—Start Here—
Update the system.
Assuming you have an existing Ubuntu server setup.
sudo apt update && sudo apt upgrade
Install some base applications
sudo apt install -y apache2 apache2-utils php php-cli php-common libapache2-mod-php sendmail inotify-tools git build-essential gcc make wget tar unzip zlib1g-dev libz-dev libpcre2-dev libpcre3-dev libssl-dev libevent-dev
Enable and start Apache, then enable mod_rewrite and restart Apache.
sudo systemctl enable apache2
sudo systemctl start apache2
sudo a2enmod rewrite
sudo systemctl restart apache2
OSSEC Server Install
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
sudo tar -xvzf 3.6.0.tar.gz
sudo /home/hgadmin/ossec-hids-3.6.0/install.sh
Note: The path above assumes the previous two commands were run from /home/hgadmin; adjust it to the directory you extracted into. Answer the prompts with your preferred values. For the demo we chose the following:
Enter your server's IP address or hostname (FQDN) when prompted.
Installing the Web User Interface.
cd /tmp/
sudo git clone https://github.com/ossec/ossec-wui.git
sudo mv /tmp/ossec-wui /var/www/html
cd /var/www/html/ossec-wui
sudo ./setup.sh
When prompted, enter your chosen username and password. For the web server user name enter www-data.
Set the permissions
sudo chown -R www-data:www-data /var/www/html/ossec-wui/
sudo chmod -R 755 /var/www/html/ossec-wui/
Restart Apache and launch the Web User Interface
sudo systemctl restart apache2
Open a web browser and navigate to http://your-servers-ip/ossec-wui
Windows Agent Install
Download the OSSEC agent from https://updates.atomicorp.com/channels/atomic/windows/ossec-agent-win32-3.6.0-12032.exe
Open a command prompt and ssh to your OSSEC server.
ssh hgadmin@192.168.68.123
Launch the OSSEC Agent Manager once connected to your server.
sudo /var/ossec/bin/manage_agents
Input option (A) to add a new agent. Input your Windows machine's name when prompted.
Input the Windows machine's IP when prompted and confirm by responding (y).
On the target Windows desktop, launch the agent installer you downloaded (it should be in your Downloads folder) as administrator.
Open the installed OSSEC agent as administrator and enter the IP address of your OSSEC server.
Return to the command prompt window you used to ssh to the OSSEC server. In the OSSEC Agent Manager, which should still be open, extract the key by entering option (e) followed by the agent ID of the Windows machine.
Highlight and copy the key, paste it into the OSSEC Agent, save the updated settings and start the agent.
Open your web browser and navigate to your OSSEC server's IP address, plus the specific port if you set one.
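As an added example that is not part of this guide, the script below checks the three things the steps above set up: that the OSSEC daemons (ossec-remoted in particular, which the Windows agent must reach) are running, that the agent you added shows as Active rather than "Never connected", and that the web UI actually demands a login (Apache only honours the .htaccess that setup.sh writes if AllowOverride permits it for /var/www). It assumes the default /var/ossec prefix, OSSEC 3.x output formats (the samples shown are constructed), that curl is installed, and a placeholder agent name passed on the command line.

```shell
#!/bin/sh
# Added example, not part of the guide. Parsers read text on stdin so they can
# run offline; the live section runs only with --live and assumes the default
# /var/ossec prefix and the /ossec-wui path used above. The output formats
# below are assumed from OSSEC 3.x; the lines shown are constructed samples.

# Print one agent's status from `agent_control -l` output, e.g.
#   "   ID: 001, Name: WIN10-DESKTOP, IP: 192.168.68.50, Active"
# Prints NOT_ENROLLED when the name is not in the list.
agent_status() {
  awk -v want="$1" -F', ' '
    /ID: [0-9]+, Name: / {
      n = $2; sub(/^Name: /, "", n)
      if (n == want) { print $NF; found = 1 }
    }
    END { if (!found) print "NOT_ENROLLED" }'
}

# From `ossec-control status` output ("ossec-remoted is running..." or
# "ossec-remoted not running..."), print the daemons that are not running.
# ossec-remoted is the one the Windows agent has to reach (1514/udp by default).
stopped_daemons() {
  awk '/not running/ { print $1 }'
}

# True only for HTTP 401: the WUI's basic auth is being enforced.
# Any other code means the .htaccess is not honoured or the path is wrong.
wui_requires_auth() {
  [ "$1" = "401" ]
}

if [ "${1:-}" = "--live" ]; then
  name="${2:-WINDOWS-AGENT-NAME}"   # placeholder: the name given in manage_agents
  sudo /var/ossec/bin/ossec-control status | stopped_daemons | sed 's/^/STOPPED: /'
  echo "agent $name: $(sudo /var/ossec/bin/agent_control -l | agent_status "$name")"
  # curl is assumed to be installed; it is not in the apt list above.
  code=$(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1/ossec-wui/)
  wui_requires_auth "$code" && echo "WUI auth: enforced" || echo "WUI auth: NOT enforced (HTTP $code)"
fi
```

Run it as `sh check-ossec.sh --live WIN10-DESKTOP` on the server after finishing the agent steps.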
—Guide Ends Here—