OSSEC Open Source HIDS with Web user interface. (updated for Ubuntu 20.04 & OSSEC 3.6.0)

—– Guide Starts Here —–

URLs used:

OSSEC Server/Agent – https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz

OSSEC Windows Agent – https://updates.atomicorp.com/channels/atomic/windows/ossec-agent-win32-3.6.0-12032.exe

Start with installing some packages on Ubuntu 20.04.

SSH to your Ubuntu 20.04 server:

$ ssh yoursuser@yourserverip

$ sudo apt update && sudo apt upgrade

$ sudo apt install -y php php-cli php-common libapache2-mod-php apache2-utils sendmail inotify-tools apache2 build-essential gcc make wget tar git zlib1g-dev libpcre2-dev libpcre3-dev unzip libz-dev libssl-dev libevent-dev

Enter your password when prompted. (git is included above because the Web UI step below clones its repository.)

$ sudo systemctl enable apache2

$ sudo systemctl start apache2

$ sudo a2enmod rewrite

$ sudo systemctl restart apache2

OSSEC Install

$ wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz

$ sudo tar -xvzf 3.6.0.tar.gz

$ sudo /home/hgadmin/ossec-hids-3.6.0/install.sh

(That is the directory tar created under our home directory; adjust the path to wherever you extracted the archive.)

Provide your preferred input as prompted. For the demo we opted for the choices shown in the screenshots:

[Screenshot: the inputs we selected for the demo]
[Screenshot: input your server IP address or hostname]
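Instead of answering install.sh interactively, OSSEC reads its answers from etc/preloaded-vars.conf inside the extracted source tree. The following is an added example, not part of the original guide: the variable names follow the commented template shipped as etc/preloaded-vars.conf in the OSSEC 3.x source (an assumption to verify against your copy), and the e-mail address and whitelist are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the guide: pre-answer install.sh's questions by
# writing etc/preloaded-vars.conf into the extracted OSSEC source tree.
# Variable names follow the commented template etc/preloaded-vars.conf in the
# OSSEC 3.x source (assumption: verify against your copy before use).
# Usage: write_preloaded_vars <ossec-src-dir> <server|local|agent> <email|-> <whitelist>

write_preloaded_vars() {
    src_dir="$1"; install_type="$2"; email="$3"; whitelist="$4"
    case "$install_type" in
        server|local|agent) ;;
        *) echo "install type must be server, local or agent, got '$install_type'" >&2; return 1 ;;
    esac
    [ -d "$src_dir/etc" ] || { echo "no etc/ directory under $src_dir" >&2; return 1; }
    out="$src_dir/etc/preloaded-vars.conf"
    {
        echo 'USER_LANGUAGE="en"'
        echo 'USER_NO_STOP="y"'                 # skip the "press ENTER to continue" pauses
        echo "USER_INSTALL_TYPE=\"$install_type\""
        echo 'USER_DIR="/var/ossec"'
        echo 'USER_ENABLE_SYSCHECK="y"'         # file integrity monitoring
        echo 'USER_ENABLE_ROOTCHECK="y"'        # rootkit detection
        echo 'USER_ENABLE_ACTIVE_RESPONSE="y"'
        echo 'USER_ENABLE_FIREWALL_RESPONSE="y"'
        echo "USER_WHITE_LIST=\"$whitelist\""   # hosts active response must never block (admin PC, DNS)
        if [ "$email" = "-" ]; then
            echo 'USER_ENABLE_EMAIL="n"'
        else
            echo 'USER_ENABLE_EMAIL="y"'
            echo "USER_EMAIL_ADDRESS=\"$email\""
        fi
        # remote syslog (udp/514) is only offered on a server install
        if [ "$install_type" = "server" ]; then
            echo 'USER_ENABLE_SYSLOG="y"'
        fi
    } > "$out"
    echo "$out"
}

# Constructed demo on a scratch tree; for real use pass the directory the
# tarball extracted to (ossec-hids-3.6.0) and then run its install.sh.
demo_src=$(mktemp -d) && mkdir "$demo_src/etc"
write_preloaded_vars "$demo_src" server admin@example.com "192.168.68.1 192.168.68.0/24"
```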

Installing the Web User Interface.

$ cd /tmp/

$ sudo git clone https://github.com/ossec/ossec-wui.git 

$ sudo mv /tmp/ossec-wui /var/www/html

$ cd /var/www/html/ossec-wui

$ sudo ./setup.sh

When prompted, enter your chosen username and password. For the web server user name enter www-data (Apache's user on Ubuntu).

Set Permissions

$ sudo chown -R www-data:www-data /var/www/html/ossec-wui/

$ sudo chmod -R 755 /var/www/html/ossec-wui/

Restart Apache and launch the Web User Interface

$ sudo systemctl restart apache2

Open a browser and navigate to http://your-servers-ip/ossec-wui

Configure the WUI to listen on port 8090

One way to change the WUI port is to edit the 000-default.conf file.

sudo vi /etc/apache2/sites-enabled/000-default.conf

Add the following to the file:

<VirtualHost *:8090>
    DocumentRoot /var/www/html/ossec-wui
</VirtualHost>

Edit the /etc/apache2/ports.conf file and add a Listen directive for the port you specified, in our case 8090 (a line reading Listen 8090). Without it Apache never opens the port, whatever the VirtualHost says.

sudo vi /etc/apache2/ports.conf

Restart Apache and test.

sudo systemctl restart apache2

Open your browser to http://your-ip-address:your-port, e.g. http://192.168.68.143:8089
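The port change above touches two files that must agree: the Listen line in ports.conf and the VirtualHost port in 000-default.conf. The following added example, not from the guide, derives both from a single port value and only appends the Listen line when it is missing, so re-running it is harmless; file paths are arguments, and the demo writes to a scratch directory rather than /etc/apache2.

```shell
#!/bin/sh
# Added example, not from the guide: generate the WUI VirtualHost and the
# matching Listen directive from one port value. Paths are arguments; for
# real use pass /etc/apache2/ports.conf and sites-enabled/000-default.conf.

# Print the VirtualHost stanza for the WUI on the given port.
wui_vhost() {
    port="$1"; docroot="$2"
    printf '<VirtualHost *:%s>\n    DocumentRoot %s\n</VirtualHost>\n' "$port" "$docroot"
}

# Append "Listen <port>" to a ports.conf-style file unless it is already there
# (also recognises "Listen 1.2.3.4:<port>"). Rejects non-numeric ports.
ensure_listen() {
    conf="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if grep -Eq "^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?$port([[:space:]]|\$)" "$conf"; then
        return 0
    fi
    printf 'Listen %s\n' "$port" >> "$conf"
}

# Number of Listen entries for a port; stays at 1 however often ensure_listen runs.
listen_count() {
    grep -Ec "^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?$2([[:space:]]|\$)" "$1"
}

# Constructed demo on a scratch copy of the two files.
demo_dir=$(mktemp -d)
printf 'Listen 80\n' > "$demo_dir/ports.conf"
ensure_listen "$demo_dir/ports.conf" 8090
ensure_listen "$demo_dir/ports.conf" 8090        # second run is a no-op
wui_vhost 8090 /var/www/html/ossec-wui >> "$demo_dir/000-default.conf"
```

After applying it to the real files, run `sudo apachectl configtest` before the restart so a bad directive does not take the WUI down.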

Windows Agent Install

Download the OSSEC agent from – https://updates.atomicorp.com/channels/atomic/windows/ossec-agent-win32-3.6.0-12032.exe

Open a command prompt and SSH to your OSSEC server.

ssh hgadmin@192.168.68.123

Launch the OSSEC Agent Manager:

sudo /var/ossec/bin/manage_agents

Enter option (A) to add a new agent, then the Windows machine's name when prompted.

Enter the Windows machine's IP when prompted and confirm by answering (y).

Run the agent installer you downloaded as administrator (it should be in your Downloads folder).

Open the installed OSSEC Agent as administrator and enter the IP address of your OSSEC server.

Return to the command prompt window where you SSHed to the OSSEC server. In the OSSEC Agent Manager, which should still be open, extract the key with option (e) followed by the agent ID of the Windows machine.

Highlight and copy the key, paste it into the OSSEC Agent, save the updated info and start the agent.

Open your web browser and navigate to your OSSEC server's IP and the port you set, if any.

—– Guide Ends Here —–

Blocking https sites with IPFire

Got a request from “dedu mihail” & “Amandeep Singh” on how to block HTTPS sites. In this quick walk-through we show how to use the proxy with manual (non-transparent) settings, which is needed to block HTTPS URLs / sites. It does not work in transparent mode (we could not find a simple way to make it work that way).

1. Configure the end user machine to use the proxy.

2. Configure the proxy on IPFire to use the url filter capability.

3. Configure the URL filter to block the HTTPS URL.

4. Configure the URL filter to allow restriction bypass for listed IPs.

Enabling Network-Wide Ad blocking!

In this walk-through we will show you how to install Pi-Hole to enable network-wide ad blocking on your network. We will also show you how to configure a Windows machine and the basic steps to enable it network-wide via your router.

–START–

URLs used: Pi-Hole – https://pi-hole.net/

Debian 9 (Stretch) – https://www.debian.org/releases/stretch/debian-installer/

DD-WRT – https://dd-wrt.com/

Prerequisites

Steps

  1. Install one of the supported operating systems.
  2. SSH to the OS you decided to use after the OS installation (we used Debian 9 for the walk-through), then run:

$ su
# wget -O basic-install.sh https://install.pi-hole.net
# bash basic-install.sh

  3. Log in to your device(s) and point their DNS settings to the Pi-Hole server. Alternatively, change the settings on your router to hand out the Pi-Hole's IP as your network's DNS server via DHCP. For more detail refer to the video provided by the link below or reach out to us.

IPFire on a Raspberry Pi !

In this walk-through we will take you through the steps to install IPFire on a Raspberry Pi.

Steps: see the PDF “IPFire on a Raspberry Pi”, or follow below.

URLs used:

IPFire

https://www.ipfire.org/

https://www.ipfire.org/download/ipfire-2.23-core138

Etcher

https://www.balena.io/etcher


Components:

  • Raspberry Pi 3
  • 32 GB SD Card
  • USB-to-LAN adapter
  • USB Keyboard
  • Monitor with HDMI
  • Win / Mac / Linux computer to download and flash the SD Card

Steps:

  1. Download the arm image from https://www.ipfire.org/
  2. Extract the image from the file you have downloaded.
  3. Flash your SD Card with the IPFire image you extracted using Etcher. (Or your preferred tool)
  4. If you plan on using the HDMI output and a USB keyboard, you need to edit the uENV.txt file on the flashed SD card and change it as shown below:

SERIAL-CONSOLE=ON

To

SERIAL-CONSOLE=OFF

  5. Remove the SD card from your computer and insert it into the Raspberry Pi.
  6. Connect all the components to the Raspberry Pi and power it on.
  7. Follow the usual IPFire installation / configuration steps.
  8. Configure the IPFire you installed as you need.

QRadar 7.3.1 (CE) Community Edition – Install – Start to Finish – (Unofficial)

QRadar Community Edition 7.3.1 is a fully-featured version of QRadar that you can use at home or in your lab. New in QRadar Community Edition 7.3.1 is IBM Security X-Force® Threat Intelligence IP reputation data, which is enabled for use.

Note: “# sudo /opt/qradar/support/changePasswd.sh -a” command is used to set the QRadar WUI admin password at the end of the installation.

QRadar Community Edition v7.3.0 is the previous release.

Q1 LABS, QRADAR and the ‘Q’ Logo are trademarks or registered trademarks of IBM Corp. All other trademarks are the property of their respective owners.

This is an unofficial video.

Disclaimer – https://www.hendgrow.com/disclaimer/

QRadar 7.3.0 (CE) Community Edition – Install – Start to Finish – (Unofficial)

QRadar Community Edition v7.3.0 is a fully-featured version of QRadar that you can use at home or in your lab. As the QRadar Community Edition install is slightly different from the standard / traditional QRadar installation, we thought there was value in creating this walk-through.

QRadar Community Edition v7.3.1 has since been released; see the QRadar Community Edition v7.3.1 walk-through.

Note: “# sudo /opt/qradar/support/changePasswd.sh -a” command is used to set the QRadar WUI admin password at the end of the installation.

Links for the ISO’s used:

CentOS

QRadar CE

Q1 LABS, QRADAR and the ‘Q’ Logo are trademarks or registered trademarks of IBM Corp. All other trademarks are the property of their respective owners.

IPFire – The Initial Build (Firewall | Router| Proxy | Gateway)…

IPFire is a hardened open source Linux distribution that primarily performs as a router and a firewall. It’s a standalone firewall system with a web-based management console for configuration.

In short, a good open-source firewall / proxy that can be used at home. Easy to install & easy to use?

There are many open-source distros available today that could serve as a proxy or firewall. We are not saying IPFire is the only firewall/proxy distro. However, if you are looking for an easy-to-install system with many add-ons for home or small office use, look no further. In this walk-through we will show you how to install the IPFire Open Source Firewall and use it as your personal firewall, gateway and proxy server.

For more information on IPFire visit https://www.ipfire.org