Automated detection and response to attacks

OSSEC

Article from Issue 103/2009
Author(s):

Learn how to monitor and block attacks without lifting a finger.

One of the first things I learned about computer security was logging [1]. If you don't have logs, then trying to reconstruct what happened when something breaks, or when you get broken into, is almost impossible. The second thing I learned was that you have to centralize your logging; this is the only way to get a complete picture and ensure that an attacker can't simply wipe the logs on a compromised host, leaving you nothing to work with. But none of this will alert you to an attacker or, even more importantly, stop an attacker from getting in. It will simply give you something to look at once you figure out you have been broken into. For this, you need a human being in the loop, right? Well, you either need a human being or some smart software.

Wouldn't it be great if you could monitor critical logfiles (like mail and web) and actually have something respond to attacks, notifying you and even blocking the attacker from further access if you so wished? Well you're not the only one. Daniel B. Cid is the lead developer of the OSSEC project, an effort to build an open source host-based intrusion detection system [2]. OSSEC uses a traditional server and agent approach: You install the agent software on each system you want to monitor, and a central server collects all the data and sends out alerts. Additionally, the OSSEC project has released a web-based interface; however, it is only capable of reporting. Unfortunately, it can't be used to configure the system.

Installing OSSEC

When installing OSSEC, you have three options. The server option allows you to have it monitor itself and collect alerts from other systems. The agent option simply monitors local events and fires anything interesting off to the server. The local option runs the monitoring locally and can send email alerts, but it does not listen for any remote agents (so if you have one server or want to test it, this is the option for you). Simply download the OSSEC package (ossec-hids-2.0.tar.gz") and unpack it to a directory:

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Tutorials – Intrusion Protection

    No computer security is perfect, so make sure you've got a second line of protection.

  • Intrusion Detection

    The Prelude security information management system receives both host- and network-based IDS messages and displays them in an easy web interface. We show you how to set it up.

  • Expert Security Intro

    Internet intruders have many ingenious ways of escalating privileges and hiding their presence once they get inside your system. The best protection is to keep them out in the cold.

  • Host-Based IDS

    A host-based intrusion detection system is a simple but powerful tool for finding traces of an attacker's footprint.

  • Security Lessons: Windows Logging

    Windows 7 is pretty good at logging, but what do you do with all those log files? We look at some monitoring tools that can help you get the most out your logging data.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News