OSSEC is a fully open-source, free host-based intrusion detection (HIDS) tool. It supports many platforms, including Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and VMware ESX; it ships with predefined intrusion rules plus customization options, supports user-defined rules, and when a rule fires it can notify by e-mail, write to a database or write to syslog. From version 2.9.0 it can also write alerts to a JSON-formatted file. For more details see the official site: OSSEC.
OSSEC uses a client/server architecture with two components, Server and Agent. The deployment here uses three virtual machines: one runs the Server, the other two run only the Agent. The environment details are as follows:
| Item             | VM1 (Server)                        | VM2 (Agent)                       | VM3 (Agent)                       |
|------------------|-------------------------------------|-----------------------------------|-----------------------------------|
| Hardware         | CPU: 8 cores, RAM: 16G, disk: 100G  | CPU: 4 cores, RAM: 4G, disk: 100G | CPU: 2 cores, RAM: 2G, disk: 100G |
| IP address       | 172.16.11.141                       | 172.16.11.197                     | 172.16.11.198                     |
| Operating system | CentOS 7                            | CentOS 7                          | CentOS 7                          |
| Hostname         | master                              | ansible1                          | ansible2                          |
| Software version | OSSEC 2.8.1, MySQL 8.0              | OSSEC 2.8.1                       | OSSEC 2.8.1                       |
OSSEC installation
Run the following on VM1 (Server):
wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz #download OSSEC 2.8.1; the latest version is 3.6.0, but when I tried installing it
#the agent could not connect to the server; there is a related GitHub issue: https://github.com/ossec/ossec-hids/issues/1869
tar -zxvf 2.8.1.tar.gz #extract
mv ossec-hids-2.8.1/ ossec-hids #rename the directory
cd ossec-hids/ #enter the directory
export OSSEC_SOURCE=$(pwd) #remember the source directory
yum -y install mysql-devel postgresql-devel zlib-devel pcre2-devel make gcc sqlite-devel openssl-devel libevent-devel #install the build dependencies
ln -s /usr/lib64/mysql/libmysqlclient.so.18 /usr/lib/libmysqlclient.so.18 #symlink the MySQL client library where the build looks for it
ln -s /usr/lib64/mysql/libmysqlclient.so.18 /usr/lib64/libmysqlclient.so.18 #same for /usr/lib64
cd src
make setdb #enable database support; the command prints:
#Info: Compiled with MySQL support.
#Info: Compiled with PostgreSQL support.
#in version 3.6.0 this target no longer exists, see: https://github.com/ossec/ossec-hids/issues/1905
cd .. && ./install.sh #run the install script
The install script interaction is as follows:
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvű telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en #choose the language
OSSEC HIDS v2.8 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
System: Linux master 3.10.0-1127.18.2.el7.x86_64
User: root
Host: master
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? server #install the server side
2- Setting up the installation environment.
Choose where to install the OSSEC HIDS [/var/ossec]:
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: y #enable e-mail notification
What's your e-mail address? 1769128867@qq.com #recipient address
What's your SMTP server ip/host? 127.0.0.1 #SMTP server address
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y #enable the integrity check daemon
Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y #enable the rootkit detection engine
Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
Do you want to enable active response? (y/n) [y]: y #enable active response
By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
Do you want to enable the firewall-drop response? (y/n) [y]: n #disable the firewall-drop response
Default white list for the active response:
Do you want to add more IPs to the white list? (y/n)? [n]: n #no extra whitelist entries needed
3.4- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y #enable remote syslog
Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/httpd/error_log (apache log)
-- /var/log/httpd/access_log (apache log)
--- Press ENTER to continue ---
5- Installing the system
Running the Makefile
INFO: Little endian set.
...... compile output omitted ......
Init script modified to start OSSEC HIDS during boot.
Configuration finished properly.
To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
/var/ossec/bin/manage_agents
More information at:
http://www.ossec.net/en/manual.html#ma
At this point the server side is installed. You can add the agent entries now, using manage_agents to add an agent:
/var/ossec/bin/manage_agents
The manage_agents interaction is as follows:
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A #choose "add an agent"
Confirm adding it?(y/n): y #confirm
Agent added.
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E #choose "extract key for an agent"
Available agents:
ID: 001, Name: ansible1, IP: 172.16.11.197
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ==
** Press ENTER to return to the main menu.
...... Repeat the steps to add agent 2, and record each agent key; it is needed later when configuring the agent. ......
MySQL database configuration
I won't repeat the MySQL installation here; follow the steps from my earlier Zabbix setup: MySQL installation. Once MySQL is installed, create the database and import the table schema that OSSEC uses.
mysql -u root -p
#enter the root user's password
mysql> create database ossec character set utf8 collate utf8_bin; #create the database
mysql> create user ossec identified by 'QCgOvUJ7&Cs*dG4m'; #create the user OSSEC connects as
mysql> grant all privileges on ossec.* to ossec; #grant access to the ossec database only
mysql> flush privileges;
Once the database user exists, import the table schema. The MySQL schema file is in the source tree at src/os_dbd/mysql.schema; import it with the mysql client:
mysql -uossec -p'QCgOvUJ7&Cs*dG4m' ossec < $OSSEC_SOURCE/src/os_dbd/mysql.schema #import the MySQL schema; the password must be quoted because & and * are special to the shell
After the import, configure OSSEC itself to connect to that database server and user: edit /var/ossec/etc/ossec.conf and add the following:
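An added example of the fragment (not the original post's own config), built from the documented database_output format and the values used above; 127.0.0.1 is an assumption because MySQL runs on the server VM, and the password is a placeholder:

```xml
<ossec_config>
  <!-- Added example: ossec-dbd output to the MySQL instance on VM1 -->
  <database_output>
    <hostname>127.0.0.1</hostname>         <!-- assumption: MySQL listens on the OSSEC server host -->
    <username>ossec</username>             <!-- user created with CREATE USER above -->
    <password>YOUR_DB_PASSWORD</password>  <!-- placeholder: the password from the CREATE USER step -->
    <database>ossec</database>             <!-- database loaded from src/os_dbd/mysql.schema -->
    <type>mysql</type>                     <!-- mysql or postgresql, matching what "make setdb" compiled in -->
  </database_output>
</ossec_config>
```

Because ossec.conf is XML, a database password containing & or < (the one above contains &) needs care; after starting, confirm in /var/ossec/logs/ossec.log that ossec-dbd actually connected.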
Note: the <database_output> element goes inside <ossec_config>; see the official documentation: Configuring MySQL. After saving the file, enable database support:
/var/ossec/bin/ossec-control enable database
Start OSSEC
/var/ossec/bin/ossec-control start
Once started, /var/ossec/logs/ossec.log shows that the database connection has been established, as shown below:
Adding an agent
Adding an agent requires the agent's IP, ID and hostname. Run the following to add it:
/var/ossec/bin/manage_agents
The script interaction is as follows:
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A #add an agent
Agent information:
ID:001
Name:ansible01
IP Address:172.16.11.197
Confirm adding it?(y/n): y
Agent added.
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: ansible1, IP: 172.16.11.197
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ==
** Press ENTER to return to the main menu.
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: Q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ..
After adding agents, remember to restart the OSSEC service. Note that adding an agent here does not by itself make the OSSEC service usable: the agent side still has to import the agent key and start the agent process before the setup is complete.
/var/ossec/bin/ossec-control restart
Run the same steps on VM2 (Agent) and VM3 (Agent):
wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz #download OSSEC 2.8.1; the latest version is 3.6.0, but when I tried it the agent could not connect to the server;
#there is a related GitHub issue: https://github.com/ossec/ossec-hids/issues/1869
tar -zxvf 2.8.1.tar.gz #extract
mv ossec-hids-2.8.1/ ossec-hids #rename the directory
cd ossec-hids/ #enter the directory
yum -y install mysql-devel postgresql-devel zlib-devel pcre2-devel make gcc sqlite-devel openssl-devel libevent-devel #install the build dependencies
./install.sh #run the install script
The install script interaction is as follows:
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvű telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en #choose the language
OSSEC HIDS v2.8 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux ansible1 3.10.0-1127.18.2.el7.x86_64
- User: root
- Host: ansible1
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? agent #install the agent side
- Agent(client) installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 172.16.11.141 #the server's IP or hostname
- Adding Server IP 172.16.11.141
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y #enable the integrity check daemon
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y #enable rootkit detection
- Running rootcheck (rootkit detection).
3.4 - Do you want to enable active response? (y/n) [y]: y #enable active response
3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/nginx/access.log (apache log)
-- /var/log/nginx/error.log (apache log)
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
5- Installing the system
- Running the Makefile
INFO: Little endian set.
...... compile output omitted ......
- System is Redhat Linux.
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
- You first need to add this agent to the server so they
can communicate with each other. When you have done so,
you can run the 'manage_agents' tool to import the
authentication key from the server.
/var/ossec/bin/manage_agents
More information at:
http://www.ossec.net/en/manual.html#ma
The Agent side is now installed; by default the install script places it under /var/ossec. To configure the Agent, first add this Agent host on the Server side; see the Server section for adding an Agent and extracting its key. Then extract this client's authentication key, copy it to the agent host, and import it by running:
/var/ossec/bin/manage_agents
Script interaction:
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I #choose "import a key exported from the Server"
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ== #paste the key
Agent information:
ID:001
Name:ansible1
IP Address:172.16.11.197
Confirm adding it?(y/n): y #confirm
Added.
** Press ENTER to return to the main menu.
The import is complete and the Agent can now be started:
/var/ossec/bin/ossec-control start
Finally, check on the Server that the agents are running properly. On the Server, run /var/ossec/bin/agent_control -l to list the Agents that were added:
[root@master ossec]# /var/ossec/bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: master (server), IP: 127.0.0.1, Active/Local
ID: 002, Name: ansible2, IP: 172.16.11.198, Active
ID: 001, Name: ansible1, IP: 172.16.11.197, Active
List of agentless devices:
E-mail notification is configured on the Server side. Here I use a NetEase 163 mailbox as the sender and a Tencent QQ mailbox as the recipient to set up OSSEC mail notification.
Install the required packages
yum install -y postfix mailx cyrus-sasl cyrus-sasl-plain #install Postfix and the mail client / SASL packages
Configure Postfix in /etc/postfix/main.cf
cat >> /etc/postfix/main.cf << EOF
relayhost = [smtp.163.com]:25
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes
EOF
Configure the sending mailbox account and password
echo "[smtp.163.com]:25 superlollipop@163.com:QFIANRBFCXMHEOVA" > /etc/postfix/sasl_passwd
#format: [smtp server address]:port USERNAME@gmail.com:PASSWORD
postmap /etc/postfix/sasl_passwd #rebuild the Postfix lookup table so the change takes effect
PASSWORD is the third-party client authorization code issued by the mail provider, not the login password; look up your provider's documentation to obtain it. If postmap complains that libmysqlclient.so.18 is missing, install the MySQL client library with yum install mariadb-libs. For common mail server addresses and ports see the article: common mail server (SMTP, POP3) addresses and ports.
Restrict the owner and permissions of the password file and the generated .db file
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
Start the Postfix service
systemctl start postfix
Test that the configuration works
echo "Test mail from postfix" | mail -s "Test Postfix" -r "superlollipop@163.com" 1769128867@qq.com
#-s subject: the mail subject; -r from-addr: the sender address; 1769128867@qq.com is the recipient address
The test mail is shown in the screenshot below:
Configure /var/ossec/etc/ossec.conf as follows:
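An added example of the mail settings (not the original post's own fragment), using the documented <global> and <alerts> options with the addresses from this post; the per-hour cap is an assumption and equals the default:

```xml
<ossec_config>
  <!-- Added example: route alert mail through the local Postfix relay set up above -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>1769128867@qq.com</email_to>           <!-- recipient (QQ mailbox) -->
    <email_from>superlollipop@163.com</email_from>   <!-- sender; must be the account Postfix authenticates as -->
    <smtp_server>127.0.0.1</smtp_server>             <!-- local Postfix, which relays to smtp.163.com -->
    <email_maxperhour>12</email_maxperhour>          <!-- assumption: limit mail volume (12 is the default) -->
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>         <!-- only level 7 and above is mailed unless a rule sets alert_by_email -->
  </alerts>
</ossec_config>
```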
Note: the <global> element goes inside <ossec_config>; see the official documentation: Alerts to a single E-Mail Address.
Restart the OSSEC service
/var/ossec/bin/ossec-control restart
OSSEC mail notification is now set up. Rules can be adjusted by editing the XML files under /var/ossec/rules. Many of these rules do not have e-mail notification enabled; to get a mail when a user's password is changed, for example, edit /var/ossec/rules/pam_rules.xml as follows:
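An added example of that edit (not the original post's own diff): the one line added is <options>alert_by_email</options>, which mails the alert even though its level is below email_alert_level. The rule id 5555 and its match text are assumed from the stock pam_rules.xml; check them against your copy and leave the rule's other child elements as they are.

```xml
<!-- Added example: password-change rule in /var/ossec/rules/pam_rules.xml with mail forced on -->
<group name="pam,syslog,">
  <rule id="5555" level="3">                <!-- assumption: id and level as in the stock ruleset -->
    <if_sid>5500</if_sid>                   <!-- child of the pam_unix grouping rule -->
    <match>password changed for</match>     <!-- assumption: matches "pam_unix(passwd:chauthtok): password changed for ..." -->
    <description>User changed password.</description>
    <options>alert_by_email</options>       <!-- the added line: send this alert by mail regardless of level -->
  </rule>
</group>
```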
Save the file, then run /var/ossec/bin/ossec-control restart to restart OSSEC so the change takes effect. Then, as a test, change the root user's password on the Server; the resulting e-mail notification is shown below: