Building OSSEC - A Young Man's Journey

Written by: Steve McMaster
From Eye of the Storm - December 2007

There is no such thing as an “unhackable network.” There, I said it. I got it out of the way right off the bat. The same goes for any sort of security system – none is totally foolproof. Think back through all of the movies you have ever watched where something highly coveted is being protected. Were there more than just a locked door and some cameras guarding that special something? Maybe infrared trip lasers, or motion sensors, or guard dogs? The point is: there is (almost) always something more. In IT, we call this securing in layers or defense in depth.

I heard a talk once where the presenter said the true strength of your network security comes when you take away your firewall; what happens to your network if someone adds an “Any to Any on Any Accept” rule to the top of your rulebase? Does your network fall apart and crumble? Obviously, that’s quite a blow to the defense of your network – but can you fight from one knee until reinforcements arrive? One of the best tools you can get to help you out is software called OSSEC.

The idea behind OSSEC is simple: have software that watches your logs, understands what they mean, and reacts as necessary. Let's say Joe Scriptkiddie decides to brute force your email server. Any good mail server will log a failed authentication attempt. But you're not watching your email logs 24/7, are you? So how could you know that's going on? Maybe your network gets a little slow (especially email), maybe you get an alert that CPU load is high. But other than that, you won't know until someone's email account is compromised, unless you're using something like OSSEC. OSSEC sees repeated authentication failures from a single source and acts on them. You can have it email you, page you, or block the attacker in his tracks. No hijacked email account for Joe today.

Getting OSSEC running is surprisingly simple, considering how powerful it is. All it takes is some knowledge of Linux and knowing which logs you want to watch. Don't worry, there is an agent for Windows servers too; however, the server itself runs only on Unix/Linux.

To get started, head on over to the OSSEC website. There you will find not only downloads, but also the official documentation and links on how to get support. There is a download tab at the top of the page; click it and you will be given a list of download options: a Unix/Linux version, a Windows version, and a web interface (oh yeah, OSSEC has a pretty web interface, but it requires some extra software and is beyond the scope of this article). The Windows version is only supported as an agent, that is, it needs a server running on a Unix/Linux box somewhere to report to, so keep this in mind if you want to use OSSEC on a Windows server. Choose the download you'd like and save it to your computer. At this point, you will need to use some form of file transfer to get the file over to the server you want to watch.

OSSEC installations come in three flavors: server, agent, and standalone (the installer calls the standalone flavor "local"). Unless you have one server that runs your whole network, you're probably going to want the server/agent setup. If you want to monitor a Windows server, standalone is not an option, since OSSEC only comes as an agent for Windows. Server/agent is going to be the most common, therefore that's the one I'm going to talk about.

To get the server installed, find yourself a Unix/Linux box to use as your server. OSSEC doesn't really care where the server is running, as long as you put it on a Unix/Linux box. Since the installer runs as root, verify the tarball against the checksum published for the release before you run it. Here's what I ran to get it installed:

$ cd /tmp
$ wget http://www.ossec.net/files/ossec-hids-1.4.tar.gz
$ tar xzf ossec-hids-1.4.tar.gz
$ cd ossec-hids-1.4
$ su -          (or: sudo -i, to become root)
# ./install.sh

After this, it will ask you some questions, such as what language you want. Answer the questions as they suit your network. When you are asked about the type of installation you want to perform, select the server installation. In general, I install OSSEC server installations to /var/ossec, and agent installations (on Linux, anyway) to /usr/local/ossec, just to keep them straight. Moving on, you will more than likely want email notification. When asked, give it an email address to send to, and correct the SMTP server it detects if you need to. You will want to run the integrity check daemon. It watches your files and lets you know when they change, which is how you catch a modified binary or configuration file that never shows up in any log. Enable the rootkit detection engine as well; it checks the host itself for signs of compromise, so OSSEC is not relying on the logs alone.

Active response is like a lot of other automated tools in the security field in that it can be quite the double-edged sword. While it is nice to be able to block an attacker automatically without requiring any interaction from you, an automated tool can't distinguish between an attacker and someone who has forgotten their password and is trying to log in repeatedly. Enable it if you'd like to use it, and disable it if you think it could cause issues. Using it for very specific things is a good idea; for instance, blocking an FTP or SSH dictionary attack with it is an excellent use. Two precautions are worth taking if you turn it on: give every block a timeout so that a mistaken block expires on its own, and put the addresses you can never afford to lose (your own workstation, your DNS servers, your gateway) on the active-response whitelist in ossec.conf, so that an attacker cannot trick OSSEC into blocking them. The OSSEC website has documentation in the manual about using active response.
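As an added illustration of the "use it for very specific things" advice, here is an ossec.conf fragment that narrows active response to the sshd brute-force case and protects the hosts you must never block. This is example configuration written for this article, not a copy of anything the OSSEC project ships. The white_list, command and active-response elements, the "local" location and the firewall-drop.sh script are OSSEC's own; the addresses are constructed, and rule ID 5712 is assumed to be the "SSHD brute force" rule in the sshd_rules.xml installed on your server, so check the ID there before you rely on it.

```xml
<ossec_config>
  <global>
    <!-- Addresses that active response must never block, whatever the
         logs say: localhost, the admin workstation, the DNS server and
         the default gateway. Constructed addresses; substitute your own. -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.1.10</white_list>
    <white_list>192.168.1.53</white_list>
    <white_list>192.168.1.1</white_list>
  </global>

  <!-- The response command: firewall-drop.sh ships with OSSEC in
       active-response/bin and adds a firewall rule against the offending
       source address. timeout_allowed lets OSSEC undo the block later. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- The broad form, left commented out: this fires on ANY alert of
       level 6 or above, which is how a forgotten password turns into a
       blocked user. -->
  <!--
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  -->

  <!-- The narrow form: respond only to the sshd brute-force rule, only on
       the host that saw the attack, and lift the block after ten minutes. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

These elements belong at the top level of ossec.conf; put them in place of the active-response block the installer wrote for you and restart OSSEC. If you decide active response is not worth the risk for now, a single <active-response><disabled>yes</disabled></active-response> element switches the whole feature off without removing the rest of the configuration.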

Remote syslog is probably something you won't really need at first. It lets OSSEC receive syslog messages over the network from devices that can't run an agent: you can send your Cisco router and switch logs to it, and OSSEC will understand them and do some basic alerting on them. For ordinary servers, though, OSSEC does a good job on its own of picking up which log files need to be analyzed, so unless you have such devices, turn this off. If you do enable it, remember that syslog over UDP is unauthenticated, so restrict the source addresses OSSEC will accept in ossec.conf.

After this, OSSEC determines which logs will need to be monitored on the server and generates your configuration. You will be given a prompt such as "Press ENTER to continue". Do as it says. The installer will proceed to compile OSSEC for use on your system. When it's done, you will get another prompt similar to that, and above it will be the commands to start and stop OSSEC. Run the command it gives you to start your server (i.e. '/var/ossec/bin/ossec-control start').

Now that you have your server set up, you need some agents to report to it. For a Unix/Linux agent, the installation is basically the same, except you choose agent instead of server during the installation, and the installer asks you for the IP address of your server. Again, answer the questions as best fits your desired operation. If you're setting up a Windows agent, installation proceeds the same as any other standard Windows app; you will get similar configuration questions, and OSSEC will be installed.

The last step to getting OSSEC installed is the agent key. Every agent has a key that is used to encrypt the traffic between it and the server. These keys are generated on the server and must be keyed in (manually) on every agent; treat them as secrets and move them over a secure channel (ssh or the console), not by email. First, log in to your OSSEC server. In the following, replace $OSSEC with whatever directory you installed OSSEC to (the default is '/var/ossec'). Run $OSSEC/bin/manage_agents. You will be given a menu of choices: choose (A) for Add an agent. You will need to enter a name for the agent (I just use the full domain name), the IP address of the agent, and the ID (it is easiest to just use the default ID). The IP address must be the one the server actually sees the agent coming from, so if the agent sits behind NAT, use the translated address. You will be asked to confirm adding the agent: make sure your info is correct, and confirm. You will be taken back to the main menu. This time, choose (E) for Extract key for an agent. Enter the ID of the agent you want the key for (a list of IDs and matching agents will be given), and the key will be displayed for you. Copy this to your clipboard; you will need it. Exit the manager and restart OSSEC (/etc/init.d/ossec restart) so the server picks up the new agent.

Adding the key to a Windows agent is very easy. Open the Manage Agent tool from your Start menu, enter the server IP, paste the key, and click Save. On the Manage menu, click Start OSSEC. If everything is configured correctly (including any firewalls that may be between agent and server; the agent needs to reach the server on udp/1514), you will have a working OSSEC setup. For a Unix/Linux agent, run the same command as above ($OSSEC/bin/manage_agents), choose (I) for Import key, and paste the key. Exit the manager and start OSSEC (/etc/init.d/ossec start). Voilà! A working Linux OSSEC agent.

This is enough to give you a basic OSSEC infrastructure. What remains is the fine tuning of your alerts and the maintenance of your agents. You will get A LOT of email alerts from a default installation, so be prepared. Keep an eye open for a follow-up article on these topics.
