How To Monitor OSSEC Agents Using an OSSEC Server on Ubuntu 14.04

Introduction

OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It’s the application to install on your server if you want to keep an eye on what’s happening inside it. OSSEC is supported on Windows and all Unix-like operating systems; however, the Droplets used in this tutorial are both running Ubuntu 14.04.

OSSEC can be installed to monitor just the server it is installed on, which is a local installation in OSSEC parlance. The two previous tutorials on OSSEC are examples of local OSSEC installations: How To Install and Configure OSSEC Security Notifications on Ubuntu 14.04 and How To Install and Configure OSSEC on FreeBSD 10.1.

OSSEC can also be used to monitor thousands of other servers, called OSSEC agents. OSSEC agents are monitored by another type of OSSEC installation called an OSSEC server. After an OSSEC server is configured to monitor one or more agents, additional agents may be added or removed at any time. Monitoring of OSSEC agents can be via agent software installed on the agents or via an agentless mode. This tutorial will use the agent mode, which entails installing OSSEC agent software on the agents.

In this tutorial, you’ll learn how to install an OSSEC server and an OSSEC agent, and then configure the server and agent so that the server monitors the agent, with the server sending alerts to your email.

Prerequisites

To complete this tutorial, you’ll need the following.

• Two Ubuntu 14.04 Droplets. Make sure to take note of the IP addresses of both, which you can see on the DigitalOcean dashboard. We’ll refer to these as your_server_ip and your_agent_ip, respectively.

• A sudo non-root user on both Droplets, which you can obtain by following the first three steps of this tutorial.

• Iptables firewall enabled on both. In Linux, the latest stable release of OSSEC needs iptables for its active response feature. It does not work with ufw, the default firewall applications on Ubuntu. Follow the instructions in How To Set Up a Firewall Using Iptables on Ubuntu 14.04 to set up iptables on both servers.

Step 1 — Download and Verify OSSEC on the Server and Agent

We will begin by downloading and verifying OSSEC on both Droplets (the server and the agent). All of the commands in this step should be executed on both Droplets, unless otherwise specified.

OSSEC is delivered as a compressed tarball. In this section, you’ll download OSSEC and its checksum file, which is used to verify that the tarball has not been tampered with. To begin, log into the server as you normally would, then update the package database.

sudo apt-get update

Install any available updates.

sudo apt-get upgrade

Finally, install the required packages.

On the server, you should install the following:

sudo apt-get install inotify-tools build-essential

On the agent, you should install the following:

sudo apt-get install build-essential

After that, on both Droplets, download OSSEC and its checksum file. You can check the project’s website for the latest version, but the ones below are the latest at the time of writing.

wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz

wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt

After downloading both files, verify the md5sum of the compressed tarball.

md5sum -c ossec-hids-2.8.1-checksum.txt

The output should be:

ossec-hids-2.8.1.tar.gz: OK
md5sum: WARNING: 1 line is improperly formatted

Follow that by verifying the SHA1 checksum.

sha1sum -c ossec-hids-2.8.1-checksum.txt

Its output should be:

ossec-hids-2.8.1.tar.gz: OK
sha1sum: WARNING: 1 line is improperly formatted

In each case, ignore the WARNING line. The OK line is what confirms that the file is good.

Step 2 — Install the OSSEC Server

In this step, we will install the OSSEC server, so these commands should only be executed on one Droplet. Before initiating installation of the server, untar it.

tar xf ossec-hids-2.8.1.tar.gz

It will be unpacked into a directory called ossec-hids-2.8.1 Change into that directory.

cd ossec-hids-2.8.1/

Then start the installation.

sudo ./install.sh

Throughout the setup process, you’ll be prompted to provide some input. In most of those cases, all you’ll need to do is press ENTER to accept the default values.

The first choice you’ll be prompted to make is select the installation language. By default, it is English (en), so press ENTER if that’s your preferred language. Otherwise, type in the 2 letters from the list of supported languages.

The next question will ask what kind of installation you want. Here, enter server.

