OSSEC: Ubuntu 18.04: Difference between revisions
From OnnoCenterWiki
Related Links
- IDS
- OSSEC
- OSSEC: Ubuntu 18.04
- OSSEC: whitelisting
Latest revision as of 00:36, 30 March 2020
Install Prerequisites
sudo su
apt update
apt -y install build-essential make zlib1g-dev libpcre2-dev libz-dev libssl-dev libevent-dev
Download & Install
sudo su
cd /usr/local/src
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar zxvf 3.6.0.tar.gz
cd /usr/local/src/ossec-hids-3.6.0
./install.sh
Installation Walkthrough
NOTES:
- For most prompts, just press ENTER
- If e-mail notification is enabled, you need to enter an e-mail address.
- Choose language: [en]
OSSEC HIDS v3.6.0 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
- System: Linux ubuntu 4.15.0-20-generic
- User: root
- Host: ubuntu
ENTER
1- What kind of installation do you want (server, agent, local, hybrid or help)?
server
hybrid
2- Setting up the installation environment.
ENTER [/var/ossec]
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: ENTER
- What's your e-mail address? email@address.anda
- We found your SMTP server as: smtp.server.anda
- Do you want to use it? (y/n) [y]: ENTER
3.2- Do you want to run the integrity check daemon? (y/n) [y]: ENTER
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: ENTER
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: ENTER
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]: ENTER
- firewall-drop enabled (local) for levels >= 6
-
- 127.0.0.53
- Do you want to add more IPs to the white list? (y/n)? [n]: ENTER
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:
- Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/dpkg.log
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
Compilation Finished
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at https://github.com/ossec/ossec-hids or using
our public maillist at
https://groups.google.com/forum/#!forum/ossec-list
More information can be found at http://www.ossec.net
Run
Start:
/var/ossec/bin/ossec-control start
Stop:
/var/ossec/bin/ossec-control stop
Configuration file:
/var/ossec/etc/ossec.conf
Log
Important events recorded by OSSEC HIDS can be read under
/var/ossec/logs/
The files with the most important content are
/var/ossec/logs/active-responses.log
/var/ossec/logs/alerts/alerts.log
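As an added example (not code from the original page or from the OSSEC project), a small Python parser for the alerts.log layout named above that applies the two settings the installer printed earlier: firewall-drop for alert levels >= 6, and the 127.0.0.53 white list. The sample log is constructed, not a real capture.

```python
import re
# Constructed sample in alerts.log layout (not a real capture); each alert's trailing raw log line is omitted.
SAMPLE_ALERTS = """\
** Alert 1585526160.8542: mail  - syslog,sshd,authentication_failed,
2020 Mar 30 00:36:00 ubuntu->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10

** Alert 1585526190.8600: - syslog,sshd,authentication_failures,
2020 Mar 30 00:36:30 ubuntu->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10

** Alert 1585526200.8700: - syslog,sshd,authentication_failures,
2020 Mar 30 00:36:40 ubuntu->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 127.0.0.53
"""

RESPONSE_LEVEL = 6           # installer: "firewall-drop enabled (local) for levels >= 6"
WHITE_LIST = {"127.0.0.53"}  # white list the installer printed; never blocked

ALERT_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?P<mail> mail)?\s+- (?P<groups>.*),$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alerts(text):
    """Return one dict per '** Alert' block: ts, mail flag, groups, rule, level, desc, src_ip."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:                                  # header line opens a new alert block
            cur = {"ts": float(m["ts"]), "mail": bool(m["mail"]),
                   "groups": m["groups"].split(","), "src_ip": None}
            alerts.append(cur)
        elif cur is not None:
            m = RULE_RE.match(line)
            if m:
                cur.update(rule=int(m["id"]), level=int(m["level"]), desc=m["desc"])
            elif line.startswith("Src IP: "):
                cur["src_ip"] = line[len("Src IP: "):].strip()
    return alerts

def firewall_drop_candidates(alerts):
    """Split alerting IPs into (would be blocked by firewall-drop, skipped as white-listed)."""
    drop, skipped = set(), set()
    for a in alerts:
        if a["src_ip"] and a.get("level", 0) >= RESPONSE_LEVEL:
            (skipped if a["src_ip"] in WHITE_LIST else drop).add(a["src_ip"])
    return sorted(drop), sorted(skipped)
```

Comparing the first list against the blocks recorded in active-responses.log is a quick way to confirm the active response actually fired for every alert that crossed the threshold.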