1、故事背景,項目要求三級等保,大家懂的。
2、操作系統版本
[root@ossec01 yum.repos.d]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
3、安裝wget
安裝wget(如果有外網的話可以直接使用centos7安裝後自帶的yum源安裝wget,沒有外網使用本地安裝鏡像配置個本地源安裝)
yum -y install wget
獲取國內阿里源
wget http://mirrors.aliyun.com/repo/Centos-7.repo
在該目錄會產生下面這個文件:
/etc/yum.repos.d/Centos-7.repo
將原有的那些yum源備份掉:
mkdir /etc/yum.repos.d/backup
mv *.repo backup/
備份後如下:
[root@ossec01 yum.repos.d]# ll
total 12
drwxr-xr-x 2 root root 187 Aug 17 18:23 backup
-rw-r--r-- 1 root root 2523 Jun 16 2018 Centos-7.repo
創建yum源緩存
yum clean all
yum makecache
4、關閉selinux
vi /etc/selinux/config
SELINUX=disabled
然後重啓:
reboot
5、防火牆
關於防火牆,我們先開着
systemctl restart firewalld
systemctl enable firewalld
6、安裝配置mysql5.7
wget http://repo.mysql.com/mysql57-community-release-el7.rpm
該語句會在當前目錄下載一個mysql的rpm包,安裝即可:
[root@ossec01 soft]# ll
total 28
-rw-r--r-- 1 root root 25680 Apr 27 2017 mysql57-community-release-el7.rpm
安裝mysql yum源:
[root@ossec01 soft]# rpm -ivh mysql57-community-release-el7.rpm
warning: mysql57-community-release-el7.rpm: Header V3 DSA/SHA1 Signature, key ID 5072e1f5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:mysql57-community-release-el7-11 ################################# [100%]
安裝yum源完成後會在/etc/yum.repos.d目錄下產生如下兩個repo源文件:
[root@ossec01 yum.repos.d]# ll mysql*
-rw-r--r-- 1 root root 1838 Apr 27 2017 mysql-community.repo
-rw-r--r-- 1 root root 1885 Apr 27 2017 mysql-community-source.repo
[root@ossec01 yum.repos.d]# pwd
/etc/yum.repos.d
重新緩存新mysql源(原阿里源和mysql源同時用,只有mysql源可能報缺少依賴包):
yum clean all
yum makecache
安裝mysql及lib庫
yum -y install -y mysql-server mariadb-server mariadb mariadb-devel
這個源安裝的狂慢。
啓動mysql
systemctl start mysqld
systemctl status mysqld
systemctl enable mysqld
netstat -ntlp
[root@ossec01 yum.repos.d]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6729/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 6955/master
tcp6 0 0 :::3306 :::* LISTEN 22059/mysqld
tcp6 0 0 :::22 :::* LISTEN 6729/sshd
tcp6 0 0 ::1:25 :::* LISTEN 6955/master
獲取mysql密碼:
[root@ossec01 yum.repos.d]# grep 'temporary password' /var/log/mysqld.log
2019-08-17T16:14:26.656418Z 1 [Note] A temporary password is generated for root@localhost: rs.flfh<)5vQ
7、配置mysql
設置mysql密碼策略
mysql -uroot -p
設置密碼策略爲low
mysql> set global validate_password_policy=0;
Query OK, 0 rows affected (0.00 sec)
設置密碼長度
mysql> set global validate_password_length=1;
Query OK, 0 rows affected (0.00 sec)
修改密碼
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'root#123';
Query OK, 0 rows affected (0.00 sec)
授權其他機器登陸
mysql> grant all privileges on *.* to 'root'@'%' identified by "root#123" with grant option ;
Query OK, 0 rows affected, 1 warning (0.00 sec)
