3.4. Intrusion detection

For intrusion detection we are going to use a program called OSSEC. If you want to find out more about OSSEC, visit its web site.

Although OSSEC is not yet available in Debian's repositories, the good news is that OSSEC's installer is "Debian aware": it will create appropriate init scripts for OSSEC.


During the installation OSSEC checks which files exist in the /var/log folder and adds them to the list of files to monitor. If you install OSSEC before installing the other services on your server, the log files those services create later will not be monitored unless you add them manually to OSSEC's configuration.
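A way to find those gaps after the installer has finished, as an added example that is not part of the original tutorial or of OSSEC itself: the first function lists files in a log directory that no <location> entry in the configuration refers to, the second prints the <localfile> element that adds one. The configuration path and log directory are passed as arguments so the script can run against a constructed directory (which is what it does when run stand-alone); the real values on the server set up here are /var/ossec/etc/ossec.conf and /var/log. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial or of OSSEC): find log
# files that OSSEC is not watching and print the ossec.conf fragment that
# would add them. Both paths are arguments so it can be run against a
# constructed directory; on the server described here the real call is
#   unmonitored_logs /var/ossec/etc/ossec.conf /var/log
# (ossec.conf lives under the install prefix chosen during installation).

# Print, sorted, every regular file directly under $2 that has no matching
# <location> entry in the configuration file $1. Rotated copies (.1, .gz,
# .old) are skipped because they are not live logs.
unmonitored_logs() {
    conf="$1"; logdir="$2"
    for f in "$logdir"/*; do
        [ -f "$f" ] || continue                       # skip subdirectories, sockets
        case "$f" in *.[0-9]|*.[0-9].gz|*.gz|*.old) continue ;; esac
        # -F: the path is a fixed string, not a regex ('.' must not match anything)
        if ! grep -qF -- "<location>$f</location>" "$conf"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Print the <localfile> element that adds $1 to ossec.conf; $2 is the
# log_format (default syslog, OSSEC's format for one-line-per-event logs).
# Paste the output inside <ossec_config> ... </ossec_config>.
localfile_snippet() {
    printf '  <localfile>\n    <log_format>%s</log_format>\n    <location>%s</location>\n  </localfile>\n' \
        "${2:-syslog}" "$1"
}

# Build a constructed layout for demonstration/testing and print its path:
# an ossec.conf that only watches syslog, plus a log directory with more
# files than that (constructed sample data, not a real server).
demo_layout() {
    d=$(mktemp -d)
    mkdir "$d/log" "$d/log/apache2"
    : > "$d/log/syslog"; : > "$d/log/syslog.1"
    : > "$d/log/auth.log"; : > "$d/log/mail.log"
    printf '<ossec_config>\n  <localfile>\n    <log_format>syslog</log_format>\n    <location>%s</location>\n  </localfile>\n</ossec_config>\n' \
        "$d/log/syslog" > "$d/ossec.conf"
    printf '%s\n' "$d"
}

# Stand-alone run: reports auth.log and mail.log, then the fragment for each.
demo=$(demo_layout)
for f in $(unmonitored_logs "$demo/ossec.conf" "$demo/log"); do
    echo "not monitored: $f"
    localfile_snippet "$f"
done
rm -rf "$demo"
```

Run it again after each service you install; anything it prints is a log OSSEC will silently ignore until the matching <localfile> element is added and OSSEC is restarted.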

Also, OSSEC will not be able to send out emails until you finish setting up the mail server.

Download the latest release of OSSEC from its web site. At the time of writing the latest release is 2.5.1.

mkdir /root/src
cd /root/src
wget http://www.ossec.net/files/ossec-hids-latest.tar.gz

Do not skip checksum checking

On the web site you will also find the checksums for the release you just downloaded. Before proceeding any further, check that the checksums published on the web site are the same as the ones you get for the file you downloaded, using the md5sum and sha1sum utilities. Keep in mind what this proves: a matching checksum rules out a corrupted or truncated download, but because the checksums come from the same site as the archive, it does not protect you against a compromised site or mirror.

root@atlantis:~/src# sha1sum ossec-hids-2.5.1.tar.gz 
6dbda038020b30ff4f115fe655f69c4d9ae01994  ossec-hids-2.5.1.tar.gz
root@atlantis:~/src# md5sum ossec-hids-2.5.1.tar.gz
94a7cabbba009728510a7a3e290ab200  ossec-hids-2.5.1.tar.gz
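The same check as a reusable shell function, so it can gate the extraction step rather than rely on comparing digests by eye. This is an added example, not part of the original tutorial or of OSSEC; the function name and argument order are its own, while the file name and digests in the usage comment are the ones shown above. When run stand-alone it demonstrates itself on a constructed file rather than on the tarball.

```shell
#!/bin/sh
# Added example: verify a downloaded release against the SHA-1 and MD5
# digests published on the OSSEC web site. The function name and argument
# order are this example's own, not something OSSEC ships.
#
# Usage: verify_checksums FILE EXPECTED_SHA1 EXPECTED_MD5
# Returns 0 only if the file exists and BOTH digests match; otherwise it
# reports every mismatch on stderr and returns 1, so a caller can write
#   verify_checksums ossec-hids-2.5.1.tar.gz \
#       6dbda038020b30ff4f115fe655f69c4d9ae01994 \
#       94a7cabbba009728510a7a3e290ab200 && tar -xvzf ossec-hids-2.5.1.tar.gz
verify_checksums() {
    file="$1"
    # Normalise pasted digests to lower case in case the site shows them upper-case.
    want_sha1=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    want_md5=$(printf '%s' "$3" | tr 'A-Z' 'a-z')

    if [ ! -f "$file" ]; then
        echo "verify_checksums: no such file: $file" >&2
        return 1
    fi

    # sha1sum/md5sum print "<digest>  <name>"; keep only the digest.
    got_sha1=$(sha1sum "$file" | cut -d' ' -f1)
    got_md5=$(md5sum "$file" | cut -d' ' -f1)

    status=0
    if [ "$got_sha1" != "$want_sha1" ]; then
        echo "SHA-1 MISMATCH for $file: got $got_sha1, expected $want_sha1" >&2
        status=1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 MISMATCH for $file: got $got_md5, expected $want_md5" >&2
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $file matches both published digests"
    fi
    return "$status"
}

# Stand-alone demonstration on a constructed file (not the real tarball):
# the digests below are those of the bytes "hello" followed by a newline.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_checksums "$demo_file" \
    f572d396fae9206628714fb2ce00f72e94f2258f b1946ac92492d2347c6235b4d2611184
# A tampered or truncated download fails even if one digest still matches:
verify_checksums "$demo_file" \
    0000000000000000000000000000000000000000 b1946ac92492d2347c6235b4d2611184
rm -f "$demo_file"
```

Because the function returns non-zero on any mismatch, chaining it with && in front of tar means a bad download is never unpacked, let alone compiled and installed as root.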

Now we need to extract the files from the downloaded archive.

tar -xvzf ossec-hids-2.5.1.tar.gz

Since the installer will compile OSSEC we need to have a compiler and a make utility installed on our system.

apt-get install gcc make

Run the installation script:

cd ossec-hids-2.5.1
./install.sh

During the installation you will have to set some options:

  1. Select the language for the installation

  2. What kind of installation do you want (server, agent, local or help)? local

  3. Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec

  4. Do you want e-mail notification? (y/n) [y]: y

  5. What's your e-mail address? your-email@example.com

  6. What's your SMTP server ip/host? localhost

  7. Do you want to run the integrity check daemon? (y/n) [y]: y

  8. Do you want to run the rootkit detection engine? (y/n) [y]: y

  9. Do you want to enable active response? (y/n) [y]: y

  10. Do you want to enable the firewall-drop response? (y/n) [y]: y

  11. Do you want to add more IPs to the white list? (y/n) [n]: y

  12. IPs (space separated): the IP addresses you do not want to get blocked. Make sure the address you administer the server from is on this list: active response with firewall-drop blocks the source address of whatever it considers an attack, and a few mistyped passwords from your own workstation would otherwise lock you out.

After we answer all of the questions, the installer compiles OSSEC, finishes the installation and creates init scripts that will start OSSEC during boot. The installer does not start OSSEC itself; its closing message tells you to start it with /var/ossec/bin/ossec-control start.

Now it is a good time to commit our changes to the /etc folder.

etckeeper commit "Installed OSSEC"

False positives

You will probably start getting emails that you do not want to receive. Luckily, OSSEC allows you to filter those out by tuning its rules. For managing OSSEC rules you will have to refer to the OSSEC documentation on its web site.

You probably do not need a compiler on your server, and not having one makes it harder to do damage if somebody gains access to it. So we are going to remove gcc and make.

apt-get --purge remove gcc make
apt-get autoremove