Security: OSSEC

Table of Contents

Setup server
Setup web interface
Setup client

Setup client

by ross at 18:38:26 on December 31, 2014

Install

# cd /usr/ports/security/ossec-hids-client
# make install clean
# rehash

Configure

Refer to the OSSEC docs and tweak the client's initial /usr/local/ossec-hids/etc/ossec.conf. At a minimum the <server-ip> element inside <client> has to point at your OSSEC server, otherwise the agent has nowhere to send its events.

Log in to the server and run:

# /usr/local/ossec-hids/bin/manage_agents
  • At the menu press (A)dd an agent.
  • Enter name: agent1
  • Enter IP address (or subnet): 192.168.10.0/24 (a subnet lets the agent connect from any address in it; a single IP is stricter)
  • Enter ID for the new agent: just press enter to accept the default
  • At the main menu select (E)xtract key for an agent.
  • Enter the ID
  • Copy the key as a single line, without adding line breaks to it (important: a wrapped key will not import)

Now log in to the client again:

# /usr/local/ossec-hids/bin/manage_agents
  • Press (I)mport key from the server
  • Paste the key
  • Press y to confirm
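As an added example (not from the original page and not part of OSSEC), a small POSIX sh check for the key before you paste it into the client: it rejects a key that picked up a line break or other whitespace while being copied, confirms it is base64, and decodes it to show the agent ID, name and IP it carries. The sample key is constructed here from the values used on this page with a placeholder secret and is not a real key; base64(1) with -d is assumed to be available (FreeBSD 13 and later, GNU coreutils).

```shell
#!/bin/sh
# Added example, not part of the original page or of OSSEC.
# A key extracted by manage_agents is a single base64 line that decodes to
# "ID NAME IP KEY". Anything that breaks it across lines or adds whitespace
# while it is copied makes the import on the client fail, so check it first.
# Assumes base64(1) supports -d (FreeBSD 13+, GNU coreutils).

# check_agent_key KEY
# Prints "ID NAME IP" and returns 0 if KEY looks like a valid exported key;
# prints the reason on stderr and returns 1 otherwise.
check_agent_key() {
    key="$1"
    case "$key" in
        '')
            echo "check_agent_key: empty key" >&2; return 1 ;;
        *[[:space:]]*)
            echo "check_agent_key: key contains whitespace or a line break" >&2; return 1 ;;
        *[!A-Za-z0-9+/=]*)
            echo "check_agent_key: key contains characters outside base64" >&2; return 1 ;;
    esac
    decoded=$(printf '%s' "$key" | base64 -d 2>/dev/null) || {
        echo "check_agent_key: key is not valid base64" >&2; return 1
    }
    # Split the decoded line into fields; globbing is off while doing so.
    set -f
    set -- $decoded
    set +f
    if [ $# -ne 4 ]; then
        echo "check_agent_key: expected 4 fields (ID NAME IP KEY), got $#" >&2; return 1
    fi
    case "$1" in
        ''|*[!0-9]*)
            echo "check_agent_key: agent ID '$1' is not numeric" >&2; return 1 ;;
    esac
    case "$4" in
        ''|*[!0-9a-f]*)
            echo "check_agent_key: secret is not lowercase hex" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Constructed sample (not a real key): the agent added on this page, with a
# placeholder 64-hex-digit secret. base64 wraps long output, so the newlines
# it inserts are stripped, exactly as they must be when copying the real key.
SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_KEY=$(printf '001 agent1 192.168.10.0/24 %s' "$SECRET" | base64 | tr -d '\n')
# The same key after a terminal wrapped it at 40 columns during copy and paste.
BROKEN_KEY=$(printf '%s\n' "$SAMPLE_KEY" | fold -w 40)

if check_agent_key "$SAMPLE_KEY" >/dev/null; then
    echo "sample key OK"
fi
if ! check_agent_key "$BROKEN_KEY" 2>/dev/null; then
    echo "broken key rejected"
fi
```

Run it with the key you copied as the argument to check_agent_key; if the printed ID, name and IP match what manage_agents showed on the server, the key is safe to paste into the client's (I)mport prompt.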

Add to /etc/rc.conf on client:

# Enable OSSEC
ossechids_enable="YES"

Finish

For the changes to take effect you have to restart the server and start the agent:

server# service ossec-hids restart
client# service ossec-hids start

You will probably need to modify the server's firewall: the agent sends from a random high (ephemeral) UDP port on the client to UDP port 1514 on the server, so allow inbound UDP 1514 on the server from your agents' addresses and let the replies back out.

Check the server's web interface to make sure the server receives events from the client you have just added. On the server, agent_control -l in /usr/local/ossec-hids/bin also lists every agent with its status, which is the quickest way to tell "Active" from "Never connected".

If the client could not connect

Stop both the server and the client. Then, on both the client and the server, clear the message counters:

# rm -rf /usr/local/ossec-hids/queue/rids/*

Now start the server and the client.

The files under queue/rids are the per-agent counters OSSEC uses to detect replayed messages. When the client's and the server's counters disagree (for example after reinstalling the agent or re-adding it under the same ID), the server drops the agent's messages, so the counters have to be cleared on both sides, not just one.
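The counter reset above as one POSIX sh script, added here as an example (not from the original page or from OSSEC), to be run as root on both the client and the server. It stops ossec-hids, empties queue/rids while keeping the directory itself, checks that nothing is left, and starts the service again. The OSSEC_DIR and SERVICE variables are this script's own assumptions: OSSEC_DIR defaults to the port prefix used on this page, and SERVICE lets you point the stop/start at something other than service(8), for instance SERVICE=: to rehearse the reset on a copy without touching a running daemon.

```shell
#!/bin/sh
# Added example, not part of the original page or of OSSEC: resync the
# agent/server message counters. Run as root on BOTH the client and the server.
# OSSEC keeps a per-agent counter under queue/rids/ for replay detection; if
# client and server disagree, the server drops the agent's messages, and the
# cure is to clear the counters on both sides and restart both daemons.
#
# Assumptions (not from the page): OSSEC_DIR and SERVICE may be overridden.
OSSEC_DIR="${OSSEC_DIR:-/usr/local/ossec-hids}"   # FreeBSD port prefix used on this page
SERVICE="${SERVICE:-service}"                     # e.g. SERVICE=: to skip stop/start

# rids_count DIR: number of entries under DIR/queue/rids
rids_count() {
    find "$1/queue/rids" -mindepth 1 | wc -l | tr -d ' '
}

# rids_clear DIR: empty DIR/queue/rids but keep the directory itself (OSSEC
# recreates the counter files, not the directory). Returns 1 if DIR does not
# look like an OSSEC install, 0 once the directory is empty.
rids_clear() {
    rids="$1/queue/rids"
    if [ ! -d "$rids" ]; then
        echo "rids_clear: $rids does not exist; is OSSEC installed under $1?" >&2
        return 1
    fi
    echo "rids_clear: removing $(rids_count "$1") counter file(s) from $rids"
    find "$rids" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
    [ "$(rids_count "$1")" -eq 0 ]
}

# rids_resync: stop ossec-hids, clear the counters, start it again.
# Returns non-zero if the counters could not be cleared; the service is then
# left stopped so you can look at what is in queue/rids before retrying.
rids_resync() {
    $SERVICE ossec-hids stop || echo "rids_resync: ossec-hids was not running" >&2
    rids_clear "$OSSEC_DIR" || return 1
    $SERVICE ossec-hids start
}

# Uncomment to run the reset when this file is executed directly:
# rids_resync
```

Save it on each host, then run rids_resync from it as root on the server and on the client; only after both have been reset do their counters start from the same point again. Clearing one side alone leaves them mismatched and the agent stays "Never connected".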

If this did not help, try the FAQ:

http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html
