Setting up OSSEC on Cent OS | z z z z z z z z z

Installing OSSEC

Product Name : OSSEC
Product Version : 1.6.1
Homepage : http://www.ossec.net/
Description : OSSEC is an Open Source Host-based intrusion detection system. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS, Solaris and Windows. It has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed. It was written by Daniel B. Cid and made public in 2004.

This tool will autosense your system, and send you mails when something is strange or really fishy.

It sends you mail from LEVEL 1 to LEVEL 10, so if you get LEVEL 10 mails you need to read them 🙂

Step 1: Installing OSSEC from Source

cd /usr/local/src
wget http://www.ossec.net/files/ossec-hids-1.6.1.tar.gz
tar -zxf ossec-hids-1.6.1.tar.gz
cd ossec-hids-1.6.1
./install.sh

Step 2: Now the config, my choices are marked with RED text

[root@box ossec-hids-1.6.1]# ./install.sh

Choice 1:
(en/br/cn/de/el/es/fr/it/jp/pl/ru/sr/tr) [en]: <— Enter
Choice 2:
1- What kind of installation do you want (server, agent, local or help)? <— Local
Choice 3:
– Choose where to install the OSSEC HIDS [/var/ossec]: <— Enter
Choice 4:
3.1- Do you want e-mail notification? (y/n) [y]: <— Enter
Choice 4.1:
– What’s your e-mail address? <— Fill in the email you want the alerts to
Choice 4.2: Installer will try to find you smtp server that belongs to your email. Choose NO and use localhost if you have sendmail running on your server.
– Do you want to use it? (y/n) [n]: <— Press N
Choice 4.3:
– What’s your SMTP server ip/host? <— Localhost
Choice 5:
3.2- Do you want to run the integrity check daemon? (y/n) [y]: <— Enter
Choice 6:
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: <— Enter
Choice 7:
– Do you want to enable active response? (y/n) [y]: <— Press Enter
Choice 8:
– Do you want to enable the firewall-drop response? (y/n) [y]: <— Press Enter
Choice 9: Choose Yes if you want to add more IPs to the whitelist. Else NO to continue
– Do you want to add more IPs to the white list? (y/n)? [n]:

Step 3: Installer made OSSEC start at boot.
Step 3.1: To start the OSSEC

/var/ossec/bin/ossec-control start

Step 3.2: To stop the OSSEC

/var/ossec/bin/ossec-control stop

Step 4:For futher settings, edit of the config file

nano /var/ossec/etc/ossec.conf

Optional Config 1: Add this lines in /var/ossec/etc/ossec.conf to get rid of some unnessecary mails from OSSEC
Locate , And add new lines

If you use APF Firewall:

/etc/apf/internals/.last.full
/etc/apf/internals/.apf.restore
/etc/prelink.cache

If you use CSF Firewall:

/etc/csf/csf.temppids
/etc/csf/csf.spamhaus

Restart OSSEC

/var/ossec/bin/ossec-control restart

From

http://74.125.95.132/search?q=cache:bhJziKKdcAcJ:www.securecentos.com/temp/installing-ossec.html+http://www.securecentos.com/installing-ossec.html&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a

SELECT option_name, option_value FROM wp_options WHERE option_name IN ('_site_transient_wp_theme_files_patterns-521ceac6f7ea50d1f2c96a08a1af8fc4','_site_transient_timeout_wp_theme_files_patterns-521ceac6f7ea50d1f2c96a08a1af8fc4')

SELECT DISTINCT t.term_id, tr.object_id FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id INNER JOIN wp_term_relationships AS tr ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy IN ('category', 'post_tag', 'post_format') AND tr.object_id IN (1071) ORDER BY t.name ASC

SELECT wp_posts.* FROM wp_posts LEFT JOIN wp_term_relationships ON (wp_posts.ID = wp_term_relationships.object_id) WHERE 1=1 AND ( wp_term_relationships.term_taxonomy_id IN (468) ) AND wp_posts.post_type = 'nav_menu_item' AND ((wp_posts.post_status = 'publish')) GROUP BY wp_posts.ID ORDER BY wp_posts.menu_order ASC

SELECT DISTINCT t.term_id FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id INNER JOIN wp_term_relationships AS tr ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy IN ('category') AND tr.object_id IN (1071) ORDER BY t.name ASC

SELECT SQL_CALC_FOUND_ROWS wp_comments.comment_ID FROM wp_comments WHERE ( comment_approved = '1' ) AND comment_post_ID = 1071 AND comment_parent = 0 ORDER BY wp_comments.comment_date_gmt ASC, wp_comments.comment_ID ASC

