Performing server agent installations

This section of the chapter excerpt covers performing server agent installations of the OSSEC HIDS.


By Rory Bray, Daniel Cid and Andrew Hay

Service provider takeaway: Open source security (OSSEC) is a commonly used host-based intrusion detection software that detects unauthorized activity on any particular computer. This section of the chapter excerpt from the book OSSEC Host-Based Intrusion Detection Guide covers performing server agent installations of the OSSEC HIDS.


Server-agent installations are meant for a central controller with multiple agents, which is ideal for providing protection among networked hosts. It provides some advantages over simply having local installations on each host. This is because the server performs all log analysis for agents connected to it. Active responses are initiated from the server, but can be executed on an agent or all agents simultaneously.

Because Windows hosts can only be agents, a server is always required prior to installing the OSSEC HIDS on Microsoft Windows. Windows installations are covered separately in this chapter, after a Unix server-agent setup.

The server and agent installations proceed similarly to the local installation, except that the server is configured to listen for communication from the agents.

Installing the server

As with the local install type, server installations can only be done on Linux- and BSD-based operating systems, including Mac OS X. After the initial screen and language selection, we start by choosing server installation in step 1 and then a directory location in step 2. Defaults are shown in square brackets and can be accepted by pressing Enter, or customized similar to the following:

1- What kind of installation do you want (server, agent, local or help)? server
- Server installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
- Installation will be made at /var/ossec .

Step 3, and the corresponding sub steps, deal with notifications and alerts. At this point, you must decide which features you want to enable. You can alter any of the choices later in the ossec.conf file or by reinstalling the OSSEC HIDS.
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? root@localhost
- We found your SMTP server as: 127.0.0.1

- Do you want to use it? (y/n) [y]: y
-- -- Using SMTP server: 127.0.0.1

The integrity check daemon is responsible for monitoring and reporting changes in system files. The rootkit detection engine regularly performs tests looking for evidence of an installed rootkit. These features are very important on most HIDS solutions and should be enabled. As with the local installation, these services, after being tuned, provide fine-grained protections.

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
- Running rootcheck (rootkit detection).

Active response is a very powerful tool for taking automated actions to prevent intrusion or reduce the extent of an intrusion. Often, an active response can block invasive activity much more quickly than you or your attacker can respond. If misconfigured, however, active response can also lock you out of your system or interrupt vital services. By default, the OSSEC HIDS active response is quite safe and we recommend enabling it. Be sure, however, to have at least one or two well-trusted IP addresses in the white list so that you can always access the system.

3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: y
- Active response enabled.
- By default, we can enable the host-deny and the firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]: y
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- 192.168.65.2
- Do you want to add more IPs to the white list? (y/n)? [n]: n

With a server installation, the OSSEC HIDS can receive alerts through an encrypted channel (port 1514) or through syslog (port 514). Enabling remote syslog allows the OSSEC HIDS to receive alerts using syslog. Typically, it is better to use encryption for the transport of any security related information; you can choose to disable remote syslog for this reason.
Remote syslog can be enabled or disabled at any time in the main configuration file. For the moment, leave it enabled. The significance of providing remote syslog becomes clear after the rule-tuning and log analysis sections of this book.

3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
- Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
- If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net .
-- -- Press ENTER to continue -- --

After you press Enter, the OSSEC HIDS is compiled, installed, and configured with the options you specified. When the installation is complete, the installer script provides you with some final information. You should make note of the information and take any recommended actions. For example, for the OSSEC HIDS to use the OpenBSD pf firewall, a few lines must be added to the /etc/pf.conf.

You now have a working server installation of the OSSEC HIDS. All binaries, scripts, and configurations for the OSSEC HIDS are in the installation directory you specified. To verify that everything is ok, start the OSSEC HIDS and complete the installation.
# /opt/ossec/bin/ossec-control start
Before moving on to setting up agents, remember that the OSSEC HIDS server needs to receive communication from agents on port 1514 and possibly 514. You must ensure that the firewall or packet filter on the server host machine allows this traffic. Each operating system and software distribution provides a way to do this. You must enable inbound UDP traffic on ports 1514 and 514 from any subnets where agents are installed. The firewall rule must maintain connection state because the agent expects responses from the server.
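The installer answers above (a white list for active response, remote syslog and the encrypted channel both enabled, firewall-drop at level 6) all end up in ossec.conf, and the two things worth re-checking before opening the firewall are that the white list is not empty and which UDP ports the server will actually listen on. The script below is an added example written for this excerpt, not code from the book or from the OSSEC project. The embedded configuration is constructed to mirror the choices shown in the installer session; the element names (global, white_list, remote, connection, active-response, localfile) are the ones ossec.conf uses, while the function names and the default-port table are assumptions of this example.

```python
"""Post-install sanity check of an ossec.conf server configuration.

Added example for this excerpt, not code from the book or OSSEC.
"""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment reflecting the server installation answers
# in the text: e-mail notification, one white-listed IP, secure and syslog
# listeners, and the firewall-drop response at level 6.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>root@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <white_list>192.168.65.2</white_list>
  </global>
  <remote>
    <connection>secure</connection>
  </remote>
  <remote>
    <connection>syslog</connection>
  </remote>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
  </active-response>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""

# Default listener ports named by the installer text: 1514 for the encrypted
# agent channel and 514 for remote syslog (assumed when no <port> is given).
DEFAULT_PORTS = {"secure": 1514, "syslog": 514}


def audit_ossec_conf(conf_text):
    """Return the white list, listener ports and enabled active responses."""
    root = ET.fromstring(conf_text)

    white_list = [e.text.strip() for e in root.iter("white_list") if e.text]

    listeners = []
    for remote in root.findall("remote"):
        conn = (remote.findtext("connection") or "secure").strip()
        port_text = remote.findtext("port")
        port = int(port_text) if port_text else DEFAULT_PORTS.get(conn)
        listeners.append((conn, port))

    responses = []
    for ar in root.findall("active-response"):
        # <disabled>yes</disabled> switches a response off without removing it
        if (ar.findtext("disabled") or "no").strip().lower() == "yes":
            continue
        responses.append((
            (ar.findtext("command") or "").strip(),
            (ar.findtext("location") or "").strip(),
            int(ar.findtext("level") or 0),
        ))

    return {
        "white_list": white_list,
        "remote_syslog_enabled": any(c == "syslog" for c, _ in listeners),
        "required_udp_ports": sorted({p for _, p in listeners if p}),
        "active_responses": responses,
    }


def findings(report):
    """Warnings an administrator should act on before going live."""
    warnings = []
    if report["active_responses"] and not report["white_list"]:
        warnings.append("active response is enabled but the white list is "
                        "empty: an administrator's IP can be blocked by firewall-drop")
    if report["remote_syslog_enabled"]:
        warnings.append("remote syslog (udp/514) is enabled: that channel is "
                        "unencrypted, disable it if only agents send to this server")
    return warnings


if __name__ == "__main__":
    rep = audit_ossec_conf(SAMPLE_OSSEC_CONF)
    print("open inbound UDP ports:", rep["required_udp_ports"])
    for w in findings(rep):
        print("WARNING:", w)
```

Run it against a real file with `audit_ossec_conf(open("/var/ossec/etc/ossec.conf").read())`; the `required_udp_ports` list is exactly the set of ports the firewall rule described above has to admit from the agent subnets.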

Managing agents

Before moving on to another install type, let's review the key management in the OSSEC HIDS. Agents must be able to identify themselves to the server, and the server must be able to validate the identity of the agent. This ensures that illicit messages aren't processed by the server when sent from non-agent hosts.

The server-agent traffic is encrypted and validated using pre-shared keys. These keys must be generated on the server and then imported on the agent side. The procedure is the same regardless of the agent platform. All agent key management is done using the manage_agents utility in the OSSEC HIDS bin directory.

You must create a key for each agent by adding the agent using the manage_agents utility.
Run the utility and then choose Add an agent by entering A.

# /opt/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v1.4 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A

You are prompted for host details and an identifier for the agent. The IP address, not the hostname, of the agent host must be provided. The ID can be any number you choose, but it must be numeric. The name can be any identifying text that is meaningful to you, without spaces, but typically it makes most sense to use the hostname.

- Adding a new agent (use 'q' to return to the main menu).
Please provide the following:
* A name for the new agent: mars
* The IP Address of the new agent: 192.168.65.40
* An ID for the new agent[001]: 001
Agent information:
ID:001
Name:mars
IP Address:192.168.65.40
Confirm adding it?(y/n): y
Agent added.

Repeat this procedure for each agent you must install. After you are done creating keys, restart the OSSEC HIDS service, using /var/ossec/bin/ossec-control, so that the OSSEC HIDS can read the updated keys and permitted agent IP addresses. Failure to restart the OSSEC HIDS server might result in connection failures for the agents. After the OSSEC HIDS software is installed on the agents, you will return to the server to retrieve the keys for each agent using the same manage_agents utility.

Installing agents

Agent installation on Unix/Linux/BSD platforms is performed similarly to the other install types. The only notable difference is that you must provide the server IP address. After installation, the agent does not start properly until the key, which is generated on the server, is imported.

For Microsoft Windows, the installation is also simple, but it is performed using a graphical installer. Importing the key from the server to the agent typically requires Secure Shell (SSH) access to the server, so make sure the Windows host has an SSH client.

Installing the Unix agent

The same installation procedure used for local and server installations is used for an agent installation on Unix- and Linux-based hosts. Start by choosing agent installation in step 1 and then a directory location in step 2. The defaults are shown in square brackets and can be accepted by pressing Enter, or customized as in this case. You will notice that the agent install has fewer options to configure. This is because the server does much of the work.

1- What kind of installation do you want (server, agent, local or help)? agent
- Agent(client) installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]: /opt/ossec
- Installation will be made at /opt/ossec .
3- Configuring the OSSEC HIDS.
3.1- What's the IP Address of the OSSEC HIDS server?: 192.168.65.20
- Adding Server IP 192.168.65.20
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
- Running rootcheck (rootkit detection).

On the agent installation, notice that the only options for active response are enable or disable. Enabling active response on an agent allows the server to initiate responses that are executed on this agent. We recommend enabling it for all agents.

3.4 - Do you want to enable active response? (y/n) [y]: y
3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/authlog
-- /var/log/secure
-- /var/log/xferlog
-- /var/log/maillog
- If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net .
-- -- Press ENTER to continue -- --

After you press Enter, the OSSEC HIDS is compiled, installed, and configured with the options you specified. When the installation is complete, the installer script provides you with some final information. You should make note of the information and take any recommended actions. For example, for the OSSEC HIDS to use the OpenBSD pf firewall, a few lines must be added to the /etc/pf.conf script.
Before starting the OSSEC HIDS agent, the key generated on the server must be imported.
The manage_agents utility is used to import the keys. Because the keys are on the server, the normal method for retrieving the keys is to connect to the server using SSH and run the manage_agents utility.

From the manage_agents menu, enter e to extract a key. You are provided with a list of already configured agents. Choose your agent by entering the correct ID. The key is displayed so you can copy it to your clipboard.

# /opt/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v1.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: e
Available agents:
ID: 001, Name: mars, IP: 192.168.65.40
Provide the ID of the agent to extract the key (or 'q' to quit): 001
Agent key information for '001' is:
MDAxIG1hcnMgMTkyLjE2OC42NS40MCBmY2UzMjM4OTc1ODgzYTU4ZWM3YTRkYWJiZTJmMjQ2Y2ViODhmMzl
mYjE3MmI4OGUzMTE0MDczMzVhYjk2OTRh
** Press ENTER to return to the main menu.

Exit from the manage_agents utility on the server by entering q from the menu, exit the SSH session, and return to the agent host. To import the key, run the manage_agents utility on the agent host. The menu for agents is much simpler, because importing keys is the only option. Enter i to import and then paste the key value previously saved to your clipboard.

# /opt/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v1.3 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: i
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or 'q' to quit):
MDAxIG1hcnMgMTkyLjE2OC42NS40MCBmY2UzMjM4OTc1ODgzYTU4ZWM3YTRkYWJiZTJmMjQ2Y2ViODhmMzl
mYjE3MmI4OGUzMTE0MDczMzVhYjk2OTRh
Agent information:
ID:001
Name:mars
IP Address:192.168.65.40
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
****************************************
* OSSEC HIDS v1.3 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: q
** You must restart the server for your changes to have effect.
manage_agents: Exiting ..
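The key printed by manage_agents wraps across two lines on the page, which is exactly what the import prompt warns about ("Do not include spaces or new lines"). Before pasting a key into an agent it is worth checking that it decodes cleanly and that it really was extracted for this agent. The script below is an added example for this excerpt, not code from the book or from OSSEC. It assumes only what the extract output shows: the key is base64 of "id name ip secret", with the secret being the 64 hex characters seen in the sample; the helper names are this example's own.

```python
"""Validate an OSSEC agent key before importing it on the agent host.

Added example for this excerpt, not code from the book or OSSEC.
"""
import base64
import binascii
import ipaddress
import re

# The key as printed by manage_agents in the text, kept with the line wrap a
# terminal or clipboard may introduce (constructed copy of the page's key).
PASTED_KEY = (
    "MDAxIG1hcnMgMTkyLjE2OC42NS40MCBmY2UzMjM4OTc1ODgzYTU4ZWM3YTRkYWJiZTJmMjQ2Y2ViODhmMzl\n"
    "mYjE3MmI4OGUzMTE0MDczMzVhYjk2OTRh\n"
)


def normalize_key(pasted):
    """Remove every whitespace character; the importer rejects spaces and newlines."""
    return re.sub(r"\s+", "", pasted)


def parse_agent_key(pasted):
    """Decode a pasted key into its fields, raising ValueError when malformed."""
    b64 = normalize_key(pasted)
    try:
        decoded = base64.b64decode(b64, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid base64 agent key: {exc}") from exc

    parts = decoded.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 4 space-separated fields, got {len(parts)}")
    agent_id, name, ip, secret = parts

    if not agent_id.isdigit():
        raise ValueError(f"agent id must be numeric, got {agent_id!r}")
    ipaddress.ip_address(ip)  # raises ValueError for anything that is not an address
    # Assumption from the sample key: the shared secret is 64 lowercase hex chars.
    if not re.fullmatch(r"[0-9a-f]{64}", secret):
        raise ValueError("shared secret must be 64 lowercase hex characters")

    return {"id": agent_id, "name": name, "ip": ip, "secret": secret, "b64": b64}


def check_key_matches(pasted, expected_id, expected_ip):
    """Return a list of mismatches between the key and the agent it is meant for."""
    fields = parse_agent_key(pasted)
    problems = []
    if fields["id"] != expected_id:
        problems.append(f"key is for agent id {fields['id']}, expected {expected_id}")
    if fields["ip"] != expected_ip:
        problems.append(f"key is bound to {fields['ip']}, this host is {expected_ip}")
    return problems


if __name__ == "__main__":
    info = parse_agent_key(PASTED_KEY)
    print(f"key for agent {info['id']} ({info['name']}) at {info['ip']}")
    for p in check_key_matches(PASTED_KEY, "001", "192.168.65.40"):
        print("MISMATCH:", p)
    # info["b64"] is the single-line form safe to paste into manage_agents
```

The `ip` field matters because the server only accepts traffic for that key from the address recorded with it, so a key extracted for the wrong agent fails silently at connection time rather than at import time.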

Now that the agent installation is complete, we can start the OSSEC HIDS service by running the following command:
# /opt/ossec/bin/ossec-control start

The agent starts and connects to the server. You can verify this by checking the agent logs (/var/ossec/logs/ossec.log) and finding messages similar to the following near the end of the file:
2007/10/10 23:25:48 ossec-agentd: Connecting to server (192.168.65.20:1514).
2007/10/10 23:25:48 ossec-agentd(4102): Connected to the server.
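Rather than eyeballing the tail of ossec.log, the check can be scripted: the agent is up only when a "Connected to the server" line follows the last "Connecting to server" attempt, and the address it connected to should be the server IP given during installation. The script below is an added example for this excerpt, not code from the book or OSSEC. The first two log lines are the ones shown above; the third sample, an agent that keeps retrying without a confirmation line, is constructed for the failure case, and the line layout "date time daemon(code): message" is assumed from those samples.

```python
"""Confirm from ossec.log that an agent reached its server.

Added example for this excerpt, not code from the book or OSSEC.
"""
import re

# Log lines from the text (successful connection).
GOOD_LOG = """\
2007/10/10 23:25:48 ossec-agentd: Connecting to server (192.168.65.20:1514).
2007/10/10 23:25:48 ossec-agentd(4102): Connected to the server.
"""

# Constructed sample: repeated attempts, never confirmed (e.g. blocked port
# or a key the server has not loaded yet).
STUCK_LOG = """\
2007/10/10 23:25:48 ossec-agentd: Connecting to server (192.168.65.20:1514).
2007/10/10 23:26:48 ossec-agentd: Connecting to server (192.168.65.20:1514).
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
CONNECTING_RE = re.compile(r"Connecting to server \((?P<ip>[\d.]+):(?P<port>\d+)\)")


def agent_connection_status(log_text, expected_server_ip):
    """Summarise ossec-agentd connection state from the log text."""
    connected = False
    server = None
    last_ts = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["daemon"] != "ossec-agentd":
            continue  # other daemons' lines are irrelevant here
        last_ts = m["ts"]
        attempt = CONNECTING_RE.search(m["msg"])
        if attempt:
            server = f"{attempt['ip']}:{attempt['port']}"
            connected = False  # a new attempt invalidates an older success
        elif "Connected to the server" in m["msg"]:
            connected = True
    return {
        "connected": connected,
        "server": server,
        "matches_expected": server is not None
        and server.split(":")[0] == expected_server_ip,
        "last_event": last_ts,
    }


if __name__ == "__main__":
    for name, text in (("good", GOOD_LOG), ("stuck", STUCK_LOG)):
        print(name, agent_connection_status(text, "192.168.65.20"))
```

On a real agent, feed it the log file named above: `agent_connection_status(open("/var/ossec/logs/ossec.log").read(), "192.168.65.20")`; a result with `connected` false but a `server` value is the signature of the firewall or key problems described earlier in this section.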


OSSEC Host-Based Intrusion Detection Guide
  Introduction
  Downloading OSSEC HIDS
  Performing local installation
  Performing server agent installations
  Installing the Windows agent
  Streamlining the installations
  Summary and FAQs

About the book

OSSEC Host-Based Intrusion Detection Guide explains how to grow revenue, reduce administrative costs, and improve client retention by adopting a customer-focused business framework. Learn to build and use customer hubs and associated technologies, secure and protect confidential corporate and customer information, provide personalized services, and set up an effective data governance team. Purchase the book from Syngress Publishing.

Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "OSSEC Host-Based Intrusion Detection Guide" by Rory Bray, Daniel Cid and Andrew Hay. For more information about this title and other similar books, please visit www.elsevierdirect.com.

This was first published in August 2008
