Ossec 安装并配置邮件通知
1. 介绍
OSSEC 是一个完全开源的免费的服务器入侵检测工具,它支持多个平台,包括Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and VMware ESX;提供预留的入侵规则并提供相关的定制选项,也支持自定义安全规则,规则触发后的行动支持邮件通知,数据库写入,系统日志写入,2.9.0版本及之后的支持将告警信息写入到一个JSON格式的文件。更进一步的了解,请查阅官网:OSSEC.
2. 软硬件环境
OSSEC是基于C/S架构的,分为Server和Agent两部分,这里的部署使用三台虚拟机,一台虚拟机运行Server,另外两台台虚拟机只运行Agent。详细的环境信息如下:
| 项 | 虚拟机1(Server) | 虚拟机2(Agent) | 虚拟机3(Agent) |
|---|---|---|---|
| 硬件信息 | CPU:8核 RAM:16G 硬盘:100G | CPU:4核 RAM:4G 硬盘:100G | CPU:2核 RAM:2G 硬盘:100G |
| IP地址 | 172.16.11.141 | 172.16.11.197 | 172.16.11.198 |
| 操作系统 | Centos7 | Centos7 | Centos7 |
| 主机名 | master | ansible1 | ansible2 |
| 软件版本 | Ossec2.8.1 MySQL8.0 | Ossec2.8.1 | Ossec2.8.1 |
3. 安装步骤
3.1 Server
- Ossec安装
在虚拟机1(Server)的主机上操作:
wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz #下载ossec的2.8.1版本,目前最新的版本为3.6.0,笔者尝试过安装这个版本,
#发现agent无法连接上server端,github也有相关的issue,详见:https://github.com/ossec/ossec-hids/issues/1869
tar -zxvf 2.8.1.tar.gz #解压
mv ossec-hids-2.8.1/ ossec-hids #重命名文件夹
cd ossec-hids/ #进入文件夹
export OSSEC_SOURCE=$(pwd) #设置目录变量
yum -y install mysql-devel postgresql-devel zlib-devel pcre2-devel make gcc zlib-devel pcre2-devel sqlite-devel openssl-devel libevent-devel #下载所需编译工具包
ln -s /usr/lib64/mysql/libmysqlclient.so.18 /usr/lib/libmysqlclient.so.18 #创建软链接链接MySQL库
ln -s /usr/lib64/mysql/libmysqlclient.so.18 /usr/lib64/libmysqlclient.so.18 #创建软链接链接MySQL库
cd src
make setdb #开启数据库支持,该指令有以下输出:
#Info: Compiled with MySQL support.
#Info: Compiled with PostgreSQL support.
#如果是3.6.0版本,这个指令不存在,详见:https://github.com/ossec/ossec-hids/issues/1905
cd ../install.sh #执行编辑安装脚本进行安装
具体的安装脚本交互如下:
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvű telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en #选择语言
OSSEC HIDS v2.8 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux master 3.10.0-1127.18.2.el7.x86_64
- User: root
- Host: master
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? server #安装server端
- Server installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: y #开启邮件通知
- What's your e-mail address? 1769128867@qq.com #收件人邮箱
- What's your SMTP server ip/host? 127.0.0.1 #SMTP邮箱服务器的地址
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y #开启完整性检查守护进程
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y #开启rootkit检查引擎功能
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: y #开启存活响应
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]: n #关闭防火墙响应功能
- firewall-drop disabled.
- Default white list for the active response:
- 119.29.29.29
- Do you want to add more IPs to the white list? (y/n)? [n]: n #无需添加白名单
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y #开启远程的syslog
- Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/httpd/error_log (apache log)
-- /var/log/httpd/access_log (apache log)
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
5- Installing the system
- Running the Makefile
INFO: Little endian set.
.......省略编译输出........
- System is Redhat Linux.
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
- In order to connect agent and server, you need to add each agent to the server.
Run the 'manage_agents' to add or remove them:
/var/ossec/bin/manage_agents
More information at:
http://www.ossec.net/en/manual.html#ma
至此,服务器端已经安装成功,可以先添加agent端的信息,使用manage_agents添加agent:
/var/ossec/bin/manage_agents
具体的添加agent脚本交互如下:
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A #选择添加一个agent操作
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: ansible1 #agent的显示名称
* The IP Address of the new agent: 172.16.11.197 #agent的IP
* An ID for the new agent[001]: 001 #agent的IP
Agent information:
ID:001
Name:ansible1
IP Address:172.16.11.197
Confirm adding it?(y/n): y #确定
Agent added.
