Voir :
http://www.ossec.net
https://ossec.github.io/docs/manual/
https://ossec.github.io/docs/programs/ossec-control.html
Installation de OSSEC Serveur
Voir :
https://ossec.github.io/docs/manual/installation/installation-package.html#rpm-installation
cd /home/ossecdnc/public_html/ossec/
yum install ossec-hids ossec-hids-serverRépertoires
Le Manager OSSEC est installé dans le répertoire public_html/ossec/ de ce serveur, afin que l’user Web puisse l’atteindre en toute sécurité, notamment sans faire appel au contournement de
La configuration peut être visualisée ou modifiée dans /var/ossec/etc/ossec.conf
Logs et alertes :
/home/ossecdnc/public_html/ossec/logs
/home/ossecdnc/public_html/ossec/logs/alerts
Actions élémentaires en mode commande
- Pour démarrer OSSEC HIDS :
/home/ossecdnc/public_html/ossec/bin/ossec-control start- Pour arrêter OSSEC HIDS :
/home/ossecdnc/public_html/ossec/bin/ossec-control stopOuverture du pare-feu côté serveur
Le principe de la communication agent / serveur est que l’agent démarre une connexion au serveur à l’aide d’un port élevé aléatoire. Ainsi, le seul port ouvert par OSSEC l’est du côté serveur (port 1514 UDP), et attend une réponse.
Ossec utilise UDP 1514 pour dialoguer avec les agents
Syslog demande UDP 514.
Tester l’ouverture du pare-feu
depuis un poste Windows :
Il faut utiliser Port Query portqryui (à télécherger sur le site de Microsoft) :
depuis un client Linux :
# netstat -pun
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address Stat
e PID/Program name
udp 0 0 c.c.c.c:56297 s.s.s.s:1514 ESTABLISHED 16491/ossec-agentdoù s.s.s.s est l’IP du serveur
Contrôle des agents
# /home/ossecdnc/public_html/ossec/bin/agent_control
# /home/ossecdnc/public_html/ossec/bin/agent_control
OSSEC HIDS agent_control: Control remote agents.
Available options:
-h This help message.
-l List available (active or not) agents.
-lc List active agents.
-i <id> Extracts information from an agent.
-R <id> Restarts agent.
-r -a Runs the integrity/rootkit checking on all agents now.
-r -u <id> Runs the integrity/rootkit checking on one agent now.
-b <ip> Blocks the specified ip address.
-f <ar> Used with -b, specifies which response to run.
-L List available active responses.
-s Changes the output to CSV (comma delimited).Identifier les agents actifs/non actifs :
# /home/ossecdnc/public_html/ossec/bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: vpsxxx.ovh.net (server), IP: x.x.x.x, Active/Local
ID: 001, Name: agent-test, IP:a.a.a.a, Never connected
ID: 002, Name: agent-test2, IP: b.b.b.b, Never connected
ID: 004, Name: vpsyyy, IP: y.y.y.y, ActiveLes agents sont tous vus inactifs ?
Essayer cela :
/home/ossecdnc/public_html/ossec/bin/ossec-control stop
rm -rf /home/ossecdnc/public_html/ossec/queue/rids/*
/home/ossecdnc/public_html/ossec/bin/ossec-control startLancer le Manager en mode debug
# /home/ossecdnc/public_html/ossec/bin/ossec-control enable debug &&
# /home/ossecdnc/public_html/ossec/bin/ossec-control restart`
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.8.3 Stopped
Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
2017/11/08 08:19:16 ossec-maild: DEBUG: Starting ...
Started ossec-maild...
Started ossec-execd...
2017/11/08 08:19:16 ossec-analysisd: DEBUG: Starting ...
2017/11/08 08:19:16 ossec-analysisd: DEBUG: Found user/group ...
2017/11/08 08:19:16 ossec-analysisd: DEBUG: Active response initialized ...
