Installing and Maintaining OSSEC Intrusion Detection System

This article is deprecated; please follow the project site to get set up: https://ossec.github.io/downloads.html

What is OSSEC HIDS?

OSSEC HIDS is a host-based intrusion detection system built on a server and agent model. Agents collect logs and other host events and forward them to the server, which decodes them and matches them against rules; every rule has an ID and an alert level. Depending on the level, the server emails warnings to the configured recipients, logs the suspicious activity and, where the alert crosses the active-response threshold, tells the agent to block the attacking IP address, by default for 600 seconds (10 minutes). The stock responses, triggered for example after too many failed logon attempts, add a deny rule for the offending address to the iptables firewall (firewall-drop) and an entry to /etc/hosts.deny (host-deny). Although agents are available for Windows servers and workstations, those iptables and hosts.deny responses are Linux-only and are not available on the Windows agent. Alert levels run from 0 to 15: level 0 events are ignored, 1 is the lowest risk and 15 the most severe. The level generally dictates what action the server takes, although some rule IDs fire at a level that does not fit their real risk on a given site. You can override the level of any stock rule, or silence it for particular hosts, with local rules in /var/ossec/rules/local_rules.xml on the server, which is loaded after the shipped rule files and is preserved across upgrades.
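The two configuration pieces that control this behaviour, shown here as an added example (not taken from the original article) in the form OSSEC's own ossec.conf and local_rules.xml use. The active-response entries mirror the stock ossec.conf defaults (level 6, 600 second timeout); the local rule ID 100010 and the scanner address 10.0.0.5 are assumptions for illustration:

```xml
<!-- /var/ossec/etc/ossec.conf on the server: the stock active-response
     setup that blocks an attacker's source IP on the host that raised the
     alert. Levels, timeouts and script names follow OSSEC's default file. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>   <!-- adds an iptables DROP rule -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>       <!-- appends to /etc/hosts.deny -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Run both scripts on the agent that generated the alert ("local") for
       any alert of level 6 or higher, and undo them after 600 seconds. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml on the server: override stock rules
     without editing the shipped rule files. -->
<group name="local,syslog,sshd,">
  <!-- Rule 5710 is the stock sshd "attempt to login using a non-existent
       user" rule; level 0 silences it for the (assumed) scanner address.
       Rule ID 100010 is an example choice from the local range. -->
  <rule id="100010" level="0">
    <if_sid>5710</if_sid>
    <srcip>10.0.0.5</srcip>
    <description>Ignore invalid-user noise from the internal scanner</description>
  </rule>

  <!-- Rule 5712 is the stock sshd brute-force rule (level 10); raising it
       makes those alerts stand out in email and log output. The matching
       conditions must be restated when overwriting a rule. -->
  <rule id="5712" level="12" frequency="6" timeframe="120" overwrite="yes">
    <if_matched_sid>5710</if_matched_sid>
    <same_source_ip />
    <description>SSHD brute force trying to get access to the system.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Restart the server (ossec-control restart) after changing either file; a typo in local_rules.xml stops ossec-analysisd from starting, so check /var/ossec/logs/ossec.log if alerts stop after an edit.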

Installing the Server

Install the server before the agents, because agent setup asks for the server's IP address.

Get the Atomic repository from here: https://ossec.github.io/downloads.html

# Add the Yum repo configuration (download and read the installer before piping it into a root shell)
wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash

# Server
sudo yum install ossec-hids-server

# Agent
sudo yum install ossec-hids-agent

NB> The WUI is now deprecated and you should feed the alerts into your favourite log management tool instead. I prefer Graylog2.

If you still want the web interface, you will also need to install the WUI (Web User Interface), the download of which can be found here:

Then start the server and ensure it starts automatically on reboot by issuing the commands:

chkconfig ossec on
service ossec start

Installing the Agents

If you install from the source tarball with install.sh, follow the prompts accepting the defaults, specify agent as the installation type and enter the IP address of the server that is reachable from the agent's network. The Atomic agent package has no prompts; set the server address in the <client><server-ip> element of /var/ossec/etc/ossec.conf instead.

On Windows, just follow the installer prompts accepting the defaults, then make sure the OSSEC service is started and set to Automatic.

Once the server and agent are installed, you are ready to register the agent with the server. On the server run the following commands:

cd /var/ossec/bin
./manage_agents

You will then have the option to add an agent by pressing A.

Enter the hostname and IP address, then accept the default ID for the agent. The IP can also be a network range such as 192.168.1.0/24, or "any" if the agent's address changes.

Then select E to extract the agent's key. Copy the output, ready to paste into the agent.

On the agent, run the same two commands as on the server (on Windows, use the Manage Agents program installed with the agent). In the manage agents interface, select I to import the key, paste it in and press Enter.

It will show the decoded agent ID, name and IP and ask whether you accept them; check that they match what the server printed, then press y or Enter.

Exit the Manage Agents interface on both server and agent and then run the following command on both (on Windows, restart the OSSEC HIDS service instead):

./ossec-control restart

Within a minute or so the new agent should appear on the WUI in blue, or as Active in the output of /var/ossec/bin/agent_control -l on the server. Any host shown in red or listed as inactive needs to be reactivated.
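The key you paste between the two Manage Agents sessions is not opaque: option E prints the base64 encoding of the agent's line in /var/ossec/etc/client.keys, and option I decodes it and shows you the fields to confirm. The following helpers, an added example that is not part of the article or of OSSEC, reproduce both steps so you can check a key out of band, or build client.keys lines when provisioning agents from configuration management rather than the interactive menu. The agent web01 with ID 001 and the all-hex key are constructed sample values:

```shell
#!/bin/sh
# Added example for this article; it is not part of OSSEC.
# manage_agents option E prints an agent's key as the base64 encoding of the
# matching /var/ossec/etc/client.keys line, "<id> <name> <ip> <key>", and
# option I on the agent decodes it and shows you those fields to confirm.
# These helpers reproduce both steps, so you can check a key out of band or
# build client.keys lines when provisioning agents non-interactively.
set -uf

# Constructed sample agent (not a real host). The key stands in for the
# 64-character hex key that manage_agents generates.
SAMPLE_ID="001"
SAMPLE_NAME="web01"
SAMPLE_IP="192.168.1.10"
SAMPLE_KEY="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Build the client.keys line for one agent: "id name ip key".
client_keys_line() {
    printf '%s %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Encode a client.keys line the way manage_agents exports it; line wrapping
# is stripped so the key pastes into the agent as a single line.
export_agent_key() {
    printf '%s' "$1" | base64 | tr -d '\n'
    echo
}

# Decode an exported key back into the client.keys line it carries.
# Rejects anything outside the base64 alphabet before decoding, because
# base64 -d can emit partial output for garbage input.
import_agent_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    printf '%s' "$1" | base64 -d 2>/dev/null && echo
}

# Sanity-check a decoded line before accepting it on the agent: a numeric
# id, a plain hostname, an IPv4 address (optionally with /prefix) or "any"
# as manage_agents allows, and a 64-character lowercase hex key.
validate_key_line() {
    set -- $1
    [ "$#" -eq 4 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[0-9]{3,}$' || return 1
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9._-]+$' || return 1
    if [ "$3" != any ]; then
        printf '%s\n' "$3" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' || return 1
    fi
    printf '%s\n' "$4" | grep -Eq '^[0-9a-f]{64}$' || return 1
}

# Round trip: export on the server side, import on the agent side, and verify
# the decoded fields match before the key would be accepted.
demo_roundtrip() {
    line=$(client_keys_line "$SAMPLE_ID" "$SAMPLE_NAME" "$SAMPLE_IP" "$SAMPLE_KEY")
    exported=$(export_agent_key "$line")
    decoded=$(import_agent_key "$exported") || return 1
    validate_key_line "$decoded" || return 1
    [ "$decoded" = "$line" ] || return 1
    printf 'Key for agent %s (id %s, ip %s) round-tripped OK:\n%s\n' \
        "$SAMPLE_NAME" "$SAMPLE_ID" "$SAMPLE_IP" "$exported"
}

demo_roundtrip
```

The decoded line is exactly what ends up in the agent's client.keys, so a mismatch in the ID or IP at the "accept the details" prompt is the first thing to look for when a freshly added agent never becomes active. The key is a shared secret: treat the exported string like a password and do not leave it in shell history or ticket systems.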

Reactivating Inactive Agents

First rule out the usual causes: the agent must be able to reach the server on UDP port 1514, and the key in the agent's client.keys must match the one held on the server. If the key is the problem, open the Manage Agents interface on the server and select R to remove the key, enter the ID of the inactive host, then repeat the procedure above to set up a new agent and import its key.