Installing OSSEC and Fail2ban on Debian

A promise is a debt, so here I am to show you a fairly basic installation of OSSEC and Fail2ban. With these two programs I intend to harden an Apache server and SSH a bit.

Wikipedia:
OSSEC is a free, open source host-based intrusion detection system (IDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows. It has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed. It was written by Daniel B. Cid and made public in 2004.

In summary: OSSEC is a host-based intrusion detector that watches the server through its logs and through integrity checks of the filesystem, and raises an alert (optionally by e-mail) every time a monitored system file is modified, a rootkit signature is found, a log line matches one of its rules, and so on.

Fail2ban is an application written in Python for intrusion prevention. It works by penalizing (blocking) connections from sources that attempt brute-force access. It is distributed under the GNU license and runs on practically any POSIX system that has a firewall or packet filter it can drive (iptables in our case).

In short, Fail2ban "bans", that is, blocks, the source addresses that fail a certain number of times in a row to log in to a service on our server.

OSSEC.

Go to the official OSSEC page and download the Linux/Unix source tarball (ossec-hids-2.7.tar.gz in this tutorial).

Then download the web UI (ossec-wui-0.3.tar.gz), which serves as the graphical front end.

Now let's install everything. OSSEC is compiled from source, so first install the build tools and then unpack the tarball:

# aptitude install build-essential
# tar -xvf ossec-hids-2.7.tar.gz

Now run the installer (we are already root, so sudo is not needed):

# cd ossec-hids-2.7 && ./install.sh

Next you will get a series of questions: the installation type (for a single server "local" is enough), the installation directory (/var/ossec by default), whether you want e-mail alerts, the integrity check daemon, rootkit detection and active response. Read each one carefully and follow all the steps.
When the compilation finishes, start the daemons and check that they come up:

# /var/ossec/bin/ossec-control start

If everything went well you will see a "Started" line for each daemon (ossec-maild, ossec-execd, ossec-analysisd, ossec-logcollector, ossec-syscheckd and ossec-monitord) followed by "Completed" (ossec-control status lists them at any time).

If instead you get an error like "OSSEC analysisd: Testing rules failed. Configuration error. Exiting.", the cause is that this version of ossec-control tests the rules with ossec-logtest before starting but looks for that binary in /var/ossec instead of /var/ossec/bin. The following symlink works around it:

# ln -s /var/ossec/bin/ossec-logtest /var/ossec/ossec-logtest

Graphic interface.

The graphical interface of OSSEC (ossec-wui) is a PHP web application, so it needs a web server. If you don't have Apache installed, install it, together with PHP support:

# apt-get install apache2 apache2-doc apache2-utils
# apt-get install libapache2-mod-php5 php5 php-pear php5-xcache
# apt-get install php5-suhosin

Now unpack the web UI:

# tar -xvf ossec-wui-0.3.tar.gz

Now, as root, move the extracted folder into the web root:

# mv ossec-wui-0.3 /var/www/ossec

Now run its setup script:

# cd /var/www/ossec/ && ./setup.sh

It will ask for a username and a password (the user does not need to exist on the system; it is only for the web login). Then the web server user has to be added to the ossec group so that PHP can read OSSEC's alert files.
Edit the file /etc/group

and where it says "ossec:x:1001:" (the GID may differ on your system)
leave it like this: "ossec:x:1001:www-data"

Now, inside the folder /var/www/ossec, make the tmp directory writable by the web server and restart Apache:

# chmod 770 tmp/
# chgrp www-data tmp/
# /etc/init.d/apache2 restart

Now open the OSSEC interface: in the browser go to http://localhost/ossec and log in with the user and password you gave to setup.sh. Keep in mind that setup.sh protects the directory with HTTP basic authentication, so that password travels in clear text unless the site is served over HTTPS; restrict access to /ossec to trusted addresses or put it behind TLS.

From here we can see what is happening on our server through its logs and alerts.
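Out of the box OSSEC only reads the log files its installer detects, so to make sure it actually watches Apache and SSH, and alerts when something under /etc or the web root changes, the relevant pieces have to be present in /var/ossec/etc/ossec.conf. The fragment below is an added example for this tutorial, not a file shipped with OSSEC or taken from the original post; the Debian paths, the e-mail addresses and the alert levels are assumptions to adapt to your server, and several <ossec_config> blocks in the same file are merged by OSSEC, so it can simply be appended.

```xml
<ossec_config>
  <!-- Integrity checking (syscheck): hash and compare these trees every
       2 hours; /var/www covers the Apache document root and the OSSEC WUI. -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <directories check_all="yes">/var/www</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
  </syscheck>

  <!-- Log analysis: Apache access and error logs (log_format apache)
       and the syslog file where Debian's sshd writes its failed logins. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <!-- E-mail alerts through the local MTA; addresses are placeholders. -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>you@mail.com</email_to>
    <email_from>ossec@mail.com</email_from>
    <smtp_server>localhost</smtp_server>
  </global>

  <!-- Log every alert of level 1 and up, mail only level 7 and up
       (repeated failed logins, file changes, rootkit hits). -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

After editing, restart with /var/ossec/bin/ossec-control restart. To check that a given log line is understood, run /var/ossec/bin/ossec-logtest, paste the line (for example a "Failed password" line from auth.log) and it prints the rule that matches and its alert level, which tells you whether it would reach the e-mail threshold above.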

Fail2ban.

Fail2ban is in the Debian repositories, so it is easy to install:
# apt-get install fail2ban
Now edit its configuration:
# nano /etc/fail2ban/jail.conf
Press CTRL-W and search for ssh. Something like this will appear:

That is the [ssh] jail, and on Debian it already comes with enabled = true, so Fail2ban protects SSH as soon as the service starts. If you have changed the SSH port, replace "port = ssh" with your port number. In the same way we can enable jails for FTP, Apache and a multitude of other services. (Anything you change should really go in /etc/fail2ban/jail.local, which overrides jail.conf and is not overwritten when the package is upgraded.) Now let's make it send us an e-mail each time it sees someone trying to get in: add the following jail, which uses the iptables action to block and the sendmail-whois action to mail us a whois of the attacker (this needs a working sendmail on the server). The original post pointed logpath at /var/log/sshd.log, which does not exist on Debian and makes the jail fail to start; on Debian sshd logs to /var/log/auth.log:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath  = /var/log/auth.log
maxretry = 5

Now restart the service:

# service fail2ban restart

As the two logs show me (/var/log/auth.log and /var/log/fail2ban.log), somebody has indeed tried to get in through sshd with failed passwords.

It tells me the source IP and blocks it. 🙂
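To see concretely what the sshd jail does with those log lines, here is an added Python example (it is not Fail2ban's code and is not part of the original post). It applies a simplified version of the sshd filter's regular expression to a constructed auth.log, keeps a per-address sliding window of findtime seconds, and reports which sources would be banned once they reach maxretry failures, which is the rule the jail above applies. The log lines, hostname, user names, addresses and the year assumed for the syslog timestamps are all made up; the real filter.d/sshd.conf covers more message variants than this one pattern.

```python
import re
from datetime import datetime, timedelta

# Line sshd writes to /var/log/auth.log on a failed password.
# Simplified stand-in for fail2ban's filter.d/sshd.conf (assumption: only
# the "Failed password" form is handled here).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample of auth.log: one fast brute force from 203.0.113.7 and
# five slow failures from 198.51.100.20 spread over half an hour.
SAMPLE_AUTH_LOG = """\
Jan 15 10:00:01 debian sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jan 15 10:00:03 debian sshd[2303]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jan 15 10:00:05 debian sshd[2305]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 15 10:00:08 debian sshd[2307]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jan 15 10:00:10 debian sshd[2309]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Jan 15 10:00:12 debian sshd[2311]: Failed password for root from 203.0.113.7 port 51005 ssh2
Jan 15 10:00:15 debian sshd[2313]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Jan 15 10:30:00 debian sshd[2400]: Failed password for bob from 198.51.100.20 port 40002 ssh2
Jan 15 10:30:02 debian sshd[2401]: Failed password for bob from 198.51.100.20 port 40003 ssh2
Jan 15 10:30:04 debian sshd[2402]: Failed password for bob from 198.51.100.20 port 40004 ssh2
Jan 15 10:30:06 debian sshd[2403]: Failed password for bob from 198.51.100.20 port 40005 ssh2
"""


def parse_ts(text, year=2013):
    """syslog timestamps carry no year, so one is assumed (constructed example)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_offenders(lines, maxretry=5, findtime=600):
    """Replay log lines in order and return {ip: time_of_ban} for every source
    that reaches maxretry failures inside a sliding window of findtime seconds."""
    recent = {}   # ip -> failure timestamps still inside the window
    banned = {}   # ip -> timestamp of the failure that triggered the ban
    window = timedelta(seconds=findtime)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue          # not a failed login (e.g. "Accepted publickey")
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in banned:
            continue          # already banned; the firewall drops it now
        hits = [t for t in recent.get(ip, []) if ts - t <= window]
        hits.append(ts)       # forget failures older than findtime, add this one
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


def ban_command(ip, name="SSH"):
    """The iptables rule fail2ban's iptables action inserts for a banned address;
    the chain name comes from the name= parameter of the jail's action line."""
    return f"iptables -I fail2ban-{name} 1 -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}: {ban_command(ip)}")
```

With the defaults (maxretry 5, findtime 600) only 203.0.113.7 is banned: 198.51.100.20 also fails five times, but its first failure is 30 minutes before the others, so never more than four fall inside one window. Lowering maxretry to 4 or raising findtime to an hour catches it too, which is the trade-off those two settings encode. To test the real filter against your real log, Fail2ban ships fail2ban-regex: fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf prints how many lines matched and which addresses they came from.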

regards



  1.   lusadi said

    Good tutorial. As a contribution, we can edit the file /etc/fail2ban/jail.conf
    to customize many options, including the maximum ban time, the number of retries.

    Thanks for the input.

  2.   josephp said

    First of all a very good post (and blog too)! hehehe. I wanted to see if you can make a post or something dedicated to the new update that Oracle has just released from Java, I am very new to Linux (I have linux mint 14) and I do not know how to update it, and with this security flaws it is urgent to update it . First of all, Thanks! 😀

    1.    @Jlcmux said

      As I read there. They sent an update for that 0-day but many say that the bug persists. Better leave it uninstalled.

  3.   your space said

    in particular I prefer to install something like CSF has all this integrated.

  4.   pebelin said

    Thank you. I'm going to get with OSSEC.
    I also use the denyhosts server together with fail2ban. It does a similar job (in the sshd part) and also updates the list of 'bad children' from a central server where we can also dump our black list and thus collaborate in the creation of more powerful lists.