
Setting up an OSSEC 2.8.3 server on CentOS 7.6

芮星海
2023-12-01

Environment: CentOS 7.6, OSSEC 2.8.3
1. Install the required packages

[root@warship src]# yum -y install iptables-services tcpdump lrzsz gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat wget unzip httpd php php-mysql mariadb mariadb-server git

2. Replace firewalld with iptables

[root@warship ~]# systemctl stop firewalld
[root@warship ~]# systemctl disable firewalld
[root@warship ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@warship ~]# vim /etc/sysconfig/iptables
*filter 
:INPUT ACCEPT [0:0] 
:FORWARD ACCEPT [0:0] 
:OUTPUT ACCEPT [0:0] 
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT 
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT 
-A INPUT -m state --state NEW -m udp -p udp --dport 1514 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@warship ~]# systemctl start iptables
[root@warship ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:514
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1514
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

3. Extract OSSEC and enter its src directory

[root@warship src]# make setdb
Error: PostgreSQL client libraries not installed.
Error: DB libraries not installed.
[root@warship src]# yum -y install mysql-devel
[root@warship src]# make setdb
Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.
cd ../
./install.sh
Choose the language, the SMTP server and the e-mail address in turn; at the end the installer prints:

 - 系统类型是  Redhat Linux.
 - 修改启动脚本使 OSSEC HIDS 在系统启动时自动运行 

 - 已正确完成系统配置.

 - 要启动 OSSEC HIDS:
		/var/ossec/bin/ossec-control start

 - 要停止 OSSEC HIDS:
		/var/ossec/bin/ossec-control stop

 - 要查看或修改系统配置,请编辑  /var/ossec/etc/ossec.conf



    感谢使用 OSSEC HIDS.
    如果您有任何疑问,建议或您找到任何bug,
    请通过 contact@ossec.net 或邮件列表 ossec-list@ossec.net 联系我们.    
    ( http://www.ossec.net/en/mailing_lists.html ).

    您可以在 http://www.ossec.net 获得更多信息

    --- 请按 ENTER 结束安装 (下面可能有更多信息). ---


 - 为使代理能够联接服务器端, 您需要将每个代理添加到服务器.
   允许'manage_agents'来添加活删除代理:

   /var/ossec/bin/manage_agents

   详细信息请参考: 
   http://www.ossec.net/en/manual.html#ma

4. Configure MariaDB

[root@warship ossec-hids-2.8.3]# mysql -uroot
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> update user set password=password("111111") where user="root";
ERROR 1046 (3D000): No database selected
MariaDB [(none)]> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('111111');
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database ossec;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost identified by 'ossec';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> quit
Bye
[root@warship ossec-hids-2.8.3]# mysql -uossec -possec -D ossec < src/os_dbd/mysql.schema
[root@warship ossec-hids-2.8.3]# vim /var/ossec/etc/ossec.conf
First, at the top of the file, set the SMTP server and e-mail address to use.
In the remote section, set the address range of the client servers to be monitored:
<remote>
<connection>syslog</connection>
<allowed-ips>192.168.238.0/24</allowed-ips>
</remote>
Add the following at the end of the file (host, user, password, database name and database type, in that order):
<ossec_config>
<database_output>
<hostname>localhost</hostname>
<username>ossec</username>
<password>ossec</password>
<database>ossec</database>
<type>mysql</type>
</database_output>
</ossec_config>
[root@warship ossec-hids-2.8.3]# /var/ossec/bin/ossec-control restart
ossec-monitord not running ...
ossec-logcollector not running ...
ossec-remoted not running ...
ossec-syscheckd not running ...
ossec-analysisd not running ...
ossec-maild not running ...
ossec-execd not running ...
ossec-dbd not running ...
OSSEC HIDS v2.8.3 Stopped
Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
Started ossec-dbd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
The OSSEC server installation is now complete.

5. Install the web UI

[root@warship ~]# git clone https://github.com/ossec/ossec-wui.git
Cloning into 'ossec-wui'...
remote: Enumerating objects: 205, done.
remote: Total 205 (delta 0), reused 0 (delta 0), pack-reused 205
Receiving objects: 100% (205/205), 216.96 KiB | 160.00 KiB/s, done.
Resolving deltas: 100% (69/69), done.
[root@warship ~]# ls
anaconda-ks.cfg ossec-hids-2.8.3 ossec-hids-2.8.3.tar.gz ossec-wui
[root@warship ~]# mv ossec-wui* /var/www/htdocs/ossec-wui
mv: cannot move 'ossec-wui' to '/var/www/htdocs/ossec-wui': No such file or directory
[root@warship ~]# ls /var/www/
cgi-bin html
[root@warship ~]# mv ossec-wui* /var/www/html/ossec
[root@warship ~]# ls /var/www/html/ossec-wui
CONTRIB css htaccess_def.txt img index.php js lib LICENSE ossec_conf.php README README.search setup.sh site
[root@warship ossec-wui]# ./setup.sh
Setting up ossec ui...
Username: admin
New password:    # set to 1
Re-type new password:
Adding password for user admin
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
apache
You must restart your web server after this setup is done.
[root@warship ~]# vim /etc/httpd/conf.d/ossec.conf

Alias /ossec/ "/var/www/html/ossec/"

<Directory /var/www/html/ossec>
Order deny,allow
Deny from all
Allow from 192.168.238.0/24

Options FollowSymLinks
AllowOverride None
Order deny,allow
allow from all

Options -MultiViews
AuthName "OSSEC AUTH"
AuthType Basic
AuthUserFile /var/www/html/ossec/.htpasswd
Require valid-user
</Directory>

Then restart the OSSEC server for this to take effect.

6. Install the analogi plugin
Download the plugin, then:

[root@warship ~]# unzip master.zip
Archive: master.zip
[root@warship ~]# ls
anaconda-ks.cfg analogi-master master.zip ossec-hids-2.8.3 ossec-hids-2.8.3.tar.gz
[root@warship ~]# mv analogi-master/ /var/www/html/ossec/analogi
[root@warship html]# cd ossec/
[root@warship ossec]# ls
analogi css img js LICENSE README setup.sh tmp
CONTRIB htaccess_def.txt index.php lib ossec_conf.php README.search site
[root@warship ossec]# cd analogi/
[root@warship analogi]# cp db_ossec.php.new db_ossec.php
[root@warship ~]# vim /var/www/html/ossec/analogi/db_ossec.php
Fill in the MariaDB host, username, password and database name.
Configure the Apache config file:
[root@warship ~]# vim /etc/httpd/conf.d/analogi.conf
Alias /analogi/ "/var/www/html/ossec/analogi/"

<Directory /var/www/html/ossec/analogi>
Order deny,allow
Deny from all
Allow from 192.168.238.0/24

Options FollowSymLinks
AllowOverride None
Order deny,allow
allow from all

</Directory>

7. Add an agent

[root@warship analogi]# /var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: warship (server), IP: 127.0.0.1, Active/Local
[root@warship analogi]# /var/ossec/bin/list_agents -a
** No agent available.
[root@warship analogi]# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
Adding a new agent (use '\q' to return to the main menu).
please provide the following:
* A name for the new agent: agent1
* The IP Address of the new agent: 192.168.238.1
* An ID for the new agent[001]: 001
*Agent information:
ID:001
Name:agent1
IP Address:192.168.238.1
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: agent1, IP: 192.168.238.1
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFnZW50MSAxOTIuMTY4LjIzOC4xIDJlNjlkNDM2NGU2MWM0ZWI4NGNhOGJjNjQxNjY2ZTFhYzgwYzBhYjllNWQ1OWU3NTRmY2U2MTZiYTBmZTBlODU=
** Press ENTER to return to the main menu.
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ...
[root@warship analogi]#
[root@warship analogi]# /var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: warship (server), IP: 127.0.0.1, Active/Local
[root@warship analogi]# /var/ossec/bin/ossec-control restart
Deleting PID file '/var/ossec/var/run/ossec-remoted-21001.pid' not used...
Killing ossec-monitord ...
Killing ossec-logcollector ...
Killing ossec-remoted ...
Killing ossec-syscheckd ...
Killing ossec-analysisd ...
Killing ossec-maild ...
Killing ossec-execd ...
Killing ossec-dbd ...
OSSEC HIDS v2.8.3 Stopped
Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
Started ossec-dbd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
[root@warship analogi]# /var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: warship (server), IP: 127.0.0.1, Active/Local
[root@warship analogi]# /var/ossec/bin/agent_control -a
** Invalid argument combination.
OSSEC HIDS agent_control: Control remote agents.
Available options:
-h This help message.
-l List available (active or not) agents.
-lc List active agents.
-i Extracts information from an agent.
-R Restarts agent.
-r -a Runs the integrity/rootkit checking on all agents now.
-r -u Runs the integrity/rootkit checking on one agent now.
-b Blocks the specified ip address.
-f Used with -b, specifies which response to run.
-L List available active responses.
-s Changes the output to CSV (comma delimited).
[root@warship analogi]# /var/ossec/bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: warship (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: agent1, IP: 192.168.238.1, Never connected
List of agentless devices:
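As an added example that is not part of the original post, the following bash health check ties the firewall step to the final agent listing: it flags agents that are not Active in the output of agent_control -l (such as agent1 above, which shows "Never connected") and confirms the iptables ruleset accepts 1514/udp, the port ossec-remoted receives agent traffic on. The helper functions read text on stdin, so they can be tried against saved output; the commands and paths match the ones used in this post, and the live checks at the bottom are skipped unless run as root on the server.

```bash
#!/bin/bash
# Added example: post-install health check for the OSSEC 2.8.3 server set up above.
# Both helpers read text on stdin, so they can be run against saved command output
# as well as the live commands at the bottom.

# Print "ID NAME IP" for every agent whose state is not Active (e.g. "Never
# connected" or "Disconnected"). Input: output of /var/ossec/bin/agent_control -l.
inactive_agents() {
  sed -n 's/^ *ID: \([0-9]*\), Name: \([^,]*\), IP: \([^,]*\), \(.*\)$/\1|\2|\3|\4/p' |
    awk -F'|' '$4 !~ /^Active/ { print $1, $2, $3 }'
}

# Exit 0 if an iptables-save style ruleset (stdin) has an INPUT rule that ACCEPTs
# UDP traffic to port $1, like the 1514 rule in /etc/sysconfig/iptables above.
rule_accepts_udp() {
  grep -Eq -- "^-A INPUT .*-p udp .*--dport $1 .*-j ACCEPT"
}

# Live checks; only meaningful on the server itself, so skipped elsewhere.
if [ "$(id -u)" -eq 0 ] && [ -x /var/ossec/bin/agent_control ]; then
  echo "== agents that are not Active =="
  /var/ossec/bin/agent_control -l | inactive_agents
  if iptables-save | rule_accepts_udp 1514; then
    echo "iptables: 1514/udp is accepted"
  else
    echo "iptables: no ACCEPT rule for 1514/udp; agents cannot reach ossec-remoted"
  fi
  if ss -lun | grep -q ':1514 '; then
    echo "ossec-remoted is listening on 1514/udp"
  else
    echo "nothing is listening on 1514/udp; check ossec-control status"
  fi
fi
```

An agent that stays "Never connected" after its key has been imported usually points at the firewall or at a key/IP mismatch, so these two checks are the first things to run.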

References:
https://www.cnblogs.com/zlslch/p/8512858.html
https://blog.csdn.net/AlexTan_/article/details/51971861
https://xz.aliyun.com/t/2003#toc-7
