OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It’s the application to install on your server if you want to keep an eye on what’s happening inside it. OSSEC is supported on Windows and all Unix-like operating systems; however, the Droplets used in this tutorial are both running Ubuntu 14.04.
OSSEC can be installed to monitor just the server it is installed on, which is a local installation in OSSEC parlance. The two previous tutorials on OSSEC are examples of local OSSEC installations: How To Install and Configure OSSEC Security Notifications on Ubuntu 14.04 and How To Install and Configure OSSEC on FreeBSD 10.1.
OSSEC can also be used to monitor thousands of other servers, called OSSEC agents. OSSEC agents are monitored by another type of OSSEC installation called an OSSEC server. After an OSSEC server is configured to monitor one or more agents, additional agents may be added or removed at any time. Monitoring of OSSEC agents can be via agent software installed on the agents or via an agentless mode. This tutorial will use the agent mode, which entails installing OSSEC agent software on the agents.
In this tutorial, you’ll learn how to install an OSSEC server and an OSSEC agent, and then configure the server and agent so that the server monitors the agent, with the server sending alerts to your email.
To complete this tutorial, you’ll need the following.
Two Ubuntu 14.04 Droplets. Make sure to take note of the IP addresses of both, which you can see on the DigitalOcean dashboard. We’ll refer to these as your_server_ip and your_agent_ip, respectively.
A sudo non-root user on both Droplets, which you can obtain by following the first three steps of this tutorial.
Iptables firewall enabled on both. On Linux, the latest stable release of OSSEC needs iptables for its active response feature; it does not work with ufw, the default firewall application on Ubuntu. Follow the instructions in How To Set Up a Firewall Using Iptables on Ubuntu 14.04 to set up iptables on both servers.
We will begin by downloading and verifying OSSEC on both Droplets (the server and the agent). All of the commands in this step should be executed on both Droplets, unless otherwise specified.
OSSEC is delivered as a compressed tarball. In this section, you’ll download OSSEC and its checksum file, which is used to verify that the tarball has not been corrupted or tampered with. Note that both files come over plain HTTP from the same site, so this check catches a damaged download rather than proving who published the tarball. To begin, log into each Droplet as you normally would, then update the package database.
sudo apt-get update
Install any available updates.
sudo apt-get upgrade
Finally, install the required packages.
On the server, you should install the following:
sudo apt-get install inotify-tools build-essential
On the agent, you should install the following:
sudo apt-get install build-essential
After that, on both Droplets, download OSSEC and its checksum file. You can check the project’s website for the latest version, but the ones below are the latest at the time of writing.
wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt
After downloading both files, verify the md5sum of the compressed tarball.
md5sum -c ossec-hids-2.8.1-checksum.txt
The output should be:
ossec-hids-2.8.1.tar.gz: OK
md5sum: WARNING: 1 line is improperly formatted
Follow that by verifying the SHA1 checksum.
sha1sum -c ossec-hids-2.8.1-checksum.txt
Its output should be:
ossec-hids-2.8.1.tar.gz: OK
sha1sum: WARNING: 1 line is improperly formatted
In each case, ignore the WARNING line: the checksum file carries one line for each algorithm, so md5sum skips the SHA1 line and sha1sum skips the MD5 line. The OK line is what confirms that the file is intact.
In this step, we will install the OSSEC server, so these commands should only be executed on the Droplet you chose as the server. Before initiating installation of the server, untar the tarball.
tar xf ossec-hids-2.8.1.tar.gz
It will be unpacked into a directory called ossec-hids-2.8.1.
Change into that directory.
cd ossec-hids-2.8.1/
Then start the installation.
sudo ./install.sh
Throughout the setup process, you’ll be prompted to provide some input. In most of those cases, all you’ll need to do is press ENTER to accept the default values.
The first choice you’ll be prompted to make is to select the installation language. By default, it is English (en), so press ENTER if that’s your preferred language. Otherwise, type in the two-letter code from the list of supported languages.
The next question will ask what kind of installation you want. Here, enter server.
1- What kind of installation do you want (server, agent, local, hybrid or help)? server
For the rest of the subsequent questions, you can accept the defaults, which means just pressing ENTER. For the question on email, be sure to enter a valid email address. Notifications will be sent to it.
If installation is successful, you should get this output:
- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
...
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
Then press ENTER, and you should see this:
- In order to connect agent and server, you need to add each agent to the server.
Run the 'manage_agents' to add or remove them:
/var/ossec/bin/manage_agents
More information at:
http://www.ossec.net/en/manual.html#ma
Because the agent is not yet installed, we’ll tackle the task of adding it to the server later. For now, let’s configure the server to make sure that it can send alerts.
Here we are going to configure the OSSEC server’s email settings and make sure that it can send alerts to the specified email. To access and modify OSSEC’s files and directories, you need to switch to the root user.
sudo su
Now that you’re root, cd into the directory where OSSEC’s configuration file lives.
cd /var/ossec/etc
The configuration file is ossec.conf. First, make a backup copy.
cp ossec.conf ossec.conf.00
Then open the original. Here, we use the nano text editor, but you can use whichever you prefer.
nano ossec.conf
The email settings are at the top of the file, in the <global> section. These are the fields you will change:
<email_notification> turns email alerting on (yes) or off (no).
<email_to> is the address that receives the alerts.
<smtp_server> is the mail server OSSEC hands the alerts to.
<email_from> is the sender address shown on the alerts.
Note that <email_to> and <email_from> can be the same. Here’s what that section will look like when you’re done; substitute the example addresses and mail server with your own.
<global>
<email_notification>yes</email_notification>
<email_to>sammy@example.com</email_to>
<smtp_server>mail.example.com.</smtp_server>
<email_from>sammy@example.com</email_from>
</global>
After modifying the email settings, save and close the file. Then start OSSEC.
/var/ossec/bin/ossec-control start
Check your inbox for an email that says that OSSEC has started. Check your spam folder if you don’t see the email.
In this section, you’ll learn how to install the OSSEC agent on your second Droplet. This will be similar to installing the server. Before initiating installation of the agent, untar the tarball.
tar xf ossec-hids-2.8.1.tar.gz
It will be unpacked into a directory called ossec-hids-2.8.1.
Change into that directory.
cd ossec-hids-2.8.1/
Then start the installation.
sudo ./install.sh
Most of the prompts are the same as before, but a few are different. When asked:
1- What kind of installation do you want (server, agent, local, hybrid or help)? agent
The answer should be agent. And when asked:
3.1- What's the IP Address or hostname of the OSSEC HIDS server?:your_server_ip
Type in the IP address of the OSSEC server, which you obtained earlier. This is the IP address of the other Droplet (the one where the OSSEC server was installed).
For the other questions, accept the defaults by pressing ENTER like you did during the installation of the OSSEC server. After installation, you should get this output:
- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
...
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
And after pressing ENTER again, you should see:
- You first need to add this agent to the server so they
can communicate with each other. When you have done so,
you can run the 'manage_agents' tool to import the
authentication key from the server.
/var/ossec/bin/manage_agents
More information at:
http://www.ossec.net/en/manual.html#ma
Now the agent and server have been installed, but they can’t communicate yet.
On the OSSEC server, start the process of adding the agent.
Note: You should still be operating as root from Step 3, so you do not need to use sudo in any of these commands.
/var/ossec/bin/manage_agents
You will then be presented with the options shown below. Type a to add an agent.
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: a
Then you’ll be prompted to specify a name for the agent, its IP address, and an ID. Make the name unique, because it will help you in filtering alerts received from the server. For the ID, you may accept the default by pressing ENTER.
When you enter all three fields, enter y to confirm.
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: agentUbuntu
* The IP Address of the new agent: your_agent_ip
* An ID for the new agent[001]:
Agent information:
ID:001
Name:agentUbuntu
IP Address:111.111.111.111
Confirm adding it?(y/n): y
Agent added.
After that, you’ll be returned to the main menu. Now you have to extract the agent’s key, which will be echoed to the screen. (It will be different from the one in the example below.) Make sure you copy it, because you’ll have to enter it for the agent.
...
Choose your action: A,E,L,R or Q: e
Available agents:
ID: 001, Name: agentUbuntu, IP: 111.111.111.111
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFnZW50VWJ1bnyEwNjI5MjI4ODBhMDkzMzA4MR1IXXwNC4yMzYuMjIyLjI1MSBiMTI2U3MTI4YWYzYzg4M2YyNTRlYzM5M2FmNGVhNDYTIwNDE3NDI1NWVkYmQw
** Press ENTER to return to the main menu.
After pressing ENTER, you’ll be returned to the main menu again. Type q to quit.
...
Choose your action: A,E,L,R or Q: q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ..
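The key that manage_agents prints is only the base64 encoding of the line ID NAME IP SECRET that goes into /var/ossec/etc/client.keys; it is not encrypted, so move it between the two Droplets over SSH rather than through email or chat. The following is an added example, not code from the tutorial or from OSSEC: it decodes a pasted key and checks that its ID and IP are the ones you entered on the server, which catches a truncated or mixed-up paste before you import it. All sample values are constructed, and the secret is a placeholder.

```python
import base64
import binascii
import ipaddress

# Constructed sample values (not the key shown above); the secret is a
# placeholder with the same shape as a real one (64 hex characters).
SAMPLE_ID = "001"
SAMPLE_NAME = "agentUbuntu"
SAMPLE_IP = "111.111.111.111"
SAMPLE_SECRET = "0123456789abcdef" * 4


def encode_agent_key(agent_id, name, ip, secret):
    """Build what manage_agents exports: base64 of 'ID NAME IP SECRET'."""
    line = f"{agent_id} {name} {ip} {secret}"
    return base64.b64encode(line.encode("ascii")).decode("ascii")


def decode_agent_key(b64_key):
    """Decode a pasted key and validate its four fields.

    Raises ValueError when the text is not a well-formed agent key
    (bad base64, wrong field count, malformed ID, IP or secret).
    """
    try:
        raw = base64.b64decode(b64_key.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    fields = raw.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields (ID NAME IP SECRET), got {len(fields)}")
    agent_id, name, ip, secret = fields
    if not (agent_id.isdigit() and len(agent_id) == 3):
        raise ValueError(f"agent ID {agent_id!r} is not a 3-digit number")
    # manage_agents also accepts 'any' or a CIDR range as the agent address.
    if ip != "any":
        ipaddress.ip_network(ip, strict=False)  # raises ValueError if malformed
    if not secret or any(c not in "0123456789abcdef" for c in secret):
        raise ValueError("secret is not lowercase hexadecimal")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def key_matches(b64_key, expected_id, expected_ip):
    """True when the key's ID and IP match the agent you added on the server."""
    info = decode_agent_key(b64_key)
    return info["id"] == expected_id and info["ip"] == expected_ip


if __name__ == "__main__":
    key = encode_agent_key(SAMPLE_ID, SAMPLE_NAME, SAMPLE_IP, SAMPLE_SECRET)
    print(key_matches(key, "001", "111.111.111.111"))
```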
This section has to be completed on the agent, and it involves importing (copying) the agent’s key extracted on the server and pasting it on the agent’s terminal. To start, change to root by typing:
sudo su
Then type:
/var/ossec/bin/manage_agents
You’ll be presented with these options:
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: i
After typing the correct option, follow the directions to copy and paste the key generated from the server.
Agent information:
ID:001
Name:agentUbuntu
IP Address:104.236.222.251
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Back at the main menu, type q to quit:
Choose your action: I or Q: q
Communication between the agent and server takes place over UDP port 1514, so you’ll have to add a rule to iptables on both ends to allow traffic through that port.
First, temporarily remove the drop rule on both the agent and the server.
sudo iptables -D INPUT -j DROP
To add the rule to the OSSEC server, enter the following, using your OSSEC agent’s IP.
iptables -A INPUT -p UDP --dport 1514 -s your_agent_ip -j ACCEPT
Then on the agent, enter the following, using your OSSEC server’s IP.
iptables -A INPUT -p UDP --dport 1514 -s your_server_ip -j ACCEPT
Next, allow all outbound traffic through the firewall on both the agent and the server.
iptables -A OUTPUT -j ACCEPT
Finally, add the drop rule again to both.
sudo iptables -A INPUT -j DROP
These rules should persist after a reboot because of iptables-persistent, which you installed during the prerequisites. Note that iptables-persistent only restores rules that have been saved, so once you have confirmed the rules work, save the current rule set with iptables-save > /etc/iptables/rules.v4.
Now that the server and agent have been configured to communicate, restart OSSEC on both of them to apply the changes:
/var/ossec/bin/ossec-control restart
Aside from restarting the OSSEC agent from the agent itself, you can also restart it from the OSSEC server with /var/ossec/bin/agent_control -R 001, where 001 is the agent’s ID.
On the OSSEC server, you can list the active agents by typing:
/var/ossec/bin/list_agents -c
If you get output like the following, then you know that the server and agent are talking.
agentUbuntu-111.111.111.111 is active.
At this point, you should be receiving alerts from the server that contain notifications from both the server and the agent. The subject line of alerts pertaining to the agent looks like OSSEC Notification - (agentUbuntu) 111.111.111.111 - Alert level 3, and the body of those emails begins with OSSEC HIDS Notification.
After you have established that the server and agent can communicate, you may further customize both installations. The modifications that make the OSSEC server and agent alert on file additions and alert in real time are the same as those you can make on a local OSSEC installation. You may consult the relevant section in How To Install and Configure OSSEC Security Notifications on Ubuntu 14.04 for steps on how to make those modifications.
If you have more than two Droplets to monitor, you can add them as OSSEC agents to the setup using the same steps given in this article. If you run into any issues while setting this up, the first place to look for clues is in the error log, located at /var/ossec/logs/ossec.log.
This article only covers the basics of setting up OSSEC in server-agent mode. More information is available at http://ossec-docs.readthedocs.org.
Hey.
Great tutorial; however, although following each step meticulously, when I perform /var/ossec/bin/list_agents -c I get **No Agent available.
Could you please give some advice on the next step to solve this issue?
This is set up using two DigitalOcean Ubuntu Droplets, one as the OSSEC server and one as a client.
Thanks
Matt
Hello, I installed OSSEC 2.9.3 and when I open the agent manager I get the same output on the server and on the agent side. Do you have any idea what the issue might be? I uninstalled a couple of times and got the same again; also, to note, there wasn't any checksum on the 2.9.3 version.
(A)dd an agent (A). (E)xtract key for an agent (E). (L)ist already added agents (L). (R)emove an agent (R). (Q)uit. Choose your action: A,E,L,R or Q:
I wanted to add an additional step that I needed to do before the agent would be seen by the server.
I had to edit the following file on the agent, /var/ossec/etc/ossec.conf, and manually enter the server IP on the third line.
I hope this helps.