After getting Asterisk/FreePBX installed on the SheevaPlug under Debian Squeeze, I felt something was missing, as if the box were running around without clothes. So let's dress it in OSSEC, a powerful and free host-based intrusion detection system, for a little extra peace of mind.
What is the OSSEC host-based intrusion detection system, and why install it for Asterisk/FreePBX?
As far as I understand it, in short: OSSEC continuously watches the host, and when it detects an intrusion it actively blocks and counters it and notifies you immediately, which sounds impressive. So I want to install OSSEC HIDS on the Asterisk/FreePBX host and try it out. If it turns out not to suit me there are of course other options; I also like fail2ban, and if the two do not conflict I will try installing fail2ban alongside it.
A detailed description of OSSEC HIDS is outside the scope of these notes; please refer to the reference sources listed.
Code:
cd /root
wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
tar -zxvf ossec-hids-*.tar.gz
rm ossec-hids-*.tar.gz
cd ossec-hids-*
./install.sh
After running ./install.sh an interactive question-and-answer dialogue appears. The lines marked with * may show garbled characters; ignore them. Pay attention to the parts in red (the answers entered at each prompt):
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします．選択して下さい．[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: press Enter
OSSEC HIDS v2.5.1 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux debian 2.6.32-5-kirkwood
- User: root
- Host: debian
-- Press ENTER to continue or Ctrl-C to abort. -- press Enter
Notes on choosing the installation type:
a. server: besides monitoring itself, it can also bring other hosts on the LAN (Windows, Linux, etc.) under monitoring, so the security status of every host is in one place; naturally this is the one to choose.
b. agent: must be used together with a server (a); the host is monitored entirely by the server side and has no monitoring function of its own.
c. local: only monitors the host itself; it is neither monitored by a server nor able to monitor other hosts. If the Asterisk/FreePBX host does not need to monitor other hosts, choose this.
1- What kind of installation do you want (server, agent, local or help)? server
- Server installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]: press Enter
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: press Enter
- What's your e-mail address? jackooo@gmail.com
- We found your SMTP server as: gmail-smtp-in.l.google.com.
- Do you want to use it? (y/n) [y]: n
- What's your SMTP server ip/host? localhost
3.2- Do you want to run the integrity check daemon? (y/n) [y]: press Enter
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: press Enter
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: press Enter
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]: press Enter
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- 192.168.1.1
Below, if you want other hosts on the LAN to be exempt from blocking by the OSSEC server, add specific IPs or the whole subnet to the white list. They are all our own machines, so I chose the whole subnet:
- Do you want to add more IPs to the white list? (y/n)? [n]: y
- IPs (space separated): 192.168.1.0/24
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: press Enter
- Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/dpkg.log
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue --- press Enter
The OSSEC build now starts; please wait...
When compilation finishes, the following message appears:
- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). --- press Enter
- In order to connect agent and server, you need to add each agent to the server.
Run the 'manage_agents' to add or remove them:
/var/ossec/bin/manage_agents
More information at:
http://www.ossec.net/en/manual.html#ma
Code:
nano -w /var/ossec/etc/ossec.conf
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>jackooo@gmail.com</email_to>
<smtp_server>localhost</smtp_server>
<email_from>ossecm@dyndns.org</email_from>
</global>
a. Before installing the OSSEC Server web interface for FreePBX, first add asterisk to the end of the ossec line in /etc/group:
Code:
# append asterisk as a member of the ossec group (assumes the group line has no members yet)
sed -i '/ossec:/s|$|asterisk|' /etc/group
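The sed one-liner in step a appends "asterisk" to whatever is already on the ossec line, which is right on a fresh install where the group has no members but would glue the name onto an existing member otherwise. The POSIX shell function below, added here as an example and not part of the original post, performs the same edit on group-file text while handling both cases and skipping duplicates; the group-file lines it uses are constructed samples, not from a real system.

```sh
#!/bin/sh
# Add a user to a group in /etc/group-format text read from stdin.
# Unlike `sed '/ossec:/s|$|asterisk|'`, it inserts the comma separator when
# the group already has members and leaves the line alone if the user is listed.
add_group_member() {
    # $1 = group name, $2 = user to add; group file text on stdin, result on stdout
    awk -F: -v grp="$1" -v user="$2" '
        BEGIN { OFS = ":" }
        $1 == grp {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                if (members[i] == user) { print; next }   # already a member
            }
            $4 = ($4 == "") ? user : ($4 "," user)        # rebuild field 4
        }
        { print }'
}

# The page's one-liner applied to the same input, to show the pitfall.
page_sed_variant() {
    sed '/ossec:/s|$|asterisk|'
}

# Constructed sample group-file lines (not from a real system).
SAMPLE_FRESH='ossec:x:1001:
asterisk:x:1000:'
SAMPLE_WITH_MEMBER='ossec:x:1001:www-data
asterisk:x:1000:'

# Run stand-alone to compare both results on a group that already has a member.
printf '%s\n' "$SAMPLE_WITH_MEMBER" | add_group_member ossec asterisk
printf '%s\n' "$SAMPLE_WITH_MEMBER" | page_sed_variant
```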
b. Then reboot the host to apply the new settings:
Code:
reboot
c. After the host comes back up, continue by installing the OSSEC module for FreePBX, ossec-1.0.2.tgz:
Download ossec-1.0.2.tgz from http://www.fonicaprojects.com/wiki/index.php/FreePBX_Module:_OSSEC to the Windows desktop.
Open FreePBX -> Tools -> Module Admin -> Upload Module -> Browse -> Desktop -> ossec-1.0.2.tgz
Click Upload, then go to Module Administration -> Maintenance -> OSSEC -> Install
Once installed, click OSSEC under Tools in the left pane to see the OSSEC Server web interface, as shown in the figure below:
Code:
nano -w /etc/iptables.up.rules
# Allow connections from Ossec Agents to our Ossec Server
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 1514 -j ACCEPT
Code:
nano -w /etc/asterisk/logger.conf
messages => notice,warning,error
full => notice,warning,error,debug,verbose
; also send notices, warnings and errors to syslog facility local0, so OSSEC can read them from the syslog file it already monitors
syslog.local0 => notice,warning,error
After making the change, remember to reload:
asterisk -rx "logger reload"
Code:
# OSSEC commands for everyday use
/var/ossec/bin/ossec-control stop
/var/ossec/bin/ossec-control start
/var/ossec/bin/ossec-control restart
/var/ossec/bin/manage_agents   # add or remove agents on the server
ps -ef | grep ossec            # check which OSSEC daemons are running