OSSEC is a free, open-source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows. OSSEC has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed.
OSSEC needs gcc and libc to build, plus a working Apache installation with PHP 5 for the web UI. Thanks to apt-get, you can install these in seconds. Just open a terminal and type:
sudo apt-get install build-essential apache2 libapache2-mod-php5 apache2-utils
First of all, download the needed packages (ossec-hids-2.8.tar.gz and ossec-wui-0.8.tar.gz) from the OSSEC webpage and save them to a directory (let's say Downloads/):
Install OSSEC Server/Agent
Open a terminal, extract the tarball, and run the interactive installer from inside the extracted directory:
tar xfz ossec-hids-2.8.tar.gz
cd ossec-hids-2.8
sudo ./install.sh
Answer the installer prompts as follows (the language prompt comes first):
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
- Choose where to install the OSSEC HIDS [/var/ossec]: Press Enter
3.1- Do you want e-mail notification? (y/n) [y]: n
3.2- Do you want to run the integrity check daemon? (y/n) [y]: Press Enter
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: Press Enter
- Do you want to enable active response? (y/n) [y]: Press Enter
- Do you want to enable the firewall-drop response? (y/n) [y]: Press Enter
- Do you want to add more IPs to the white list? (y/n)? [n]: Press Enter
Run OSSEC HIDS:
sudo /var/ossec/bin/ossec-control start
Install OSSEC Web UI
Extract the web UI, move it under the web root, and run its setup script from inside that directory:
tar xfz ossec-wui-0.8.tar.gz
sudo mv ossec-wui-0.8 /var/www/html/osssec-wui/
cd /var/www/html/osssec-wui/
sudo ./setup.sh
The setup script asks for a web UI username (here "test") and password, then for the web server user and the OSSEC install directory:
New password: enter-a-password
Re-type new password: retype-password
Adding password for user test
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
Enter your OSSEC install directory path (e.g. /var/ossec)
You must restart your web server after this setup is done.
sudo apache2ctl restart
Now open up a browser and point it to: http://localhost/osssec-wui/
If you get an ossec directory read error, run this in a terminal (Ubuntu):
sudo chown -R www-data:www-data /var/www/html/osssec-wui/
For other distributions, check /etc/apache2/apache.conf or /etc/httpd/httpd.conf and look for User and Group directives.
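A small shell check for the read error above, added here as an example (it is not part of the original post or of OSSEC): it reads the User and Group directives from the Apache config, follows Ubuntu's ${APACHE_RUN_USER} indirection through /etc/apache2/envvars, and confirms that the WUI tree is owned by that account. The config and envvars paths are assumptions about a stock Ubuntu install.

```shell
#!/bin/sh
# Added example, not from the original post: resolve the user and group the web
# server actually runs as, then verify that the OSSEC WUI tree is owned by them.
# This is the check behind the "ossec directory read error" chown fix above.

# Print the value of an Apache directive (User or Group) from a config file,
# resolving Debian/Ubuntu's "${APACHE_RUN_USER}" indirection via the envvars file.
#   $1 = directive name, $2 = path to apache2.conf / httpd.conf,
#   $3 = envvars file (assumed default for Ubuntu: /etc/apache2/envvars)
apache_run_value() {
    directive="$1" conf="$2" envfile="${3:-/etc/apache2/envvars}"
    # Take the last uncommented occurrence of the directive.
    value=$(sed -n "s/^[[:space:]]*$directive[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p" "$conf" | tail -n 1)
    case "$value" in
        '${'*'}')
            # Debian/Ubuntu style "User ${APACHE_RUN_USER}": look the variable up in envvars.
            var=$(printf '%s' "$value" | sed 's/^\${\(.*\)}$/\1/')
            value=$(sed -n "s/^export[[:space:]][[:space:]]*$var=\(.*\)/\1/p" "$envfile" | tail -n 1)
            ;;
    esac
    printf '%s\n' "$value"
}

# Return 0 if everything under $1 is owned by user $2 and group $3; otherwise
# list the offending paths on stderr and return 1 (2 if find itself fails,
# e.g. unknown user/group or missing directory).
wui_owned_by() {
    dir="$1" user="$2" group="$3"
    bad=$(find "$dir" \( ! -user "$user" -o ! -group "$group" \) -print 2>/dev/null) \
        || { printf 'find failed: unknown user/group or missing directory\n' >&2; return 2; }
    if [ -n "$bad" ]; then
        printf 'not owned by %s:%s\n%s\n' "$user" "$group" "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage on Ubuntu, with the WUI path used in the post: ./check.sh --check
if [ "${1:-}" = "--check" ]; then
    u=$(apache_run_value User  /etc/apache2/apache2.conf)
    g=$(apache_run_value Group /etc/apache2/apache2.conf)
    wui_owned_by /var/www/html/osssec-wui "$u" "$g" \
        || echo "fix with: sudo chown -R $u:$g /var/www/html/osssec-wui/"
fi
```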
That’s it! Enjoy!