[0] => themes/twentyeleven/inc/theme-options.php [1] => themes/twentyeleven/inc/widgets.php [2] => themes/twentyeleven/single.php [3] => themes/twentyeleven/header.php [4] => themes/twentyeleven/searchform.php [5] => themes/twentyeleven/content-single.php [6] => themes/twentyeleven/comments.php [7] => themes/twentyeleven/footer.php [8] => themes/twentyeleven/sidebar-footer.php

$_SERVER = array ( 'SERVER_SOFTWARE' => 'Apache', 'REQUEST_URI' => '/setting-up-ossec-on-cent-os/', 'LSPHP_ENABLE_USER_INI' => 'on', 'PATH' => '/usr/local/bin:/usr/bin:/bin', 'TEMP' => '/tmp', 'TMP' => '/tmp', 'TMPDIR' => '/tmp', 'PWD' => '/', 'HTTP_ACCEPT' => '*/*', 'HTTP_ACCEPT_ENCODING' => 'gzip, br, zstd, deflate', 'CONTENT_LENGTH' => '0', 'HTTP_HOST' => 'www.zzzzzzzzz.net', 'HTTP_REFERER' => 'https://zzzzzzzzz.net/?p=1071', 'HTTP_USER_AGENT' => 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)', 'HTTP_X_HTTPS' => '1', 'REDIRECT_UNIQUE_ID' => 'Z4t-Hj9zsxL2X35Aq2YH0wAAbms', 'REDIRECT_QS_ConnectionId' => '173719503841144667402508', 'REDIRECT_SCRIPT_URL' => '/setting-up-ossec-on-cent-os/', 'REDIRECT_SCRIPT_URI' => 'https://www.zzzzzzzzz.net/setting-up-ossec-on-cent-os/', 'REDIRECT_HTTPS' => 'on', 'REDIRECT_SSL_TLS_SNI' => 'www.zzzzzzzzz.net', 'REDIRECT_HTTP2' => 'on', 'REDIRECT_H2PUSH' => 'off', 'REDIRECT_H2_PUSH' => 'off', 'REDIRECT_H2_PUSHED' => '', 'REDIRECT_H2_PUSHED_ON' => '', 'REDIRECT_H2_STREAM_ID' => '1', 'REDIRECT_H2_STREAM_TAG' => '402508-1567-1', 'REDIRECT_STATUS' => '200', 'UNIQUE_ID' => 'Z4t-Hj9zsxL2X35Aq2YH0wAAbms', 'QS_ConnectionId' => '173719503841144667402508', 'SCRIPT_URL' => '/setting-up-ossec-on-cent-os/', 'SCRIPT_URI' => 'https://www.zzzzzzzzz.net/setting-up-ossec-on-cent-os/', 'HTTPS' => 'on', 'SSL_TLS_SNI' => 'www.zzzzzzzzz.net', 'HTTP2' => 'on', 'H2PUSH' => 'off', 'H2_PUSH' => 'off', 'H2_PUSHED' => '', 'H2_PUSHED_ON' => '', 'H2_STREAM_ID' => '1', 'H2_STREAM_TAG' => '402508-1567-1', 'SERVER_SIGNATURE' => '', 'SERVER_NAME' => 'www.zzzzzzzzz.net', 'SERVER_ADDR' => '192.185.137.117', 'SERVER_PORT' => '443', 'REMOTE_ADDR' => '18.117.107.43', 'DOCUMENT_ROOT' => '/home1/zzz/public_html', 'REQUEST_SCHEME' => 'https', 'CONTEXT_PREFIX' => '', 'CONTEXT_DOCUMENT_ROOT' => '/home1/zzz/public_html', 'SERVER_ADMIN' => 'webmaster@zzzzzzzzz.net', 'SCRIPT_FILENAME' => '/home1/zzz/public_html/index.php', 'REMOTE_PORT' => '7783', 'REDIRECT_URL' => '/setting-up-ossec-on-cent-os/', 'SERVER_PROTOCOL' => 'HTTP/2.0', 'REQUEST_METHOD' => 'GET', 'QUERY_STRING' => '', 'SCRIPT_NAME' => '/index.php', 'PHP_SELF' => '/index.php', 'REQUEST_TIME_FLOAT' => 1737195038.4230899810791015625, 'REQUEST_TIME' => 1737195038, 'argv' => array ( ), 'argc' => 0, );

