Installing OSSEC and Configuring Email Notifications

1. Introduction

  OSSEC is a fully open-source, free server intrusion detection tool. It supports multiple platforms, including Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and VMware ESX; it ships with built-in intrusion detection rules and options to tune them, and it also supports user-defined rules. Actions on a rule match include email notification, writing to a database, writing to syslog and, from version 2.9.0 onward, writing alerts to a JSON-format file. For further details, see the official site: OSSEC.

2. Hardware and Software Environment

  OSSEC uses a client/server architecture with two components, Server and Agent. The deployment here uses three virtual machines: one runs the Server and the other two run only the Agent. The environment details are as follows:

                  VM 1 (Server)                       VM 2 (Agent)                        VM 3 (Agent)
Hardware          CPU: 8 cores, RAM: 16 GB, Disk: 100 GB   CPU: 4 cores, RAM: 4 GB, Disk: 100 GB   CPU: 2 cores, RAM: 2 GB, Disk: 100 GB
IP address        172.16.11.141                       172.16.11.197                       172.16.11.198
Operating system  CentOS 7                            CentOS 7                            CentOS 7
Hostname          master                              ansible1                            ansible2
Software          OSSEC 2.8.1, MySQL 8.0              OSSEC 2.8.1                         OSSEC 2.8.1

3. Installation Steps

3.1 Server

  1. Installing OSSEC

  Run the following on VM 1 (Server):

wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz	#download OSSEC 2.8.1; the latest version at the time of writing is 3.6.0, which I tried to install,
#but the agent could not connect to the server; there is a related issue on GitHub, see: https://github.com/ossec/ossec-hids/issues/1869

tar -zxvf 2.8.1.tar.gz				        #extract
mv ossec-hids-2.8.1/ ossec-hids		                #rename the directory
cd ossec-hids/						#enter the directory
export OSSEC_SOURCE=$(pwd)                              #record the source directory in a variable (used later for the schema import)
yum -y install mysql-devel postgresql-devel zlib-devel pcre2-devel make gcc sqlite-devel openssl-devel libevent-devel  #install the compiler and development packages needed for the build
ln -s /usr/lib64/mysql/libmysqlclient.so.18 /usr/lib/libmysqlclient.so.18            #symlink the MySQL client library
ln -s /usr/lib64/mysql/libmysqlclient.so.18 /usr/lib64/libmysqlclient.so.18          #symlink the MySQL client library

cd src
make setdb		                                #enable database support; the command prints:
#Info: Compiled with MySQL support.
#Info: Compiled with PostgreSQL support.
#in version 3.6.0 this target does not exist, see: https://github.com/ossec/ossec-hids/issues/1905
cd ..
./install.sh			                #run the interactive install script

  The install script prompts are as follows:

  ** Para instalação em português, escolha [br].
  ** 要使用中文進行安裝, 請選擇 [cn].
  ** Fur eine deutsche Installation wohlen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en Español , eliga [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvű telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします.選択して下さい.[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском ,введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en		#choose the language

 OSSEC HIDS v2.8 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux master 3.10.0-1127.18.2.el7.x86_64
  - User: root
  - Host: master


  -- Press ENTER to continue or Ctrl-C to abort. --


1- What kind of installation do you want (server, agent, local, hybrid or help)? server	#install the server side

  - Server installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]: y	        #enable email notification
   - What's your e-mail address? 1769128867@qq.com		#recipient address
   - What's your SMTP server ip/host? 127.0.0.1			#address of the SMTP server

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y	#enable the integrity check daemon

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y	#enable the rootkit detection engine

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response

   - Do you want to enable active response? (y/n) [y]: y		#enable active response

     - Active response enabled.

   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]: n	#disable the firewall-drop response

     - firewall-drop disabled.

   - Default white list for the active response:
      - 119.29.29.29

   - Do you want to add more IPs to the white list? (y/n)? [n]: n	#no extra white-list entries needed

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y	#enable remote syslog

   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog
    -- /var/log/httpd/error_log (apache log)
    -- /var/log/httpd/access_log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .


   --- Press ENTER to continue ---

5- Installing the system
 - Running the Makefile
INFO: Little endian set.
.......compiler output omitted........

- System is Redhat Linux.
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at contact@ossec.net or using our public maillist at
    ossec-list@ossec.net
    ( http://www.ossec.net/main/support/ ).

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---
    
    - In order to connect agent and server, you need to add each agent to the server.
   Run the 'manage_agents' to add or remove them:

   /var/ossec/bin/manage_agents

   More information at:
   http://www.ossec.net/en/manual.html#ma

  At this point the server side is installed. You can add the agent information now, using manage_agents:

/var/ossec/bin/manage_agents

  The manage_agents interaction for adding an agent is as follows:

****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A			#choose "add an agent"

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: ansible1		        #display name of the agent
   * The IP Address of the new agent: 172.16.11.197	#IP address of the agent
   * An ID for the new agent[001]: 001		        #ID of the agent
Agent information:
   ID:001
   Name:ansible1
   IP Address:172.16.11.197

Confirm adding it?(y/n): y				#confirm
Agent added.


****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).			
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E		        #choose "extract key for an agent"

Available agents:
   ID: 001, Name: ansible1, IP: 172.16.11.197
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ==

** Press ENTER to return to the main menu.
.........repeat the same steps to add agent 2 and note down each agent key; it is needed later when configuring the agents.........

  2. Configuring the MySQL database

  Installing MySQL itself is not covered here; you can follow the MySQL installation steps from my earlier Zabbix setup post (link: MySQL installation). Once MySQL is installed, create the database and import the table schema that OSSEC uses.

mysql -u root -p
#enter the root user's password
mysql> create database ossec character set utf8 collate utf8_bin;	#create the database
mysql> create user ossec identified by 'QCgOvUJ7&Cs*dG4m';		#create the user OSSEC connects as
mysql> grant all privileges on ossec.* to ossec;			#grant privileges on the ossec database only
mysql> flush privileges;

  After the database user is created, import the table schema. The MySQL schema file is src/os_dbd/mysql.schema in the source tree; import it with the mysql client:

mysql -uossec -p'QCgOvUJ7&Cs*dG4m' ossec < "$OSSEC_SOURCE"/src/os_dbd/mysql.schema      #import the MySQL schema (the password is single-quoted because it contains & and *, which the shell would otherwise interpret)

  After the import, OSSEC's configuration must point at the database server and user. Edit /var/ossec/etc/ossec.conf and add the following:

<database_output>
      <hostname>127.0.0.1</hostname>		<!-- MySQL server IP -->
      <username>ossec</username>		<!-- MySQL user account -->
      <password>QCgOvUJ7&Cs*dG4m</password>	<!-- MySQL user password -->
      <database>ossec</database>		<!-- database schema name -->
      <type>mysql</type>		        <!-- database type is MySQL -->
</database_output>

  Note: the <database_output> block goes inside the <ossec_config> element; see the official documentation: Configuring MySQL. After saving the file, database support must also be enabled:

/var/ossec/bin/ossec-control enable database
  3. Starting OSSEC
/var/ossec/bin/ossec-control start

  After starting, /var/ossec/logs/ossec.log shows that the database connection has been established, as below:

  4. Adding an agent

  Adding an agent requires the agent's IP address, ID and hostname. Run the following tool to add it:

/var/ossec/bin/manage_agents

  The interaction is as follows:

****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A		      #add an agent

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: ansible1		      #hostname
   * The IP Address of the new agent: 172.16.11.197   #IP address
   * An ID for the new agent[001]: 001		      #ID number

Agent information:
   ID:001
   Name:ansible01
   IP Address:172.16.11.197

Confirm adding it?(y/n): y
Agent added.


****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: ansible1, IP: 172.16.11.197
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ==

** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: Q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..

  After adding the agent, remember to restart the OSSEC service. Note that adding the agent here does not yet make the OSSEC service usable: the agent side still has to import its agent key and start the agent process before the setup is actually complete.

/var/ossec/bin/ossec-control restart

3.2 Agent

  Run the same steps below on VM 2 (Agent) and VM 3 (Agent):

wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz	#download OSSEC 2.8.1; the latest version at the time of writing is 3.6.0, which I tried to install, but the agent could not connect to the server;
#there is a related issue on GitHub, see: https://github.com/ossec/ossec-hids/issues/1869

tar -zxvf 2.8.1.tar.gz				#extract
mv ossec-hids-2.8.1/ ossec-hids		        #rename the directory
cd ossec-hids/					#enter the directory
yum -y install mysql-devel postgresql-devel zlib-devel pcre2-devel make gcc sqlite-devel openssl-devel libevent-devel	#install the compiler and development packages needed for the build
./install.sh			                #run the interactive install script

  The install script prompts are as follows:

  ** Para instalação em português, escolha [br].
  ** 要使用中文進行安裝, 請選擇 [cn].
  ** Fur eine deutsche Installation wohlen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en Español , eliga [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvű telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします.選択して下さい.[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском ,введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en	#choose the language
  
 OSSEC HIDS v2.8 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux ansible1 3.10.0-1127.18.2.el7.x86_64
  - User: root
  - Host: ansible1


  -- Press ENTER to continue or Ctrl-C to abort. --


1- What kind of installation do you want (server, agent, local, hybrid or help)? agent #install the agent side

  - Agent(client) installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 172.16.11.141      #IP address or hostname of the server

   - Adding Server IP 172.16.11.141

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y		       #enable the integrity check daemon

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y	               #enable rootkit detection

   - Running rootcheck (rootkit detection).

  3.4 - Do you want to enable active response? (y/n) [y]: y	      	               #enable active response


  3.5- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog
    -- /var/log/nginx/access.log (apache log)
    -- /var/log/nginx/error.log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .


   --- Press ENTER to continue ---



5- Installing the system
 - Running the Makefile
INFO: Little endian set.

························
······compiler output omitted········
························

 - System is Redhat Linux.
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at contact@ossec.net or using our public maillist at
    ossec-list@ossec.net
    ( http://www.ossec.net/main/support/ ).

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---



 - You first need to add this agent to the server so they
   can communicate with each other. When you have done so,
   you can run the 'manage_agents' tool to import the
   authentication key from the server.

   /var/ossec/bin/manage_agents

   More information at:
   http://www.ossec.net/en/manual.html#ma

  The Agent side is now installed; the install script installs to /var/ossec by default. To configure the Agent, first add this Agent host on the Server side (see the Server section for adding an agent and extracting its key). Once added, copy the extracted authentication key for this client to the agent and run the following to import it:

/var/ossec/bin/manage_agents

  Interaction:

****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I	            #choose "import a key exported from the Server"

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ==	#paste the key

Agent information:
   ID:001
   Name:ansible1
   IP Address:172.16.11.197

Confirm adding it?(y/n): y		   #confirm
Added.
** Press ENTER to return to the main menu.
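  Before pasting a key into manage_agents on an agent, it is worth checking that it really belongs to this host. The following is an added example, not part of the original post or of OSSEC itself: it decodes the key, which is only base64 over "ID NAME IP SECRET", and compares the embedded ID, name and IP with the expected values without printing the secret. Because the secret is in the clear inside the key, the key should be copied between server and agent the same way you would move a password. The sample key is the one for agent 001 shown above; the function names are my own.

```shell
# Added example (not from the original post or from OSSEC): verify an agent key before importing it.
# An OSSEC agent key is base64("ID NAME IP SECRET"); the SECRET is therefore exposed to anyone
# who sees the key, so never leave it in chat logs or shell history.

# Constructed input: the key for agent 001 exactly as manage_agents printed it on the server.
SAMPLE_KEY='MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ=='

# ossec_key_identity KEY: print "ID NAME IP" from the key; the secret (4th field) is left out
# on purpose so it never ends up in a terminal or log file.
ossec_key_identity() {
    printf '%s' "$1" | tr -d ' \n' | base64 -d | awk '{ print $1, $2, $3 }'
}

# ossec_key_matches KEY ID NAME IP: succeed only when the key was issued for that ID, name and IP.
ossec_key_matches() {
    key="$1"; want_id="$2"; want_name="$3"; want_ip="$4"
    got=$(ossec_key_identity "$key") || return 1
    [ "$got" = "$want_id $want_name $want_ip" ]
}

# Usage on the agent host, before running manage_agents:
if ossec_key_matches "$SAMPLE_KEY" 001 ansible1 172.16.11.197; then
    echo "key is for 001 ansible1 172.16.11.197; safe to import here"
else
    echo "key does not belong to this agent; do not import it" >&2
fi
```

  Compare the printed ID, name and IP against what manage_agents on the Server reported; a mismatch usually means a key from the wrong agent was copied.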

  The import is done and the Agent can be started:

/var/ossec/bin/ossec-control start

  Finally, check on the Server that the agent is running normally. Run /var/ossec/bin/agent_control -l on the Server to list the added Agents:

[root@master ossec]# /var/ossec/bin/agent_control -l

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: master (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: ansible2, IP: 172.16.11.198, Active
   ID: 001, Name: ansible1, IP: 172.16.11.197, Active

List of agentless devices:
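  An agent that was Active at install time can silently stop reporting later, so the listing above is worth checking on a schedule. The following is an added example, not from the original post or from OSSEC: it parses the output of agent_control -l and prints every agent whose status is neither Active nor Active/Local. The sample listing is the one from the post plus a fourth, constructed agent that has dropped off, so the check has something to flag.

```shell
# Added example (not from the original post or from OSSEC): flag agents that are not Active
# in the output of /var/ossec/bin/agent_control -l.

# Constructed sample: the listing from the post, plus a made-up agent 003 that has dropped off.
SAMPLE_LISTING='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: master (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: ansible2, IP: 172.16.11.198, Active
   ID: 001, Name: ansible1, IP: 172.16.11.197, Active
   ID: 003, Name: ansible3, IP: 172.16.11.199, Disconnected

List of agentless devices:'

# ossec_inactive_agents LISTING: print "ID NAME IP STATUS" for each agent whose status is
# neither Active nor Active/Local (the server's own entry). Fields are split on ", ", so a
# name containing spaces such as "master (server)" is handled.
ossec_inactive_agents() {
    printf '%s\n' "$1" | awk '
        /^ *ID: / {
            sub(/^ *ID: /, "")
            n = split($0, f, /, /)
            id = f[1]
            name = f[2]; sub(/^Name: /, "", name)
            ip = f[3];   sub(/^IP: /, "", ip)
            status = f[n]
            if (status != "Active" && status != "Active/Local") print id, name, ip, status
        }'
}

# ossec_agents_healthy LISTING: succeed only when no agent is flagged.
ossec_agents_healthy() { [ -z "$(ossec_inactive_agents "$1")" ]; }

# Usage on the server, e.g. from cron:
#   listing=$(/var/ossec/bin/agent_control -l)
#   ossec_agents_healthy "$listing" || ossec_inactive_agents "$listing" | mail -s "OSSEC agents down" root
```

  The function takes the listing as a string so it can be tested offline; in production feed it the live output of agent_control -l as in the usage comment.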

3.3 Configuring Email Notification

  Email notification is configured on the Server side. Here I use a NetEase 163 mailbox as the sender and a Tencent QQ mailbox as the recipient to set up OSSEC's email notification.

  1. Install the required packages
yum install -y postfix mailx cyrus-sasl cyrus-sasl-plain	#install Postfix and the mail-related packages
  2. Configure the Postfix configuration file /etc/postfix/main.cf
cat >> /etc/postfix/main.cf << EOF
relayhost = [smtp.163.com]:25
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes
EOF
  3. Configure the sending mailbox account and password
echo "[smtp.163.com]:25 superlollipop@163.com:QFIANRBFCXMHEOVA" > /etc/postfix/sasl_passwd	
#format: [smtp server address]:port USERNAME@gmail.com:PASSWORD

postmap /etc/postfix/sasl_passwd      #rebuild the Postfix lookup table so the change takes effect

  PASSWORD is the third-party client authorization code issued by the mail provider, not the login password; look up your provider's documentation for how to obtain it. If postmap complains that libmysqlclient.so.18 is missing, install the MySQL client library with yum install mariadb-libs. For common mail server addresses and ports, see the article: Common mail server (SMTP, POP3) addresses and ports.

  4. Change the ownership and permissions of the password file and its DB file
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
  5. Start the Postfix service
systemctl start postfix
  6. Test that the configuration works
echo "Test mail from postfix" | mail -s "Test Postfix" -r "superlollipop@163.com" 1769128867@qq.com		
#-s subject: mail subject; -r from-addr: sender address; 1769128867@qq.com is the recipient address
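  Steps 3 and 4 above write /etc/postfix/sasl_passwd with the shell's default umask and tighten the permissions only afterwards, so the SMTP authorization code is briefly readable by every local user. The following is an added example, mine rather than the original post's or Postfix's: it creates the file with mode 0600 from the start. It takes the target directory as a parameter so it can be tried on a temporary directory, assumes a Linux host with GNU coreutils (stat -c), and only calls postmap when it is installed.

```shell
# Added example (not from the original post or from Postfix): write the SASL password map so that
# no world-readable copy of the SMTP authorization code ever exists on disk.
# Assumptions: Linux with GNU coreutils; run as root when targeting /etc/postfix.

# write_sasl_passwd DIR RELAY USER SECRET
#   writes DIR/sasl_passwd as "RELAY USER:SECRET" with mode 0600 and builds the .db map.
write_sasl_passwd() {
    dir="$1"; relay="$2"; user="$3"; secret="$4"
    f="$dir/sasl_passwd"
    rm -f "$f" "$f.db"                       # start clean so the umask decides the mode
    # umask 077 in a subshell: the file is created 0600 instead of 0644-then-chmod
    ( umask 077 && printf '%s %s:%s\n' "$relay" "$user" "$secret" > "$f" ) || return 1
    chown root:root "$f" 2>/dev/null || true # only effective when running as root
    chmod 0600 "$f"
    if command -v postmap >/dev/null 2>&1; then
        ( umask 077 && postmap "$f" ) || return 1
        chmod 0600 "$f.db"
    fi
}

# file_mode PATH: print the octal permission bits, e.g. 600
file_mode() { stat -c '%a' "$1"; }

# Usage on the server (relay and sender from the post; AUTH_CODE is the code your provider issued):
#   write_sasl_passwd /etc/postfix '[smtp.163.com]:25' superlollipop@163.com "$AUTH_CODE"
#   postfix reload
```

  Passing the code in a variable rather than typing it on the command line also keeps it out of shell history; the rest of the Postfix setup (main.cf, starting the service, the test mail) is unchanged.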

  Screenshot of the test mail as received:

  7. Configure /var/ossec/etc/ossec.conf as follows:
<global>
    <email_notification>yes</email_notification>
    <email_to>1769128867@qq.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>superlollipop@163.com</email_from>
</global>

  Note: the <global> block goes inside the <ossec_config> element; see the official documentation: Alerts to a single E-Mail Address

  8. Restart the OSSEC service
/var/ossec/bin/ossec-control restart

  OSSEC email notification is now complete. Rules can be adjusted by editing the XML files under /var/ossec/rules. Many of these rules do not have email notification configured; for example, to be emailed when a user's password is changed, edit /var/ossec/rules/pam_rules.xml as follows:

<rule id="5555" level="3">			      <!-- this rule already exists by default -->
    <options>alert_by_email</options>	              <!-- adding alert_by_email makes the rule send an email notification -->
    <match>: password changed for</match>
    <description>User changed password.</description>
</rule>
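  Before restarting, it helps to know exactly which rules will now send mail, since every added alert_by_email is another message in your inbox. The following is an added example, mine rather than the original post's or OSSEC's: it scans a rules file for <rule> elements whose <options> contain alert_by_email and prints their id and level. The sample rules text is constructed from the edited rule 5555 above plus a second rule without the option.

```shell
# Added example (not from the original post or from OSSEC): list the rules in a rules file
# that will send email because their <options> contain alert_by_email.

# Constructed sample: rule 5555 as edited above, plus a neighbouring rule without the option.
SAMPLE_RULES='<group name="pam,syslog,">
  <rule id="5555" level="3">
    <options>alert_by_email</options>
    <match>: password changed for</match>
    <description>User changed password.</description>
  </rule>
  <rule id="5556" level="3">
    <match>: password changed for</match>
    <description>Constructed rule without email.</description>
  </rule>
</group>'

# ossec_rules_emailing RULES_XML: print "ID LEVEL" for each rule carrying alert_by_email.
# Tracks the current <rule> id/level and resets at </rule>, so options are attributed correctly.
ossec_rules_emailing() {
    printf '%s\n' "$1" | awk '
        /<rule / {
            match($0, /id="[0-9]+"/);    id  = substr($0, RSTART + 4, RLENGTH - 5)
            match($0, /level="[0-9]+"/); lvl = substr($0, RSTART + 7, RLENGTH - 8)
        }
        /<options>[^<]*alert_by_email/ { if (id != "") print id, lvl }
        /<\/rule>/ { id = "" }'
}

# Usage on the server, over the real rules directory:
#   for f in /var/ossec/rules/*.xml; do ossec_rules_emailing "$(cat "$f")" | sed "s|^|$f: |"; done
```

  Running this over /var/ossec/rules after each edit gives a quick audit of which rule ids page you by mail, which is easier to review than scrolling through the XML.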

  Save the file, then run /var/ossec/bin/ossec-control restart so the change takes effect. As a test, after changing the root password on the Server the email notification is received, as shown below:

4. References

[1] The most detailed guide to deploying the latest stable OSSEC

[2] SMTP server with authentication.

[3] Alerts to a single E-Mail Address

