Has your site been hacked? Do you suspect malicious traffic on your servers? Do you fear that a recently added plugin introduced a vulnerability to your WordPress site? Attacks can come from anywhere, but your protection might be closer than you think. Check out OSSEC, the Open Source SECurity agent. OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System, abbreviated HIDS.
I will focus on how to install OSSEC from source on Ubuntu Linux. Most of these instructions will also work on other Linux distributions, though some package names might differ.
Why not install it from a package manager? Because I tried, but it wouldn’t fly for me, so I ended up doing a source installation anyway.
OSSEC depends on various libraries, and certain tools are needed during installation and at run time. Always keep your package manager up to date so you get the latest versions of all dependencies before you start the installation.
We need the latest source code, and the following commands fetch it.
VER=$(curl -s https://api.github.com/repos/ossec/ossec-hids/releases/latest | grep tag_name | cut -d '"' -f 4)
curl -L -o "$VER.tar.gz" "https://github.com/ossec/ossec-hids/archive/refs/tags/$VER.tar.gz"  # download the release tarball for that tag
tar xvf "$VER.tar.gz"  # unpacks into ossec-hids-<version>
cd "ossec-hids-${VER#v}" && sudo ./install.sh  # run the interactive installer from the unpacked source tree
The installer starts by asking a series of questions, such as your language, your email address and so on. On the question about installation type, I selected local, which creates a standalone installation. I am not going to go through all the questions; they are well explained on screen, and most likely you will want the default values. After the last question, the script tells you to press ENTER to continue to compilation.
Run the following command to verify that the installation was successful:
sudo /var/ossec/bin/ossec-control start
Notice that the executables are located under /var/ossec/bin rather than in /usr/bin or /usr/sbin. This is a deliberate security decision: the entire OSSEC installation is by default placed in /var/ossec with restricted permissions. Keeping the OSSEC executables off $PATH and making the configuration accessible only to root makes it difficult for malicious code to alter anything in the configuration.
The rule files in /var/ossec/rules are controlled by OSSEC, and rule updates or version upgrades may overwrite them. Any local rules overriding the default global rules should be placed in /var/ossec/rules/local_rules.xml; edits to any other rules file may be lost.
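As an added example (not part of the original post or of the OSSEC project), here is a small post-install sanity check that turns the two points above into something you can run: it verifies that the install root is not world-accessible, that its bin directory is not on $PATH, and that the local rules file you are supposed to edit exists. The install root is taken as an argument (defaulting to /var/ossec) so the same function can be run against a constructed directory tree; it assumes a POSIX shell and either GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not from the original post: sanity check for an OSSEC
# install tree. Assumes a POSIX sh and a stat that supports -c (GNU) or
# -f (BSD).

# Print the octal permission bits of a path (GNU stat first, BSD fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the tree looks the way the installer leaves it, 1 otherwise.
#   1. the install root has no "other" permission bits set,
#   2. <root>/bin is not on $PATH, so nothing resolves OSSEC tools by name,
#   3. <root>/rules/local_rules.xml exists (the only rules file meant for edits).
ossec_tree_check() {
    root=${1:-/var/ossec}
    rc=0

    if [ ! -d "$root" ]; then
        echo "missing: $root"
        return 1
    fi

    # 1. world bits: the last octal digit of the mode must be 0
    mode=$(perm_of "$root")
    case "$mode" in
        *0) ;;
        *)  echo "world-accessible: $root (mode $mode)"; rc=1 ;;
    esac

    # 2. PATH must not contain the OSSEC bin directory
    case ":$PATH:" in
        *":$root/bin:"*) echo "on PATH: $root/bin"; rc=1 ;;
    esac

    # 3. the file local rules belong in must be present
    if [ ! -f "$root/rules/local_rules.xml" ]; then
        echo "missing: $root/rules/local_rules.xml"
        rc=1
    fi

    return $rc
}

# Run directly against a real install:  sh ossec_tree_check.sh /var/ossec
if [ -n "${1:-}" ]; then
    ossec_tree_check "$1"
fi
```

The check needs no root privileges beyond being able to stat the install root, so it can run from a monitoring cron job; a non-zero exit is a signal that someone loosened the permissions or added /var/ossec/bin to a login PATH.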
(He/Him) Aun aka Skippern is a long time geek, nerd, and h4x0r. Autodidact programmer, map nerd, music lover, tech lover, retro. Formerly a master mariner, but forced ashore and turned IoT technician.
Skippern is from one planet, considers himself dual nationality, has lived in three countries and worked on four continents.