{"id":18428,"date":"2016-01-28T15:23:55","date_gmt":"2016-01-28T21:23:55","guid":{"rendered":"https:\/\/www.rosehosting.com\/blog\/?p=18428"},"modified":"2022-12-12T05:04:59","modified_gmt":"2022-12-12T11:04:59","slug":"install-ossec-on-ubuntu-14-04","status":"publish","type":"post","link":"https:\/\/www.rosehosting.com\/blog\/install-ossec-on-ubuntu-14-04\/","title":{"rendered":"Install OSSEC on Ubuntu 14.04"},"content":{"rendered":"
This article is the first part of the full tutorial for installing OSSEC server\/agent on an Ubuntu 14.04 VPS<\/a><\/strong>. This part covers the installation of OSSEC 2.8.3 (the latest stable version when this tutorial was written), its Web UI installation, and shows how to enable MySQL support for OSSEC.<\/p>\n OSSEC is an Open Source Host-based Intrusion Detection System. It combines all the aspects of HIDS (host-based intrusion detection) and Security Incident Management (SIM)\/Security Information and Event Management (SIEM) in a simple, powerful, and open source solution.<\/p>\n OSSEC’s key benefits are:<\/p>\n OSSEC performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Check the operating systems and log formats<\/a> that OSSEC supports.<\/p>\n REQUIREMENTS<\/strong><\/p>\n We will be using our SSD 1 Linux VPS<\/a> Hosting plan for this tutorial.<\/p>\n Log in to your server via SSH:<\/p>\n Before starting, enter the command below to check whether you have the proper version of Ubuntu installed on your machine:<\/p>\n It should give you the following output:<\/p>\n UPDATE THE SYSTEM<\/strong><\/p>\n Make sure your server is fully up to date:<\/p>\n Now install Apache, MySQL, PHP and some needed modules with the command below:<\/p>\n INSTALL OSSEC<\/strong><\/p>\n Enter the \/opt<\/strong> directory:<\/p>\n Download OSSEC:<\/p>\n Unpack the archive and enter the unpacked directory:<\/p>\n Enable the MySQL database support:<\/p>\n Go back to the previous directory:<\/p>\n Now, start the OSSEC installation script and follow the easy instructions:<\/p>\n Below is the output of the entire installation procedure and the features that we enabled. Of course, you choose which options to enable\/disable, but we recommend that you follow the output below. 
You can press Enter if you want to go with the default choice (shown in brackets) for every question asked.<\/p>\n Press Enter.<\/p>\n Now press Enter to continue with the installation, which shouldn’t take more than 2 minutes. After everything is completed you will get:<\/p>\n Start OSSEC:<\/p>\n The next step is to create a MySQL user and database for OSSEC. Enter MySQL as root:<\/p>\n OSSEC provides a schema for the database, located in the src\/os_dbd\/ directory. Import it into your newly created ossec database:<\/p>\n Enter the ossecuser password when prompted.<\/p>\n Now add the database config to the OSSEC config file:<\/p>\n You can put the above lines anywhere in the <ossec_config> block. Save and exit the file. Then, enable the database and restart OSSEC:<\/p>\n INSTALL OSSEC WEB UI<\/strong><\/p>\n Install the OSSEC Web UI in Apache’s default document root. Enter the directory:<\/p>\n Download the latest OSSEC WUI and unpack the archive:<\/p>\n Rename the directory to ossec:<\/p>\n Create a tmp directory inside and set the correct file ownership and permissions:<\/p>\n You can now access the web UI by opening your favorite web browser and navigating to http:\/\/your_server_IP\/ossec\/<\/strong><\/p>\n Congratulations, you have successfully installed the OSSEC server and its web user interface on an Ubuntu 14.04 VPS<\/a>. For more information please check OSSEC’s thorough documentation<\/a>.<\/p>\n In the second part of this tutorial we will cover the OSSEC agent installation on another machine, and we will install the Analogi Web Dashboard, which gives a better and more informative interface than the standard Web UI.<\/p>\n Of course, you don’t have to do any of this if you use one of our Linux VPS Hosting<\/a> services, in which case you can simply ask our expert Linux admins to do this for you. 
