Automated detection and response to attacks
OSSEC Agent
Once you have the server running, it's high time to get the rest of your herd reporting to it. Simply install the OSSEC software on any machines you want to monitor, choosing the agent installation option, of course.
During the install, you will be asked for the IP address of the server and standard options regarding which monitoring options you want. Once you have finished, you will need to create and import the agent key, which is done via the manage_agents program. On the server you simply add the agent.
Once finished you can extract the key for a particular agent, then you will need to cut and paste it (remote login via SSH is your best bet). Simply run manage_agents on the agent and import the key. The process is similar for Windows, but a graphical interface has been added as the default to make it easier (fortunately, the command-line versions of all the programs are available, which allows scripted management to be done remotely via the command line).
By default, OSSEC monitors all files in /etc, /bin, /sbin, /usr/bin, and /usr/sbin (essentially the guts of almost any system) and a large number of network daemon logfiles (named, smbd, mysql, telnetd, etc.).
To modify which directories are monitored or to add new rulesets for monitoring services, you simply edit the ossec.conf file, which uses an XML-style format that is largely self-explanatory.
OSSEC WebUI
So now that you have OSSEC properly set up and it's protecting your network, what do you do now? One feature I love about OSSEC is the reporting. For example, you can generate text reports on the top activity for IP addresses, attempted login names, and so on.
Of course, a text-based report is unlikely to impress your boss; fortunately, there is a solution for this. The web user interface for OSSEC allows ad hoc queries, but unfortunately, it does not support configuration of the server or agents (for that, you have to stick to the command line).
Additionally, OSSEC WebUI allows you to see the state of your server and agents at a glance (Figure 1).

Tripwire
Of course, I would be amiss if I failed to mention Tripwire [3]. Tripwire is the granddaddy of HIDS, monitoring and reporting on file changes on Unix systems (and now on Windows), routers, and other devices.
Tripwire is still available as an open source package; however, it has not been updated in several years (although one could argue it is largely a finished project).
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
News
-
Kali Linux 2022.3 Released
From the creators of the most popular penetration testing distributions on the planet, comes a new release with some new tools and a community, real-time chat option.
-
The 14" Pinebook Pro Linux Laptop is Shipping
After a considerable delay, the 14" version of the Pinebook Pro laptop is, once again, available for purchase.
-
OpenMandriva Lx ROME Technical Preview Released
OpenMandriva’s rolling release distribution technical preview has been released for testing purposes and adds some of the latest/greatest software into the mix.
-
Linux Mint 21 is Now Available
The latest iteration of Linux Mint, codenamed Vanessa, has been released with a new upgrade tool and other fantastic features.
-
Firefox Adds Long-Anticipated Feature
Firefox 103 has arrived and it now includes a feature users have long awaited…sort of.
-
System76 Refreshes Their Popular Oryx Pro Laptop with a New CPU
The System76 Oryx Pro laptop has been relaunched with a 12th Gen CPU and more powerful graphics options.
-
Elive Has Released a New Beta
The Elive team is proud to announce the latest beta version (3.8.30) of its Enlightenment-centric Linux distribution.
-
Rocky Linux 9 Has Arrived
The latest iteration of Rocky Linux is now available and includes a host of new features and support for new architecture.
-
Slimbook Executive Linux Ultrabook Upgrading Their CPUs
The Spanish-based company, Slimbook, has made available their next generation Slimbook Executive Linux ultrabooks with a 12th Gen Intel Alder Lake CPU.
-
Fedora Linux is Coming to the Raspberry Pi 4
Thanks to significant work in the upstream, the upcoming release of Fedora 37 will introduce support for the Raspberry Pi 4.