1- What kind of installation do you want (server, agent, local, hybrid or help)? server

For the rest of the subsequent questions, you can accept the defaults, which means just pressing ENTER. For the question on email, be sure to enter a valid email address. Notifications will be sent to it.

If installation is successful, you should get this output:

- System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

...

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---

Then press ENTER, and you should see this:

- In order to connect agent and server, you need to add each agent to the server.
   Run the 'manage_agents' to add or remove them:

   /var/ossec/bin/manage_agents

   More information at:
   http://www.ossec.net/en/manual.html#ma

Step 3 — Configure the OSSEC Server

Because the agent is not yet installed, we’ll tackle the task of adding it to the server later. For now, let’s configure the server to make sure that it can send alerts.

Here we are going to configure the OSSEC server’s email settings and make sure that it can send alerts to the specified email. To access and modify OSSEC’s files and directories, you need to switch to the root user.

sudo su

Now that you’re root, cd into the directory where OSSEC’s configuration file lives.

cd /var/ossec/etc

The configuration file is ossec.conf. First, make a backup copy.

cp ossec.conf ossec.conf.00

Then open the original. Here, we use the nano text editor, but you can use whichever you prefer.

nano ossec.conf

The email settings are at the top of the file. Here are descriptions of the fields you will change, followed by a sample ossec.conf file.

• <email_to> is the email you gave during installation. Alerts will be sent to that email address.
• <email_from> is where OSSEC’s alerts would appear to be coming from. Change that to a valid email address to reduce the odds of your emails being tagged as spam by your email provider’s SMTP server.
• If you have your own email server and it’s on the same host as the one the OSSEC server is installed on, you may change the <smtp_server> setting to localhost.

Note that <email_to> and <email_from> can be the same. Here’s what that section will look like when you’re done; substitute the variables in red with your own.

<global>
    <email_notification>yes</email_notification>
    <email_to>sammy@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>sammy@example.com</email_from>
</global>

After modifying the email settings, save and close the file. Then start OSSEC.

/var/ossec/bin/ossec-control start

Check your inbox for an email that says that OSSEC has started. Check your spam folder if you don’t see the email.

Step 4 — Install the OSSEC Agent

In this section, you’ll learn how to install the OSSEC agent on your second Droplet. This will be similar to installing the server. Before initiating installation of the agent, untar it.

tar xf ossec-hids-2.8.1.tar.gz

It will be unpacked into a directory called ossec-hids-2.8.1 Change into that directory.

cd ossec-hids-2.8.1/

Then start the installation.

sudo ./install.sh

Most of the prompts are the same as before, but a few are different. When asked:

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

The answer should be agent. And when asked:

3.1- What's the IP Address or hostname of the OSSEC HIDS server?:your_server_ip

Type in the IP address of the OSSEC server, which you obtained earlier. This is the IP address of the other Droplet (the one where the OSSEC server was installed).

For the other questions, accept the defaults by pressing ENTER like you did during the installation of the OSSEC server. After installation, you should get this output:

- System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

...

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---

And after pressing ENTER again, you should see:

- You first need to add this agent to the server so they
   can communicate with each other. When you have done so,
   you can run the 'manage_agents' tool to import the
   authentication key from the server.

   /var/ossec/bin/manage_agents

   More information at:
   http://www.ossec.net/en/manual.html#ma

Now the agent and server have been installed, but they can’t communicate yet.

Step 5 — Add Agent to Server and Extract Its Key

On the OSSEC server, start the process of adding the agent.

Note: You should still be operating as root from in Step 3, so you do not need to use sudo in any of these commands.

/var/ossec/bin/manage_agents

You will then be presented the options shown below. Choose a to add an agent.

   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: a

Then you’ll be prompted to specify a name for the agent, its IP address, and an ID. Make the name unique, because it will help you in filtering alerts received from the server. For the ID, you may accept the default by pressing ENTER.

When you enter all three fields, enter y to confirm.

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: agentUbuntu
   * The IP Address of the new agent: your_agent_ip
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:agentUbuntu
   IP Address:111.111.111.111

Confirm adding it?(y/n): y
Agent added.

