Kusprayitna Blogs

Living to share knowledge :: IT Linux Windows Database Oracle PHP OpenSource

Installing the OSSEC-HIDS agent on Linux

Posted by kusprayitna on July 6th, 2010

OSSEC agent installation

Once you have an OSSEC-HIDS server, the next step is to install the OSSEC agent on the other servers so that each of them can send its information to the OSSEC-HIDS server.

The steps to install the OSSEC agent are:

  1. Download the OSSEC source code; pick the most recent release. The download is plain HTTP, so compare the archive's checksum with the one published on the download page before going any further

    # wget http://www.ossec.net/files/ossec-hids-latest.tar.gz

  2. Extract the archive

    # tar -xzf ossec-hids*

  3. Run the installer

    # cd ossec-hids*
    # ./install.sh

  4. Follow the installer's prompts

** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします．選択して下さい．[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]:

OSSEC HIDS v2.4.1 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux mailx.uii.ac.id 2.6.18-164.el5PAE
- User: root
- Host: mailx.uii.ac.id

-- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local or help)? agent

- Agent(client) installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:

- Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

3.1- What's the IP Address of the OSSEC HIDS server?: 192.168.200.33

- Adding Server IP 192.168.200.33

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4 - Do you want to enable active response? (y/n) [y]: y

3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---

.....

.....

.....

- System is Redhat Linux.
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

---  Press ENTER to finish (maybe more information below). ---

- You first need to add this agent to the server so they
can communicate with each other. When you have done so,
you can run the 'manage_agents' tool to import the
authentication key from the server.

/var/ossec/bin/manage_agents

More information at:
http://www.ossec.net/en/manual.html#ma

Two answers in the installation above are the ones that matter: the installation type is agent, and the IP address of the OSSEC server is given, here 192.168.200.33.
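The four steps above, run unattended, as an added example that is not part of the original post and not OSSEC's own code: install.sh sources etc/preloaded-vars.conf from the unpacked source tree and skips every question that file answers, which gives the same result as the interactive session above (agent install into /var/ossec, server 192.168.200.33, syscheck, rootcheck and active response enabled). The script also refuses to run install.sh unless the tarball's SHA-1 matches the value you copied from the ossec.net download page: the wget in step 1 is plain HTTP and the installer runs as root. The checksum argument, the use of sha1sum and the function names are assumptions of this example.

```shell
#!/bin/sh
# Unattended OSSEC agent install: example added to this page, not OSSEC code.
# Reproduces the answers given interactively above without the prompts.
# Assumed: the tarball was downloaded as in step 1 and you have the SHA-1
# published for it on the ossec.net download page (passed as an argument).

OSSEC_SERVER_IP="${OSSEC_SERVER_IP:-192.168.200.33}"   # the OSSEC server from the session above

# verify_tarball FILE EXPECTED_SHA1
# Returns 0 only when FILE's SHA-1 equals EXPECTED_SHA1. The wget in step 1
# is plain HTTP and install.sh runs as root, so this check is the only thing
# standing between a tampered download and root on this host.
verify_tarball() {
    [ -n "$2" ] || return 1
    actual=$(sha1sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# write_preloaded_vars SRCDIR
# Writes SRCDIR/etc/preloaded-vars.conf. install.sh sources this file and
# skips every question it answers; the USER_* names are the ones documented
# in the preloaded-vars.conf shipped in the OSSEC source tree. The values
# mirror the interactive session above.
write_preloaded_vars() {
    cat > "$1/etc/preloaded-vars.conf" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_AGENT_SERVER_IP="$OSSEC_SERVER_IP"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
EOF
}

# install_agent TARBALL EXPECTED_SHA1
# Steps 2-4 from above: verify, unpack, preload the answers, run install.sh.
install_agent() {
    tarball="$1"; expected="$2"
    if ! verify_tarball "$tarball" "$expected"; then
        echo "checksum mismatch for $tarball, refusing to run install.sh" >&2
        return 1
    fi
    tar -xzf "$tarball" || return 1
    # top-level directory inside the archive, e.g. ossec-hids-2.4.1
    srcdir=$(tar -tzf "$tarball" | head -n 1 | cut -d/ -f1)
    write_preloaded_vars "$srcdir"
    (cd "$srcdir" && ./install.sh)
}

# Usage, as root, in the directory holding the download:
#   install_agent ossec-hids-latest.tar.gz <sha1 from the ossec.net download page>
```

Because USER_NO_STOP is set, install.sh does not wait for ENTER at each "Press ENTER to continue" shown above; everything else it prints is the same. The key import in the next section still has to be done per agent.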

Registering the OSSEC agent with the OSSEC server

A. On the server

  1. Make sure UDP port 1514 on the server is not blocked by the firewall
  2. Run the agent manager: # /var/ossec/bin/manage_agents

    ****************************************
    * OSSEC HIDS v2.4.1 Agent manager.     *
    * The following options are available: *
    ****************************************
    (A)dd an agent (A).
    (E)xtract key for an agent (E).
    (L)ist already added agents (L).
    (R)emove an agent (R).
    (Q)uit.
    Choose your action: A,E,L,R or Q: a

    - Adding a new agent (use '\q' to return to the main menu).
    Please provide the following:
    * A name for the new agent: mailx.uii.ac.id
    * The IP Address of the new agent: 192.168.200.77
    * An ID for the new agent[022]:
    Agent information:
    ID:022
    Name:mailx.uii.ac.id
    IP Address:192.168.200.77

    Confirm adding it?(y/n): y
    Agent added.

    ****************************************
    * OSSEC HIDS v2.4.1 Agent manager.     *
    * The following options are available: *
    ****************************************
    (A)dd an agent (A).
    (E)xtract key for an agent (E).
    (L)ist already added agents (L).
    (R)emove an agent (R).
    (Q)uit.
    Choose your action: A,E,L,R or Q: e

    Available agents:
    ......
    ID: 022, Name: mailx.uii.ac.id, IP: 192.168.200.77
    Provide the ID of the agent to extract the key (or '\q' to quit): 022

    Agent key information for '022' is:
    MDIyIG1haWx4LnVpQxN2IwODQ2MjE .........
    ** Press ENTER to return to the main menu.

  3. Copy the agent key (it embeds the agent's shared secret, so move it over a trusted channel such as an ssh session, not e-mail or chat)

B. On the agent

  1. Run the agent manager: # /var/ossec/bin/manage_agents

    ****************************************
    * OSSEC HIDS v2.4.1 Agent manager.     *
    * The following options are available: *
    ****************************************
    (I)mport key from the server (I).
    (Q)uit.
    Choose your action: I or Q: i

    * Provide the Key generated by the server.
    * The best approach is to cut and paste it.
    *** OBS: Do not include spaces or new lines.

    Paste it here (or '\q' to quit): MDIyIG1haWx4LnVpQxN2IwODQ2MjE .........

    Agent information:
    ID:022
    Name:mailx.uii.ac.id
    IP Address:192.168.200.77

    Confirm adding it?(y/n): y
    Added.
    ** Press ENTER to return to the main menu.

  2. Start the OSSEC agent: # /var/ossec/bin/ossec-control start

    Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
    Started ossec-execd...
    Started ossec-agentd...
    Started ossec-logcollector...
    Started ossec-syscheckd...
    Completed.
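Before pasting the exported key into the agent's manage_agents, it helps to know what you are pasting. This is an added example, not from the post and not OSSEC code: the key is the agent's future client.keys line, `ID NAME IP SECRET`, base64-encoded and nothing more; the first characters of the key shown above, MDIyIG1haWx4LnVp, decode to `022 mailx.ui`. The SECRET is the shared key that authenticates and encrypts everything this agent sends, which is why the exported string belongs in an ssh session rather than in e-mail or chat. The helpers below reproduce the server-side encoding and check, on the agent side, that the ID, name and IP inside a key are the ones you expect before importing it. The sample secret is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Inspect an OSSEC agent key before importing it. Example added to this page,
# not OSSEC code. A key is base64("ID NAME IP SECRET"): exactly the line that
# manage_agents (I)mport appends to /var/ossec/etc/client.keys on the agent.

# export_key ID NAME IP SECRET
# Prints the string that (E)xtract on the server shows for this agent.
export_key() {
    printf '%s %s %s %s' "$1" "$2" "$3" "$4" | base64 | tr -d '\n'
}

# key_field KEY N
# Prints field N of the decoded key: 1=ID 2=name 3=IP 4=secret.
key_field() {
    printf '%s' "$1" | base64 -d 2>/dev/null | awk -v n="$2" '{print $n}'
}

# check_key KEY EXPECTED_ID EXPECTED_NAME EXPECTED_IP
# Returns 0 only if KEY decodes to four fields whose ID, name and IP are the
# expected ones, so a key copied from the wrong line of (E)xtract, or mangled
# by a stray space or line break, is caught before it lands in client.keys.
check_key() {
    key="$1"; want_id="$2"; want_name="$3"; want_ip="$4"
    decoded=$(printf '%s' "$key" | base64 -d 2>/dev/null) || return 1
    set -- $decoded
    [ "$#" -eq 4 ] || return 1
    [ "$1" = "$want_id" ] && [ "$2" = "$want_name" ] && [ "$3" = "$want_ip" ]
}

# Constructed sample for agent 022 from the session above. The secret is made
# up (OSSEC generates its own random one); the page's real key is not here.
SAMPLE_SECRET="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_KEY=$(export_key 022 mailx.uii.ac.id 192.168.200.77 "$SAMPLE_SECRET")

# The line the agent's manage_agents would write to client.keys for this key:
printf '%s' "$SAMPLE_KEY" | base64 -d; echo

# Only import a key that names the agent you are standing on.
if check_key "$SAMPLE_KEY" 022 mailx.uii.ac.id 192.168.200.77; then
    echo "key describes agent 022 / mailx.uii.ac.id / 192.168.200.77: safe to paste into manage_agents"
else
    echo "key does not match this agent: do not import" >&2
fi
```

On the agent, `check_key "$(cat key.txt)" 022 "$(hostname)" 192.168.200.77` before step B.1 catches the common mistakes (wrong agent's key, trailing newline from a careless paste, an IP that does not match the one the server will check packets against). Anyone who reads the key file can impersonate the agent to the server, so delete it once the import is done.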

Result in the OSSEC Web Interface (screenshot)

Simple troubleshooting:

  1. When the server and the agent are first paired, to make sure it works the OSSEC server must be restarted first, after
  2. If the agent is installed over and over on one server, it is better to remove its registration on the OSSEC server first and register it again, so that the message counter (not the agent ID) starts from zero again. The server keeps a per-agent anti-replay counter and ignores messages whose counter is below the last one it accepted, so a reinstalled agent that starts counting from zero is dropped until that counter is reset.
  3. The OSSEC server checks each packet from an agent against the IP address registered for that agent, so the agent's IP address cannot come from DHCP or change over time. Where a fixed address is impossible, manage_agents also accepts any or a CIDR block (for example 192.168.200.0/24) as the agent IP.
  4. The IP address registered on the OSSEC server is a 1:1 mapping between a registration and an agent, except when the agents sit behind a firewall, where it can be 1:many.

2 Responses to “Installing the OSSEC-HIDS agent on Linux”

  1. OSSEC HIDS, monitoring server logs centrally | Kusprayitna Blogs Says:

    [...] OSSEC Agent Installation [...]

  2. Rovy Says:

    If we wanted to use SMS to report when an intruder is found, could the databases be merged?
