<![CDATA[CrunchBang Linux Forums / OSSEC HIDS (with Web UI)]]> http://crunchbang.org/forums/viewtopic.php?id=14232 Sat, 23 Jul 2011 15:14:09 +0000 FluxBB <![CDATA[OSSEC HIDS (with Web UI)]]> http://crunchbang.org/forums/viewtopic.php?pid=133422#p133422 OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.

This guide provides instructions for installing OSSEC with a password protected Web interface over SSL which only accepts connections from localhost. Nmap also cannot guess the server version.

First download OSSEC & uncompress the archive. In the resulting folder run the setup script:

./install.sh

Change the LSB header:

sudo -s
nano /etc/init.d/ossec

& replace the header information with the following:

# OSSEC         Controls OSSEC HIDS
# Author:       Daniel B. Cid <dcid@ossec.net>
# Modified for slackware by Jack S. Lai
# Modified for Debian Squeeze by Ben Jackson <bbj@mayhemiclabs.com>
### BEGIN INIT INFO
# Provides:          ossec
# Required-Start:    $local_fs $remote_fs $network $syslog $named
# Required-Stop:     $local_fs $remote_fs $network $syslog $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Start/stop OSSEC Host Intrusion Detection System
### END INIT INFO

& update the init scripts & start OSSEC:

update-rc.d ossec defaults
service ossec start

Install the web server & enable FastCGI:

apt-get install lighttpd php5-cgi apache2-utils
lighty-enable-mod fastcgi

Now install the Web UI & verify the file integrity:

wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
wget http://www.ossec.net/files/ui/ossec-wui-0.3-checksum.txt
wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz.sig
md5 ossec-wui-0.3.tar.gz
sha1 ossec-wui-0.3.tar.gz
gpg --verify ossec-wui-0.3.tar.gz.sig ossec-wui-0.3.tar.gz

Uncompress the archive & move it into the web root & run the setup script:

tar -zxvf ossec-wui-0.3.tar.gz
mv ossec-wui-0.3 /var/www/htdocs/ossec-wui
cd /var/www/htdocs/ossec-wui
./setup.sh

Add your web server user (www-data) to the ossec group: 

nano /etc/group
   ..
   From:
       ossec:x:1002:
   To:
       ossec:x:1002:www-data

& fix the permissions on tmp in the ossec-wui directory:

chmod 770 tmp/
chgrp www-data tmp/

Create a digest file to use inside mod_auth (replacing yourusername with your own):

htdigest -c /etc/lighttpd/www-root.user "ossec wui" yourusername

Add the digest information to mod_auth:

nano /etc/lighttpd/conf-enabled/10-auth.conf

& add the following (replacing yourusername with your own):

auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/etc/lighttpd/www-root.user"
auth.require = ( "/ossec-wui" =>
                                (
                                  "method"  => "digest",
                                  "realm"   => "ossec wui",
                                  "require" => "user=yourusername"
                                 )
               )

Create a Self Signed SSL Certificate:

mkdir /etc/lighttpd/ssl/domain.com -p
cd /etc/lighttpd/ssl/domain.com
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
chown www-data:www-data /etc/lighttpd/ssl -R
chmod 0600 /etc/lighttpd/ssl/domain.com

To bind the webserver ports to 127.0.0.1 / force SSL on port 80 & only accept connections from 127.0.0.1 use the following config for /etc/lighttpd/lighttpd.conf:

server.modules = (
    "mod_access",
    "mod_alias",
    "mod_compress",
    "mod_redirect",
    "mod_fastcgi",
    "mod_auth",
#   "mod_rewrite",
)

server.document-root        = "/var/www/htdocs/ossec-wui"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.bind                   = "127.0.0.1"
server.port                    = 81
server.tag                     = "myWebServer v1.0" 
index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".pl", ".fcgi" )

compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )
debug.log-request-handling  = "enable" 

include_shell "/usr/share/lighttpd/use-ipv6.pl"
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

$HTTP["host"] == "127.0.0.1" {
    $HTTP["remoteip"] != "127.0.0.1" {
        url.access-deny = ( "" )
    }
}  

$SERVER["socket"] == "127.0.0.1:80" {
  $HTTP["host"] =~ "(.*)" {
    url.redirect = ( "^/(.*)" => "https://%1/$1" )
  }
}

$SERVER["socket"] == "127.0.0.1:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/domain.com/server.pem"
}

The above config binds a default port 81 so port 80 can be bound to 127.0.0.1 with SSL forced. Otherwise by default lightppd listens on port 80 on the Default Route (0.0.0.0) which is not what we want for a local install.

Also change the config for FastCGI in /etc/lighttpd/conf-enabled/10-fastcgi.conf to the following:

# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz
# http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi

fastcgi.server = ( ".php" => ((
                     "bin-path" => "/usr/bin/php-cgi", 
                     "socket" => "/tmp/php.socket",
                     "max-procs" => 2,
                     "bin-environment" => (
                       "PHP_FCGI_CHILDREN" => "16",
                       "PHP_FCGI_MAX_REQUESTS" => "10000"
                     ),
                     "bin-copy-environment" => (
                       "PATH", "SHELL", "USER"
                     ),
                     "broken-scriptfilename" => "enable"
                 )))

*** If you installed OSSEC in a directory other than the default ( /opt/ossec instead of /var/ossec ), edit /var/www/htdocs/ossec-wui/ossec_conf.php and change the $ossec_dir variable to match ***

Restart lighttpd:

/etc/init.d/lighttpd restart

You should now be able to enter 127.0.0.1 into your browser & be redirected to an SSL login for the OSSEC Web UI.

I have also posted a guide for setting up a firewall with active intrustion detection.

]]> Sat, 23 Jul 2011 15:14:09 +0000 http://crunchbang.org/forums/viewtopic.php?pid=133422#p133422