0.6452	`SELECT option_value FROM wp_options WHERE option_name = 'GOTMLS_nonce_array' LIMIT 1`
0.5579	`SELECT option_value FROM wp_options WHERE option_name = 'GOTMLS_definitions_array' LIMIT 1`
0.5441	`SELECT option_value FROM wp_options WHERE option_name = 'GOTMLS_scan_log/18.117.107.43/1737195038.444' LIMIT 1`
0.6490	`SELECT option_value FROM wp_options WHERE option_name = 'gzipcompression' LIMIT 1`
0.7350	`SELECT option_value FROM wp_options WHERE option_name = 'rsssl_encryption_keys_set' LIMIT 1`
0.7620	`SELECT option_value FROM wp_options WHERE option_name = 'rsssl_le_certificate_generated_by_rsssl' LIMIT 1`
0.6599	`SELECT option_value FROM wp_options WHERE option_name = 'rsssl_ssl_activation_active' LIMIT 1`
0.8709	`SELECT option_name, option_value FROM wp_options WHERE option_name IN ('_site_transient_wp_theme_files_patterns-521ceac6f7ea50d1f2c96a08a1af8fc4','_site_transient_timeout_wp_theme_files_patterns-521ceac6f7ea50d1f2c96a08a1af8fc4')`
0.5231	`SELECT option_value FROM wp_options WHERE option_name = 'preload_cache_counter' LIMIT 1`
0.8049	`SELECT ID, post_name, post_parent, post_type FROM wp_posts WHERE post_name IN ('setting-up-ossec-on-cent-os') AND post_type IN ('page','attachment')`
0.8290	`SELECT wp_posts.* FROM wp_posts WHERE 1=1 AND wp_posts.post_name = 'setting-up-ossec-on-cent-os' AND wp_posts.post_type = 'post' ORDER BY wp_posts.post_date DESC`
0.8559	`SELECT DISTINCT t.term_id, tr.object_id FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id INNER JOIN wp_term_relationships AS tr ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy IN ('category', 'post_tag', 'post_format') AND tr.object_id IN (1071) ORDER BY t.name ASC`
0.5791	`SELECT t., tt. FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE t.term_id IN (1)`
0.5209	`SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE post_id IN (1071) ORDER BY meta_id ASC`
0.8841	`SELECT * FROM wp_posts WHERE ID = 1716 LIMIT 1`
0.7129	`SELECT option_value FROM wp_options WHERE option_name = 'https_migration_required' LIMIT 1`
0.7629	`SELECT option_value FROM wp_options WHERE option_name = 'site_logo' LIMIT 1`
0.9511	`SELECT t., tt. FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE t.term_id = 468`
2.1119	`SELECT wp_posts.* FROM wp_posts LEFT JOIN wp_term_relationships ON (wp_posts.ID = wp_term_relationships.object_id) WHERE 1=1 AND ( wp_term_relationships.term_taxonomy_id IN (468) ) AND wp_posts.post_type = 'nav_menu_item' AND ((wp_posts.post_status = 'publish')) GROUP BY wp_posts.ID ORDER BY wp_posts.menu_order ASC`
1.5790	`SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE post_id IN (1670,1671,1672,1681,1682) ORDER BY meta_id ASC`
1.0569	`SELECT wp_posts.* FROM wp_posts WHERE ID IN (1542,1534,1579,1544)`
0.8540	`SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE post_id IN (1542,1534,1579,1544) ORDER BY meta_id ASC`
0.9930	`SELECT DISTINCT t.term_id FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id INNER JOIN wp_term_relationships AS tr ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy IN ('category') AND tr.object_id IN (1071) ORDER BY t.name ASC`
1.5440	`SELECT user_id, meta_key, meta_value FROM wp_usermeta WHERE user_id IN (1) ORDER BY umeta_id ASC`
0.4110	`SELECT * FROM wp_users WHERE ID IN (1)`
0.5932	`SELECT p.ID FROM wp_posts AS p WHERE p.post_date < '2009-10-06 15:14:27' AND p.post_type = 'post' AND p.post_status = 'publish' ORDER BY p.post_date DESC LIMIT 1`
0.5779	`SELECT * FROM wp_posts WHERE ID = 1072 LIMIT 1`
0.5260	`SELECT p.ID FROM wp_posts AS p WHERE p.post_date > '2009-10-06 15:14:27' AND p.post_type = 'post' AND p.post_status = 'publish' ORDER BY p.post_date ASC LIMIT 1`
0.6289	`SELECT * FROM wp_posts WHERE ID = 1070 LIMIT 1`
1.1539	`SELECT SQL_CALC_FOUND_ROWS wp_comments.comment_ID FROM wp_comments WHERE ( comment_approved = '1' ) AND comment_post_ID = 1071 AND comment_parent = 0 ORDER BY wp_comments.comment_date_gmt ASC, wp_comments.comment_ID ASC`
0.5100	`SELECT option_value FROM wp_options WHERE option_name = 'akismet_comment_nonce' LIMIT 1`
0.5078	`SELECT option_value FROM wp_options WHERE option_name = 'akismet_comment_form_privacy_notice' LIMIT 1`

Installing OSSEC

Leave a Reply Cancel reply