After that, you’ll be returned to the main menu. Now you have to extract the agent’s key, which will be echoed to the screen. (It will be different from the one in the example below.) Make sure you copy it, because you’ll have to enter it for the agent.

...

Choose your action: A,E,L,R or Q: e

Available agents:
   ID: 001, Name: agentUbuntu, IP: 111.111.111.111
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIGFnZW50VWJ1bnyEwNjI5MjI4ODBhMDkzMzA4MR1IXXwNC4yMzYuMjIyLjI1MSBiMTI2U3MTI4YWYzYzg4M2YyNTRlYzM5M2FmNGVhNDYTIwNDE3NDI1NWVkYmQw

** Press ENTER to return to the main menu.

After pressing ENTER, you’ll be returned to the main menu again. Type q to quit.

...

Choose your action: A,E,L,R or Q: q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..

Step 6 — Import The Key From Server to Agent

This section has to be completed on the agent, and it involves importing (copying) the agent’s key extracted on the server and pasting it on the agent’s terminal. To start, change to root by typing:

sudo su

Then type:

/var/ossec/bin/manage_agents

You’ll be presented with these options:

   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: i

After typing the correct option, follow the directions to copy and paste the key generated from the server.

Agent information:
   ID:001
   Name:agentUbuntu
   IP Address:104.236.222.251

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.

Back to the main menu, type q to quit:

Choose your action: I or Q: q

Step 7 — Allow UDP Port 1514 Traffic Through the Firewalls

Communication between the agent and server takes place over UDP port 1514, so you’ll have to add a rule to iptables on both ends to allow traffic through that port.

First, temporarily remove the drop rule on both the agent and the server.

sudo iptables -D INPUT -j DROP

To add the rule to the OSSEC server, enter the following, using your OSSEC agent’s IP.

iptables -A INPUT -p UDP --dport 1514 -s your_agent_ip -j ACCEPT

Then on the agent, enter the following, using your OSSEC server’s IP.

iptables -A INPUT -p UDP --dport 1514 -s your_server_ip -j ACCEPT

Next, allow all outbound traffic through the firewall on both the agent and the server.

iptables -A OUTPUT -j ACCEPT

Finally, add the drop rule again to both.

sudo iptables -A INPUT -j DROP

These rules should persist after a reboot because of iptables-persistant, which you installed during the prerequisites.

Step 8 — Restart OSSEC Agent and Server

Now that the server and agent have been configured to communicate, restart both of them to effect the changes using:

/var/ossec/bin/ossec-control restart

Aside from being able to restart the OSSEC agent from the agent itself, you can also restart it from the OSSEC server with /var/ossec/bin/agent_control -R 001, where 001 is the agent’s ID.

On the OSSEC server, you can list the active agents by typing:

/var/ossec/bin/list_agents -c

If you get an output like the one below, then you know that the server and agent are talking.

agentUbuntu-111.111.111.111 is active.

Conclusion

At this point, you should be receiving alerts from the server that contain notifications from both the server and the agent. The subject line of alerts pertaining to the agent look like OSSEC Notification - (agentUbuntu) 111.111.111.111 - Alert level 3. The body of those emails begins with OSSEC HIDS Notification.

After you have established that the server and agent can communicate, you may further customize both installations. Modifications that can be made on the OSSEC server and agent to alert on file additions and also to alert in real-time are the same you can make on a local OSSEC installation. You may consult the relevant section in How To Install and Configure OSSEC Security Notifications on Ubuntu 14.04 for steps on how to make those modifications.

If you have more than two Droplets to monitor, you can add them as OSSEC agents to the setup using the same steps given in this article. If you run into any issues while setting this up, the first place to look for clues is in the error log, located at /var/ossec/logs/ossec.log.

This article only covers the basics of setting up OSSEC in server-agent mode. More information is available at http://ossec-docs.readthedocs.org.

<ossec_config>
  <client>
    <server-ip>PUT THE SERVER IP HERE</server-ip>
  </client>