2017/11/08 08:19:16 adding rule: rules_config.xml
2017/11/08 08:19:16 adding rule: pam_rules.xml
2017/11/08 08:19:16 adding rule: sshd_rules.xml
2017/11/08 08:19:16 adding rule: telnetd_rules.xml
2017/11/08 08:19:16 adding rule: syslog_rules.xml
2017/11/08 08:19:16 adding rule: arpwatch_rules.xml
2017/11/08 08:19:16 adding rule: symantec-av_rules.xml
2017/11/08 08:19:16 adding rule: symantec-ws_rules.xml
2017/11/08 08:19:16 adding rule: pix_rules.xml
2017/11/08 08:19:16 adding rule: named_rules.xml
2017/11/08 08:19:16 adding rule: smbd_rules.xml
2017/11/08 08:19:16 adding rule: vsftpd_rules.xml
2017/11/08 08:19:16 adding rule: pure-ftpd_rules.xml
2017/11/08 08:19:16 adding rule: proftpd_rules.xml
2017/11/08 08:19:16 adding rule: ms_ftpd_rules.xml
2017/11/08 08:19:16 adding rule: ftpd_rules.xml
2017/11/08 08:19:16 adding rule: hordeimp_rules.xml
2017/11/08 08:19:16 adding rule: roundcube_rules.xml
2017/11/08 08:19:16 adding rule: wordpress_rules.xml
2017/11/08 08:19:16 adding rule: cimserver_rules.xml
2017/11/08 08:19:16 adding rule: vpopmail_rules.xml
2017/11/08 08:19:16 adding rule: vmpop3d_rules.xml
2017/11/08 08:19:16 adding rule: courier_rules.xml
2017/11/08 08:19:16 adding rule: web_rules.xml
2017/11/08 08:19:16 adding rule: web_appsec_rules.xml
2017/11/08 08:19:16 adding rule: apache_rules.xml
2017/11/08 08:19:16 adding rule: nginx_rules.xml
2017/11/08 08:19:16 adding rule: php_rules.xml
2017/11/08 08:19:16 adding rule: mysql_rules.xml
2017/11/08 08:19:16 adding rule: postgresql_rules.xml
2017/11/08 08:19:16 adding rule: ids_rules.xml
2017/11/08 08:19:16 adding rule: squid_rules.xml
2017/11/08 08:19:16 adding rule: firewall_rules.xml
2017/11/08 08:19:16 adding rule: cisco-ios_rules.xml
2017/11/08 08:19:16 adding rule: netscreenfw_rules.xml
2017/11/08 08:19:16 adding rule: sonicwall_rules.xml
2017/11/08 08:19:16 adding rule: postfix_rules.xml
2017/11/08 08:19:16 adding rule: sendmail_rules.xml
2017/11/08 08:19:16 adding rule: imapd_rules.xml
2017/11/08 08:19:16 adding rule: mailscanner_rules.xml
2017/11/08 08:19:16 adding rule: dovecot_rules.xml
2017/11/08 08:19:16 adding rule: ms-exchange_rules.xml
2017/11/08 08:19:16 adding rule: racoon_rules.xml
2017/11/08 08:19:16 adding rule: vpn_concentrator_rules.xml
2017/11/08 08:19:16 adding rule: spamd_rules.xml
2017/11/08 08:19:16 adding rule: msauth_rules.xml
2017/11/08 08:19:16 adding rule: mcafee_av_rules.xml
2017/11/08 08:19:16 adding rule: trend-osce_rules.xml
2017/11/08 08:19:16 adding rule: ms-se_rules.xml
2017/11/08 08:19:16 adding rule: zeus_rules.xml
2017/11/08 08:19:16 adding rule: solaris_bsm_rules.xml
2017/11/08 08:19:16 adding rule: vmware_rules.xml
2017/11/08 08:19:16 adding rule: ms_dhcp_rules.xml
2017/11/08 08:19:16 adding rule: asterisk_rules.xml
2017/11/08 08:19:16 adding rule: ossec_rules.xml
2017/11/08 08:19:16 adding rule: attack_rules.xml
2017/11/08 08:19:16 adding rule: openbsd_rules.xml
2017/11/08 08:19:16 adding rule: clam_av_rules.xml
2017/11/08 08:19:16 adding rule: dropbear_rules.xml
2017/11/08 08:19:16 adding rule: local_rules.xml
2017/11/08 08:19:16 ossec-analysisd: DEBUG: Read configuration ...
Started ossec-analysisd...
2017/11/08 08:19:16 ossec-logcollector: DEBUG: Starting ...
Started ossec-logcollector...
2017/11/08 08:19:16 ossec-remoted: DEBUG: Starting ...
Started ossec-remoted...
2017/11/08 08:19:16 ossec-syscheckd: DEBUG: Starting ...
2017/11/08 08:19:16 ossec-rootcheck: DEBUG: Starting ...
2017/11/08 08:19:16 ossec-rootcheck: Starting queue ...
2017/11/08 08:19:17 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set
to: '124928'.
Started ossec-syscheckd...
2017/11/08 08:19:17 ossec-monitord: DEBUG: Starting ...
Started ossec-monitord...
Completed.Vérifier que tous les services fonctionnent, en particulier ossec-remoted :
# /home/ossecdnc/public_html/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted not running... # <-------------------------
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...Notons que ossec-remoted ne fonctionne pas, alors que ossec-control restart signalait "Started ossec-monitord". Le mode DEBUG n’aporte rien de plus !
# /home/ossecdnc/public_html/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 23785 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...Est-ce que le port 1514 est déjà utilisé par ailleurs ?
# ss -pl | grep :1514ossec.log : Messages et signification
ossec-remoted(1206) : ERROR : Unable to Bind port ’1514’
et aussi ossec-agentd(4101) : WARN : Waiting for server reply (not started). Tried : ’IP.DU.SERVEUR’.
Vérifier les firewalls :
Le firewall côté agent autorise-t-il la sortie sur le port UDP 1514 ?
Le firewall côté serveur autorise-t-il l’écoute sur le port UDP 1514 ?
ossec-remoted(1213) : WARN : Message from x.x.x.x not allowed.
L’IP indiquée ne correspond pas à une IP d’un agent installé sur l’hôte.
ossec-remoted(1403) : ERROR : Incorrectly formated message from ’x.x.x.x’.
Après l’installation d’un nouvel agent, avez-vous bien relancé dans l’ordre : le serveur, l’agent ?
RSS 2.0