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E #选择提取agent key操作
Available agents:
ID: 001, Name: ansible1, IP: 172.16.11.197
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ==
** Press ENTER to return to the main menu.
.........再重复操作添加agent2并记下agent key后面配置agent时需要使用。.........
- MySQL数据库配置
MySQL数据库的安装这里就不在列出,可以参考我上次安装zabbix服务时的安装进行操作,链接:MySQL安装。MySQL数据安装完成后,需要新建数据库和导入Ossec软件使用的数据库表结构。
mysql -u root -p
#输入root用户的密码
mysql> create database ossec character set utf8 collate utf8_bin; #创建数据库
mysql> create user ossec identified by 'QCgOvUJ7&Cs*dG4m'; #创建数据库连接用户
mysql> grant all privileges on ossec.* to ossec;
mysql> flush privileges;
数据库用户新建成功后,再导入数据库的表结构,MySQL数据库的表结构文件在源码包下的src/os_dbd/mysql.schema,使用mysql工具进行导入:
mysql -uossec -pQCgOvUJ7&Cs*dG4m ossec < $OSSEC_SOURCE/src/os_dbd/mysql.schema #导入MySQL数据库表结构
数据库导入完成后,还需要配置ossec的配置文件,指定连接的数据库服务器和用户等信息,编辑/var/ossec/etc/ossec.conf文件,添加内容如下:
<database_output>
<hostname>127.0.0.1</hostname> <!-- MySQL服务器IP -->
<username>ossec</username> <!-- MySQL用户账号 -->
<password>QCgOvUJ7&Cs*dG4m</password> <!-- MySQL用户密码 -->
<database>ossec</database> <!-- 数据库模式名称 -->
<type>mysql</type> <!-- 数据库类型为MySQL -->
</database_output>
注意:<database_output>标签是放在<ossec_config>标签里面,参见官方文档:Configuring MySQL。保存文件后,还需要启动数据库支持:
/var/ossec/bin/ossec-control enable database
- 启动ossec
/var/ossec/bin/ossec-control start
启动后,通过查看/var/ossec/logs/ossec.log日志,可以看到已经连接上了数据库,如下所示:
- 添加agent方法
添加agent需要填写agent的IP、ID和主机名。执行如下脚本进行导入:
/var/ossec/bin/manage_agents
具体的脚本交互如下:
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A #进行添加agent操作
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: ansible1 #主机名
* The IP Address of the new agent: 172.16.11.197 #IP地址
* An ID for the new agent[001]: 001 #ID号
Agent information:
ID:001
Name:ansible01
IP Address:172.16.11.197
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: ansible1, IP: 172.16.11.197
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ==
** Press ENTER to return to the main menu.
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: Q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ..
添加agent完成后,记得要重启ossec服务。注意,这里的添加了agent操作并不是已经可以使用ossec服务了,还需要后面的agent通过导入agent key后并启动agent进程才会真正完成。
/var/ossec/bin/ossec-control restart
3.2 Agent
在虚拟机2(Agent)和虚拟机3(Agent)上执行以下同样的操作:
wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz #下载ossec的2.8.1版本,目前最新的版本为3.6.0,笔者尝试过安装,发现agent无法连接上server端,
#github也有相关的issue,详见:https://github.com/ossec/ossec-hids/issues/1869
tar -zxvf 2.8.1.tar.gz #解压
mv ossec-hids-2.8.1/ ossec-hids #重命名文件夹
cd ossec-hids/ #进入文件夹
yum -y install mysql-devel postgresql-devel zlib-devel pcre2-devel make gcc zlib-devel pcre2-devel sqlite-devel openssl-devel libevent-devel #下载所需编译工具包
./install.sh #执行编辑安装脚本进行安装
具体的安装脚本交互如下:
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvű telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en #选择语言
OSSEC HIDS v2.8 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux ansible1 3.10.0-1127.18.2.el7.x86_64
- User: root
- Host: ansible1
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? agent #安装agent端
- Agent(client) installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 172.16.11.141 #填写服务端的IP或者域名
- Adding Server IP 172.16.11.141
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y #开启完整性检查守护进程
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y #开启root检查功能
- Running rootcheck (rootkit detection).
3.4 - Do you want to enable active response? (y/n) [y]: y #开启存活响应
3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/nginx/access.log (apache log)
-- /var/log/nginx/error.log (apache log)
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
5- Installing the system
- Running the Makefile
INFO: Little endian set.
