OSSEC简要介绍： 

OSSEC 是一款开源的入侵检测系统，包括了日志分析，全面检测，rook-kit检测。作为一款HIDS，OSSEC应该被安装在一台实施监控的系统中。另外有时候不需要安装完全版本的OSSEC，如果有多台电脑都安装了OSSEC，那么就可以采用客户端/服务器模式来运行。客户机通过客户端程序将数据发回到服务器端进行分析。在一台电脑上对多个系统进行监控对于企业或者家庭用户来说都是相当经济实用的。

ossec 概念图

环境： 

centos5.5 x86_64 

ossec-hids-2.7-beta1

10.10.10.240 ossec server 

10.10.10.141 ossec client1

下载软件包

wget http://www.ossec.net/files/ossec-hids-2.7-beta-1.tar.gz

一、ossec server安装

配置源码,使能够兼容mysql

[root@logserver src]# tar -xf ossec-hids-2.7-beta-1.tar.gz

[root@logserver src]# cd ossec-hids-2.7-beta1/

[root@logserver ossec-hids-2.7-beta1]# cd src

[root@logserver src]# make setdb

Info: Compiled with MySQL support

[root@logserver ossec-hids-2.7-beta1]# ./install.sh 

[root@logserver ossec-hids-2.7-beta1]# /var/ossec/bin/ossec-control enable database

[root@logserver ossec-hids-2.7-beta1]# mysql -u root -p

mysql>  create database ossec;

Query OK, 1 row affected (0.04 sec)

mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@ identified by 'ossecpass';

Query OK, 0 rows affected (0.10 sec)

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

[root@logserver ossec-hids-2.7-beta1]# cd contrib/

[root@logserver contrib]# vim ossec2mysql.conf

# PARAMS USED BY  OSSEC2BASED

dbhost=localhost

database=ossecuser

debug=5

dbport=3306

dbpasswd=ossecpass

dbuser=ossec

daemonize=0

sensor=centralserver

hids_inter>

导入数据

[root@logserver contrib]# mysql -u ossecuser -p < /usr/local/src/ossec-hids-2.7-beta1/contrib/ossec2mysql.sql 

在末尾添加

 <database_output>

        <hostname>10.10.10.137</hostname>

        <username>ossecuser</username>

        <password>ossecpass</password>

        <database>ossec</database>

        <type>mysql</type>

    </database_output>

</ossec_config>

2.启动ossec

[root@logserver etc]# /var/ossec/bin/ossec-control restart

添加agent key

二、ossec cilent安装

 tar xf ossec-hids-2.7-beta-1.tar.gz

 cd ossec-hids-2.7-beta1/

 ./install.sh

-->cn

-->client

/usr/local/ossec/bin/manage_agents  

三、添加ossec client到ossec server

server:

/usr/local/ossec/bin/manage_agents

A

name

IP

E

001

cpoy key

q

client

/usr/local/ossec/bin/manage_agents

-->i

-->paste key

-->y

 /usr/local/ossec/bin/ossec-control start

Starting OSSEC HIDS v2.7-beta1 (by Trend Micro Inc.)...

Started ossec-execd...

Started ossec-agentd...

Started ossec-logcollector...

Started ossec-syscheckd...

Completed.

You have new mail in /var/spool/mail/root

[root@redmine src]# netstat -antup|grep ossec

udp        0      0 10.10.10.141:35928          10.10.10.240:1514           ESTABLISHED 28558/ossec-agentd

四、安装管理界面

wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz

[root@db src]# tar xf ossec-wui-0.3.tar.gz 

[root@db src]# cd ossec-wui-0.3

[root@db ossec-wui-0.3]# ls

CONTRIB  css  htaccess_def.txt  img  index.php  js  lib  LICENSE  ossec_conf.php  README  README.search  setup.sh  site

[root@db ossec-wui-0.3]# cp -Rf * /usr/local/ossec/

[root@db ossec-wui-0.3]# cd /usr/local/ossec/

运行配置脚本

[root@db ossec]# ./setup.sh

配置ossec权限

[root@db ossec]# chgrp apache tmp/

[root@db ossec]# chmod 770 -R tmp/

[root@db ossec]#cat /etc/group

apache:x:48:ossec

 [root@db ossec]# yum install -y php.x86_64   php-cli.x86_64  php-devel.x86_64 httpd

yum install -y httpd php

添加虚拟目录

[root@db ~]# cat /etc/httpd/conf.d/vdoc.conf

Alias /ossec/ "/usr/local/ossec/"

<Directory "/usr/local/ossec/">

    Options Indexes FollowSymLinks

    AllowOverride None

    Order allow,deny

 Allow from all

#  Order deny,allow

#  Deny from all

#  Allow from 127.0.0.1

   AuthName "OSSEC AUTH"

   AuthType Basic

   AuthUserFile /usr/local/ossec/.htpasswd

   Require valid-user

</Directory> 

ossec预览

望月飞鱼版权所有

©著作权归作者所有：来自51CTO博客作者珏石头的原创作品，如需转载，请注明出处，否则将追究法律责任

ossec防篡改OperatingSystem