For intrusion detection we are going to use a program called OSSEC. If you want to find out more about OSSEC, visit its web site.
Although OSSEC is not yet available in Debian's repositories, the good news is that OSSEC's installer is "Debian aware" and will create appropriate init scripts for OSSEC.
During the installation OSSEC checks the available files in the /var/log folder and adds them to the list of files to be monitored. If you install OSSEC before installing all other services on your server, some of the log files will not be monitored unless you add them manually to OSSEC's configuration.
Also, OSSEC will not be able to send out emails until you finish setting up the mail server.
Download the latest release of OSSEC from its web site. At the time of writing the latest release is 2.5.1.
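One way to catch log files that were created after the installation and are therefore not yet covered, as an added example that is not part of the original tutorial or of OSSEC itself: the script below extracts every <location> entry from an OSSEC configuration file and lists the regular files in a log directory that no entry names. The paths in the demonstration are constructed temporary files; on a real server you would point it at /var/ossec/etc/ossec.conf and /var/log. It only understands literal paths, so a <location> that uses a wildcard is not matched (an assumption to keep the parser short).

```shell
#!/bin/sh
# Added example (not from the tutorial): find log files that OSSEC's
# configuration does not list as a <location> to monitor.

# Print every <location>...</location> path found in the given ossec.conf.
monitored_locations() {
    sed -n 's/.*<location>\([^<]*\)<\/location>.*/\1/p' "$1"
}

# Print the regular files directly under directory $2 whose full path is not
# listed as a <location> in configuration file $1 (exact, literal match only).
unmonitored_logs() {
    conf="$1"; logdir="$2"
    find "$logdir" -maxdepth 1 -type f | sort | while read -r f; do
        if ! monitored_locations "$conf" | grep -Fxq "$f"; then
            echo "$f"
        fi
    done
}

# Demonstration with constructed input: a temporary "log directory" holding
# three files and a configuration that only monitors two of them.
demo() {
    logdir=$(mktemp -d)
    conf=$(mktemp)
    : > "$logdir/auth.log"; : > "$logdir/syslog"; : > "$logdir/mail.log"
    printf '<ossec_config>\n' > "$conf"
    for f in "$logdir/auth.log" "$logdir/syslog"; do
        printf '  <localfile>\n    <log_format>syslog</log_format>\n    <location>%s</location>\n  </localfile>\n' "$f" >> "$conf"
    done
    printf '</ossec_config>\n' >> "$conf"
    echo "Log files with no <location> entry:"
    unmonitored_logs "$conf" "$logdir"     # prints only .../mail.log
    rm -rf "$logdir" "$conf"
}

demo
```

Each path the script prints needs its own <localfile> block in ossec.conf (with a suitable <log_format>) followed by an OSSEC restart, which is exactly the manual step the paragraph above refers to.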
mkdir /root/src
cd /root/src
wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
Do not skip checksum checking
On the web site you will also find a list of checksums for the release you just downloaded. Before proceeding any further, check that the checksums published on the web site are the same ones you get for the file you just downloaded. Do this using the md5sum and sha1sum utilities.
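The comparison described above, written out as a small script so that it fails loudly instead of relying on eyeballing two hex strings. This is an added example and not part of the tutorial or of OSSEC; the file name and the expected digests in the demonstration are constructed placeholders, and on a real run you would pass the downloaded tarball and the values copied from the OSSEC web site.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify a downloaded archive against
# the MD5 and SHA-1 digests published on the project's web site.

# Compare one digest of a file with its expected value.
# $1 = digest tool (md5sum or sha1sum), $2 = expected hex digest, $3 = file
check_digest() {
    tool="$1"; expected="$2"; file="$3"
    actual=$("$tool" "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $tool $file"
        return 0
    fi
    echo "FAIL $tool $file (expected $expected, got $actual)" >&2
    return 1
}

# Succeed only if both digests match; a single mismatch means "do not extract".
# $1 = file, $2 = expected MD5, $3 = expected SHA-1
verify_archive() {
    check_digest md5sum "$2" "$1" && check_digest sha1sum "$3" "$1"
}

# Demonstration with a constructed file whose digests are known, then with the
# same file after a one-byte change to show the check catching the tampering.
demo() {
    archive=$(mktemp)
    printf 'abc' > "$archive"
    md5="900150983cd24fb0d6963f7d28e17f72"              # stands in for the published MD5
    sha1="a9993e364706816aba3e25717850c26c9cd0d89d"      # stands in for the published SHA-1
    if verify_archive "$archive" "$md5" "$sha1"; then
        echo "checksums match, safe to extract"
    fi
    printf 'x' >> "$archive"                            # simulate a modified download
    if ! verify_archive "$archive" "$md5" "$sha1"; then
        echo "checksums differ, do NOT extract this file"
    fi
    rm -f "$archive"
}

demo
```

Because verify_archive returns non-zero on any mismatch, it can gate the rest of the procedure directly, for example "verify_archive ossec-hids-2.5.1.tar.gz MD5 SHA1 && tar -xvzf ossec-hids-2.5.1.tar.gz" with the published values in place of MD5 and SHA1.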
Now we need to extract the files from the downloaded archive.
tar -xvzf ossec-hids-2.5.1.tar.gz
Since the installer will compile OSSEC we need to have a compiler and a make utility installed on our system.
apt-get install gcc make
Run the installation script
cd ossec-hids-2.5.1
./install.sh
During the installation you will have to set some options:
Select the language for the installation
What kind of installation do you want (server, agent, local or
Choose where to install the OSSEC HIDS [/var/ossec]:
Do you want e-mail notification? (y/n) [y]:
What's your e-mail address?
What's your SMTP server ip/host?
Do you want to run the integrity check daemon? (y/n) [y]:
Do you want to run the rootkit detection engine? (y/n) [y]:
Do you want to enable active response? (y/n) [y]:
Do you want to enable the firewall-drop response? (y/n) [y]:
Do you want to add more IPs to the white list? (y/n)? [n]:
IPs (space separated):
IP address you do not want to
After we answer all of the questions the installer will compile OSSEC, finish the installation and create init scripts that will start OSSEC during boot.
Now it is a good time to commit our changes to the
etckeeper commit "Installed OSSEC"
You will probably start getting emails that you do not want to receive. Luckily, OSSEC allows you to filter out those emails. For managing OSSEC rules you will have to refer to the OSSEC documentation on their web site.
You probably do not need a compiler on your server, and not having one makes it harder to do damage if somebody gains access to your server. So we are going to remove gcc and make.
apt-get --purge remove gcc make
apt-get autoremove