They are available 24×7 and will take care of your request immediately.<\/p>\n","protected":false},"excerpt":{"rendered":" This article is the first part of the full tutorial for installing OSSEC server\/agent on an Ubuntu 14.04 VPS. This … <\/p>\n\n
# ssh root@server_ip<\/pre>\n
# lsb_release -a<\/pre>\n
Distributor ID: Ubuntu\r\nDescription: Ubuntu 14.04.3 LTS\r\nRelease: 14.04\r\nCodename: trusty<\/pre>\n
# apt-get update && apt-get upgrade<\/pre>\n
# apt-get install mysql-server libmysqlclient-dev mysql-client apache2 php5 libapache2-mod-php5 php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl<\/pre>\n
# cd \/opt<\/pre>\n
# wget https:\/\/bintray.com\/artifact\/download\/ossec\/ossec-hids\/ossec-hids-2.8.3.tar.gz<\/pre>\n
# tar -xzf ossec-hids-2.8.3.tar.gz\r\n\r\n# cd ossec-hids-2.8.3<\/pre>\n
# cd src\r\n\r\n# make setdb<\/pre>\n
# cd ..\/<\/pre>\n
# .\/install.sh<\/pre>\n
OSSEC HIDS v2.8.3 Installation Script - http:\/\/www.ossec.net\r\n\r\n You are about to start the installation process of the OSSEC HIDS.\r\n You must have a C compiler pre-installed in your system.\r\n If you have any questions or comments, please send an e-mail\r\n to dcid@ossec.net (or daniel.cid@gmail.com).\r\n\r\n - System: Linux vps 2.6.32-042stab113.11\r\n - User: root\r\n - Host: vps.rosehosting.com\r\n\r\n\r\n -- Press ENTER to continue or Ctrl-C to abort. --<\/pre>\n
1- What kind of installation do you want (server, agent, local, hybrid or help)? server\r\n\r\n - Server installation chosen.\r\n\r\n2- Setting up the installation environment.\r\n\r\n - Choose where to install the OSSEC HIDS [\/var\/ossec]:\r\n\r\n - Installation will be made at \/var\/ossec .\r\n\r\n3- Configuring the OSSEC HIDS.\r\n\r\n 3.1- Do you want e-mail notification? (y\/n) [y]:\r\n\r\n - What's your e-mail address? user@example.com\r\n - What's your SMTP server ip\/host? smtp.example.com\r\n\r\n 3.2- Do you want to run the integrity check daemon? (y\/n) [y]:\r\n\r\n - Running syscheck (integrity check daemon).\r\n\r\n 3.3- Do you want to run the rootkit detection engine? (y\/n) [y]:\r\n\r\n - Running rootcheck (rootkit detection).\r\n\r\n 3.4- Active response allows you to execute a specific\r\n command based on the events received. For example,\r\n you can block an IP address or disable access for\r\n a specific user.\r\n More information at:\r\n http:\/\/www.ossec.net\/en\/manual.html#active-response\r\n\r\n - Do you want to enable active response? (y\/n) [y]:\r\n\r\n - Active response enabled.\r\n\r\n - By default, we can enable the host-deny and the\r\n firewall-drop responses. The first one will add\r\n a host to the \/etc\/hosts.deny and the second one\r\n will block the host on iptables (if linux) or on\r\n ipfilter (if Solaris, FreeBSD or NetBSD).\r\n - They can be used to stop SSHD brute force scans,\r\n portscans and some other forms of attacks. You can\r\n also add them to block on snort events, for example.\r\n\r\n - Do you want to enable the firewall-drop response? (y\/n) [y]:\r\n\r\n - firewall-drop enabled (local) for levels >= 6\r\n\r\n - Default white list for the active response:\r\n - xxx.xxx.xxx.xx\r\n - xx.xxx.xx.xxx\r\n\r\n - Do you want to add more IPs to the white list? (y\/n)? [n]:\r\n\r\n 3.5- Do you want to enable remote syslog (port 514 udp)? 
