CentOS 6.4: hardening system security with OSSEC
OSSEC official website: http://www.ossec.net/
OSSEC documentation: http://ossec-docs.readthedocs.org/en/latest/manual/index.html
OSSEC is an open-source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.
The latest stable version is 2.8; download page: http://www.ossec.net/?page_id=19
OSSEC is deployed client/server. Below, server: 192.168.22.240, client: 192.168.22.241.
First disable SELinux and install the common packages.
Environment: CentOS release 6.4 (Final) x86_64
Disable SELinux (in /etc/selinux/config): SELINUX=disabled
yum install gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat wget unzip -y
Install the server
IP 192.168.22.240
yum install mysql mysql-server mysql-devel httpd php php-mysql -y
tar -xzf ossec-hids-2.8.tar.gz
cd ossec-hids-2.8
cd src/
# make setdb
Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.    # OSSEC supports a MySQL database
# cd ..
# ./install.sh
The installation dialogue follows; if you mistype, press Ctrl+Backspace.
en                  # choose the language
Enter               # continue
Server              # install as server
/usr/local/ossec    # install directory
3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? Your_mail@163.com
- What's your SMTP server ip/host? 127.0.0.1
Enter               # Running syscheck (integrity check daemon)
Enter               # Running rootcheck (rootkit detection)
Enter               # Active response enabled
Enter               # firewall-drop enabled (local) for levels >= 6
Do you want to add more IPs to the white list? (y/n)? [n]: y    # set the IP whitelist
- IPs (space separated):
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: Enter
Enter               # start the installation
Configuration files and options after installation:
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
# /usr/local/ossec/bin/ossec-control --help
Usage: /usr/local/ossec/bin/ossec-control {start|stop|restart|status|enable|disable}
# /usr/local/ossec/bin/ossec-control enable --help
Invalid enable option.
Enable options: database, client-syslog, agentless, debug
Usage: /usr/local/ossec/bin/ossec-control enable [database|client-syslog|agentless|debug]
# /usr/local/ossec/bin/ossec-control enable database
# service mysqld start
# /usr/bin/mysql_secure_installation
# mysql -uroot -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost identified by 'ossec';
mysql> flush privileges;
mysql> \q
[root@localhost ossec-hids-2.8]# mysql -uossec -p ossec < src/os_dbd/mysql.schema
Enter password:
vim /usr/local/ossec/etc/ossec.conf    # append at the end of the file; :wq! to force the save
<ossec_config>
  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>ossec</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
Add the allowed-ips line (line 128 of ossec.conf in this install) so that logs from this subnet are accepted:
<remote>
  <connection>syslog</connection>
  <allowed-ips>192.168.22.0/24</allowed-ips>
</remote>
/usr/local/ossec/bin/ossec-control restart
By now the mailbox will already have received mail from OSSEC.
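The two ossec.conf edits above as a small added script (mine, not from the post or from OSSEC), so they can be applied non-interactively and checked afterwards; it assumes the path of the file to edit is passed as an argument and reuses the tutorial's subnet and MySQL values.

```shell
# Added example (not from the original post): apply this tutorial's two
# ossec.conf edits non-interactively and verify them. The subnet and the
# MySQL values are the tutorial's; the path argument is the file to edit.
set -eu
ALLOWED_NET="192.168.22.0/24"

# Append the <database_output> block once (skips if already present).
add_database_output() {
    grep -q '<database_output>' "$1" && return 0
    cat >> "$1" <<'EOF'
<ossec_config>
  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>ossec</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
EOF
}

# Insert <allowed-ips> after the syslog <connection> line inside <remote>,
# keeping that line's indentation; a no-op if the subnet is already listed.
add_allowed_ips() {
    conf="$1"; net="${2:-$ALLOWED_NET}"
    grep -q "<allowed-ips>$net</allowed-ips>" "$conf" && return 0
    awk -v net="$net" '
        /<remote>/   { in_remote = 1 }
        /<\/remote>/ { in_remote = 0 }
        { print }
        in_remote && /<connection>syslog<\/connection>/ {
            match($0, /^[ \t]*/)
            printf "%s<allowed-ips>%s</allowed-ips>\n", substr($0, 1, RLENGTH), net
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Count syslog <remote> blocks that still have no <allowed-ips> line;
# 0 means every syslog listener is restricted to a subnet.
count_unrestricted_remote() {
    awk '
        /<remote>/ { in_remote = 1; syslog = 0; allowed = 0 }
        in_remote && /<connection>syslog<\/connection>/ { syslog = 1 }
        in_remote && /<allowed-ips>/ { allowed = 1 }
        /<\/remote>/ { if (syslog && !allowed) n++; in_remote = 0 }
        END { print n + 0 }' "$1"
}
```

Run it against a copy of ossec.conf first, e.g. `add_allowed_ips ossec.conf.test` followed by `count_unrestricted_remote ossec.conf.test`, and restart OSSEC only once the count is 0.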
Next, add the agent (client)
# /usr/local/ossec/bin/manage_agents
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
# then, in this order:
A    # add
Please provide the following:
* A name for the new agent: agent1
* The IP Address of the new agent: 192.168.22.241
* An ID for the new agent[001]: 001
Agent information:
ID:001
Name:agent1
IP Address:192.168.22.241
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: agent1, IP: 192.168.22.241
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0MSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZsNhZDd3YmFjZjddZTFkMmNj
# this key is needed when installing the agent
** Press ENTER to return to the main menu.
Choose your action: A,E,L,R or Q: Q
# netstat -unlp | grep ossec    # OSSEC communicates over UDP ports 514 and 1514
udp   0   0  0.0.0.0:514    0.0.0.0:*   4511/ossec-remoted
udp   0   0  0.0.0.0:1514   0.0.0.0:*   4513/ossec-remoted
vim /etc/sysconfig/iptables    # open the ports in iptables
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1514 -j ACCEPT
service iptables restart
Install the client
IP 192.168.22.241
# tar -xzf ossec-hids-2.8.tar.gz
# cd ossec-hids-2.8
# ./install.sh
Y                   # the default is en
Enter               # proceed with the installation
Agent               # install as agent
/usr/local/ossec    # install directory
192.168.22.240      # the server's IP
Enter               # Running syscheck (integrity check daemon)
Enter               # Running rootcheck (rootkit detection)
Enter               # active response
3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/nginx/error.log (apache log)
Enter               # start the installation
Configuration after installation; do not run these yet:
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
Configure the agent
# /usr/local/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit):
MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0zSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZTNdZDc3YmFjZjdmZTFk5mNj
Agent information:
ID:001
Name:agent1
IP Address:192.168.22.241
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Choose your action: I or Q: Q
# /usr/local/ossec/bin/ossec-control restart
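Before pasting the key it is worth checking that it survived the copy. The manage_agents key is base64 of "ID NAME IP SECRET", so decoding it lets you confirm the ID, name and IP match what the server printed and that the secret is intact hex. This is an added example (not part of the post or of OSSEC); the sample key is constructed here, not the one shown above.

```shell
# Added example (not part of the original post): decode a manage_agents key
# before importing it on the agent, to catch copy/paste damage. A key is
# base64 of "ID NAME IP SECRET"; the sample below is constructed, not the
# key printed by the server in this tutorial.
set -eu

# Decode the key after stripping stray spaces/newlines; fails on bad base64.
decode_agent_key() {
    printf '%s' "$1" | tr -d ' \n\r' | base64 -d 2>/dev/null
}

# Check that a key decodes to 4 fields with the expected ID/name/IP and a
# purely hexadecimal secret. Exit status 0 means it is safe to import.
check_agent_key() {
    key="$1"; want_id="$2"; want_name="$3"; want_ip="$4"
    decoded=$(decode_agent_key "$key") || { echo "not valid base64" >&2; return 1; }
    set -- $decoded
    [ $# -eq 4 ] || { echo "expected 4 fields, got $#" >&2; return 1; }
    [ "$1" = "$want_id" ]   || { echo "ID mismatch: $1" >&2; return 1; }
    [ "$2" = "$want_name" ] || { echo "name mismatch: $2" >&2; return 1; }
    [ "$3" = "$want_ip" ]   || { echo "IP mismatch: $3" >&2; return 1; }
    printf '%s' "$4" | grep -Eq '^[0-9a-f]{32,}$' || { echo "secret is not hex" >&2; return 1; }
    return 0
}

# Constructed sample: agent 001 / agent1 / 192.168.22.241 with a dummy secret.
SAMPLE_SECRET="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_KEY=$(printf '001 agent1 192.168.22.241 %s' "$SAMPLE_SECRET" | base64 | tr -d '\n')
```

Usage on the agent host: `check_agent_key "$KEY" 001 agent1 192.168.22.241 && echo ok`, with the key copied from the server's Extract output.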
OSSEC log
/usr/local/ossec/logs/ossec.log
Install the web interface
ossec-wui interface
cd /var/www
unzip ossec-wui-master.zip
mv ossec-wui-master html/ossec
cd html/ossec/
# cat ossec_conf.php    # point $ossec_dir at the install directory
/* Ossec directory */
# $ossec_dir="/var/ossec";
$ossec_dir="/usr/local/ossec";
# ./setup.sh
Setting up ossec ui...
Username: ossec
New password:
Re-type new password:
Adding password for user ossec
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
apache
Enter your OSSEC install directory path (e.g. /var/ossec)
/usr/local/ossec
You must restart your web server after this setup is done.
Setup completed successfuly.
# vim /etc/httpd/conf.d/ossec.conf
<Directory /var/www/html/ossec>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
    # For access from outside the LAN, comment out or delete the three lines
    # above and use these instead; with both sets active "allow from all" wins
    # and the subnet restriction has no effect:
    # Options FollowSymLinks
    # AllowOverride None
    # Order deny,allow
    # allow from all
    Options -MultiViews
    AuthName "OSSEC AUTH"
    AuthType Basic
    AuthUserFile /var/www/html/ossec/.htpasswd
    Require valid-user
</Directory>
Don't forget to open port 80 in iptables:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
chown apache:apache *
service httpd restart
analogi interface
cd /var/www/html
wget -O analogi-master.zip https://github.com/ECSC/analogi/archive/master.zip
unzip analogi-master.zip
mv analogi-master ossec/analogi
chown apache.apache -R ossec
cd ossec/analogi
cp db_ossec.php.new db_ossec.php
vim db_ossec.php
define('DB_USER_O','ossec');
define('DB_PASSWORD_O','ossec');
define('DB_HOST_O','localhost');
define('DB_NAME_O','ossec');
vim /etc/httpd/conf.d/analogi.conf
# analogi was moved under the ossec directory above, so it also inherits
# that Directory block's Basic auth
<Directory /var/www/html/ossec/analogi>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
    # For access from outside the LAN, comment out or delete the three lines above and use:
    # Options FollowSymLinks
    # AllowOverride None
    # Order deny,allow
    # allow from all
</Directory>
# service httpd restart
Check the status
# /usr/local/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Active
# /usr/local/ossec/bin/list_agents -a
agent1-192.168.22.241 is available.
# /usr/local/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...
[Screenshot: OSSEC web interface]
[Screenshot: analogi interface]
[Screenshot: alert e-mail received from OSSEC]
This article comes from the blog "金戈铁马行飞燕"; please keep this attribution: http://bbotte.blog.51cto.com/6205307/1539285