How To Install OSSEC HIDS Server On Ubuntu 20.04 LTS

In this short tutorial we will install the server side of the OSSEC monitoring tool, version 3.6.0, on Ubuntu 20.04 LTS.

Introduction

OSSEC is a free, scalable, multi-platform, open-source host-based intrusion detection system (HIDS). It performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. Its correlation and analysis engine provides log analysis and intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows, and its centralized, cross-platform architecture lets many systems be monitored and managed from one server. In this tutorial we install that server component on Ubuntu 20.04 LTS.

OSSEC Installation On Ubuntu 20.04 LTS

The installation steps are as follows:

  1. Installing Requirements Packages
    Run System Update
    Install Required Dependencies
  2. Install OSSEC HIDS on Ubuntu 20.04 LTS
    Add the OSSEC Repository
    Install OSSEC
  3. Starting OSSEC application service
  4. Install OSSEC Web UI
  5. Access OSSEC Web UI

These items will be explained in more detail below.

1. Installing Required Packages

In this stage we prepare the system before OSSEC is installed: refresh the package index and install the build dependencies. Note that the OSSEC server package installed in section 2 is a prebuilt binary that pulls in its own runtime dependencies through apt, so the compiler and development headers below are only needed if you intend to build OSSEC from source. (`mysql-dev` and `postgresql-dev` are not Ubuntu package names; the database client headers, should you need them, are `libmysqlclient-dev` and `libpq-dev`.)

$ sudo apt-get update
$ sudo apt-get install build-essential make zlib1g-dev libpcre2-dev libevent-dev libssl-dev
$ sudo apt-get install libsqlite3-dev

The output will be shown below :

ramans@master01:~$ sudo apt-get install build-essential make zlib1g-dev libpcre2-dev libevent-dev libssl-dev
[sudo] password for ramans: 
Reading package lists... Done
Building dependency tree 
Reading state information... Done
The following additional packages will be installed:
binutils binutils-common binutils-x86-64-linux-gnu cpp-9 dpkg-dev fakeroot g++ g++-9 gcc gcc-10-base gcc-9 gcc-9-base
libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libasan5 libatomic1 libbinutils libc-dev-bin
libc6 libc6-dbg libc6-dev libcc1-0 libcrypt-dev libctf-nobfd0 libctf0 libevent-core-2.1-7 libevent-extra-2.1-7
libevent-openssl-2.1-7 libevent-pthreads-2.1-7 libfakeroot libgcc-9-dev libgcc-s1 libgomp1 libitm1 liblsan0 libpcre2-16-0
libpcre2-posix2 libquadmath0 libssl1.1 libstdc++-9-dev libstdc++6 libtsan0 libubsan1 linux-libc-dev manpages-dev zlib1g
Suggested packages:
binutils-doc gcc-9-locales debian-keyring g++-multilib g++-9-multilib gcc-9-doc gcc-multilib autoconf automake libtool
flex bison gcc-doc gcc-9-multilib glibc-doc libssl-doc libstdc++-9-doc make-doc
The following NEW packages will be installed:
binutils binutils-common binutils-x86-64-linux-gnu build-essential dpkg-dev fakeroot g++ g++-9 gcc gcc-9
libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libasan5 libatomic1 libbinutils libc-dev-bin
libc6-dev libcrypt-dev libctf-nobfd0 libctf0 libevent-core-2.1-7 libevent-dev libevent-extra-2.1-7 libevent-openssl-2.1-7
libevent-pthreads-2.1-7 libfakeroot libgcc-9-dev libitm1 liblsan0 libpcre2-16-0 libpcre2-dev libpcre2-posix2 libquadmath0
libssl-dev libstdc++-9-dev libtsan0 libubsan1 linux-libc-dev make manpages-dev zlib1g-dev
The following packages will be upgraded:
cpp-9 gcc-10-base gcc-9-base libc6 libc6-dbg libcc1-0 libgcc-s1 libgomp1 libssl1.1 libstdc++6 zlib1g
11 upgraded, 42 newly installed, 0 to remove and 527 not upgraded.
Need to get 46.3 MB/60.2 MB of archives.
After this operation, 202 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
ramans@master01:~$ sudo apt-get install libsqlite3-dev
Reading package lists... Done
Building dependency tree 
Reading state information... Done
The following additional packages will be installed:
libsqlite3-0
Suggested packages:
sqlite3-doc
The following NEW packages will be installed:
libsqlite3-dev
The following packages will be upgraded:
libsqlite3-0
1 upgraded, 1 newly installed, 0 to remove and 526 not upgraded.
Need to get 1,245 kB of archives.
After this operation, 2,373 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y

2. Install OSSEC HIDS on Ubuntu 20.04 LTS

2.1. Add the Atomicorp OSSEC Repository

In this stage we add the OSSEC package repository provided by Atomicorp. Its one-line installer fetches a script and pipes it straight into `sudo bash`, so whatever the server (or anything in the path between you and it) returns runs as root without ever being seen; the script then configures apt, imports the Atomicorp GPG key, and, as the `W: --force-yes is deprecated` line in the output shows, calls apt-get with `--force-yes`. On anything other than a throwaway lab machine, download the script to a file, read it, and only then run it. The command as this tutorial runs it:

$ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash

The output will be shown below :

ramans@master01:~$ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash

Atomic Free Unsupported Archive installer, version 5.0.2

BY INSTALLING THIS SOFTWARE AND BY USING ANY AND ALL SOFTWARE
PROVIDED BY ATOMICORP LIMITED YOU ACKNOWLEDGE AND AGREE:

THIS SOFTWARE AND ALL SOFTWARE PROVIDED IN THIS REPOSITORY IS 
PROVIDED BY ATOMICORP LIMITED AS IS, IS UNSUPPORTED AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ATOMICORP LIMITED, THE
COPYRIGHT OWNER OR ANY CONTRIBUTOR TO ANY AND ALL SOFTWARE PROVIDED
BY OR PUBLISHED IN THIS REPOSITORY BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.

For supported software packages please contact us at:

sales@atomicorp.com

Do you agree to these terms? (yes/no) [Default: yes]

Configuring the [atomic] repo archive for this system

Installing the Atomic GPG keys: OK

Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB] 
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease
. . .
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for install-info (6.7.0.dfsg.2-5) ...
W: --force-yes is deprecated, use one of the options starting with --allow instead.
--2022-01-16 06:55:14-- https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt
Resolving www.atomicorp.com (www.atomicorp.com)... 74.208.77.16
Connecting to www.atomicorp.com (www.atomicorp.com)|74.208.77.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1694 (1.7K) [text/plain]
Saving to: 'STDOUT'

- 100%[=====================================================>] 1.65K --.-KB/s in 0s

2022-01-16 06:55:16 (296 MB/s) - written to stdout [1694/1694]

OK
Adding [atomic] to /etc/apt/sources.list.d/atomic.list: OK


The Atomic repo has now been installed and configured for your system
The following channels are available:
atomic - [ACTIVATED] - contains the stable tree of ART packages
atomic-testing - [DISABLED] - contains the testing tree of ART packages
atomic-bleeding - [DISABLED] - contains the development tree of ART packages
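The pipe-to-root pattern above can be replaced with a fetch, review, pin, run sequence. The script below is an added example written for this page, not Atomicorp's installer or anything from the OSSEC project. The installer URL is the one used above; the output path, the `RUN_INSTALL` switch and the placeholder `EXPECTED_SHA256` value are assumptions.

```sh
# Added example (not from Atomicorp or the original tutorial): fetch the
# repository installer to a file so it can be read before anything runs as
# root, then execute it only when its SHA-256 matches the digest pinned after
# that review. EXPECTED_SHA256 below is a placeholder, not the real digest.
# Set RUN_INSTALL=1 to perform the download and install; otherwise only the
# functions are defined, so the file can be sourced and tested offline.

INSTALLER_URL="https://updates.atomicorp.com/installers/atomic"
INSTALLER_FILE="${INSTALLER_FILE:-/tmp/atomic-installer.sh}"
EXPECTED_SHA256="${EXPECTED_SHA256:-replace-with-the-digest-you-computed-after-review}"

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_installer FILE EXPECTED -> 0 if FILE's digest equals EXPECTED, 1 otherwise
verify_installer() {
    file="$1"
    expected="$2"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: digest mismatch" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# fetch_installer URL FILE -> downloads over TLS only and leaves the file unexecuted
fetch_installer() {
    wget -q --https-only -O "$2" "$1"
}

# run_verified FILE EXPECTED -> runs FILE as root only after verify_installer passes
run_verified() {
    verify_installer "$1" "$2" || return 1
    sudo bash "$1"
}

if [ "${RUN_INSTALL:-0}" = 1 ]; then
    fetch_installer "$INSTALLER_URL" "$INSTALLER_FILE"
    echo "Saved to $INSTALLER_FILE. Review it, then pin its digest:"
    sha256_of "$INSTALLER_FILE"
    run_verified "$INSTALLER_FILE" "$EXPECTED_SHA256"
fi
```

Run it once with `RUN_INSTALL=1` and the placeholder digest: it downloads the script, prints the digest and refuses to execute. Read /tmp/atomic-installer.sh, then run it again with `EXPECTED_SHA256` set to the digest you just reviewed. The pin only covers the installer; once it has added the apt source and GPG key, apt's own signature checks cover the packages that follow.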

2.2. Install OSSEC

After the repository has been added, refresh the package index and install the server package:

$ sudo apt-get update
$ sudo apt-get install ossec-hids-server

The output will be shown below :

ramans@master01:~$ sudo apt-get update
Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease 
Hit:2 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Get:5 https://updates.atomicorp.com/channels/atomic/ubuntu focal InRelease [1,798 B]
Get:6 https://updates.atomicorp.com/channels/atomic/ubuntu focal/main amd64 Packages [1,602 B]
Fetched 3,400 B in 5s (691 B/s) 
Reading package lists... Done
ramans@master01:~$ sudo apt-get install ossec-hids-server
Reading package lists... Done
Building dependency tree 
Reading state information... Done
The following additional packages will be installed:
expect geoip-database libgeoip1 libtcl8.6 tcl-expect tcl8.6
Suggested packages:
tk8.6 geoip-bin tcl-tclreadline
The following NEW packages will be installed:
expect geoip-database libgeoip1 libtcl8.6 ossec-hids-server tcl-expect tcl8.6
0 upgraded, 7 newly installed, 0 to remove and 515 not upgraded.
Need to get 4,991 kB of archives.
After this operation, 22.4 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu focal/main amd64 libtcl8.6 amd64 8.6.10+dfsg-1 [902 kB]
Get:2 https://updates.atomicorp.com/channels/atomic/ubuntu focal/main amd64 ossec-hids-server amd64 3.6.0-16569focal [731 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu focal/main amd64 tcl8.6 amd64 8.6.10+dfsg-1 [14.8 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 tcl-expect amd64 5.45.4-2build1 [105 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 expect amd64 5.45.4-2build1 [137 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 geoip-database all 20191224-2 [3,029 kB] 
Get:7 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 libgeoip1 amd64 1.6.12-6build1 [70.5 kB] 
Fetched 4,991 kB in 23s (219 kB/s) 
Preconfiguring packages ...
...
Unpacking ossec-hids-server (3.6.0-16569focal) ...
Setting up libtcl8.6:amd64 (8.6.10+dfsg-1) ...
Setting up libgeoip1:amd64 (1.6.12-6build1) ...
Setting up geoip-database (20191224-2) ...
Setting up tcl8.6 (8.6.10+dfsg-1) ...
Setting up tcl-expect:amd64 (5.45.4-2build1) ...
Setting up expect (5.45.4-2build1) ...
Setting up ossec-hids-server (3.6.0-16569focal) ...
Adding group `ossec' (GID 133) ...
Done.
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9) ...

3. Starting OSSEC Application Service

After the installation has completed, we start the service with the command below. Afterwards, `sudo /var/ossec/bin/ossec-control status` lists each daemon and /var/ossec/logs/ossec.log records why any of them stopped. Two things are normal on a fresh server: ossec-maild only runs when email notification is enabled in /var/ossec/etc/ossec.conf, and ossec-remoted exits shortly after start while no agent keys exist, because it has nothing to serve; it stays up once an agent is added with /var/ossec/bin/manage_agents.

$ sudo /var/ossec/bin/ossec-control start

The output is shown below :

ramans@master01:~$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
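A post-start check worth keeping is below. It is an added example for this page, not a script shipped with OSSEC: it parses the output of `ossec-control status` (lines of the form `<daemon> is running...` or `<daemon> not running...`) and the output of `ss -lun`, and fails if a required daemon is down or nothing is bound on 1514/udp, the default port agents connect to. The `OSSEC_HEALTH_LIVE` switch and the variable names are assumptions.

```sh
# Added example (not part of OSSEC or the original tutorial): a post-start
# health check for the server. With OSSEC_HEALTH_LIVE=1 it runs against the
# real host; otherwise only the functions are defined, so the file can be
# sourced and exercised offline on constructed input.

OSSEC_CONTROL="${OSSEC_CONTROL:-/var/ossec/bin/ossec-control}"
OSSEC_AGENT_PORT="${OSSEC_AGENT_PORT:-1514}"

# Daemons a server install is expected to run. ossec-maild is deliberately
# absent: it only starts when <email_notification> is enabled in ossec.conf.
REQUIRED_DAEMONS="ossec-execd ossec-analysisd ossec-logcollector ossec-remoted ossec-syscheckd ossec-monitord"

# missing_daemons STATUS_TEXT -> prints the required daemons not reported as running
missing_daemons() {
    status_text="$1"
    missing=""
    for d in $REQUIRED_DAEMONS; do
        if ! printf '%s\n' "$status_text" | grep -q "^$d is running"; then
            missing="$missing $d"
        fi
    done
    printf '%s\n' "${missing# }"
}

# agent_port_listening SS_TEXT PORT -> 0 if `ss -lun` output shows a UDP socket on PORT
# (the local address is column 4, e.g. 0.0.0.0:1514 or [::]:1514; the port is the
# part after the last colon)
agent_port_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "UNCONN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# health_check STATUS_TEXT SS_TEXT -> 0 when every daemon runs and the agent port is bound
health_check() {
    missing=$(missing_daemons "$1")
    rc=0
    if [ -n "$missing" ]; then
        echo "not running:$missing" >&2
        rc=1
    fi
    if ! agent_port_listening "$2" "$OSSEC_AGENT_PORT"; then
        echo "nothing bound on ${OSSEC_AGENT_PORT}/udp: agents cannot reach ossec-remoted" >&2
        rc=1
    fi
    return $rc
}

if [ "${OSSEC_HEALTH_LIVE:-0}" = 1 ]; then
    health_check "$(sudo "$OSSEC_CONTROL" status)" "$(ss -lun)"
fi
```

Run it with `OSSEC_HEALTH_LIVE=1 sh health.sh` after `ossec-control start`; a non-zero exit plus the message on stderr tells you which daemon to look for in /var/ossec/logs/ossec.log. On a server with no agents yet, expect it to report ossec-remoted and the unbound port until the first key has been added.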

4. Install OSSEC Web UI

In this stage we install the OSSEC Web UI, which lets us view OSSEC's alerts and status from a web browser. It needs a web server; in this tutorial we use Apache. The steps are:

1. Stop the OSSEC application
2. Clone the OSSEC Web UI from its Git repository
3. Run the setup script
4. Start the OSSEC application again
5. Configure the Apache web server and start serving the Web UI

4.1. Stop OSSEC application

OSSEC has to be stopped before the Web UI is set up. Use the following command:

$ sudo /var/ossec/bin/ossec-control stop

The output will be shown :
ramans@master01:~$ sudo /var/ossec/bin/ossec-control stop
Deleting PID file '/var/ossec/var/run/ossec-remoted-15276.pid' not used...
Killing ossec-monitord .. 
Killing ossec-logcollector .. 
ossec-remoted not running ..
Killing ossec-syscheckd .. 
Killing ossec-analysisd .. 
ossec-maild not running ..
Killing ossec-execd .. 
OSSEC HIDS v3.6.0 Stopped

4.2. Clone OSSEC web UI from Git Repository

Clone the OSSEC Web UI repository from GitHub (install git with apt first if it is missing):

$ git clone https://github.com/ossec/ossec-wui.git

The output :

ramans@master01:~$ git clone https://github.com/ossec/ossec-wui.git
Cloning into 'ossec-wui'...
remote: Enumerating objects: 205, done.
remote: Total 205 (delta 0), reused 0 (delta 0), pack-reused 205
Receiving objects: 100% (205/205), 217.04 KiB | 1.62 MiB/s, done.
Resolving deltas: 100% (69/69), done.

4.3. Executing the Setup Script

Move the clone to the directory that the Apache virtual host in step 4.5 serves (/srv/ossec-wui) and run setup.sh from inside it. The script creates the Basic-auth login for the UI with htpasswd, asks for the account the web server runs as (www-data on Ubuntu) so that the UI can read OSSEC's data under /var/ossec, and reminds you that Apache must be restarted afterwards. Choose a strong password here: it is the only thing between the network and your alert data.

$ sudo mv ossec-wui /srv/ossec-wui
$ cd /srv/ossec-wui
$ sudo ./setup.sh

The "trap: SIGHUP: bad trap" line in the output comes from the script being run by dash, Ubuntu's /bin/sh, which does not accept that spelling of the signal name; it is harmless, and running `sudo bash ./setup.sh` instead avoids it.

The output will be shown :

ramans@master01:/srv/ossec-wui$ sudo ./setup.sh
trap: SIGHUP: bad trap
Setting up ossec ui...

Username: digiadmin
New password: 
Re-type new password: 
Adding password for user digiadmin
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
www-data
You must restart your web server after this setup is done.

Setup completed successfully.

4.4. Starting OSSEC Application

In this stage we start OSSEC again, having stopped it in step 4.1:

$ sudo /var/ossec/bin/ossec-control start

4.5. Configuring Apache Web Server and Starting OSSEC Web UI Service

In this stage we configure Apache by creating a virtual host for the UI. Ubuntu's convention is to place the file in /etc/apache2/sites-available/ and enable it with a2ensite; writing it directly into sites-enabled, as below, works as well. The DocumentRoot must be the directory setup.sh was run in (/srv/ossec-wui), and `AllowOverride All` is not incidental: setup.sh protects the UI with a .htaccess file, and without AllowOverride Apache ignores that file and serves the UI with no authentication at all.

$ sudo vi /etc/apache2/sites-enabled/ossec-wui.conf

The output will be shown :

ramans@master01:/srv/ossec-wui$ sudo vi /etc/apache2/sites-enabled/ossec-wui.conf

<VirtualHost *:80>
DocumentRoot /srv/ossec-wui/
ServerName master01.otodiginet.com
ServerAlias www.master01.otodiginet.com
ServerAdmin digiadmin@otodiginet.com

<Directory /srv/ossec-wui/>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>

ErrorLog /var/log/apache2/ossec-wui-error.log
CustomLog /var/log/apache2/ossec-wui-access.log combined
</VirtualHost>
ramans@master01:/srv/ossec-wui$ sudo a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
systemctl restart apache2
ramans@master01:/srv/ossec-wui$ sudo systemctl restart apache2
ramans@master01:/srv/ossec-wui$ sudo systemctl status apache2
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2022-01-16 07:48:04 PST; 6s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 29948 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 29952 (apache2)
Tasks: 6 (limit: 4601)
Memory: 9.4M
CGroup: /system.slice/apache2.service
├─29952 /usr/sbin/apache2 -k start
├─29953 /usr/sbin/apache2 -k start
├─29954 /usr/sbin/apache2 -k start
├─29955 /usr/sbin/apache2 -k start
├─29956 /usr/sbin/apache2 -k start
└─29957 /usr/sbin/apache2 -k start

Jan 16 07:48:04 master01.otodiginet.com systemd[1]: Starting The Apache HTTP Server...
Jan 16 07:48:04 master01.otodiginet.com apachectl[29951]: AH00558: apache2: Could not reliably determine the server's fully q>
Jan 16 07:48:04 master01.otodiginet.com systemd[1]: Started The Apache HTTP Server.
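The virtual host above serves the UI over plain HTTP, so the Basic-auth credentials and every page of alert data cross the network in cleartext, and anyone who can reach port 80 can try the login. The configuration below is an added example for this page, not part of the OSSEC Web UI project: it keeps the same site but reduces the port-80 host to a redirect, serves the UI over TLS, denies the cloned .git directory, and requires both a source address in an admin network and a valid login. To combine those two requirements it moves the Basic-auth directives out of setup.sh's .htaccess into the vhost, which is why AllowOverride can then be None. The certificate paths, the 10.0.0.0/24 admin network and the location of the .htpasswd file that setup.sh wrote are assumptions; check the generated .htaccess for the real path.

```apache
# Added example, not from the original tutorial or the OSSEC Web UI project.
# Assumptions: certificate paths, the admin network 10.0.0.0/24, and the
# .htpasswd path created by setup.sh (read it from the generated .htaccess).

<VirtualHost *:80>
    ServerName master01.otodiginet.com
    # Nothing is served in the clear; send browsers to the TLS host.
    Redirect permanent / https://master01.otodiginet.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName master01.otodiginet.com
    ServerAdmin digiadmin@otodiginet.com
    DocumentRoot /srv/ossec-wui/

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/master01.otodiginet.com.crt
    SSLCertificateKeyFile /etc/ssl/private/master01.otodiginet.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Tell browsers to keep using TLS for this host (needs mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory /srv/ossec-wui/>
        Options -Indexes +FollowSymLinks
        # Authentication now lives here instead of in .htaccess, so the
        # per-directory override is no longer needed.
        AllowOverride None

        AuthType Basic
        AuthName "OSSEC Web UI"
        AuthUserFile /srv/ossec-wui/.htpasswd

        # Both conditions must hold: admin network AND a valid login.
        <RequireAll>
            Require ip 10.0.0.0/24
            Require valid-user
        </RequireAll>
    </Directory>

    # The clone carries its full Git history; never serve it.
    <DirectoryMatch "^/srv/ossec-wui/\.git">
        Require all denied
    </DirectoryMatch>

    ErrorLog /var/log/apache2/ossec-wui-error.log
    CustomLog /var/log/apache2/ossec-wui-access.log combined
</VirtualHost>
```

Enable the modules it relies on with `sudo a2enmod ssl headers`, then `sudo apachectl configtest` and `sudo systemctl restart apache2`. Ubuntu's stock apache2.conf already refuses to serve files beginning with `.ht`, so the .htpasswd file itself is not reachable; the .git rule is needed because nothing denies it by default.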

5. Accessing OSSEC Web UI

The OSSEC Web UI is now running. Because the virtual host in /etc/apache2/sites-enabled/ossec-wui.conf sets ServerName to master01.otodiginet.com, the UI is reached at http://master01.otodiginet.com/ from any host that resolves that name, and Apache prompts for the username and password created by setup.sh. The AH00558 line in the systemd output above only means no global ServerName is set; it does not affect this virtual host. Note that the site is served over plain HTTP, so the Basic-auth credentials and the alert data cross the network in cleartext; before exposing the UI beyond a lab, serve it over TLS and restrict which addresses can reach it.

(Screenshot: OSSEC web GUI)

Conclusion

In this short tutorial we have installed the OSSEC HIDS server 3.6.0 and the OSSEC Web UI on Ubuntu 20.04 LTS. Before relying on it, add agents with /var/ossec/bin/manage_agents, confirm the daemons stay up with /var/ossec/bin/ossec-control status, and put the Web UI behind TLS and an access restriction. I hope this article has been helpful.