························
······省略编译输出········
························
- System is Redhat Linux.
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
- You first need to add this agent to the server so they
can communicate with each other. When you have done so,
you can run the 'manage_agents' tool to import the
authentication key from the server.
/var/ossec/bin/manage_agents
More information at:
http://www.ossec.net/en/manual.html#ma
现在可以看到Agent端已经安装完成了,安装脚本会默认安装在/var/ossec目录下。Agent端的配置首先需要在Server端添加此Agent主机,添加Agent和提取密钥请回看Server部分。添加完成后,提取并拷贝此客户端的验证密钥到agent端,然后运行进行导入:
/var/ossec/bin/manage_agents
脚本交互:
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I #选择”导入一个从Server端导出的key“操作
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ== #粘贴key
Agent information:
ID:001
Name:ansible1
IP Address:172.16.11.197
Confirm adding it?(y/n): y #确定添加
Added.
** Press ENTER to return to the main menu.
至此,导入完成,可以启动Agent端了:
/var/ossec/bin/ossec-control start
最后,在Server端检查一下agent端是否运行正常。在Server端执行/var/ossec/bin/agent_control -l查看添加了的Agent:
[root@master ossec]# /var/ossec/bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: master (server), IP: 127.0.0.1, Active/Local
ID: 002, Name: ansible2, IP: 172.16.11.198, Active
ID: 001, Name: ansible1, IP: 172.16.11.197, Active
List of agentless devices:
3.3 配置邮件通知
配置邮件通知需要在Server端下进行操作。我这里以网易的163邮箱作为发件人,腾讯的QQ邮箱作为收件人,进行Ossec的邮件通知配置操作。
- 安装所需的软件包
yum install -y postfix mailx cyrus-sasl cyrus-sasl-plain #安装postfix邮件相关的软件包
- 配置Postfix的配置文件
/etc/postfix/main.cf
cat >> /etc/postfix/main.cf << EOF
relayhost = [smtp.163.com]:25
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes
EOF
- 配置发送邮箱的账号和密码
echo "[smtp.163.com]:25 superlollipop@163.com:QFIANRBFCXMHEOVA" > /etc/postfix/sasl_passwd
#格式[smtp服务地址]:端口 USERNAME@gmail.com:PASSWORD
postmap /etc/postfix/sasl_passwd #更新Postfix查询表使配置生效
PASSWORD是邮箱提供商提供的第三方客户端授权码,不是登录密码,请搜索相关邮箱提供商的资料获取。postmap执行如果提示缺少 libmysqlclient.so.18,需要安装MySQL的库,执行:yum install mariadb-libs安装依赖库。常见的邮箱服务器和端口,可参考文章:常用的邮箱服务器(SMTP、POP3)地址、端口
- 更改存储文件和DB文件权限和用户组
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
- 启动
Postfix服务
systemctl start postfix
- 测试配置文件是否有效
echo "Test mail from postfix" | mail -s "Test Postfix" -r "superlollipop@163.com" 1769128867@qq.com
#-s subject:邮件主题;-r from-addr 发送方邮箱地址;1769128867@qq.com为收件人邮箱地址
如下图所示的测试邮件截图:
- 配置
/var/ossec/etc/ossec.conf文件,如下所示:
<global>
<email_notification>yes</email_notification>
<email_to>1769128867@qq.com</email_to>
<smtp_server>127.0.0.1</smtp_server>
<email_from>superlollipop@163.com</email_from>
</global>
注意:<global>标签是放在<ossec_config>标签里面,参见官方文档:Alerts to a single E-Mail Address。
- 重启Ossec服务
/var/ossec/bin/ossec-control restart
至此,Ossec的邮件通知已经完成,可以通过修改目录/var/ossec/rules下的xml配置文件修改相关规则。这些规则很多都没有配置邮件通知,比如添加修改了用户密码发送邮件通知,则可以修改文件/var/ossec/rules/pam_rules.xml,如下所示:
<rule id="5555" level="3"> <!-- 此规则默认就存在了的 -->
<options>alert_by_email</options> <!-- 添加alert_by_email就会发送邮件通知 -->
<match>: password changed for</match>
<description>User changed password.</description>
</rule>
保存文件,然后执行/var/ossec/bin/ossec-control restart重启Ossec服务使配置更改生效。然后测试修改了Server端的root用户的密码后,接收到邮件通知,如下图所示: