CentOS 6.4 使用OSSEC加固系统安全配置
时间:2015-01-16 00:33 来源:linux.it.net.cn 作者:IT
关闭selinux SELINUX=disabled
yum install gcc gcc-c++ vim wget lrzsz ntpdate sysstat dstat wget unzip -y
yum install mysql mysql-server mysql-devel httpd php php-mysql –y
tar -xzf ossec-hids-2.8.tar.gz
cd ossec-hids-2.8
cd src/
# make setdb
Error: PostgreSQL client libraries notinstalled.
Info: Compiled with MySQL support. #ossec支持mysql数据库
# cd ..
# ./install.sh
en #选择语言
Enter #继续
Server #安装为server
/usr/local/ossec #安装目录
3.1- Do you want e-mail notification? (y/n)[y]: y
-What's your e-mail address? Your_mail@163.com
-What's your SMTP server ip/host? 127.0.0.1
Enter # Running syscheck (integrity check daemon)
Enter # Running rootcheck (rootkit detection)
Enter #Active response enabled
Enter # firewall-drop enabled (local) for levels >= 6
Do you want to add more IPs to the whitelist? (y/n)? [n]: y #设置ip白名单
-IPs (space separated):
3.5- Do you want to enable remote syslog(port 514 udp)? (y/n) [y]:Enter
Enter #开始安装
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
# /usr/local/ossec/bin/ossec-control --help
Usage: /usr/local/ossec/bin/ossec-control{start|stop|restart|status|enable|disable}
# /usr/local/ossec/bin/ossec-control enable--help
Invalid enable option.
Enable options: database, client-syslog,agentless, debug
Usage: /usr/local/ossec/bin/ossec-controlenable [database|client-syslog|agentless|debug]
# /usr/local/ossec/bin/ossec-control enable database
# service mysqld start
# /usr/bin/mysql_secure_installation
# mysql -uroot -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost identified by 'ossec';
mysql> flush privileges;
mysql> \q
<ossec_config>
<database_output>
<hostname>localhost</hostname>
<username>ossec</username>
<password>ossec</password>
<database>ossec</database>
<type>mysql</type>
</database_output>
</ossec_config>
<remote>
127 <connection>syslog</connection>
128<allowed-ips>192.168.22.0/24</allowed-ips>
129 </remote>
/usr/local/ossec/bin/ossec-control restart
# /usr/local/ossec/bin/manage_agents
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
#下面依次:
A #add
Please provide the following:
*A name for the new agent: agent1
*The IP Address of the new agent: 192.168.22.241
*An ID for the new agent[001]: 001
Agent information:
ID:001
Name:agent1
IPAddress:192.168.22.241
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: agent1, IP: 192.168.22.241
Provide the ID of the agent to extract thekey (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0MSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZsNhZDd3YmFjZjddZTFkMmNj
#安装agent的时候需要这个秘钥
** Press ENTER to return to the main menu.
Choose your action: A,E,L,R or Q: Q
udp 0 0 0.0.0.0:514 0.0.0.0:* 4511/ossec-remoted
udp 0 0 0.0.0.0:1514 0.0.0.0:* 4513/ossec-remoted
vim /etc/sysconfig/iptables #开启iptables的端口
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1514 -j ACCEPT
service iptables restart
# tar -xzf ossec-hids-2.8.tar.gz
# cd ossec-hids-2.8
# ./install.sh
Y #默认为en
Enter #开始安装
Agent #作为代理
/usr/local/ossec #安装目录
192.168.22.240 #添加server的ip
Enter #Running syscheck (integrity check daemon)
Enter #Running rootcheck (rootkit detection)
Enter #active response
3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/nginx/error.log (apache log)
Enter #开始安装
/usr/local/ossec/bin/ossec-control start
/usr/local/ossec/bin/ossec-control stop
/usr/local/ossec/etc/ossec.conf
/usr/local/ossec/bin/manage_agents
# /usr/local/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or newlines.
Paste it here (or '\q' to quit):
MDAxIGFnZW50MSAxOTIuMTY4LjIyLjI0zSBmYTcxYWE1ZWQxYTg0YTM3MDcwNTFkMGRkMDY4NTcyNDQ5NDY2MWRkYTI3ZTMxZTNdZDc3YmFjZjdmZTFk5mNj
Agent information:
ID:001
Name:agent1
IPAddress:192.168.22.241
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Choose your action: I or Q: Q
# /usr/local/ossec/bin/ossec-control restart
/usr/local/ossec/logs/ossec.log
cd /var/www
unzip ossec-wui-master.zip
mv ossec-wui-master html/ossec
cd html/ossec/
# cat ossec_conf.php
/* Ossec directory */
#$ossec_dir="/var/ossec";
$ossec_dir="/usr/local/ossec";
# ./setup.sh
Setting up ossec ui...
Username: ossec
New password:
Re-type new password:
Adding password for user ossec
Enter your web server user name (e.g.apache, www, nobody, www-data, ...)
apache
Enter your OSSEC install directory path(e.g. /var/ossec)
/usr/local/ossec
You must restart your web server after thissetup is done.
Setup completed successfuly.
# vim /etc/httpd/conf.d/ossec.conf
<Directory /var/www/html/ossec>
Order deny,allow
Deny from all
Allow from 192.168.22.0/24
Options FollowSymLinks #外网访问配置,把上面注释或删除
AllowOverride None #外网访问配置
Order deny,allow #外网访问配置
allow from all #外网访问配置
Options -MultiViews
AuthName "OSSEC AUTH"
AuthType Basic
AuthUserFile /var/www/html/ossec/.htpasswd
Require valid-user
</Directory>
-A INPUT -m state --state NEW -m tcp -p tcp--dport 80 -j ACCEPT
chown apache:apache *
service httpd restart
cd /var/www/html
wget https://github.com/ECSC/analogi/archive/master.zip
unzip analogi-master.zip
mv analogi-master ossec/analogi
chown apache.apache -R ossec
cd ossec/analogi
cp db_ossec.php.new db_ossec.php
vim db_ossec.php
define ('DB_USER_O', 'ossec');
define ('DB_PASSWORD_O', 'ossec');
define ('DB_HOST_O', 'localhost');
define ('DB_NAME_O', 'ossec');
vim /etc/httpd/conf.d/analogi.conf
<Directory /var/www/html/analogi>
Order deny,allow
Deny from all
Allow from 192.168.22.0/24
Options FollowSymLinks #外网访问配置,把上面注释或删除
AllowOverride None #外网访问配置
Order deny,allow #外网访问配置
allow from all #外网访问配置
</Directory>
# service httpd restart
# /usr/local/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of availableagents:
ID: 000, Name: localhost.localdomain (server), IP: 127.0.0.1,Active/Local
ID: 001, Name: agent1, IP: 192.168.22.241, Active
# /usr/local/ossec/bin/list_agents -a
agent1-192.168.22.241 is available.
# /usr/local/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-dbd is running...
(责任编辑:IT)
(责任编辑:IT) |
