Step by Step Guide to Install OSSEC HIDS on Ubuntu 20.04 LTS

OSSEC is a free & open source host-based intrusion detection tool. It runs on Linux, OpenBSD, Solaris, FreeBSD, Windows, and other systems. It works in a server or client model. It is used for log analysis, policy monitoring, file integrity checking, real-time alerting, rootkit detection and active response.

There are few steps to install OSSEC on ubuntu:

Step 1: Update the System.

apt-get update

Step 2: Install the required packages.

apt install wget unzip make gcc build-essential
apt install  php php-cli php-common libapache2-mod-php apache2-utils inotify-tools

Step 3: Download the Ossec.

wget https://github.com/ossec/ossec-hids/archive/3.1.0.tar.gz

  • Here is the command output.

  • Extract the downloaded file.

tar -xvzf 3.1.0.tar.gz

  • Change the path.

cd ossec-hids-3.1.0/

  • Run the Install script file.

sh install.sh

  • Provide the following values:

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en
OSSEC HIDS v3.1.0 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
- System: Linux ip-172-31-43-187 5.4.0-1045
- User: root
- Host: ip-172-31-43-187
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
- Local installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? [email protected]
- We found your SMTP server as: mx01.mail.com.
- Do you want to use it? (y/n) [y]: y
--- Using SMTP server: mx01.mail.com.
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: y
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]: y
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- 127.0.0.53
- Do you want to add more IPs to the white list? (y/n)? [n]:
3.6- Setting the configuration to analyze theNow Ossec interface is Ready. following logs:
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/dpkg.log
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
5- Installing the system
- Running the Makefile
CC external/cJSON/cJSON.o
LINK libcJSON.a
RANLIB libcJSON.a
cd external/zlib-1.2.11/ && ./configure && make libz.a
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.11 with gcc.
Checking for size_t... Yes.

  • Here is the command output.

Step 4: Start the ossec-control.

/var/ossec/bin/ossec-control start

  • Here is the command output.

Step 5: Install OSSEC web interface.

git clone https://github.com/ossec/ossec-wui.git

  • Here is the command output.

  • Run the following command to setup Ossec login credentials.

mv ossec-wui /srv
cd /srv/ossec-wui
./setup.sh

  • Provide the username, password & web-server user name.

root@ip-172-31-43-187:/srv/ossec-wui# ./setup.sh
trap: SIGHUP: bad trap
Setting up ossec ui...
Username: admin
New password:
Re-type new password:
Adding password for user admin
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
www-data
Setup completed successfully.

  • Here is the command output.

Step 6: Configure the Apache2.

vim /etc/apache2/sites-available/ossec-wui.conf

Provide the following values:

<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName test
ServerAlias www.test
DocumentRoot /srv/ossec-wui/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory/srv/ossec-wui/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>

  • Here is the output.

  • Enable the site.

a2ensite ossec-wui.conf

  • Enable the rewrite mode.

a2enmod rewrite

  • Restart the apache2.

systemctl restart apache2

Step 7: Access OSSEC web interface

https://server-ip

  • Here is the output.
  • Provide user-name & password.

  • Now Ossec interface is Ready.

2 responses to “Step by Step Guide to Install OSSEC HIDS on Ubuntu 20.04 LTS”

Leave a Reply