timedatectl set-timezone Asia/Calcutta

1. sudo apt-get update && sudo apt-get upgrade -y

2. sudo apt-get install build-essential libevent-dev zlib1g-dev libssl-dev unzip wget -y

3. sudo apt-get install libpcre2-dev

4. sudo apt-get install libsystemd-dev

5. wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz

6. tar -xvzf 3.7.0.tar.gz

7. cd ossec-hids-3.7.0

8. sudo ./install.sh (answer server when asked what kind of installation you want)

9. sudo /var/ossec/bin/ossec-control start

Configure OSSEC

Edit the main configuration file and update the sections shown below:

nano /var/ossec/etc/ossec.conf

The default <global> block sends mail to root on the local host:

<global>
    <email_notification>yes</email_notification>
    <email_to>root@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@localhost</email_from>
</global>

Change it to your own recipient address and SMTP server:

<global>
    <email_notification>yes</email_notification>
    <email_to>sammy@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>sammy@example.com</email_from>
</global>

In the <syscheck> section, keep the default scan frequency, enable alerts for new files, and add the two <directories> lines so the listed paths are monitored in real time with change reporting (leave the rest of the section as it is):

<syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <alert_new_files>yes</alert_new_files>

    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/var/www,/bin,/sbin</directories>

Edit the local rules file and add the rule below. It overrides the stock rule 554 (level 0, so new files are never reported) with level 7, which is enough for new-file events to show up in the alerts and in the e-mail notifications:

nano /var/ossec/rules/local_rules.xml

<rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
</rule>

Restart OSSEC so the new configuration and rule are loaded:

/var/ossec/bin/ossec-control restart
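To confirm that the rule 554 override is actually producing alerts after the restart, here is an added shell example (not from the page or the OSSEC project) that summarises an OSSEC alerts.log by rule id, level and agent. The log it parses is constructed sample data in the alerts.log layout; on a real server point summarise_alerts at /var/ossec/logs/alerts/alerts.log instead.

```shell
#!/bin/sh
# Added example, not from the page or the OSSEC project: summarise an OSSEC
# alerts.log by rule id and level, so the effect of the rule 554 override
# (new files now alert at level 7) can be checked.

# Constructed sample in the alerts.log layout: one new file, one checksum
# change, one SSH failure (which carries the extra "Src IP"/"User" lines).
ALERTS_LOG=$(mktemp)
cat > "$ALERTS_LOG" <<'EOF'
** Alert 1700000000.1024: - syscheck,
2023 Nov 14 22:13:20 (agentUbuntu) 111.111.111.111->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/etc/cron.d/backup' added to the file system.

** Alert 1700000100.2048: - ossec,syscheck,
2023 Nov 14 22:15:00 (agentUbuntu) 111.111.111.111->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/usr/bin/ssh'

** Alert 1700000200.4096: - syslog,sshd,authentication_failed,
2023 Nov 14 22:16:40 (agentUbuntu) 111.111.111.111->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Nov 14 22:16:40 agent sshd[1234]: Failed password for root from 203.0.113.7 port 4242 ssh2
EOF

# Print one line per alert ("RULE LEVEL AGENT DETAIL"), keeping alerts with
# level >= MIN_LEVEL and, when RULE_ID is given, only that rule.
# Usage: summarise_alerts FILE MIN_LEVEL [RULE_ID]
summarise_alerts() {
  awk -v min="${2:-0}" -v want="${3:-}" '
    /^\*\* Alert/ { stage = 1; rule = ""; level = ""; agent = "local"; next }
    stage == 1 {                       # "date (agent) ip->location" header
      if (match($0, /\([^)]*\)/)) agent = substr($0, RSTART + 1, RLENGTH - 2)
      stage = 2; next
    }
    stage == 2 && /^Rule: / {          # "Rule: 554 (level 7) -> ..."
      rule = $2; level = $4; sub(/\)$/, "", level)
      stage = 3; next
    }
    stage == 3 && /^(Src IP|Src Port|Dst IP|User): / { next }
    stage == 3 {                       # first payload line of the alert
      if (level + 0 >= min + 0 && (want == "" || rule == want))
        print rule, level, agent, $0
      stage = 0
    }' "$1"
}

# Number of "file added" alerts (rule 554) in FILE.
count_new_files() {
  summarise_alerts "$1" 0 554 | awk 'END { print NR }'
}

# Paths reported by rule 554 alerts in FILE, one per line.
new_file_paths() {
  summarise_alerts "$1" 0 554 | sed -n "s/.*New file '\([^']*\)' added.*/\1/p"
}

echo "alerts at level 7 or higher:"
summarise_alerts "$ALERTS_LOG" 7
echo "new files reported: $(count_new_files "$ALERTS_LOG")"
new_file_paths "$ALERTS_LOG"
```

With the override in place the 554 alert shows up at level 7 next to the checksum-change alert; without it the first block would never be written to the log at all, which is the quickest way to tell whether the local rule was loaded.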

 

Install OSSEC Web UI

wget https://github.com/ossec/ossec-wui/archive/master.zip

unzip master.zip

mv ossec-wui-master /var/www/html/ossec

cd /var/www/html/ossec

./setup.sh

Create an Apache VirtualHost configuration file. Replace example.com with your domain name, then save the file and exit.

sudo vim /etc/apache2/sites-enabled/ossec-wui.conf

<VirtualHost *:80>
     # The WUI files were moved to /var/www/html/ossec above, so the
     # document root must point there.
     DocumentRoot /var/www/html/ossec/
     ServerName ossec.example.com
     ServerAlias www.ossec.example.com
     ServerAdmin admin@example.com

     <Directory /var/www/html/ossec/>
        Options +FollowSymlinks
        # AllowOverride All lets the .htaccess written by setup.sh
        # (HTTP basic auth for the WUI) take effect.
        AllowOverride All
        Require all granted
     </Directory>

     ErrorLog /var/log/apache2/ossec-wui-error.log
     CustomLog /var/log/apache2/ossec-wui-access.log combined
</VirtualHost>

Enable mod_rewrite and restart Apache:

sudo a2enmod rewrite

sudo systemctl restart apache2

Then open http://server-ip/ossec in a browser.

Install the OSSEC Agent

1. sudo apt-get update && sudo apt-get upgrade -y

2. sudo apt-get install build-essential libevent-dev zlib1g-dev libssl-dev unzip wget -y

3. sudo apt-get install libpcre2-dev

4. sudo apt-get install libsystemd-dev

5. wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz

6. tar -xvzf 3.7.0.tar.gz

7. cd ossec-hids-3.7.0

8. sudo ./install.sh

Answer the installer prompts as follows:

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

2- What's the IP Address or hostname of the OSSEC HIDS server?: your_server_ip

Add Agent to Server and Extract Its Key

On the server, run manage_agents and choose a to add the agent:

/var/ossec/bin/manage_agents

   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: a

Fill in the three fields (name, IP address, ID), then enter y to confirm:

- Adding a new agent (use '\q' to return to the main menu).

  Please provide the following:

   * A name for the new agent: agentUbuntu

   * The IP Address of the new agent: your_agent_ip

   * An ID for the new agent[001]:001

Agent information:

   ID:001

   Name:agentUbuntu

   IP Address:111.111.111.111

Confirm adding it?(y/n): y

Agent added.

You'll be returned to the main menu. Now extract the agent's key with e:

Choose your action: A,E,L,R or Q: e

Available agents:
   ID: 001, Name: agentUbuntu, IP: 111.111.111.111
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIGFnZW50VWJ1bnyEwNjI5MjI4ODBhMDkzMzA4MR1IXXwNC4yMzYuMjIyLjI1MSBiMTI2U3MTI4YWYzYzg4M2YyNTRlYzM5M2FmNGVhNDYTIwNDE3NDI1NWVkYmQw

** Press ENTER to return to the main menu.

Import The Key From Server to Agent

On the agent machine, run manage_agents as root and choose i:

sudo su
/var/ossec/bin/manage_agents

   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: i

Paste the key extracted on the server when prompted. manage_agents decodes it and shows the agent information for confirmation:

Agent information:
   ID:001
   Name:agentUbuntu
   IP Address:104.236.222.251
Confirm adding it?(y/n): y
Added.

** Press ENTER to return to the main menu.
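Before pasting a key into manage_agents on the agent it is worth checking that it really is the key for this agent: the key is base64 of the agent ID, name, IP and secret, which is exactly what manage_agents prints back as "Agent information". Here is an added shell example (not from the page or the OSSEC project) that decodes a key and compares those fields with the expected values. SAMPLE_KEY is constructed inside the script with a placeholder secret; substitute the key printed by your server.

```shell
#!/bin/sh
# Added example, not from the page or the OSSEC project: decode an agent key
# before importing it on the agent and check that the id, name and IP
# embedded in it belong to the agent you are enrolling.
# A manage_agents key is base64 of "ID NAME IP SECRET". SAMPLE_KEY is
# constructed here and its hex secret is a placeholder, not a real OSSEC key.

SAMPLE_KEY=$(printf '%s' '001 agentUbuntu 111.111.111.111 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' \
             | base64 | tr -d '\n')

# Print the decoded "ID NAME IP SECRET" line; non-zero exit on bad base64.
# Usage: decode_agent_key KEY
decode_agent_key() {
  printf '%s' "$1" | base64 -d 2>/dev/null
}

# Return 0 when KEY decodes to exactly four fields whose id, name and IP
# equal the expected values; 1 otherwise.
# Usage: verify_agent_key KEY ID NAME IP
verify_agent_key() {
  decoded=$(decode_agent_key "$1") || return 1
  [ "$(printf '%s' "$decoded" | awk '{ print NF }')" = 4 ] || return 1
  [ "$(printf '%s' "$decoded" | awk '{ print $1 }')" = "$2" ] || return 1
  [ "$(printf '%s' "$decoded" | awk '{ print $2 }')" = "$3" ] || return 1
  [ "$(printf '%s' "$decoded" | awk '{ print $3 }')" = "$4" ] || return 1
}

# Example run: the sample key belongs to 001 / agentUbuntu / 111.111.111.111.
if verify_agent_key "$SAMPLE_KEY" 001 agentUbuntu 111.111.111.111; then
  echo "key matches agent 001 (agentUbuntu, 111.111.111.111)"
else
  echo "key does NOT match the expected agent" >&2
fi
```

A mismatch in the IP field is the usual cause of an agent that imports fine but never shows up in list_agents -c, because the server only accepts traffic for that agent ID from the address stored in the key.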

 

Allow UDP Port 1514 Traffic Through the Firewalls (same steps on the agent and the server)

First, temporarily remove the drop rule on both the agent and the server.

sudo iptables -D INPUT -j DROP

To add the rule to the OSSEC server, enter the following, using your OSSEC agent's IP:

iptables -A INPUT -p UDP --dport 1514 -s your_agent_ip -j ACCEPT

Then on the agent, enter the following, using your OSSEC server's IP:

iptables -A INPUT -p UDP --dport 1514 -s your_server_ip -j ACCEPT

Next, allow all outbound traffic through the firewall on both the agent and the server.

iptables -A OUTPUT -j ACCEPT

Finally, the original guide adds the drop rule again on both. Note that this step cut the SSH connections to both the server and the client in this setup: the DROP rule is appended after the ACCEPT rules, so any inbound traffic that has no explicit ACCEPT rule above it, SSH on tcp/22 included, is dropped.

sudo iptables -A INPUT -j DROP
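The SSH lockout described above is a rule-order problem: iptables evaluates a chain top to bottom and the first matching rule decides. As an added example (not from the page), the script below simulates that first-match evaluation for a few constructed packets, once against the page's rule list and once against the same list with an ACCEPT for SSH from the admin host placed before the final DROP. It understands only -p, --dport, -s and -j (no connection tracking and no OUTPUT chain), nothing is applied to the host, and all IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the page: evaluate candidate iptables INPUT rules
# against sample packets with first-match semantics, so an ordering problem
# (a DROP that also catches SSH) is found before the rules touch a live host.
# Only -p, --dport, -s and -j are understood; all IPs are constructed samples.

WORK=$(mktemp -d)
AGENT_IP=10.0.0.2      # constructed: the OSSEC agent
ADMIN_IP=10.0.0.9      # constructed: the host you ssh in from

# Rule list as written in the page's steps: no explicit ACCEPT for SSH.
PAGE_RULES="$WORK/page.rules"
cat > "$PAGE_RULES" <<EOF
-A INPUT -p UDP --dport 1514 -s $AGENT_IP -j ACCEPT
-A INPUT -j DROP
EOF

# Same list with SSH from the admin host accepted before the final DROP.
FIXED_RULES="$WORK/fixed.rules"
cat > "$FIXED_RULES" <<EOF
-A INPUT -p tcp --dport 22 -s $ADMIN_IP -j ACCEPT
-A INPUT -p UDP --dport 1514 -s $AGENT_IP -j ACCEPT
-A INPUT -j DROP
EOF

# Print the target of the first rule matching a packet, or POLICY when no
# rule matches (the chain's default policy would then apply).
# Usage: verdict RULES_FILE PROTO DPORT SRC
verdict() {
  awk -v proto="$2" -v dport="$3" -v src="$4" '
    {
      rp = ""; rd = ""; rs = ""; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") rp = tolower($(i + 1))
        else if ($i == "--dport") rd = $(i + 1)
        else if ($i == "-s") rs = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      # an unset match field means "any", exactly as in iptables
      if ((rp == "" || rp == proto) && (rd == "" || rd == dport) && (rs == "" || rs == src)) {
        print target; found = 1; exit
      }
    }
    END { if (!found) print "POLICY" }' "$1"
}

# Verdicts for the three packets that matter here, for one rule file.
report() {
  printf '  OSSEC agent udp/1514 from %s: %s\n' "$AGENT_IP" "$(verdict "$1" udp 1514 "$AGENT_IP")"
  printf '  admin ssh   tcp/22   from %s: %s\n' "$ADMIN_IP" "$(verdict "$1" tcp 22 "$ADMIN_IP")"
  printf '  stranger    tcp/22   from %s: %s\n' 198.51.100.5 "$(verdict "$1" tcp 22 198.51.100.5)"
}

echo "page rules:";  report "$PAGE_RULES"
echo "fixed rules:"; report "$FIXED_RULES"
```

On the page's list the admin's SSH packet falls through to the DROP, which is the disconnect seen above; on the fixed list it is accepted while SSH from any other address and OSSEC traffic from any host other than the agent are still dropped.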

 

 

Restart OSSEC Agent and Server

Restart OSSEC on both machines, then list the agents on the server (-c shows only the agents that are currently connected):

/var/ossec/bin/ossec-control restart

/var/ossec/bin/list_agents -c

Additional packages (SELinux policy tools) that were installed:

apt install checkpolicy
apt install semodule-utils
apt install policycoreutils

Edit php.ini (/etc/php/8.3/apache2/php.ini) and raise these limits for the Web UI:

     max_execution_time = 180
     max_input_time = 180
     memory_limit = 256M

Sources:

https://www.digitalocean.com/community/tutorials/how-to-monitor-ossec-agents-using-an-ossec-server-on-ubuntu-14-04#step-8-restart-ossec-agent-and-server

https://www.rapid7.com/blog/post/2017/06/30/how-to-install-and-configure-ossec-on-ubuntu-linux/

 

 

