Environment: CentOS 7
Official site
Linux download address:
https://github.com/ossec/ossec-hids/archive/2.9.4.tar.gz
wget https://github.com/ossec/ossec-hids/archive/2.9.4.tar.gz
tar -xzvf 2.9.4.tar.gz
cd ossec-hids-2.9.4
./install.sh
Choose the language: cn
Confirm that the gcc compiler is installed and press Enter
Choose standalone mode: local
root@vultr:~/ossec-hids-2.9.4# ./install.sh
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvű telepítéshez válassza [hu].
** Per l’installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: cn
OSSEC HIDS v2.9.4 安装脚本 - http://www.ossec.net
您将开始 OSSEC HIDS 的安装.
请确认在您的机器上已经正确安装了 C 编译器.
系统类型: Linux vultr.guest 3.13.0-149-generic
用户: root
主机: vultr.guest
- 按 ENTER 继续或 Ctrl-C 退出. -
1- 您希望哪一种安装 (server, agent, local or help)? local
2- 正在初始化安装环境.
请选择 OSSEC HIDS 的安装路径 [/var/ossec]:
3- 正在配置 OSSEC HIDS.
3.1- 您希望收到e-mail告警吗? (y/n) [y]: n
- Email告警没有启用 .
3.2- 您希望运行系统完整性检测模块吗? (y/n) [y]: y
系统完整性检测模块将被部署.
3.3- 您希望运行 rootkit检测吗? (y/n) [y]: y
rootkit检测将被部署.
strings: '/usr/bin/mail': No such file
3.4- 关联响应允许您在分析已接收事件的基础上执行一个
已定义的命令.
例如,你可以阻止某个IP地址的访问或禁止某个用户的访问权限.
更多的信息,您可以访问:
http://www.ossec.net/en/manual.html#active-response
Next, accept all the defaults:
您希望开启联动(active response)功能吗? (y/n) [y]: y
默认情况下, 我们开启了主机拒绝和防火墙拒绝两种响应.
第一种情况将添加一个主机到 /etc/hosts.deny.
第二种情况将在iptables(linux)或ipfilter(Solaris,
FreeBSD 或 NetBSD)中拒绝该主机的访问.
该功能可以用以阻止 SSHD 暴力攻击, 端口扫描和其他
一些形式的攻击. 同样你也可以将他们添加到其他地方,
例如将他们添加为 snort 的事件.
您希望开启防火墙联动(firewall-drop)功能吗? (y/n) [y]: y
联动功能默认的白名单是:
您希望添加更多的IP到白名单吗? (y/n)? [n]: n
3.6- 设置配置文件以分析一下日志:
- /var/log/auth.log
- /var/log/syslog
- /var/log/dpkg.log
- /var/log/snort/alert (snort-full file)
- /var/log/nginx/access.log (apache log)
- /var/log/nginx/error.log (apache log)
-如果你希望监控其他文件, 只需要在配置文件ossec.conf中
添加新的一项.
任何关于配置的疑问您都可以在 http://www.ossec.net 找到答案.
— 按 ENTER 以继续 —
The installation then completes successfully.
Commonly used OSSEC files
Alert log directory:
/var/ossec/logs/alerts
The alerts.log file inside it
is the alert log for detected intrusion activity.
Active-response log:
/var/ossec/logs/active-responses.log
The core configuration file is:
/root/ossec-hids-2.9.4/etc/ossec.conf
(this is the copy in the source tree; the installed copy that OSSEC actually reads is /var/ossec/etc/ossec.conf, which is the file edited later in this post.)
Key settings in the file (excerpt):
[root@vultr logs]# cat /root/ossec-hids-2.9.4/etc/ossec.conf
<email_notification>yes</email_notification>
<email_to>daniel.cid@example.com</email_to>
<smtp_server>smtp.example.com.</smtp_server>
<email_from>ossecm@ossec.example.com.</email_from>
<!-- <email_reply_to>replyto@ossec.example.com.</email_reply_to> -->
<picviz_output>no</picviz_output>
<!-- these are the various rule sets -->
<include>rules_config.xml</include>
<include>sshd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>attack_rules.xml</include>
<include>dropbear_rules.xml</include>
<include>sysmon_rules.xml</include>
<include>opensmtpd_rules.xml</include>
<!-- Frequency that syscheck is executed -- default every 2 hours -->
<frequency>7200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<nodiff>/etc/ssl/private.key</nodiff>
<!-- rootkit detection -->
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<white_list>127.0.0.1</white_list>
<white_list>::1</white_list>
<white_list>192.168.2.1</white_list> <!-- these are the whitelist entries -->
<white_list>192.168.2.190</white_list>
<white_list>192.168.2.32</white_list>
<white_list>192.168.2.10</white_list>
<connection>secure</connection>
<!-- Active Response Config --> <!-- active-response settings -->
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
The rules directory is:
/var/ossec/rules
There are this many rule files in total; let's pick a few to look at:
apache_rules.xml ms_ftpd_rules.xml sendmail_rules.xml
apparmor_rules.xml ms-se_rules.xml smbd_rules.xml
arpwatch_rules.xml mysql_rules.xml solaris_bsm_rules.xml
asterisk_rules.xml named_rules.xml sonicwall_rules.xml
attack_rules.xml netscreenfw_rules.xml spamd_rules.xml
cimserver_rules.xml nginx_rules.xml squid_rules.xml
cisco-ios_rules.xml nsd_rules.xml sshd_rules.xml
clam_av_rules.xml openbsd_rules.xml symantec-av_rules.xml
courier_rules.xml opensmtpd_rules.xml symantec-ws_rules.xml
dovecot_rules.xml ossec_rules.xml syslog_rules.xml
dropbear_rules.xml owncloud_rules.xml sysmon_rules.xml
exim_rules.xml pam_rules.xml systemd_rules.xml
firewalld_rules.xml php_rules.xml telnetd_rules.xml
firewall_rules.xml pix_rules.xml trend-osce_rules.xml
ftpd_rules.xml policy_rules.xml unbound_rules.xml
hordeimp_rules.xml postfix_rules.xml vmpop3d_rules.xml
ids_rules.xml postgresql_rules.xml vmware_rules.xml
imapd_rules.xml proftpd_rules.xml vpn_concentrator_rules.xml
local_rules.xml proxmox-ve_rules.xml vpopmail_rules.xml
mailscanner_rules.xml psad_rules.xml vsftpd_rules.xml
mcafee_av_rules.xml pure-ftpd_rules.xml web_appsec_rules.xml
msauth_rules.xml racoon_rules.xml web_rules.xml
ms_dhcp_rules.xml roundcube_rules.xml wordpress_rules.xml
ms-exchange_rules.xml rules_config.xml zeus_rules.xml
[root@vultr rules]# cat apache_rules.xml
<decoded_as>apache-errorlog</decoded_as>
<description>Apache messages grouped.</description>
<if_sid>30100</if_sid>
<match>^[error] </match>
<description>Apache error messages grouped.</description>
<if_sid>30100</if_sid>
<match>^[warn] </match>
<description>Apache warn messages grouped.</description>
<if_sid>30100</if_sid>
<match>^[notice] </match>
<description>Apache notice messages grouped.</description>
<if_sid>30103</if_sid>
<match>exit signal Segmentation Fault</match>
<description>Apache segmentation fault.</description>
<info type="link">http://www.securityfocus.com/infocus/1633</info>
<group>service_availability,</group>
<if_sid>30101</if_sid>
<match>denied by server configuration</match>
<description>Attempt to access forbidden file or directory.</description>
<group>access_denied,</group>
<if_sid>30101</if_sid>
<match>Directory index forbidden by rule</match>
<description>Attempt to access forbidden directory index.</description>
<group>access_denied,</group>
<if_sid>30101</if_sid>
<match>Client sent malformed Host header</match>
<description>Code Red attack.</description>
<info type="link">http://www.cert.org/advisories/CA-2001-19.html</info>
<info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</info>
<group>automatic_attack,</group>
<if_sid>30102</if_sid>
<match>authentication failed</match>
<description>User authentication failed.</description>
<group>authentication_failed,</group>
<if_sid>30101</if_sid>
<regex>user \S+ not found|user \S+ in realm \.* not found</regex>
<description>Attempt to login using a non-existent user.</description>
<group>invalid_login,</group>
<if_sid>30101</if_sid>
<match>authentication failure</match>
<description>User authentication failed.</description>
<group>authentication_failed,</group>
<if_sid>30101</if_sid>
<match>File does not exist: |</match>
<match>failed to open stream: No such file or directory|</match>
<match>Failed opening </match>
<description>Attempt to access an non-existent file (those are reported on the access.log).</description>
<group>unknown_resource,</group>
<if_sid>30101</if_sid>
<match>Invalid URI in request</match>
<description>Invalid URI (bad client request).</description>
<group>invalid_request,</group>
<if_matched_sid>30115</if_matched_sid>
<same_source_ip />
<description>Multiple Invalid URI requests from </description>
<description>same source.</description>
<group>invalid_request,</group>
<if_sid>30101</if_sid>
<match>File name too long|request failed: URI too long</match>
<description>Invalid URI, file name too long.</description>
<group>invalid_request,</group>
<if_sid>30101</if_sid>
<match>mod_security: Access denied|ModSecurity: Access denied</match>
<description>Access attempt blocked by Mod Security.</description>
<group>access_denied,</group>
<if_matched_sid>30118</if_matched_sid>
<same_source_ip />
<description>Multiple attempts blocked by Mod Security.</description>
<group>access_denied,</group>
<if_sid>30101</if_sid>
<match>Resource temporarily unavailable:</match>
<description>Apache without resources to run.</description>
<group>service_availability,</group>
<match>^mod_security-message: </match>
<description>Modsecurity alert.</description>
<if_sid>30200</if_sid>
<match>^mod_security-message: Access denied </match>
<description>Modsecurity access denied.</description>
<group>access_denied,</group>
<if_matched_sid>30201</if_matched_sid>
<description>Multiple attempts blocked by Mod Security.</description>
<group>access_denied,</group>
<if_sid>30100</if_sid>
<regex> [\S*:error] </regex>
<description>Apache error messages grouped.</description>
<if_sid>30100</if_sid>
<regex> [\S+:warn] </regex>
<description>Apache warn messages grouped.</description>
<if_sid>30100</if_sid>
<regex> [\S+:notice] </regex>
<description>Apache notice messages grouped.</description>
<if_sid>30303</if_sid>
<match>exit signal Segmentation Fault</match>
<description>Apache segmentation fault.</description>
<info type="link">http://www.securityfocus.com/infocus/1633</info>
<group>service_availability,</group>
<if_sid>30301</if_sid>
<id>AH01630</id>
<description>Attempt to access forbidden file or directory.</description>
<group>access_denied,</group>
<if_sid>30301</if_sid>
<id>AH01276</id>
<description>Attempt to access forbidden directory index.</description>
<group>access_denied,</group>
<if_sid>30301</if_sid>
<id>AH00550</id>
<description>Client sent malformed Host header. Possible Code Red attack.</description>
<info type="link">http://www.cert.org/advisories/CA-2001-19.html</info>
<info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</info>
<group>automatic_attack,</group>
<if_sid>30301</if_sid>
<id>AH01617|AH01807|AH01694|AH01695|AH02009|AH02010</id>
<description>User authentication failed.</description>
<group>authentication_failed,</group>
<if_sid>30301</if_sid>
<id>AH01618|AH01808|AH01790</id>
<description>Attempt to login using a non-existent user.</description>
<group>invalid_login,</group>
<if_matched_sid>30309</if_matched_sid>
<same_source_ip/>
<description>Multiple authentication failures with invalid user.</description>
<group>authentication_failures,</group>
<if_sid>30301</if_sid>
<match>File does not exist: |</match>
<match>failed to open stream: No such file or directory|</match>
<match>Failed opening </match>
<description>Attempt to access an non-existent file (those are reported on the access.log).</description>
<group>unknown_resource,</group>
<if_sid>30301</if_sid>
<id>AH00126</id>
<description>Invalid URI (bad client request).</description>
<group>invalid_request,</group>
<if_matched_sid>30315</if_matched_sid>
<same_source_ip />
<description>Multiple Invalid URI requests from </description>
<description>same source.</description>
<group>invalid_request,</group>
<if_sid>30301</if_sid>
<id>AH00565</id>
<description>Invalid URI, file name too long.</description>
<group>invalid_request,</group>
<if_sid>30301</if_sid>
<match>PHP Notice:</match>
<description>PHP Notice in Apache log</description>
<if_sid>30301</if_sid>
<id>AH00036</id>
<match>File name too long: </match>
<description>File name too long.</description>
<if_sid>30301</if_sid>
<match>Permission denied: | client denied by server configuration: </match>
<description>Permission denied.</description>
<if_sid>30301</if_sid>
<id>AH02811</id>
<match>script not found </match>
<description>A script cannot be accessed.</description>
<if_sid>30301</if_sid>
<match>ModSecurity: Warning</match>
<description>ModSecurity Warning messages grouped</description>
<if_sid>30301</if_sid>
<match>ModSecurity: Access denied</match>
<description>ModSecurity Access denied messages grouped</description>
<if_sid>30301</if_sid>
<match>ModSecurity: Audit log:</match>
<description>ModSecurity Audit log messages grouped</description>
<if_sid>30402</if_sid>
<match>with code 403</match>
<description>ModSecurity rejected a query</description>
A rule's effect is defined by matching on keywords that appear in the Apache log (via <match> or <regex>) or, as in this example, on the Apache message id (<id>). For example:
<if_sid>30301</if_sid>
<id>AH01630</id>
<description>Attempt to access forbidden file or directory.</description>
<group>access_denied,</group>
This rule has id 30305; it fires when a user tries to access a file or directory that the server forbids (the rule's own description: "Attempt to access forbidden file or directory"), which may indicate that the user is an attacker.
Common commands
Start / stop:
/var/ossec/bin/ossec-control start
/var/ossec/bin/ossec-control stop
Agent management:
/var/ossec/bin/manage_agents
Test rules against a log line:
/var/ossec/bin/ossec-logtest
Here we demonstrate adding a rule that detects SSH brute-force attempts.
The signature of an SSH login log line is that the program name begins with sshd.
vim syslog_rules.xml
Find this part:
<match>FAILED LOGIN |authentication failure|</match>
<match>Authentication failed for|invalid password for|</match>
<match>LOGIN FAILURE|auth failure: |authentication error|</match>
<match>authinternal failed|Failed to authorize|</match>
<match>Wrong password given for|login failed|Auth: Login incorrect|</match>
<match>Failed to authenticate user</match>
<group>authentication_failed,</group>
<description>User authentication failure.</description>
<match>more authentication failures;|REPEATED login failures</match>
<description>User missed the password more than one time</description>
<group>authentication_failed,</group>
vim /var/ossec/etc/ossec.conf
<ossec_config>
<email_notification>no</email_notification>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
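The steps above only enable the rule files that OSSEC already ships; the post never shows a new rule. As an added example (not from the post and not one of OSSEC's stock rules), this is what a custom correlation rule for the SSH brute-force case looks like in /var/ossec/rules/local_rules.xml (the file appears in the rules directory listing above); the rule id 100100 is an assumed value from the 100000-109999 range reserved for local rules, and 5716 is the stock "SSHD authentication failed" rule that appears in the alert log below.

```xml
<!-- Added example, not part of the original post: /var/ossec/rules/local_rules.xml -->
<group name="local,syslog,sshd,">

  <!-- Correlation rule: fire when the same source IP triggers stock rule 5716
       ("SSHD authentication failed") repeatedly within a short window.
       frequency = how many 5716 hits, timeframe = within how many seconds.
       Rule id 100100 is an assumed value from the local-rules range (100000-109999). -->
  <rule id="100100" level="10" frequency="6" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Custom: SSHD brute force, repeated failed passwords from one source.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Level 10 is above the level 6 threshold of the host-deny active response
       in the ossec.conf excerpt above, so the offending source IP is written to
       /etc/hosts.deny for the configured 600 seconds. -->
</group>
```

Check that the rule loads and matches with /var/ossec/bin/ossec-logtest, then apply it with /var/ossec/bin/ossec-control restart.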
Now look at the alert log; you can see the rules taking effect:
[root@vultr alerts]# cat alerts.log
** Alert 1531039434.0: mail - ossec,
2018 Jul 08 08:43:54 vultr->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.
** Alert 1531039489.151: - syslog,sshd,
2018 Jul 08 08:44:49 guest->/var/log/secure
Rule: 5702 (level 5) -> 'Reverse lookup error (bad ISP or attack).'
Src IP: 118.212.136.13
Jul 8 08:44:49 guest sshd[8279]: reverse mapping checking getaddrinfo for 13.136.212.118.adsl-pool.jx.chinaunicom.com [118.212.136.13] failed - POSSIBLE BREAK-IN ATTEMPT!
** Alert 1531039491.499: - pam,syslog,authentication_failed,
2018 Jul 08 08:44:51 guest->/var/log/secure
Rule: 5503 (level 5) -> 'User login failed.'
Src IP: 118.212.136.13
User: root
Jul 8 08:44:51 guest sshd[8279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.212.136.13 user=root
** Alert 1531039495.832: - syslog,sshd,authentication_failed,
2018 Jul 08 08:44:55 guest->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 118.212.136.13
User: root
Jul 8 08:44:53 guest sshd[8279]: Failed password for root from 118.212.136.13 port 8073 ssh2
** Alert 1531039501.1121: - syslog,sshd,authentication_failed,
2018 Jul 08 08:45:01 guest->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 118.212.136.13
User: root
Jul 8 08:45:00 guest sshd[8279]: Failed password for root from 118.212.136.13 port 8073 ssh2
** Alert 1531039503.1411: - syslog,sshd,authentication_failed,
2018 Jul 08 08:45:03 guest->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 118.212.136.13
User: root
Jul 8 08:45:03 guest sshd[8279]: Failed password for root from 118.212.136.13 port 8073 ssh2
** Alert 1531039505.1701: mail - syslog,access_control,authentication_failed,
2018 Jul 08 08:45:05 guest->/var/log/secure
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Src IP: 118.212.136.13
User: root
Jul 8 08:45:04 guest sshd[8279]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.212.136.13 user=root
** Alert 1531039674.2069: - syslog,sshd,
2018 Jul 08 08:47:54 guest->/var/log/secure
Rule: 5702 (level 5) -> 'Reverse lookup error (bad ISP or attack).'
Src IP: 118.212.136.15
Jul 8 08:47:53 guest sshd[8452]: reverse mapping checking getaddrinfo for 15.136.212.118.adsl-pool.jx.chinaunicom.com [118.212.136.15] failed - POSSIBLE BREAK-IN ATTEMPT!
** Alert 1531039678.2418: mail - syslog,fts,authentication_success
2018 Jul 08 08:47:58 guest->/var/log/secure
Rule: 10100 (level 4) -> 'First time user logged in.'
Src IP: 118.212.136.15
User: root
Jul 8 08:47:57 guest sshd[8452]: Accepted password for root from 118.212.136.15 port 48713 ssh2
** Alert 1531039678.2716: - pam,syslog,authentication_success,
2018 Jul 08 08:47:58 guest->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Jul 8 08:47:57 guest sshd[8452]: pam_unix(sshd:session): session opened for user root by (uid=0)