1. OSSEC server installation
Extract >>>
#tar -zxvf ossec_server.tar.gz
#cd ossec
Install >>>
#./install.sh
Initialise agent.conf >>>
#touch /var/ossec/etc/shared/agent.conf
Start the service >>>
#/var/ossec/bin/ossec-control start
Set up agent authorisation (key and certificate for ossec-authd) >>>
# openssl genrsa -out /var/ossec/etc/sslmanager.key
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365

Start the authorisation listener >>>
# /var/ossec/bin/ossec-authd &

2. Install the agent with Salt
#salt '192.168.190.101' state.sls ossec
Start the agent
#/var/ossec/bin/ossec-control start
Restart the server
#/var/ossec/bin/ossec-control restart

Salt state template init.sls

# Staging directory for the agent tarball
/root/Downloads:
  file.directory:
    - user: root
    - group: root
    - file_mode: 644
    - dir_mode: 644
    - makedirs: True
    - include_empty: True
    - template: jinja
    - backup: minion

# Build dependencies; prelink is needed by the syscheck prefilter_cmd in ossec.conf
install_packages:
  pkg.latest:
    - pkgs:
      - openssl-devel
      - gcc
      - prelink

install_ossec:
  cmd.run:
    - name: tar zxf ossec.tar.gz && cd ossec && sh install.sh
    - cwd: /root/Downloads
    - unless: test -e /var/ossec/bin/ossec-control
    - require:
      - file: /root/Downloads/ossec.tar.gz

/var/ossec/etc/ossec.conf:
  file.managed:
    - source: salt://ossec/conf/etc/ossec.conf
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - require:
      - cmd: install_ossec

/var/ossec/etc/shared/agent.conf:
  file.managed:
    - source: salt://ossec/conf/etc/shared/agent.conf
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - require:
      - cmd: install_ossec

/var/ossec/monitor.sh:
  file.managed:
    - source: salt://ossec/conf/monitor.sh
    - user: root
    - group: root
    - mode: 755
    - template: jinja
    - require:
      - cmd: install_ossec

# The tarball is binary: it must not be rendered as a jinja template, so no
# "template: jinja" here (rendering a .tar.gz would corrupt it or fail)
/root/Downloads/ossec.tar.gz:
  file.managed:
    - source: salt://ossec/ossec.tar.gz
    - user: root
    - group: root
    - mode: 755
    - require:
      - file: /root/Downloads

# Register with the manager on 192.168.190.217:1515 using the host's own 192.168.x.x address as the agent name;
# skipped once client.keys has content
agentauth:
  cmd.run:
    - name: /var/ossec/bin/agent-auth -m 192.168.190.217 -p 1515 -A $(ifconfig | egrep -o '192.168.[0-9]{1,3}.[0-9]{1,3}' | head -n 1)
    - unless: test -s /var/ossec/etc/client.keys
    - require:
      - cmd: install_ossec

serverstart:
  cmd.run:
    - name: /var/ossec/bin/ossec-control restart
    - onchanges:
      - file: /var/ossec/etc/ossec.conf
    - require:
      - cmd: install_ossec

3. Rule adjustments

3.1 Add a whitelist: modify pam_rules.xml

   <rule id="5503" level="0">
     <if_sid>5500</if_sid>
     <match>192.168.190.62|192.168.190.58</match>
     <description>OpenVas WhiteList</description>
   </rule>

3.2 Modify sshd_rules.xml

   <rule id="5503" level="0">
     <if_sid>5500</if_sid>
     <match>192.168.190.62|192.168.190.58</match>
     <description>OpenVas WhiteList</description>
   </rule>

#The rule fires when 5 matches occur within 120 seconds; if it is triggered again between 120 and 180 seconds, the repeat is ignored
   <rule id="5720" level="10" frequency="5" timeframe="120" ignore="60">
     <!-- only the attributes above are changed; the body is the stock rule -->
     <if_matched_sid>5716</if_matched_sid>
     <description>Multiple SSHD authentication failures.</description>
     <group>authentication_failures,</group>
   </rule>
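To see what the three attributes do in practice, here is an added Python model (not code from the original post, and a simplification of OSSEC's own correlation engine) that applies frequency=5, timeframe=120 and ignore=60 as the comment above describes them to a constructed /var/log/secure sample:

```python
import re
from datetime import datetime, timedelta

# Constructed /var/log/secure sample (not a real capture): failed sshd logins, which
# the stock child rule 5716 matches, plus one successful login that must not count.
SAMPLE_LOG = """\
Jan 10 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:15 web1 sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 10 10:00:40 web1 sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Jan 10 10:00:50 web1 sshd[2004]: Accepted publickey for deploy from 192.168.190.62 port 40004 ssh2
Jan 10 10:01:05 web1 sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 10:01:30 web1 sshd[2006]: Failed password for root from 203.0.113.5 port 40006 ssh2
Jan 10 10:01:45 web1 sshd[2007]: Failed password for root from 203.0.113.5 port 40007 ssh2
Jan 10 10:02:35 web1 sshd[2008]: Failed password for root from 203.0.113.5 port 40008 ssh2
Jan 10 10:02:50 web1 sshd[2009]: Failed password for root from 203.0.113.5 port 40009 ssh2
Jan 10 10:03:00 web1 sshd[2010]: Failed password for root from 203.0.113.5 port 40010 ssh2
Jan 10 10:03:10 web1 sshd[2011]: Failed password for root from 203.0.113.5 port 40011 ssh2
Jan 10 10:03:20 web1 sshd[2012]: Failed password for root from 203.0.113.5 port 40012 ssh2
"""

FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for")

def failed_login_times(log):
    """Timestamps of the lines rule 5716 would match (the year is irrelevant here)."""
    times = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), "%b %d %H:%M:%S"))
    return times

def correlate(times, frequency=5, timeframe=120, ignore=60):
    """When rule 5720 fires under the author's attributes: once `frequency` matches
    fall inside `timeframe` seconds, then silence (no alert, no counting) for
    `ignore` seconds after each alert. Returns the firing times as HH:MM:SS."""
    fired, window, silent_until = [], [], None
    for ts in times:
        if silent_until is not None and ts < silent_until:
            continue                                    # inside the ignore window
        window = [t for t in window if (ts - t).total_seconds() <= timeframe]
        window.append(ts)
        if len(window) >= frequency:
            fired.append(ts)
            silent_until = ts + timedelta(seconds=ignore)
            window = []                                 # count afresh after alerting
    return [t.strftime("%H:%M:%S") for t in fired]

if __name__ == "__main__":
    print(correlate(failed_login_times(SAMPLE_LOG)))   # ['10:01:30', '10:03:20']
```

The 10:01:45 failure falls inside the 60-second ignore window after the first alert and is neither reported nor counted, which is exactly the flood protection the comment describes.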

3.3 Modify syslog_rules.xml

#Filter out the flume deployment done on the big-data servers
   <rule id="5905" level="0">
     <if_sid>5901</if_sid>
     <match>name=flume</match>
     <description>New group Ignore</description>
   </rule>
   <rule id="5906" level="0">
     <if_sid>5902</if_sid>
     <match>name=flume</match>
     <description>New user Ignore</description>
   </rule>

3.4 Modify ossec_rules.xml

#Ignore "hidden from /proc" process entries
   <rule id="517" level="0">
     <if_sid>510</if_sid>
     <match>hidden from /proc</match>
     <description>Ignored process hidden entries.</description>
     <group>rootcheck,</group>
   </rule>
#Ignore files that are owned by root but writable by other users in these paths
   <rule id="520" level="0">
     <if_sid>510</if_sid>
     <regex>/var/log/glusterfs|/usr/local/fms|/var/lib/docker|/var/tmp/ntopng|/tmp/gsyncd</regex>
     <description>Ignored some files which owned by root and has write permissions.</description>
     <group>rootcheck,</group>
   </rule>
#Watch the output of the periodic /var/ossec/monitor.sh run; if it returns anything, send the content as an e-mail alert
   <rule id="536" level="7">
     <if_sid>530</if_sid>
     <match>ossec: output: '/var/ossec/monitor.sh</match>
     <description>bash_connetion_check ppid_check tmp_process_check</description>
   </rule>

3.5 Modify local_rules.xml

#bash executions matching the regex are the project's own calls, so do not alert.
<group name="syslog,auditd,">
  <rule id="110000" level="0" noalert="1">
    <decoded_as>auditd</decoded_as>
    <description>AUDITD messages grouped.</description>
  </rule>
  <rule id="110001" level="0">
    <if_sid>110000</if_sid>
    <regex>suoha|convert2mp4|ffmpeg|accessibility|"env"|data4g12e|646174613467313265|getvideoscale|646f6332737766347a79676a|video_mediainfo</regex>
    <description>Java execution white list</description>
  </rule>
  <rule id="110010" level="10">
    <if_sid>110000</if_sid>
    <match>EXECVE</match>
    <description>Java execution command</description>
  </rule>
</group>
#Suspected webshell file written by the agent-side script: alert
<group name="webshell">
  <rule id="120000" level="10">
    <match>Vulnerable</match>
    <description>Suspect webshell files.</description>
  </rule>
</group>
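An added Python model (not code from the original post) of the auditd group above: it runs the two child rules over constructed audit.log lines in the order the author wrote them, and then in the reverse order, to show why the level-0 whitelist (110001) has to come before the level-10 EXECVE catch-all (110010). OSSEC's `<match>` is a substring test and this `<regex>` is a plain alternation, so `re.search` is an equivalent check here.

```python
import re

# Python equivalent of the author's 110001 <regex> (plain alternation of literals).
WHITELIST = re.compile(r'suoha|convert2mp4|ffmpeg|accessibility|"env"|data4g12e|'
                       r'646174613467313265|getvideoscale|646f6332737766347a79676a|video_mediainfo')

# (rule id, level, predicate) for the children of 110000, in file order.
CHILD_RULES = [
    (110001, 0, lambda line: WHITELIST.search(line) is not None),   # Java execution white list
    (110010, 10, lambda line: "EXECVE" in line),                     # Java execution command
]

def evaluate(line, children=CHILD_RULES):
    """Return (rule_id, level) for one audit.log line, taking the first child rule
    that matches; None when the line is not an auditd record at all."""
    if not line.startswith("type="):          # would not be decoded_as auditd
        return None
    for rule_id, level, pred in children:
        if pred(line):
            return (rule_id, level)
    return (110000, 0)                        # parent only: grouped, noalert

# Constructed audit.log samples (not real captures). The key="webshell" record is
# what the auditd rule written by monitor.sh produces for a JBoss child process.
SAMPLES = [
    'type=EXECVE msg=audit(1600000000.101:301): argc=3 a0="/bin/sh" a1="-c" a2="ffmpeg -i in.mp4 out.mp4"',
    'type=EXECVE msg=audit(1600000000.102:302): argc=2 a0="/usr/bin/id" a1="-u"',
    'type=SYSCALL msg=audit(1600000000.102:302): arch=c000003e syscall=59 success=yes exit=0 key="webshell"',
    'Jan 10 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2',
]

def alert_levels(lines, children=CHILD_RULES):
    return [evaluate(l, children) for l in lines]

if __name__ == "__main__":
    print(alert_levels(SAMPLES))
    # With the children reversed, the whitelisted ffmpeg call becomes a level-10 alert.
    print(alert_levels(SAMPLES, list(reversed(CHILD_RULES))))
```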

4. Agent-side configuration file ossec.conf

<ossec_config>
  <client>
    <server-ip>192.168.190.217</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_sha1sum="yes">/usr/bin,/usr/sbin</directories>
    <directories check_sha1sum="yes">/bin,/sbin,/boot</directories>
    <prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>
    <skip_nfs>yes</skip_nfs>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/root/vulnerable.txt</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>/var/ossec/monitor.sh</command>
    <frequency>600</frequency>
  </localfile>
</ossec_config>

5. Python script started on the agent

#!/usr/bin/env python
# encoding:utf-8
import sys
import pyinotify
import os
import subprocess
import time
import yara

SUFFIXES = [".jsp", ".jspx"]
LOG = '/root/vulnerable.txt'    # read by the OSSEC agent as a syslog localfile; "Vulnerable" lines hit rule 120000


def suffix_filter(filename):
    # True for files that are not jsp/jspx and should be skipped
    return os.path.splitext(filename)[1] not in SUFFIXES


def detect_ssdeep(pathname):
    f = None
    try:
        f = open(LOG, 'a')
        changetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
        f.write(changetime + " FileChange " + pathname + "\n")
        # argv list instead of shell=True plus string concatenation, so a crafted
        # file name is never interpreted by a shell
        cmd = ["/usr/bin/ssdeep", "-t", "60", "-bm", "/var/ossec/hash.txt", pathname]
        result = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        out, err = result.communicate()
        if b"matches" in out:
            f.write(changetime + " Vulnerable(ssdeep) " + pathname + "\n")
    except Exception as e:
        print("[-] %s" % str(e))
    finally:
        if f:
            f.close()


def detect_yara(pathname):
    try:
        rules = yara.compile(filepath='/var/ossec/Rules')
        matches = rules.match(pathname, timeout=60)
        if matches:
            f = open(LOG, 'a')
            changetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
            f.write(changetime + " Vulnerable(yara) " + pathname + "\n")
            f.close()
    except Exception as e:
        print("[-] %s" % str(e))


class EventHandler(pyinotify.ProcessEvent):
    def __call__(self, event):
        # only dispatch events for jsp/jspx files
        if not suffix_filter(event.name):
            super(EventHandler, self).__call__(event)

    def process_IN_CREATE(self, event):
        #print "Create Jsp File : %s" % (event.pathname)
        detect_ssdeep(event.pathname)
        detect_yara(event.pathname)


def main(path, exclude_dir):
    wm = pyinotify.WatchManager()
    mask = pyinotify.IN_CREATE
    #mask = pyinotify.ALL_EVENTS
    wm.add_watch(path, mask, exclude_filter=pyinotify.ExcludeFilter(exclude_dir), rec=True, auto_add=True)
    eh = EventHandler()
    notifier = pyinotify.Notifier(wm, eh)
    notifier.loop()


if __name__ == "__main__":
    path = '/web/project/'
    exclude_dir = ['/web/project/cdel_jxjy_upfiles', '/web/project/huabeisai_files']  # mount dir
    main(path, exclude_dir)

6. monitor.sh

#!/bin/bash
update_jboss_pid(){
    if [ ! -e "/tmp/pid_old.txt" ]; then
        touch "/tmp/pid_old.txt"
    fi
    #Update monitor jboss ppid
    pidnew=`ps aux | grep "Bootstrap start" | grep -v grep | awk '{print $2} ' | xargs`
    pidold=`cat /tmp/pid_old.txt`
    if [ "$pidnew" != "$pidold" ]; then
        echo $pidnew > /tmp/pid_old.txt
        sed -i "/arch/d" /etc/audit/audit.rules
        ps axu | grep "Bootstrap start" | grep -v grep | awk '{print $2,$11}' | while read pid javabin
        do
            #Check if the jdk is 32bit(arch=b32) or 64bit(arch=b64).
            ver=`$javabin -version 2>&1`
            echo $ver | grep 64-Bit > /dev/null
            if [ $? -eq 0 ];then
                echo "-a exit,always -F arch=b64 -F ppid=${pid} -S execve -k webshell" >> /etc/audit/audit.rules
            else
                echo "-a exit,always -F arch=b32 -F ppid=${pid} -S execve -k webshell" >> /etc/audit/audit.rules
            fi
        done
        #If u modify audit.rules u need restart service auditd
        /etc/init.d/auditd restart >> /dev/null
    fi
}
bash_connetion_check(){
    #Established connections held by a shell (zabbix agent port 10050 excluded)
    netstat -antlp | grep ESTABLISHED | egrep '/(bash|sh)' | grep -v 10050
}
ppid_check(){
    #Parents of interactive shells that are not a login/ssh/su/terminal binary
    ps -ef | grep bash | grep -v grep | awk '{if($8 ~ "^-?bash"){print $3}}' | while read ppid
    do
        ls -al /proc/$ppid/exe | egrep -v "(/bin/login|/usr/sbin/sshd|/bin/su|/usr/bin/tmux|/usr/bin/gnome-terminal)"
    done
}
tmp_process_check(){
    #Running processes whose executable lives in a world-writable temp location
    ls /proc/ -tr | grep -v "[a-z]" | while read line
    do
        if [ -d "/proc/$line" ];then
            file /proc/$line/exe | grep "symbolic link to" >> /dev/null
            if [ $? -eq 0 ];then
                ls -al /proc/$line/exe | awk '{print $11}' | egrep '^/(tmp|var/tmp|dev/shm)'
            fi
        fi
    done
}
update_jboss_pid
bash_connetion_check
tmp_process_check

[Official documentation]

http://ossec-docs.readthedocs.io/en/latest/index.html