(y\/n) [y]:\r\n\r\n - Remote syslog enabled.\r\n\r\n 3.6- Setting the configuration to analyze the following logs:\r\n -- \/var\/log\/messages\r\n -- \/var\/log\/auth.log\r\n -- \/var\/log\/syslog\r\n -- \/var\/log\/mail.info\r\n -- \/var\/log\/dpkg.log\r\n -- \/var\/log\/apache2\/error.log (apache log)\r\n -- \/var\/log\/apache2\/access.log (apache log)\r\n\r\n - If you want to monitor any other file, just change\r\n the ossec.conf and add a new localfile entry.\r\n Any questions about the configuration can be answered\r\n by visiting us online at http:\/\/www.ossec.net .\r\n\r\n\r\n --- Press ENTER to continue ---<\/pre>\n
- System is Debian (Ubuntu or derivative).\r\n - Init script modified to start OSSEC HIDS during boot.\r\n\r\n - Configuration finished properly.\r\n\r\n - To start OSSEC HIDS:\r\n \/var\/ossec\/bin\/ossec-control start\r\n\r\n - To stop OSSEC HIDS:\r\n \/var\/ossec\/bin\/ossec-control stop\r\n\r\n - The configuration can be viewed or modified at \/var\/ossec\/etc\/ossec.conf\r\n\r\n\r\n Thanks for using the OSSEC HIDS.\r\n If you have any question, suggestion or if you find any bug,\r\n contact us at contact@ossec.net or using our public maillist at\r\n ossec-list@ossec.net\r\n ( http:\/\/www.ossec.net\/main\/support\/ ).\r\n\r\n More information can be found at http:\/\/www.ossec.net\r\n\r\n --- Press ENTER to finish (maybe more information below). ---\r\n\r\n - In order to connect agent and server, you need to add each agent to the server.\r\n Run the 'manage_agents' to add or remove them:\r\n\r\n \/var\/ossec\/bin\/manage_agents<\/pre>\n
# \/var\/ossec\/bin\/ossec-control start<\/pre>\n
# mysql -u root -p\r\n\r\nmysql> create database ossec;\r\nQuery OK, 1 row affected (0.00 sec)\r\n\r\nmysql> grant all privileges on ossec.* to ossecuser@localhost identified by 'your_password';\r\nQuery OK, 0 rows affected (0.00 sec)\r\n\r\nmysql> flush privileges;\r\nQuery OK, 0 rows affected (0.00 sec)\r\n\r\nmysql> exit\r\nBye<\/pre>\n
# mysql -u ossecuser -p ossec < src\/os_dbd\/mysql.schema<\/pre>\n
# nano \/var\/ossec\/etc\/ossec.conf\r\n<\/pre>\n
<database_output>\r\n        <hostname>127.0.0.1<\/hostname>\r\n        <username>ossecuser<\/username>\r\n        <password>your_password<\/password>\r\n        <database>ossec<\/database>\r\n        <type>mysql<\/type>\r\n    <\/database_output><\/pre>\n
# \/var\/ossec\/bin\/ossec-control enable database\r\n\r\n# \/var\/ossec\/bin\/ossec-control restart<\/pre>\n
# cd \/var\/www\/html\/<\/pre>\n
# wget https:\/\/github.com\/ossec\/ossec-wui\/archive\/master.zip\r\n\r\n# unzip master.zip<\/pre>\n
# mv ossec-wui-master\/ ossec\/<\/pre>\n
# mkdir ossec\/tmp\/\r\n\r\n# chown www-data: -R ossec\/\r\n\r\n# A directory needs the execute bit to be entered, so mode 666 would leave tmp unusable by the web server;\r\n# 770 lets the www-data owner and group read, write and traverse it while keeping other users out.\r\n# chmod 770 \/var\/www\/html\/ossec\/tmp<\/pre>\n