A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces (just like a network-based intrusion detection system (NIDS) would do). Source: http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
OSSEC is an open source host-based intrusion detection system. It monitors log files, checks the integrity of files, parses firewall messages and checks for rootkits - a real winner.
Issue the following commands to fetch and unpack it on your machine (the tarball comes over plain HTTP, so compare its checksum with the one published on the download page before building):
cd /usr/local/src
wget http://www.ossec.net/files/ossec-hids-2.7.1.tar.gz
tar -xzvf ossec-hids-2.7.1.tar.gz
cd ossec-hids-2.7.1
and install with ./install.sh (it builds from source, so gcc and make must be present). The installer asks the questions below; these are the answers used here:
What kind of installation do you want? local
Choose where to install the OSSEC HIDS: /usr/local/ossec
Do you want e-mail notification? y
What's your e-mail address? root@localhost
What's your SMTP server ip/host? localhost
Do you want to run the integrity check daemon?: y
Do you want to run the rootkit detection engine?: y
Do you want to enable active response?: y
Do you want to enable the firewall-drop response?: y
Do you want to add more IPs to the white list?: y
IPs (space separated): 127.0.0.1 ::1
The white list holds addresses that active response will never block; add the hosts you administer from, or a spoofed attack can lock you out. The installer does not start OSSEC itself; start the daemons with /usr/local/ossec/bin/ossec-control start, and to start them on boot (RHEL/CentOS), issue:
chkconfig ossec on
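The same installation, scripted end to end. This is an added example, not code from the original page or the OSSEC project: it writes the answers given above into etc/preloaded-vars.conf, the file install.sh sources instead of prompting, then builds, enables and starts the service. The USER_* variable names are those in the preloaded-vars.conf shipped inside the 2.x tarball (check the copy in your own tarball if it differs); write_preloaded_vars, get_var and verify_tarball are helper names chosen here, and EXPECTED_SHA1 is a placeholder to be filled from the download page, not a real digest.

```shell
#!/bin/sh
# Unattended OSSEC 2.7.1 "local" install. Added example, not from the original
# page or the OSSEC project. The USER_* names are those in the preloaded-vars.conf
# shipped in the 2.x tarball; verify against etc/preloaded-vars.conf of your copy.
set -eu

OSSEC_VERSION="2.7.1"
OSSEC_TARBALL="ossec-hids-${OSSEC_VERSION}.tar.gz"
OSSEC_URL="http://www.ossec.net/files/${OSSEC_TARBALL}"
SRC_DIR="/usr/local/src"
# Placeholder: fill in the SHA-1 published on the download page before running.
EXPECTED_SHA1="${EXPECTED_SHA1:-}"

# Write the answers from the interactive session above into an answer file ($1).
# USER_NO_STOP suppresses the "press ENTER to continue" pauses.
write_preloaded_vars() {
    cat > "$1" <<'EOF'
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="local"
USER_DIR="/usr/local/ossec"
USER_ENABLE_EMAIL="y"
USER_EMAIL_ADDRESS="root@localhost"
USER_EMAIL_SMTP="localhost"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_FIREWALL_RESPONSE="y"
USER_WHITE_LIST="127.0.0.1 ::1"
EOF
}

# Read one setting back out of an answer file: get_var FILE NAME.
get_var() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# Refuse to build a tarball fetched over plain HTTP unless its SHA-1 matches
# the expected digest: verify_tarball FILE SHA1.
verify_tarball() {
    if [ -z "$2" ]; then
        echo "EXPECTED_SHA1 is empty; take it from the ossec.net download page" >&2
        return 1
    fi
    actual=$(sha1sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

main() {
    cd "$SRC_DIR"
    [ -f "$OSSEC_TARBALL" ] || wget -q "$OSSEC_URL"
    verify_tarball "$OSSEC_TARBALL" "$EXPECTED_SHA1"
    tar -xzf "$OSSEC_TARBALL"
    cd "ossec-hids-${OSSEC_VERSION}"
    write_preloaded_vars etc/preloaded-vars.conf
    ./install.sh                     # builds from source; needs gcc and make
    # install.sh installs the init script but does not start the daemons.
    chkconfig ossec on               # RHEL/CentOS
    /usr/local/ossec/bin/ossec-control start
    /usr/local/ossec/bin/ossec-control status
}

# Run the installer only when asked ("sh ossec-install.sh install"), so the
# helper functions can be sourced and exercised without touching the system.
if [ "${1:-}" = "install" ]; then
    main
fi
```

Run it as root with EXPECTED_SHA1 exported and the argument install; without the argument it only defines the functions, which is handy for checking the generated answer file before committing to a build.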
OSSEC is really powerful. Make sure you study the documentation carefully. Once you get into writing your own rules and decoders, no limits exist. If you prefer printed books over online docs, I can highly recommend this book: http://www.packtpub.com/ossec-host-based-intrusion-detection-system/book
To access the OSSEC binaries without having to define the full path every time, we can add its binary directory to our $PATH variable:
nano ~/.bash_profile
and put:
# include OSSEC binaries in PATH
export PATH=$PATH:/usr/local/ossec/bin
at the very end of it, then run source ~/.bash_profile (or log in again) to pick it up.
When compiled from source, OSSEC doesn't ship a logrotate configuration file. The package from the Atomic repository contains one with the content below. The two stanzas set no frequency or count, so they inherit those from /etc/logrotate.conf; no postrotate or copytruncate is needed, because the OSSEC daemons open ossec.log for append on every write rather than holding it open, and the active-response scripts append with a shell redirect. Check the result with logrotate -d /etc/logrotate.d/ossec before relying on it.
nano /etc/logrotate.d/ossec
/usr/local/ossec/logs/active-responses.log {
missingok
notifempty
}
/usr/local/ossec/logs/ossec.log {
create 0664 ossec ossec
missingok
notifempty
}