In this short tutorial, we will learn how to install the OSSEC HIDS server, version 3.6.0, on Ubuntu 20.04 LTS.
Introduction
OSSEC is a free, scalable, multi-platform, open-source host-based intrusion detection system (HIDS). OSSEC performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. OSSEC has powerful correlation and analysis engines that provide log analysis and intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. OSSEC has a centralized, cross-platform architecture that allows multiple systems to be monitored and managed easily. In this tutorial, we will learn how to install the OSSEC HIDS server on Ubuntu 20.04 LTS.
OSSEC Installation On Ubuntu 20.04 LTS
The installation steps are as follows:
- Installing required packages
  - Run system update
  - Install required dependencies
- Install OSSEC HIDS on Ubuntu 20.04 LTS
  - Download OSSEC repository
  - Install OSSEC
- Starting the OSSEC application service
- Install OSSEC Web UI
- Access OSSEC Web UI
These items are explained in more detail below.
1. Installing Required Packages
In this stage we prepare the system before OSSEC is installed: we update the package index and install the required build dependencies. For this purpose we run the commands below.
$ sudo apt-get update
$ sudo apt-get install build-essential make zlib1g-dev libpcre2-dev libevent-dev libssl-dev mysql-dev postgresql-dev
$ sudo apt-get install libsqlite3-dev
The output is shown below:
ramans@master01:~$ sudo apt-get install build-essential make zlib1g-dev libpcre2-dev libevent-dev libssl-dev build-essential zlib1g-dev libpcre2-dev mysql-dev postgresql-dev libsqlite3-dev
[sudo] password for ramans:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  binutils binutils-common binutils-x86-64-linux-gnu cpp-9 dpkg-dev fakeroot g++ g++-9 gcc gcc-10-base gcc-9 gcc-9-base libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libasan5 libatomic1 libbinutils libc-dev-bin libc6 libc6-dbg libc6-dev libcc1-0 libcrypt-dev libctf-nobfd0 libctf0 libevent-core-2.1-7 libevent-extra-2.1-7 libevent-openssl-2.1-7 libevent-pthreads-2.1-7 libfakeroot libgcc-9-dev libgcc-s1 libgomp1 libitm1 liblsan0 libpcre2-16-0 libpcre2-posix2 libquadmath0 libssl1.1 libstdc++-9-dev libstdc++6 libtsan0 libubsan1 linux-libc-dev manpages-dev zlib1g
Suggested packages:
  binutils-doc gcc-9-locales debian-keyring g++-multilib g++-9-multilib gcc-9-doc gcc-multilib autoconf automake libtool flex bison gcc-doc gcc-9-multilib glibc-doc libssl-doc libstdc++-9-doc make-doc
The following NEW packages will be installed:
  binutils binutils-common binutils-x86-64-linux-gnu build-essential dpkg-dev fakeroot g++ g++-9 gcc gcc-9 libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libasan5 libatomic1 libbinutils libc-dev-bin libc6-dev libcrypt-dev libctf-nobfd0 libctf0 libevent-core-2.1-7 libevent-dev libevent-extra-2.1-7 libevent-openssl-2.1-7 libevent-pthreads-2.1-7 libfakeroot libgcc-9-dev libitm1 liblsan0 libpcre2-16-0 libpcre2-dev libpcre2-posix2 libquadmath0 libssl-dev libstdc++-9-dev libtsan0 libubsan1 linux-libc-dev make manpages-dev zlib1g-dev
The following packages will be upgraded:
  cpp-9 gcc-10-base gcc-9-base libc6 libc6-dbg libcc1-0 libgcc-s1 libgomp1 libssl1.1 libstdc++6 zlib1g
11 upgraded, 42 newly installed, 0 to remove and 527 not upgraded.
Need to get 46.3 MB/60.2 MB of archives.
After this operation, 202 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
ramans@master01:~$ sudo apt-get install libsqlite3-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libsqlite3-0
Suggested packages:
  sqlite3-doc
The following NEW packages will be installed:
  libsqlite3-dev
The following packages will be upgraded:
  libsqlite3-0
1 upgraded, 1 newly installed, 0 to remove and 526 not upgraded.
Need to get 1,245 kB of archives.
After this operation, 2,373 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
2. Install OSSEC HIDS on Ubuntu 20.04 LTS
2.1. Download Latest OSSEC Source Code
In this stage we will install OSSEC from the OSSEC package repository provided by Atomicorp. For this purpose we download the repository installer script and run it. Note that the command below executes a script fetched over the network as root; if your change policy requires it, save the script to a file and review it before running it.
$ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
The output is shown below:
ramans@master01:~$ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
Atomic Free Unsupported Archive installer, version 5.0.2
BY INSTALLING THIS SOFTWARE AND BY USING ANY AND ALL SOFTWARE PROVIDED BY ATOMICORP LIMITED YOU ACKNOWLEDGE AND AGREE: THIS SOFTWARE AND ALL SOFTWARE PROVIDED IN THIS REPOSITORY IS PROVIDED BY ATOMICORP LIMITED AS IS, IS UNSUPPORTED AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ATOMICORP LIMITED, THE COPYRIGHT OWNER OR ANY CONTRIBUTOR TO ANY AND ALL SOFTWARE PROVIDED BY OR PUBLISHED IN THIS REPOSITORY BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
For supported software packages please contact us at: sales@atomicorp.com
Do you agree to these terms? (yes/no) [Default: yes]
Configuring the [atomic] repo archive for this system
Installing the Atomic GPG keys: OK
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease
. . .
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for install-info (6.7.0.dfsg.2-5) ...
W: --force-yes is deprecated, use one of the options starting with --allow instead.
--2022-01-16 06:55:14-- https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt
Resolving www.atomicorp.com (www.atomicorp.com)... 74.208.77.16
Connecting to www.atomicorp.com (www.atomicorp.com)|74.208.77.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1694 (1.7K) [text/plain]
Saving to: 'STDOUT'
- 100%[=====================================================>] 1.65K --.-KB/s in 0s
2022-01-16 06:55:16 (296 MB/s) - written to stdout [1694/1694]
OK
Adding [atomic] to /etc/apt/sources.list.d/atomic.list: OK
The Atomic repo has now been installed and configured for your system
The following channels are available:
  atomic - [ACTIVATED] - contains the stable tree of ART packages
  atomic-testing - [DISABLED] - contains the testing tree of ART packages
  atomic-bleeding - [DISABLED] - contains the development tree of ART packages
2.2. Install OSSEC
After the repository has been added, we install the OSSEC server package with the following commands:
$ sudo apt-get update
$ sudo apt-get install ossec-hids-server
The output is shown below:
ramans@master01:~$ sudo apt-get update
Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Get:5 https://updates.atomicorp.com/channels/atomic/ubuntu focal InRelease [1,798 B]
Get:6 https://updates.atomicorp.com/channels/atomic/ubuntu focal/main amd64 Packages [1,602 B]
Fetched 3,400 B in 5s (691 B/s)
Reading package lists... Done
ramans@master01:~$ sudo apt-get install ossec-hids-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  expect geoip-database libgeoip1 libtcl8.6 tcl-expect tcl8.6
Suggested packages:
  tk8.6 geoip-bin tcl-tclreadline
The following NEW packages will be installed:
  expect geoip-database libgeoip1 libtcl8.6 ossec-hids-server tcl-expect tcl8.6
0 upgraded, 7 newly installed, 0 to remove and 515 not upgraded.
Need to get 4,991 kB of archives.
After this operation, 22.4 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu focal/main amd64 libtcl8.6 amd64 8.6.10+dfsg-1 [902 kB]
Get:2 https://updates.atomicorp.com/channels/atomic/ubuntu focal/main amd64 ossec-hids-server amd64 3.6.0-16569focal [731 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu focal/main amd64 tcl8.6 amd64 8.6.10+dfsg-1 [14.8 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 tcl-expect amd64 5.45.4-2build1 [105 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 expect amd64 5.45.4-2build1 [137 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 geoip-database all 20191224-2 [3,029 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 libgeoip1 amd64 1.6.12-6build1 [70.5 kB]
Fetched 4,991 kB in 23s (219 kB/s)
Preconfiguring packages ...
...
Unpacking ossec-hids-server (3.6.0-16569focal) ...
Setting up libtcl8.6:amd64 (8.6.10+dfsg-1) ...
Setting up libgeoip1:amd64 (1.6.12-6build1) ...
Setting up geoip-database (20191224-2) ...
Setting up tcl8.6 (8.6.10+dfsg-1) ...
Setting up tcl-expect:amd64 (5.45.4-2build1) ...
Setting up expect (5.45.4-2build1) ...
Setting up ossec-hids-server (3.6.0-16569focal) ...
Adding group `ossec' (GID 133) ...
Done.
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9) ...
3. Starting OSSEC Application Service
After the OSSEC installation has completed, we start its service with the command below.
$ sudo /var/ossec/bin/ossec-control start
The output is shown below:
ramans@master01:~$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
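The start output above lists the daemons that were launched, but the tutorial never verifies afterwards that they stayed up. The following is an added example, not code from the tutorial or from the OSSEC project: a small POSIX sh check that runs `ossec-control status` and reports any required server daemon that is not running. The daemon names are the six from the start output (ossec-maild is omitted because it only runs when e-mail alerting is configured); it assumes the status output uses the `<daemon> is running...` / `<daemon> not running...` wording, of which the "not running" form appears in the stop transcript later on this page.

```shell
#!/bin/sh
# Added example (not part of the tutorial): verify that every OSSEC server
# daemon started in section 3 is reported as running by `ossec-control status`.
OSSEC_CONTROL="${OSSEC_CONTROL:-/var/ossec/bin/ossec-control}"
# The six daemons the start transcript lists; ossec-maild is optional.
REQUIRED_DAEMONS="ossec-execd ossec-analysisd ossec-logcollector ossec-remoted ossec-syscheckd ossec-monitord"

# missing_daemons: read status output on stdin, print the name of each required
# daemon that is not reported as "<name> is running" (assumed wording).
# Returns 0 when all required daemons are running, 1 otherwise.
missing_daemons() {
    status_text=$(cat)
    rc=0
    for d in $REQUIRED_DAEMONS; do
        case "$status_text" in
            *"$d is running"*) ;;          # present and running
            *) echo "$d"; rc=1 ;;          # absent or "not running"
        esac
    done
    return $rc
}

# check_live: run the real status command (needs root) and pipe it through
# missing_daemons. Returns 2 when ossec-control is not installed at the
# expected path, otherwise the result of missing_daemons.
check_live() {
    if [ ! -x "$OSSEC_CONTROL" ]; then
        echo "ossec-control not found at $OSSEC_CONTROL" >&2
        return 2
    fi
    "$OSSEC_CONTROL" status | missing_daemons
}
```

Run `check_live` after `ossec-control start` (or from cron) to turn a silent daemon crash into a non-zero exit code; the printed names say which daemon to look at in /var/ossec/logs/ossec.log.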
4. Install OSSEC Web UI
In this stage, we will install the OSSEC Web UI. With this tool we can access and monitor the OSSEC application from a web browser. For this purpose we need a web server; in this tutorial we use Apache. To install the OSSEC Web UI we will do the following steps:
1. Stop OSSEC application
2. Clone OSSEC web UI from Git repository
3. Executing Setup Command line
4. Starting OSSEC Application
5. Configuring Apache Web Server and Starting OSSEC Web UI Service
6. Accessing OSSEC Web UI
4.1. Stop OSSEC application
We have to stop the OSSEC application before the OSSEC Web UI is installed. For this purpose we use the following command:
$ sudo /var/ossec/bin/ossec-control stop
The output:
ramans@master01:~$ sudo /var/ossec/bin/ossec-control stop
Deleting PID file '/var/ossec/var/run/ossec-remoted-15276.pid' not used...
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
ossec-maild not running ..
Killing ossec-execd ..
OSSEC HIDS v3.6.0 Stopped
4.2. Clone OSSEC web UI from Git Repository
The OSSEC Web UI repository is cloned from GitHub with the following command:
$ git clone https://github.com/ossec/ossec-wui.git
The output:
ramans@master01:~$ git clone https://github.com/ossec/ossec-wui.git
Cloning into 'ossec-wui'...
remote: Enumerating objects: 205, done.
remote: Total 205 (delta 0), reused 0 (delta 0), pack-reused 205
Receiving objects: 100% (205/205), 217.04 KiB | 1.62 MiB/s, done.
Resolving deltas: 100% (69/69), done.
4.3. Executing the Setup Script
The cloned directory is moved into place and the bundled setup.sh is run as root. It asks for a username and password for the web UI and for the web server's user name (www-data on Ubuntu). Note that the prompt in the transcript below shows the script being run from /srv/ossec-wui; whichever directory you place the UI in must be the one the Apache configuration in step 4.5 points at.
ramans@master01:~$ sudo mv ossec-wui ossec
ramans@master01:~$ sudo mv ossec /var/www/html/
ramans@master01:/srv/ossec-wui$ sudo ./setup.sh
trap: SIGHUP: bad trap
Setting up ossec ui...
Username: digiadmin
New password:
Re-type new password:
Adding password for user digiadmin
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
www-data
You must restart your web server after this setup is done.
Setup completed successfully.
4.4. Starting OSSEC Application
In this stage, we start the OSSEC application again after stopping it in the earlier step. We run the command:
$ sudo /var/ossec/bin/ossec-control start
4.5. Configuring Apache Web Server and Starting OSSEC Web UI Service
In this stage, we configure the Apache web server by creating a virtual host file. Its DocumentRoot and Directory entries must both point at the directory where the OSSEC Web UI was placed in step 4.3:
$ sudo vi /etc/apache2/sites-enabled/ossec-wui.conf
The output:
ramans@master01:/srv/ossec-wui$ sudo vi /etc/apache2/sites-enabled/ossec-wui.conf
<VirtualHost *:80>
    DocumentRoot /srv/ossec-wui/
    ServerName master01.otodiginet.com
    ServerAlias www.master01.otodiginet.com
    ServerAdmin digiadmin@otodiginet.com
    <Directory /srv/ossec-wui/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog /var/log/apache2/moodle-error.log
    CustomLog /var/log/apache2/moodle-access.log combined
</VirtualHost>
ramans@master01:/srv/ossec-wui$ sudo a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  systemctl restart apache2
ramans@master01:/srv/ossec-wui$ sudo systemctl restart apache2
ramans@master01:/srv/ossec-wui$ sudo systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-01-16 07:48:04 PST; 6s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 29948 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
   Main PID: 29952 (apache2)
      Tasks: 6 (limit: 4601)
     Memory: 9.4M
     CGroup: /system.slice/apache2.service
             ├─29952 /usr/sbin/apache2 -k start
             ├─29953 /usr/sbin/apache2 -k start
             ├─29954 /usr/sbin/apache2 -k start
             ├─29955 /usr/sbin/apache2 -k start
             ├─29956 /usr/sbin/apache2 -k start
             └─29957 /usr/sbin/apache2 -k start
Jan 16 07:48:04 master01.otodiginet.com systemd[1]: Starting The Apache HTTP Server...
Jan 16 07:48:04 master01.otodiginet.com apachectl[29951]: AH00558: apache2: Could not reliably determine the server's fully q>
Jan 16 07:48:04 master01.otodiginet.com systemd[1]: Started The Apache HTTP Server.
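The transcripts in steps 4.3 and 4.5 show the easiest mistake in this setup: the clone is moved to /var/www/html/ossec, yet the virtual host points at /srv/ossec-wui. If the two disagree, Apache either serves nothing or serves a directory that setup.sh never protected with a password. The following added example, not code from the tutorial, from the OSSEC project or from ossec-wui, renders the virtual host from a single directory variable so DocumentRoot and the Directory block cannot drift apart, and then checks that the directory named in a vhost file actually holds the UI. The hostnames are placeholders, the log file names are my own choice instead of the tutorial's, and the check assumes that a finished setup.sh run leaves index.php, an .htaccess and the .htpasswd it creates side by side in that directory.

```shell
#!/bin/sh
# Added example (not part of the tutorial): keep the OSSEC Web UI vhost and the
# on-disk UI directory consistent, and verify the directory before restarting
# Apache. Assumes setup.sh leaves index.php, .htaccess and .htpasswd in WUI_DIR.

# render_vhost DOCROOT SERVERNAME ADMIN_EMAIL -> vhost text on stdout.
# DocumentRoot and <Directory> are both derived from the same argument.
render_vhost() {
    docroot="${1%/}"   # drop a trailing slash so both lines print identically
    cat <<EOF
<VirtualHost *:80>
    ServerName $2
    ServerAdmin $3
    DocumentRoot $docroot
    <Directory $docroot>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/ossec-wui-error.log
    CustomLog \${APACHE_LOG_DIR}/ossec-wui-access.log combined
</VirtualHost>
EOF
}

# vhost_docroot FILE -> the DocumentRoot value declared in an existing vhost
# file, without a trailing slash (first occurrence only).
vhost_docroot() {
    awk '$1 == "DocumentRoot" { sub(/\/$/, "", $2); print $2; exit }' "$1"
}

# check_wui_dir DIR -> 0 if DIR looks like a set-up ossec-wui tree, else 1,
# printing each missing file. A missing .htpasswd means setup.sh was not run
# in this directory, so Basic authentication would not be enforced there.
check_wui_dir() {
    dir="${1%/}"
    ok=0
    for f in index.php .htaccess .htpasswd; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            ok=1
        fi
    done
    return $ok
}

# check_vhost FILE -> 0 if the DocumentRoot in FILE passes check_wui_dir.
# Run this before `systemctl restart apache2`.
check_vhost() {
    check_wui_dir "$(vhost_docroot "$1")"
}
```

Typical use: `render_vhost /srv/ossec-wui master01.example.invalid admin@example.invalid | sudo tee /etc/apache2/sites-available/ossec-wui.conf`, then `check_vhost /etc/apache2/sites-available/ossec-wui.conf` before enabling the site. Because the vhost only listens on port 80, the Basic-auth credentials from setup.sh cross the network in clear text; restrict who can reach the host or terminate TLS in front of it.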
4.6. Accessing OSSEC Web UI
At this stage the OSSEC Web UI is running on the system. As configured in /etc/apache2/sites-enabled/ossec-wui.conf, the OSSEC web GUI is served at master01.otodiginet.com and can be opened in a browser, where it prompts for the username and password created by setup.sh.
Conclusion
In this short tutorial, we have learned how to install OSSEC and the OSSEC web GUI on an Ubuntu 20.04 LTS server. I hope this article is helpful.