OSSEC: protect yourself from attacks
Has your site been hacked? Do you suspect malicious traffic on your servers? Do you fear that a recently added plugin to your WordPress introduced a vulnerability? Attacks can come from everywhere, but your protection might be closer than you think. Check out OSSEC, the Open Source SECurity agent. OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System, abbreviated HIDS.
I will focus on how to install OSSEC from source on Ubuntu Linux. Most of these instructions will work on other Linux systems, though some package names might differ.
Why not install it from a package manager? Because I tried, but it wouldn’t fly for me, so I ended up doing a source installation anyway.
Installing dependencies
OSSEC depends on several libraries and build tools, some of which are needed only during installation and some at run time. Always refresh your package manager's index before you start, so you get current versions of the dependencies.
sudo apt update
The dependencies are as follows:
sudo apt install -y wget curl unzip make gcc build-essential libpcre2-dev libsystemd-dev libssl-dev
Install OSSEC HIDS
We need the latest release of the source code. The following commands look up the latest release tag on GitHub, download and unpack that archive, and start the installer.
VER=$(curl -s https://api.github.com/repos/ossec/ossec-hids/releases/latest|grep tag_name|cut -d '"' -f 4)
wget https://github.com/ossec/ossec-hids/archive/${VER}.tar.gz
tar xvf $VER.tar.gz
cd ossec-hids-${VER}
sudo ./install.sh
The installer starts by asking a series of questions, such as language, your email address, etc. On the question about the installation type, I selected local, which creates a standalone installation. I am not going to go through all the questions; they are well explained on screen, and most likely you will want the default values. After the last question, the script tells you to press ENTER to continue to compilation.
Run the following command to start OSSEC and confirm that the installation was successful:
sudo /var/ossec/bin/ossec-control start
Notice that the executables are located under /var/ossec/bin instead of in /usr/bin or /usr/sbin. This is a deliberate security decision: the entire OSSEC installation is by default placed in /var/ossec with restricted access permissions. Keeping the OSSEC executables out of $PATH and making the configuration accessible only to root makes it difficult for malicious code to alter anything in the configuration.
Configuring OSSEC
The rule files in /var/ossec/rules are meant to be managed by OSSEC, and rule updates or version upgrades might overwrite these files. Any local rules that override the default global rules should be placed in /var/ossec/rules/local_rules.xml. Edits to any other rule files might get lost.
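As an added example (not from the original post and not the file the OSSEC project ships), here is a local_rules.xml that tunes two of the default sshd rules without editing anything else under /var/ossec/rules. The address 203.0.113.10 is a constructed placeholder for a trusted management host, and the IDs 100010 and 100011 are picked from the 100000-119999 range reserved for local rules.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not the project's shipped file) -->
<group name="local,syslog,sshd,">

  <!-- Suppress sshd authentication failures (default rule 5716) that come from
       the trusted management host. 203.0.113.10 is a constructed placeholder.
       Level 0 keeps the event out of the alert log entirely. -->
  <rule id="100010" level="0">
    <if_sid>5716</if_sid>
    <srcip>203.0.113.10</srcip>
    <description>Ignore sshd authentication failures from the management host.</description>
  </rule>

  <!-- Escalate the default sshd brute-force rule (5712) for every other source
       to level 12, which is above the default email_alert_level of 7 and so
       triggers an e-mail as well as a log entry. -->
  <rule id="100011" level="12">
    <if_sid>5712</if_sid>
    <description>sshd brute force from an untrusted source (escalated locally).</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

After saving the file, restart with sudo /var/ossec/bin/ossec-control restart and check /var/ossec/logs/ossec.log for rule parsing errors; /var/ossec/bin/ossec-logtest lets you paste a sample sshd log line and see which rule ID and level it now matches.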