Setting up and using the open-source intrusion detection system OSSEC

Environment: CentOS 7

Official site

http://www.ossec.net/

Linux download URL

https://github.com/ossec/ossec-hids/archive/2.9.4.tar.gz

wget https://github.com/ossec/ossec-hids/archive/2.9.4.tar.gz

tar -xzvf 2.9.4.tar.gz

cd ossec-hids-2.9.4

./install.sh

Choose the language: cn

Confirm that the gcc compiler is installed, then press Enter.
Choose standalone mode: local

root@vultr:~/ossec-hids-2.9.4# ./install.sh

** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvű telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: cn

OSSEC HIDS v2.9.4 安装脚本 - http://www.ossec.net

您将开始 OSSEC HIDS 的安装.
请确认在您的机器上已经正确安装了 C 编译器.

  - 系统类型: Linux vultr.guest 3.13.0-149-generic
  - 用户: root
  - 主机: vultr.guest

    -- 按 ENTER 继续或 Ctrl-C 退出. --

1- 您希望哪一种安装 (server, agent, local or help)? local
  - 选择了 Local 类型的安装.

2- 正在初始化安装环境.
  - 请选择 OSSEC HIDS 的安装路径 [/var/ossec]:
    - OSSEC HIDS 将安装在 /var/ossec .

3- 正在配置 OSSEC HIDS.

3.1- 您希望收到e-mail告警吗? (y/n) [y]: n
  -- Email告警没有启用 .

3.2- 您希望运行系统完整性检测模块吗? (y/n) [y]: y
  - 系统完整性检测模块将被部署.

3.3- 您希望运行 rootkit检测吗? (y/n) [y]: y
  - rootkit检测将被部署.
strings: '/usr/bin/mail': No such file

3.4- 关联响应允许您在分析已接收事件的基础上执行一个
   已定义的命令.
   例如,你可以阻止某个IP地址的访问或禁止某个用户的访问权限.
   更多的信息,您可以访问:
   http://www.ossec.net/en/manual.html#active-response

  - 您希望开启联动(active response)功能吗? (y/n) [y]:

Next, accept the defaults for everything.

  - 您希望开启联动(active response)功能吗? (y/n) [y]: y
    - 关联响应已开启
  - 默认情况下, 我们开启了主机拒绝和防火墙拒绝两种响应.
    第一种情况将添加一个主机到 /etc/hosts.deny.
    第二种情况将在iptables(linux)或ipfilter(Solaris,
    FreeBSD 或 NetBSD)中拒绝该主机的访问.
  - 该功能可以用以阻止 SSHD 暴力攻击, 端口扫描和其他
    一些形式的攻击. 同样你也可以将他们添加到其他地方,
    例如将他们添加为 snort 的事件.

  - 您希望开启防火墙联动(firewall-drop)功能吗? (y/n) [y]: y
    - 防火墙联动(firewall-drop)当事件级别 >= 6 时被启动
  - 联动功能默认的白名单是:
    - 108.61.10.10
  - 您希望添加更多的IP到白名单吗? (y/n)? [n]: n

3.6- 设置配置文件以分析一下日志:
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/dpkg.log
    -- /var/log/snort/alert (snort-full file)
    -- /var/log/nginx/access.log (apache log)
    -- /var/log/nginx/error.log (apache log)

 - 如果你希望监控其他文件, 只需要在配置文件ossec.conf中
   添加新的一项.
   任何关于配置的疑问您都可以在 http://www.ossec.net 找到答案.

   -- 按 ENTER 以继续 --

The installation then completes successfully.

Commonly used OSSEC files

Alert log:

/var/ossec/logs/alerts

The alerts.log file in that directory is the alert log for detected intrusion activity.

Active-response log:

/var/ossec/logs/active-responses.log

The core configuration file is:

/root/ossec-hids-2.9.4/etc/ossec.conf

(This is the template in the unpacked source tree. The copy that the running OSSEC actually reads, and the one edited later in this post, is /var/ossec/etc/ossec.conf; the installer writes the choices made above, such as the whitelisted IP, into that copy.)

Its contents are:

[root@vultr logs]# cat /root/ossec-hids-2.9.4/etc/ossec.conf

yes
[email protected]
smtp.example.com.
[email protected].

no

# these are the various rule files
rules_config.xml
sshd_rules.xml
syslog_rules.xml
pix_rules.xml
named_rules.xml
pure-ftpd_rules.xml
proftpd_rules.xml
web_rules.xml
web_appsec_rules.xml
apache_rules.xml
ids_rules.xml
squid_rules.xml
firewall_rules.xml
postfix_rules.xml
sendmail_rules.xml
spamd_rules.xml
msauth_rules.xml
attack_rules.xml
dropbear_rules.xml
sysmon_rules.xml
opensmtpd_rules.xml

7200

/etc,/usr/bin,/usr/sbin
/bin,/sbin,/boot

/etc/mtab
/etc/hosts.deny
/etc/mail/statistics
/etc/random-seed
/etc/adjtime
/etc/httpd/logs
/etc/ssl/private.key

# Rootkit detection
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt

127.0.0.1
::1
192.168.2.1  # these are the whitelist entries
192.168.2.190
192.168.2.32
192.168.2.10

secure

# active-response configuration
host-deny
local
6
600


The rules directory is

/var/ossec/rules

This is the full set of rule files shipped; we pick a few to look at:

apache_rules.xml ms_ftpd_rules.xml sendmail_rules.xml
apparmor_rules.xml ms-se_rules.xml smbd_rules.xml
arpwatch_rules.xml mysql_rules.xml solaris_bsm_rules.xml
asterisk_rules.xml named_rules.xml sonicwall_rules.xml
attack_rules.xml netscreenfw_rules.xml spamd_rules.xml
cimserver_rules.xml nginx_rules.xml squid_rules.xml
cisco-ios_rules.xml nsd_rules.xml sshd_rules.xml
clam_av_rules.xml openbsd_rules.xml symantec-av_rules.xml
courier_rules.xml opensmtpd_rules.xml symantec-ws_rules.xml
dovecot_rules.xml ossec_rules.xml syslog_rules.xml
dropbear_rules.xml owncloud_rules.xml sysmon_rules.xml
exim_rules.xml pam_rules.xml systemd_rules.xml
firewalld_rules.xml php_rules.xml telnetd_rules.xml
firewall_rules.xml pix_rules.xml trend-osce_rules.xml
ftpd_rules.xml policy_rules.xml unbound_rules.xml
hordeimp_rules.xml postfix_rules.xml vmpop3d_rules.xml
ids_rules.xml postgresql_rules.xml vmware_rules.xml
imapd_rules.xml proftpd_rules.xml _concentrator_rules.xml
local_rules.xml proxmox-ve_rules.xml vpopmail_rules.xml
mailscanner_rules.xml psad_rules.xml vsftpd_rules.xml
mcafee_av_rules.xml pure-ftpd_rules.xml web_appsec_rules.xml
msauth_rules.xml racoon_rules.xml web_rules.xml
ms_dhcp_rules.xml roundcube_rules.xml wordpress_rules.xml
ms-exchange_rules.xml rules_config.xml zeus_rules.xml

[root@vultr rules]# cat apache_rules.xml

apache-errorlog / Apache messages grouped.

30100 / ^[error] / Apache error messages grouped.

30100 / ^[warn] / Apache warn messages grouped.

30100 / ^[notice] / Apache notice messages grouped.

30103 / exit signal Segmentation Fault / Apache segmentation fault. / http://www.securityfocus.com/infocus/1633 / service_availability,

30101 / denied by server configuration / Attempt to access forbidden file or directory. / access_denied,

30101 / Directory index forbidden by rule / Attempt to access forbidden directory index. / access_denied,

30101 / Client sent malformed Host header / Code Red attack. / http://www.cert.org/advisories/CA-2001-19.html / CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL / automatic_attack,

30102 / authentication failed / User authentication failed. / authentication_failed,

30101 / user \S+ not found|user \S+ in realm \.* not found / Attempt to login using a non-existent user. / invalid_login,

30101 / authentication failure / User authentication failed. / authentication_failed,

30101 / File does not exist: |failed to open stream: No such file or directory|Failed opening / Attempt to access an non-existent file (those are reported on the access.log). / unknown_resource,

30101 / Invalid URI in request / Invalid URI (bad client request). / invalid_request,

30115 / Multiple Invalid URI requests from same source. / invalid_request,

30101 / File name too long|request failed: URI too long / Invalid URI, file name too long. / invalid_request,

30101 / mod_security: Access denied|ModSecurity: Access denied / Access attempt blocked by Mod Security. / access_denied,

30118 / Multiple attempts blocked by Mod Security. / access_denied,

30101 / Resource temporarily unavailable: / Apache without resources to run. / service_availability,

^mod_security-message: / Modsecurity alert.

30200 / ^mod_security-message: Access denied / Modsecurity access denied. / access_denied,

30201 / Multiple attempts blocked by Mod Security. / access_denied,

30100 / [\S*:error] / Apache error messages grouped.

30100 / [\S+:warn] / Apache warn messages grouped.

30100 / [\S+:notice] / Apache notice messages grouped.

30303 / exit signal Segmentation Fault / Apache segmentation fault. / http://www.securityfocus.com/infocus/1633 / service_availability,

30301 / AH01630 / Attempt to access forbidden file or directory. / access_denied,

30301 / AH01276 / Attempt to access forbidden directory index. / access_denied,

30301 / AH00550 / Client sent malformed Host header. Possible Code Red attack. / http://www.cert.org/advisories/CA-2001-19.html / CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL / automatic_attack,

30301 / AH01617|AH01807|AH01694|AH01695|AH02009|AH02010 / User authentication failed. / authentication_failed,

30301 / AH01618|AH01808|AH01790 / Attempt to login using a non-existent user. / invalid_login,

30309 / Multiple authentication failures with invalid user. / authentication_failures,

30301 / File does not exist: |failed to open stream: No such file or directory|Failed opening / Attempt to access an non-existent file (those are reported on the access.log). / unknown_resource,

30301 / AH00126 / Invalid URI (bad client request). / invalid_request,

30315 / Multiple Invalid URI requests from same source. / invalid_request,

30301 / AH00565 / Invalid URI, file name too long. / invalid_request,

30301 / PHP Notice: / PHP Notice in Apache log

30301 / AH00036 / File name too long: / File name too long.

30301 / Permission denied: | client denied by server configuration: / Permission denied.

30301 / AH02811 / script not found / A script cannot be accessed.

30301 / ModSecurity: Warning / ModSecurity Warning messages grouped

30301 / ModSecurity: Access denied / ModSecurity Access denied messages grouped

30301 / ModSecurity: Audit log: / ModSecurity Audit log messages grouped

30402 / with code 403 / ModSecurity rejected a query

A rule defines its effect by using match to look for a keyword that appears in the Apache log when the server is accessed. For example:

30301 / AH01630 / Attempt to access forbidden file or directory. / access_denied,

This rule's id is 30305: it fires when a user attempts to access a non-existent file or directory, in which case that user may well be an attacker.

Common commands

Start and stop:

/var/ossec/bin/ossec-control start

/var/ossec/bin/ossec-control stop

Agent management:

/var/ossec/bin/manage_agents

Testing rules:

/var/ossec/bin/ossec-logtest

Here we demonstrate adding a rule that detects SSH brute-force attempts.

The characteristic of SSH login log entries is that the program name begins with sshd.

vim syslog_rules.xml

Find this section:

FAILED LOGIN |authentication failure|
Authentication failed for|invalid password for|
LOGIN FAILURE|auth failure: |authentication error|
authinternal failed|Failed to authorize|
Wrong password given for|login failed|Auth: Login incorrect|
Failed to authenticate user
authentication_failed,
User authentication failure.

more authentication failures;|REPEATED login failures
User missed the password more than one time
authentication_failed,
no

vim /var/ossec/etc/ossec.conf

rules_config.xml
pam_rules.xml
sshd_rules.xml
telnetd_rules.xml
syslog_rules.xml

Looking at the alert log, we can see the rule has taken effect:

[root@vultr alerts]# cat alerts.log

** Alert 1531039434.0: mail - ossec,
2018 Jul 08 08:43:54 vultr->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1531039489.151: - syslog,sshd,
2018 Jul 08 08:44:49 guest->/var/log/secure
Rule: 5702 (level 5) -> 'Reverse lookup error (bad ISP or attack).'
Src IP: 118.212.136.13
Jul 8 08:44:49 guest sshd[8279]: reverse mapping checking getaddrinfo for 13.136.212.118.adsl-pool.jx.chinaunicom.com [118.212.136.13] failed - POSSIBLE BREAK-IN ATTEMPT!

** Alert 1531039491.499: - pam,syslog,authentication_failed,
2018 Jul 08 08:44:51 guest->/var/log/secure
Rule: 5503 (level 5) -> 'User login failed.'
Src IP: 118.212.136.13
User: root
Jul 8 08:44:51 guest sshd[8279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.212.136.13 user=root

** Alert 1531039495.832: - syslog,sshd,authentication_failed,
2018 Jul 08 08:44:55 guest->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 118.212.136.13
User: root
Jul 8 08:44:53 guest sshd[8279]: Failed password for root from 118.212.136.13 port 8073 ssh2

** Alert 1531039501.1121: - syslog,sshd,authentication_failed,
2018 Jul 08 08:45:01 guest->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 118.212.136.13
User: root
Jul 8 08:45:00 guest sshd[8279]: Failed password for root from 118.212.136.13 port 8073 ssh2

** Alert 1531039503.1411: - syslog,sshd,authentication_failed,
2018 Jul 08 08:45:03 guest->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 118.212.136.13
User: root
Jul 8 08:45:03 guest sshd[8279]: Failed password for root from 118.212.136.13 port 8073 ssh2

** Alert 1531039505.1701: mail - syslog,access_control,authentication_failed,
2018 Jul 08 08:45:05 guest->/var/log/secure
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Src IP: 118.212.136.13
User: root
Jul 8 08:45:04 guest sshd[8279]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.212.136.13 user=root

** Alert 1531039674.2069: - syslog,sshd,
2018 Jul 08 08:47:54 guest->/var/log/secure
Rule: 5702 (level 5) -> 'Reverse lookup error (bad ISP or attack).'
Src IP: 118.212.136.15
Jul 8 08:47:53 guest sshd[8452]: reverse mapping checking getaddrinfo for 15.136.212.118.adsl-pool.jx.chinaunicom.com [118.212.136.15] failed - POSSIBLE BREAK-IN ATTEMPT!

** Alert 1531039678.2418: mail - syslog,fts,authentication_success
2018 Jul 08 08:47:58 guest->/var/log/secure
Rule: 10100 (level 4) -> 'First time user logged in.'
Src IP: 118.212.136.15
User: root
Jul 8 08:47:57 guest sshd[8452]: Accepted password for root from 118.212.136.15 port 48713 ssh2

** Alert 1531039678.2716: - pam,syslog,authentication_success,
2018 Jul 08 08:47:58 guest->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Jul 8 08:47:57 guest sshd[8452]: pam_unix(sshd:session): session opened for user root by (uid=0)
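As an added example (not code from the original post or from the OSSEC project), the Python below parses records in the alerts.log layout shown above and then re-implements, outside OSSEC, the composite-rule logic behind the brute-force demonstration: several alerts of one rule id (here 5716, the SSHD authentication failure) from the same source IP inside a time window escalate to a single finding, the way a rule with if_matched_sid, frequency, timeframe and same_source_ip would. The sample records and their RFC 5737 addresses are constructed, the description is assumed to be wrapped in straight single quotes as OSSEC writes it, and parse_alerts/correlate are names chosen here.

```python
import re
# Constructed sample in the alerts.log layout shown above (not a real capture); RFC 5737 addresses.
SAMPLE_ALERTS = """\
** Alert 1531039495.832: - syslog,sshd,authentication_failed,
2018 Jul 08 08:44:55 guest->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7

** Alert 1531039501.1121: - syslog,sshd,authentication_failed,
2018 Jul 08 08:45:01 guest->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7

** Alert 1531039503.1411: - syslog,sshd,authentication_failed,
2018 Jul 08 08:45:03 guest->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7

** Alert 1531039520.1700: - syslog,sshd,authentication_failed,
2018 Jul 08 08:45:20 guest->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.9
"""

# Header: "** Alert <epoch>.<seq>: [mail ]- <group,group,>"; Rule: "Rule: <id> (level <n>) -> '<desc>'"
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+: (?:\w+ )?- (\S+)")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'")

def parse_alerts(text):
    """One dict per '** Alert' block: header, location, Rule line, then an optional 'Src IP:' line."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head, rule = HEADER_RE.match(lines[0]), RULE_RE.match(lines[2])
        src = next((ln[len("Src IP: "):] for ln in lines[3:] if ln.startswith("Src IP: ")), None)
        alerts.append({"ts": int(head.group(1)), "groups": head.group(2).strip(",").split(","),
                       "rule": int(rule.group(1)), "level": int(rule.group(2)),
                       "description": rule.group(3), "src_ip": src})
    return alerts

def correlate(alerts, if_matched_sid=5716, frequency=3, timeframe=120):
    """Mimic an OSSEC composite rule (if_matched_sid + frequency + timeframe + same_source_ip):
    return {src_ip: ts} for each source reaching `frequency` matching alerts within `timeframe` s."""
    recent, escalated = {}, {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["rule"] != if_matched_sid or not a["src_ip"]:
            continue  # only the watched rule, and only alerts that carry a source IP, count
        recent[a["src_ip"]] = hits = [t for t in recent.get(a["src_ip"], []) if a["ts"] - t <= timeframe] + [a["ts"]]
        if len(hits) >= frequency:
            escalated.setdefault(a["src_ip"], a["ts"])  # record when the threshold was first crossed
    return escalated
```

Running correlate(parse_alerts(SAMPLE_ALERTS)) flags only 203.0.113.7 (three failures in eight seconds); the single failure from 198.51.100.9 never reaches the threshold, which is the distinction the level-10 rule 2502 in the log above draws in practice.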
