Automated detection and response to attacks


Once you have the server running, it's high time to get the rest of your herd reporting to it. Simply install the OSSEC software on any machines you want to monitor, choosing the agent installation option, of course.

During the install, you will be asked for the IP address of the server and standard options regarding which monitoring options you want. Once you have finished, you will need to create and import the agent key, which is done via the manage_agents program. On the server you simply add the agent.

Once finished you can extract the key for a particular agent, then you will need to cut and paste it (remote login via SSH is your best bet). Simply run manage_agents on the agent and import the key. The process is similar for Windows, but a graphical interface has been added as the default to make it easier (fortunately, the command-line versions of all the programs are available, which allows scripted management to be done remotely via the command line).

By default, OSSEC monitors all files in /etc, /bin, /sbin, /usr/bin, and /usr/sbin (essentially the guts of almost any system) and a large number of network daemon logfiles (named, smbd, mysql, telnetd, etc.).

To modify which directories are monitored or to add new rulesets for monitoring services, you simply edit the ossec.conf file, which uses an XML-style format that is largely self-explanatory.


So now that you have OSSEC properly set up and it's protecting your network, what do you do now? One feature I love about OSSEC is the reporting. For example, you can generate text reports on the top activity for IP addresses, attempted login names, and so on.

Of course, a text-based report is unlikely to impress your boss; fortunately, there is a solution for this. The web user interface for OSSEC allows ad hoc queries, but unfortunately, it does not support configuration of the server or agents (for that, you have to stick to the command line).

Additionally, OSSEC WebUI allows you to see the state of your server and agents at a glance (Figure 1).

Figure 1: The Main tab of the OSSEC web interface shows some information about the latest modified files and events.


Of course, I would be amiss if I failed to mention Tripwire [3]. Tripwire is the granddaddy of HIDS, monitoring and reporting on file changes on Unix systems (and now on Windows), routers, and other devices.

Tripwire is still available as an open source package; however, it has not been updated in several years (although one could argue it is largely a finished project).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Tutorials – Intrusion Protection

    No computer security is perfect, so make sure you've got a second line of protection.

  • Intrusion Detection

    The Prelude security information management system receives both host- and network-based IDS messages and displays them in an easy web interface. We show you how to set it up.

  • Expert Security Intro

    Internet intruders have many ingenious ways of escalating privileges and hiding their presence once they get inside your system. The best protection is to keep them out in the cold.

  • Host-Based IDS

    A host-based intrusion detection system is a simple but powerful tool for finding traces of an attacker's footprint.

  • Security Lessons: Windows Logging

    Windows 7 is pretty good at logging, but what do you do with all those log files? We look at some monitoring tools that can help you get the most out your logging data.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More