## Install on 2 servers
## server 1 (main): ossec-hids-server
## server 2 (secondary): ossec-hids-agent
# https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian
# Installs the repo config, but not correctly!
wget -q -O atomic-file https://updates.atomicorp.com/installers/atomic
sh atomic-file
# installation on main
dnf -y install ossec-hids ossec-hids-server
# adjust /var/ossec/etc/ossec.conf
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>root@localhost</email_to>
<smtp_server>127.0.0.1</smtp_server>
<email_from>ossec@localhost</email_from>
</global>
# Start
/var/ossec/bin/ossec-control start
Testing on server 1
ssh root@localhost
# enter wrong password 3 times
# alert is logged to
cd /var/ossec/logs/alerts/
tail alerts.log
2020 Nov 11 13:48:59 server2->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 127.0.0.1
Nov 11 13:48:59 server2 sshd[56463]: Failed password for invalid user root from 127.0.0.1 port 44032 ssh2
** Alert 1605098949.1127: - syslog,sshd,invalid_login,authentication_failed,
2020 Nov 11 13:49:09 server2->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Nov 11 13:49:07 server2 sshd[56463]: message repeated 2 times: [ Failed password for invalid user root from 127.0.0.1 port 44032 ssh2]
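The alerts.log entries above are multi-line records: a `** Alert` header with the epoch id, a mail flag and the rule groups, then the time and location, the `Rule:` line, an optional `Src IP:` line, and the original log line(s). The Python below is an added example, not part of these notes or of OSSEC: it parses that layout over a constructed sample (the two rule-5710 alerts above plus a constructed rule-5712 brute-force alert with the "mail" flag set) and reports which alerts clear the e-mail threshold. The sample text and the default threshold of 7 are the assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout of /var/ossec/logs/alerts/alerts.log.
# The first two alerts mirror the rule-5710 output above (the second has no
# "Src IP" line, as on the page); the third is a constructed rule-5712 alert
# (level 10, flagged "mail") of the kind OSSEC raises once repeated failures
# from one source are correlated.
SAMPLE_ALERTS = """\
** Alert 1605098949.1127: - syslog,sshd,invalid_login,authentication_failed,
2020 Nov 11 13:48:59 server2->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 127.0.0.1
Nov 11 13:48:59 server2 sshd[56463]: Failed password for invalid user root from 127.0.0.1 port 44032 ssh2

** Alert 1605098959.1401: - syslog,sshd,invalid_login,authentication_failed,
2020 Nov 11 13:49:09 server2->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Nov 11 13:49:07 server2 sshd[56463]: message repeated 2 times: [ Failed password for invalid user root from 127.0.0.1 port 44032 ssh2]

** Alert 1605098960.1602: mail - syslog,sshd,authentication_failures,
2020 Nov 11 13:49:10 server2->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 127.0.0.1
Nov 11 13:49:10 server2 sshd[56470]: Failed password for invalid user root from 127.0.0.1 port 44040 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+):( mail)? - (.*)$")
TIME_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (.+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (\S+)$")


@dataclass
class Alert:
    epoch: int                      # first number of the alert id (Unix time)
    seq: int                        # second number of the alert id
    mailed: bool                    # "mail" flag in the header: OSSEC e-mailed it
    groups: List[str]
    timestamp: str = ""
    location: str = ""              # e.g. "server2->/var/log/auth.log"
    rule_id: int = 0
    level: int = 0
    description: str = ""
    src_ip: Optional[str] = None    # absent on some alerts
    log_lines: List[str] = field(default_factory=list)


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text into Alert records.

    Blocks are split on the "** Alert" header rather than on blank lines, so
    `tail` output that lost the separators still parses; a leading fragment
    without a header (an alert cut in half by tail) is skipped.
    """
    alerts: List[Alert] = []
    for block in re.split(r"(?m)^(?=\*\* Alert )", text):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head = HEADER_RE.match(lines[0])
        if head is None:
            continue
        alert = Alert(
            epoch=int(head.group(1)),
            seq=int(head.group(2)),
            mailed=head.group(3) is not None,
            groups=[g for g in head.group(4).split(",") if g],
        )
        for ln in lines[1:]:
            m = TIME_RE.match(ln)
            if m and not alert.timestamp:
                alert.timestamp, alert.location = m.group(1), m.group(2)
                continue
            m = RULE_RE.match(ln)
            if m:
                alert.rule_id, alert.level = int(m.group(1)), int(m.group(2))
                alert.description = m.group(3)
                continue
            m = SRCIP_RE.match(ln)
            if m:
                alert.src_ip = m.group(1)
                continue
            alert.log_lines.append(ln)      # the original syslog line(s)
        alerts.append(alert)
    return alerts


def would_email(alert: Alert, email_alert_level: int = 7) -> bool:
    """OSSEC mails an alert only if its level reaches <email_alert_level>
    (default 7, <alerts> section of ossec.conf)."""
    return alert.level >= email_alert_level


def count_by_source_and_rule(alerts: List[Alert]) -> Counter:
    """Counter keyed by (src_ip, rule_id): the first thing to look at when
    deciding whether one source is hammering sshd."""
    return Counter((a.src_ip, a.rule_id) for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.timestamp} {a.location} rule={a.rule_id} level={a.level} "
              f"src={a.src_ip} mail={'yes' if would_email(a) else 'no'}")
    print(count_by_source_and_rule(parsed))
```

Run it against a real file with `parse_alerts(open('/var/ossec/logs/alerts/alerts.log').read())`; the level check is the quick answer to "the alert is in the log but no mail arrived".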
Installation on server 2 (agent)
dnf install -y ossec-hids-agent
# vi /var/ossec/etc/ossec.conf
# set <server-ip> to the IP of server 1 (the OSSEC server the agent reports to), not the agent's own IP
<!-- OSSEC example config -->
<ossec_config>
<client>
<server-ip>192.168.33.10</server-ip>
</client>
Manage the agent (server 2) on server1 (the OSSEC server)
/var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v3.6.0 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: server1
* The IP Address of the new agent: 10.10.11.141
* An ID for the new agent[001]:
Agent information:
ID:001
Name:server2
IP Address:10.10.11.141
Confirm adding it?(y/n): y
Agent added with ID 001.
****************************************
* OSSEC HIDS v3.6.0 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: e
Available agents:
ID: 001, Name: server2, IP: 10.10.11.141
Provide the ID of the agent to extract the key (or '\q' to quit): 1
Agent key information for '001' is:
MDAxIHNlcnZlcjEgMTAuMTAuMTEuMTQxIDkyMjAyMGQ5NzNjODE4NDM3YmIxZmU5ZDBjMmFmYmMwY2JmMmE2Y2EzNjllMGU5Y2MxNmJkYTc4OTdhYTJmNzc=
** Press ENTER to return to the main menu.
****************************************
* OSSEC HIDS v3.6.0 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting.
manage_agents: Exiting.
root@server2:/var/ossec/logs/alerts#
# Restart the server
/var/ossec/bin/ossec-control restart
Import the key on the agent system (server 2). The key is the shared secret that authenticates and encrypts this agent's traffic to the server: copy it over a trusted channel (the ssh session you already have is fine), and treat a key that has been pasted into notes or a ticket as burned (remove the agent and add it again).
/var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v3.6.0 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): MDAxIHNlcnZlcjEgMTAuMTAuMTEuMTQxIDkyMjAyMGQ5NzNjODE4NDM3YmIxZmU5ZDBjMmFmYmMwY2JmMmE2Y2EzNjllMGU5Y2MxNmJkYTc4OTdhYTJmNzc=
Agent information:
ID:001
Name:server2
IP Address:10.10.11.141
Confirm adding it?(y/n): y
2020/11/11 14:08:11 manage_agents: ERROR: Cannot unlink /queue/rids/sender: No such file or directory
Added.
** Press ENTER to return to the main menu.
****************************************
* OSSEC HIDS v3.6.0 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting.
manage_agents: Exiting.
root@server1:/var/ossec/etc#
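The key that (E)xtract prints and (I)mport expects is base64 of four space-separated fields, `<id> <name> <ip> <secret>`, so it can be checked before it is pasted. The Python below is an added example, not part of these notes or of OSSEC: it decodes a constructed key (not the one shown above) and verifies that id, name and IP match the agent entry you created, which catches a truncated paste or a key extracted for the wrong agent. The constructed key and the secret-length check (64 hex digits, as in the key above) are the assumptions.

```python
import base64
import binascii
import ipaddress
import re
from typing import Dict

# Constructed key for this example (not the key printed on this page). It has
# the layout manage_agents uses: base64 of "<id> <name> <ip> <64 hex chars>".
EXAMPLE_SECRET = "0123456789abcdef" * 4
EXAMPLE_KEY = base64.b64encode(
    f"001 server2 10.10.11.141 {EXAMPLE_SECRET}".encode()
).decode()


def decode_agent_key(key: str) -> Dict[str, str]:
    """Decode a manage_agents key into id, name, ip and secret.

    Raises ValueError for anything that is not a well-formed key, so a
    truncated or mangled paste is caught before it reaches the agent.
    """
    try:
        raw = base64.b64decode(key.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    parts = raw.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 4 space-separated fields, got {len(parts)}")
    agent_id, name, ip, secret = parts
    if not re.fullmatch(r"\d{3,}", agent_id):
        raise ValueError(f"bad agent id {agent_id!r}")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        raise ValueError(f"bad agent name {name!r}")
    if ip != "any":
        # manage_agents accepts a single address, a CIDR block, or "any";
        # ip_network raises ValueError for anything else
        ipaddress.ip_network(ip, strict=False)
    if not re.fullmatch(r"[0-9a-f]{64}", secret):
        raise ValueError("secret is not 64 lowercase hex digits")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def key_matches(key: str, agent_id: str, name: str, ip: str) -> bool:
    """True if the key belongs to the agent entry (id, name, ip) you expect,
    i.e. the values manage_agents showed under "Agent information"."""
    fields = decode_agent_key(key)
    return (fields["id"], fields["name"], fields["ip"]) == (agent_id, name, ip)


if __name__ == "__main__":
    fields = decode_agent_key(EXAMPLE_KEY)
    # never print the secret itself; the other three fields are enough to compare
    print({k: v for k, v in fields.items() if k != "secret"})
    print("matches expected agent:", key_matches(EXAMPLE_KEY, "001", "server2", "10.10.11.141"))
```

For a one-off check at the shell, `echo "$KEY" | base64 -d` prints the same four fields; the point of the script is to refuse a key whose id, name or IP does not match the entry on the server, which the agent itself only discovers later as a connection failure.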
### Restart agent
/var/ossec/bin/ossec-control restart
Produce the event on server 2 (agent)
# enter wrong password 3 times
ssh root@localhost
Validate on server 1 (server)
You should get an e-mail to root. Also check the alerts log:
/var/ossec/logs/alerts/alerts.log
# An alert is only e-mailed when its level is at or above <email_alert_level> (default 7, <alerts> section of ossec.conf); a single level-5 rule 5710 hit shows up in alerts.log but is not mailed on its own.
# If nothing shows up at all, restart OSSEC on both hosts (server1 first, then the agent on server2)
server1: /var/ossec/bin/ossec-control restart
server2: /var/ossec/bin/ossec-control restart
# then retry the ssh login with a wrong password 3 times
Change the scan config in ossec.conf on server1
# like so --> first lines of the <syscheck> block
# Note: frequency is in seconds; 120 is for testing only. A <syscheck> block in server1's own ossec.conf only governs server1's local checks; to give the agent on server2 the same settings, put the block in server2's /var/ossec/etc/ossec.conf or distribute it from server1 via /var/ossec/etc/shared/agent.conf.
<syscheck>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>120</frequency>
<alert_new_files>yes</alert_new_files>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes" report_changes="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes" report_changes="yes" realtime="yes">/bin,/sbin,/boot</directories>
# Adjust local rules: the rule below goes inside the existing <group> element of local_rules.xml, before its closing </group>. Stock rule 554 ('File added to the system') is level 0, i.e. silent; raising it to 7 with overwrite="yes" makes new files alert and, since 7 is the default email_alert_level, also e-mail.
root@server1:/var/ossec/rules# vi local_rules.xml
<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to system</description>
<group>syscheck,</group>
</rule>
</group> <!-- SYSLOG,LOCAL -->
Restart the HIDS server (server1)
/var/ossec/bin/ossec-control restart
Optional: scan immediately
# From the HIDS server (server1 aka main.example) you can trigger an immediate scan
# on an agent (server2 aka secondary.example.com) by restarting it, since syscheck
# runs at agent start:
/var/ossec/bin/agent_control -R 001
# To run syscheck/rootcheck on agent 001 without a restart: /var/ossec/bin/agent_control -r -u 001