Security: OSSEC

Setup web interface

by ross at 18:51:14 on December 31, 2014

Download and setup:

> fetch http://www.ossec.net/files/ossec-wui-0.8.tar.gz
> tar zxvf ossec-wui-0.8.tar.gz
> sudo mkdir -p /home/www/ossec/logs
> sudo mv ossec-wui-0.8 /home/www/ossec/public

Edit ossec_conf.php and set the path correctly; your OSSEC install directory is /usr/local/ossec-hids.

Ownership (assuming your web server is running as www user):

# sudo chown -R www:www /home/www/ossec
# sudo pw groupmod ossec -m www

Apache setup:

Create /usr/local/etc/apache24/Includes/ossec.conf:

<VirtualHost *:80>
        ServerName ossec.example.com
        ServerAdmin [email protected]
        DocumentRoot "/home/www/ossec/public"
        ErrorLog "/home/www/ossec/logs/error.log"
        CustomLog "/home/www/ossec/logs/access.log" combined
</VirtualHost>

<Directory "/home/www/ossec/public">
        Options FollowSymLinks Indexes MultiViews
        AllowOverride All
        Require all granted
</Directory>

This web interface is not protected in any way. You should protect it yourself; for example, replace the Require line with

        Require ip 192.168.10.0/24

This will allow access from specific IPs only. Or you could password-protect it; google "apache htpasswd" or "nginx htpasswd".
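
One way to combine both restrictions for /home/www/ossec/public, as an added example that is not part of the original page. The password file path /home/www/ossec/.htpasswd, the realm name "OSSEC WUI" and the user name ossecadmin are assumptions.

```apache
# Added example: use in place of the <Directory> block in
# /usr/local/etc/apache24/Includes/ossec.conf.
#
# Requires mod_authz_host, mod_authz_user, mod_auth_basic and mod_authn_file;
# check that their LoadModule lines are enabled in httpd.conf.
#
# Create the password file once (path and user name are assumptions).
# It lives outside DocumentRoot so it can never be served as a page:
#   htpasswd -c /home/www/ossec/.htpasswd ossecadmin
#   chown root:www /home/www/ossec/.htpasswd
#   chmod 640 /home/www/ossec/.htpasswd
#
# The VirtualHost above listens on port 80, so Basic credentials cross the
# network unencrypted; the IP restriction limits who can reach the login at all.

<Directory "/home/www/ossec/public">
        # Indexes removed so directory listings are not generated.
        Options FollowSymLinks MultiViews

        # Kept from the page. .htaccess files below this directory are still
        # honoured, and a Require placed in one replaces the rules in this block.
        AllowOverride All

        AuthType Basic
        AuthName "OSSEC WUI"
        AuthBasicProvider file
        AuthUserFile "/home/www/ossec/.htpasswd"

        # Both conditions must hold: client on the trusted subnet AND a valid login.
        <RequireAll>
                Require ip 192.168.10.0/24
                Require valid-user
        </RequireAll>
</Directory>
```

Run apachectl configtest before restarting to catch a missing module or a typo in the block.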

Restart

# service ossec-hids restart
# service apache24 restart

 

Comments
Hello,

Thank you very much for this great tutorial.

I have managed to install the ossec-hids-server on my FreeBSD host with no problem but I have a problem installing ossec-webui.

This is because my web server is inside a FreeBSD jail running on the Host.

Could you please quickly explain the step to take in order to be able to have the web installed inside my webjail?

Thank you in advance.

Fred
-- Fred
Tuesday, October 7, 2014, 14:49:50
ossec webui reads data from server's /usr/local/ossec-hids directory. So you have to "mount -t nullfs" it into your jail.

Sorry, can't test it right now, but I believe this will work. Watch out for ownership and permissions on that directory.
-- ross
Thursday, October 9, 2014, 5:21:36
Thank you for the reply, it is much appreciated.

When I run ./setup.sh, I get the following error:
---
Setting up ossec ui...

Username: ossecadmin
** ERROR: Could not find htpasswd. No password set.
---

Do you have any suggestion as to where I'm going wrong?
I have the same problem if I try it directly on the host

Thank you in advance.
Fred
-- Fred
Thursday, October 9, 2014, 8:51:20
ossec web interface does not have any means for user authorization. It uses Apache's .htaccess/.htpasswd for limiting access to the interface (the setup script creates these files).

The script couldn't find htpasswd command (part of Apache port) so it complains.
-- ross
Saturday, October 11, 2014, 2:09:49
Yes, I understand that...but do you have a solution?
-- Chris
Tuesday, December 30, 2014, 2:29:15
Rewrote the page. This setup.sh script was useless anyway, not using it now.
-- ross
Wednesday, December 31, 2014, 18:53:19
Sorry, I forgot to mention that I am running Nginx web server so I don't have the htpasswd Apache module.
-- Fred
Thursday, October 9, 2014, 9:11:13