Hardening CentOS 6.4 system security with OSSEC


OSSEC official website: http://www.ossec.net/

OSSEC documentation: http://ossec-docs.readthedocs.org/en/latest/manual/index.html

OSSEC is an open-source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.

The latest stable version is 2.8; download page: http://www.ossec.net/?page_id=19

OSSEC is deployed in a client/server (C/S) model. In the following, server: 192.168.22.240, client: 192.168.22.241.

First disable SELinux and install the commonly used packages.

Environment: CentOS release 6.4 (Final) x86_64

Disable SELinux: SELINUX=disabled

yum install gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat wget unzip -y

Installing the server

IP 192.168.22.240

yum install mysql mysql-server mysql-devel httpd php php-mysql -y

tar -xzf ossec-hids-2.8.tar.gz

cd ossec-hids-2.8

cd src/

# make setdb
Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.    # OSSEC is now built with MySQL database support

# cd ..

# ./install.sh

The installation dialogue follows; if you mistype an answer, hold Ctrl+Backspace.

en                  # choose the language
Enter               # continue
Server              # install as a server
/usr/local/ossec    # installation directory
3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? Your_mail@163.com
- What's your SMTP server ip/host? 127.0.0.1
Enter               # Running syscheck (integrity check daemon)
Enter               # Running rootcheck (rootkit detection)
Enter               # Active response enabled
Enter               # firewall-drop enabled (local) for levels >= 6
Do you want to add more IPs to the white list? (y/n)? [n]: y    # set the IP whitelist
- IPs (space separated):
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: Enter
Enter               # start the installation

Configuration files and commands available after installation:

/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents

# /usr/local/ossec/bin/ossec-control --help
Usage: /usr/local/ossec/bin/ossec-control {start|stop|restart|status|enable|disable}

# /usr/local/ossec/bin/ossec-control enable --help
Invalid enable option.
Enable options: database, client-syslog, agentless, debug
Usage: /usr/local/ossec/bin/ossec-control enable [database|client-syslog|agentless|debug]

# /usr/local/ossec/bin/ossec-control enable database

# service mysqld start

# /usr/bin/mysql_secure_installation

# mysql -uroot -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost identified by 'ossec';
mysql> flush privileges;
mysql> \q

[root@localhost ossec-hids-2.8]# mysql -uossec -p ossec < src/os_dbd/mysql.schema
Enter password:

vim /usr/local/ossec/etc/ossec.conf    # append at the end of the file; :wq! to force-save

<ossec_config>
  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>ossec</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>

Add line 128 so that syslog from this subnet is accepted:

<remote>
127    <connection>syslog</connection>
128    <allowed-ips>192.168.22.0/24</allowed-ips>
129  </remote>

/usr/local/ossec/bin/ossec-control restart

At this point the mailbox has already received mail from OSSEC.

Next, add the agent client.

# /usr/local/ossec/bin/manage_agents
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.

# in order:
A    # add
Please provide the following:
* A name for the new agent: agent1
* The IP Address of the new agent: 192.168.22.241
* An ID for the new agent[001]: 001
Agent information:
   ID:001
   Name:agent1
   IP Address:192.168.22.241
Confirm adding it?(y/n): y
Agent added.

****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: agent1, IP: 192.168.22.241
Provide the ID of the agent to extract the key (or 'q' to quit): 001

Agent key information for '001' is:
MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0MSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZsNhZDd3YmFjZjddZTFkMmNj

# this key is needed when installing the agent

** Press ENTER to return to the main menu.
Choose your action: A,E,L,R or Q: Q

# netstat -unlp | grep ossec    # OSSEC communicates on UDP ports 514 and 1514
udp    0    0 0.0.0.0:514     0.0.0.0:*    4511/ossec-remoted
udp    0    0 0.0.0.0:1514    0.0.0.0:*    4513/ossec-remoted

vim /etc/sysconfig/iptables    # open the ports in iptables
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1514 -j ACCEPT

service iptables restart

Installing the client

IP 192.168.22.241

# tar -xzf ossec-hids-2.8.tar.gz
# cd ossec-hids-2.8
# ./install.sh

Y                   # the default is en
Enter               # start the installation
Agent               # install as an agent
/usr/local/ossec    # installation directory
192.168.22.240      # the server's IP
Enter               # Running syscheck (integrity check daemon)
Enter               # Running rootcheck (rootkit detection)
Enter               # active response
3.5- Setting the configuration to analyze the following logs:
   -- /var/log/messages
   -- /var/log/secure
   -- /var/log/maillog
   -- /var/log/nginx/error.log (apache log)
Enter               # start the installation

Configuration available after installation; there is no need to run these yet.

/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents

Configuring the agent

# /usr/local/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or newlines.

Paste it here (or 'q' to quit):
MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0zSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZTNdZDc3YmFjZjdmZTFk5mNj

Agent information:
   ID:001
   Name:agent1
   IP Address:192.168.22.241
Confirm adding it?(y/n): y
Added.

** Press ENTER to return to the main menu.
Choose your action: I or Q: Q

# /usr/local/ossec/bin/ossec-control restart
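An added check, not from the original post, for the key-extraction step on the server and the key-import step above: an OSSEC agent key is just the base64 encoding of "id name ip secret", so before pasting it into manage_agents you can decode it and confirm that the embedded ID and IP match the agent you are sitting on. The sample key below is constructed for the demonstration (placeholder secret) and is not the key shown in the post.

```shell
# Added example, not from the original post. An OSSEC 2.x agent key is the base64
# encoding of "<id> <name> <ip> <secret>", where the secret is 64 hex characters.
# check_agent_key KEY EXPECTED_ID EXPECTED_IP
#   returns 0 when the key decodes cleanly and matches, 1 otherwise.
check_agent_key() {
    key=$1; want_id=$2; want_ip=$3
    # base64 -d fails on characters outside the alphabet (a mangled paste).
    decoded=$(printf '%s' "$key" | base64 -d 2>/dev/null) || return 1
    set -- $decoded                            # split into the four fields
    [ "$#" -eq 4 ] || return 1
    [ "$1" = "$want_id" ] || return 1          # agent ID must match
    [ "$3" = "$want_ip" ] || return 1          # agent IP must match
    [ "${#4}" -eq 64 ] || return 1             # secret length
    case $4 in *[!0-9a-f]*) return 1 ;; esac   # secret must be lowercase hex
    return 0
}

# Constructed sample key for agent 001 / 192.168.22.241 (placeholder secret).
SAMPLE_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_KEY=$(printf '%s' "001 agent1 192.168.22.241 $SAMPLE_SECRET" | base64 | tr -d '\n')

# On the agent, run this before importing; the result says whether to paste it.
if check_agent_key "$SAMPLE_KEY" 001 192.168.22.241; then
    echo "key OK for agent 001 (192.168.22.241)"
else
    echo "key does NOT match agent 001 (192.168.22.241)" >&2
fi
```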

OSSEC's log file:

/usr/local/ossec/logs/ossec.log

Installing the web interface

The ossec-wui interface

cd /var/www
unzip ossec-wui-master.zip
mv ossec-wui-master html/ossec
cd html/ossec/

# cat ossec_conf.php
/* Ossec directory */
# $ossec_dir="/var/ossec";
$ossec_dir="/usr/local/ossec";

# ./setup.sh
Setting up ossec ui...
Username: ossec
New password:
Re-type new password:
Adding password for user ossec
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
apache
Enter your OSSEC install directory path (e.g. /var/ossec)
/usr/local/ossec
You must restart your web server after this setup is done.
Setup completed successfuly.

# vim /etc/httpd/conf.d/ossec.conf
<Directory /var/www/html/ossec>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
    # For access from outside the subnet, comment out or delete the lines above
    # and use the following four lines instead:
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    allow from all
    Options -MultiViews
    AuthName "OSSEC AUTH"
    AuthType Basic
    AuthUserFile /var/www/html/ossec/.htpasswd
    Require valid-user
</Directory>

Don't forget to open port 80 in iptables:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

chown apache:apache *
service httpd restart

The analogi interface

cd /var/www/html
wget https://github.com/ECSC/analogi/archive/master.zip
unzip analogi-master.zip
mv analogi-master ossec/analogi
chown apache.apache -R ossec
cd ossec/analogi
cp db_ossec.php.new db_ossec.php

vim db_ossec.php
define('DB_USER_O','ossec');
define('DB_PASSWORD_O','ossec');
define('DB_HOST_O','localhost');
define('DB_NAME_O','ossec');

vim /etc/httpd/conf.d/analogi.conf
<Directory /var/www/html/analogi>
    Order deny,allow
    Deny from all
    Allow from 192.168.22.0/24
    # For access from outside the subnet, comment out or delete the lines above
    # and use the following four lines instead:
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    allow from all
</Directory>

# service httpd restart

Checking the status

# /usr/local/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Active

# /usr/local/ossec/bin/list_agents -a
agent1-192.168.22.241 is available.

# /usr/local/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...
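An added monitoring check, not part of the original post: it parses the agent_control -lc listing shown above and reports every agent whose state is not Active, so that a disconnected agent is noticed instead of silently stopping its log and integrity reports. The listing in the block is constructed; agent 002 and its Disconnected state are invented for the demonstration.

```shell
# Added example, not from the original post. Feed it the output of
#   /usr/local/ossec/bin/agent_control -lc
# and it prints "id name ip state" for each agent that is not Active and
# returns 1 when there is at least one (convenient for a cron job).
inactive_agents() {
    printf '%s\n' "$1" | awk -F', *' '
        /^ *ID:/ {
            id = $1;    sub(/^ *ID: */, "", id)
            name = $2;  sub(/^Name: */, "", name)
            ip = $3;    sub(/^IP: */, "", ip)
            state = $4
            # "Active" and "Active/Local" are healthy; anything else is reported
            if (state !~ /^Active/) { print id, name, ip, state; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample listing in the format agent_control -lc prints;
# agent 002 is invented to show a disconnected agent.
SAMPLE_LIST='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.22.241, Active
   ID: 002, Name: agent2, IP: 192.168.22.242, Disconnected'

# Real use: inactive_agents "$(/usr/local/ossec/bin/agent_control -lc)"
inactive_agents "$SAMPLE_LIST" || echo "some agents are not Active" >&2
```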

[Figure: the OSSEC web interface]

[Figure: the analogi graphical interface]

[Figure: an alert e-mail received from OSSEC]

This article comes from the "金戈铁马行飞燕" blog; please keep this source when reposting: http://bbotte.blog.51cto.com/6205307/1539285