刷新權限
mysql> flush privileges ;
Query OK, 0 rows affected (0.00 sec)
8、創建ossec相關數據庫
創建ossec相關數據庫
創建ossec數據庫
mysql> create database ossec;
Query OK, 1 row affected (0.00 sec)
創建ossec用戶並授權
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost identified by 'ossec';
Query OK, 0 rows affected, 1 warning (0.00 sec)
刷新權限
mysql> flush privileges ;
Query OK, 0 rows affected (0.00 sec)
9、安裝相關依賴包
首先我們安裝需要用到的關聯庫和軟件,
由於我們最終是需要把日誌導入到MySQL中進行分析,
以及需要通過web程序對報警結果進行展示,
同時需要把本機當做SMTP,所以需要在本機安裝MySQL、Apache和sendmail服務。
在當前的終端中執行如下命令
yum install wget gcc make httpd php php-mysql sendmail
10、啓動httpd
啓動http並設置隨機自啓動
systemctl start httpd
systemctl status httpd
systemctl enable httpd
11、服務端安裝ossec-hids
[root@ossec01 soft]# ll ossec*
-rw-r--r-- 1 root root 1642095 Aug 16 14:53 ossec-hids-2.8.3.tar.gz
[root@ossec01 soft]# pwd
/soft
爲了使OSSEC支持MySQL,需要在安裝前執行make setdb命令,如下
tar -zxvf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3
cd src
[root@ossec01 src]# pwd
/soft/ossec-hids-2.8.3/src
[root@ossec01 src]# make setdb
Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.
[root@ossec01 src]#
看到如下的信息說明可以正常支持MySQL:
Info: Compiled with MySQL support.
安裝服務端
cd ..
[root@ossec01 ossec-hids-2.8.3]# pwd
/soft/ossec-hids-2.8.3
./install.sh
會要輸入一些信息,
選擇語言:cn
安裝類型:server安裝路徑:默認(/var/ossec)
是否email告警:y
email地址:[email protected]
smtp服務器ip或主機名:smtp.qq.com
您希望運行系統完整性檢測模塊嗎:y
您希望運行 rootkit檢測嗎:y
您希望開啓聯動(active response)功能嗎:y
您希望開啓防火牆聯動(firewall-drop)功能嗎:y
聯動功能默認的白名單是:可以添加服務端,也可以n
您希望接收遠程機器syslog嗎:y
...
cp -pr agent-auth ossec-authd ../../bin
make[1]: Leaving directory `/soft/ossec-hids-2.8.3/src/os_auth'
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
- 系統類型是 Redhat Linux.
- 修改啓動腳本使 OSSEC HIDS 在系統啓動時自動運行
- 已正確完成系統配置.
- 要啓動 OSSEC HIDS:
/var/ossec/bin/ossec-control start
- 要停止 OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- 要查看或修改系統配置,請編輯 /var/ossec/etc/ossec.conf
感謝使用 OSSEC HIDS.
如果您有任何疑問,建議或您找到任何bug,
請通過 [email protected] 或郵件列表 [email protected] 聯繫我們.
( http://www.ossec.net/en/mailing_lists.html ).
您可以在 http://www.ossec.net 獲得更多信息
--- 請按 ENTER 結束安裝 (下面可能有更多信息). ---
- 爲使代理能夠聯接服務器端, 您需要將每個代理添加到服務器.
允許'manage_agents'來添加活刪除代理:
/var/ossec/bin/manage_agents
詳細信息請參考:
http://www.ossec.net/en/manual.html#ma
[root@ossec01 ossec-hids-2.8.3]#
看到上面的信息,表示安裝成功
12、配置ossec數據庫支持
爲了配置服務端,使其工作正常,執行下面命令啓用數據庫支持
/var/ossec/bin/ossec-control enable database
13、導入ossec相關數據結構到mysql數據庫中
導入mysql表結構到mysql庫中
mysql -uossec -possec ossec < src/os_dbd/mysql.schema
檢查導入:
mysql> use ossec ;
mysql> show tables ;
+----------------------------+
| Tables_in_ossec |
+----------------------------+
| agent |
| alert |
| category |
| data |
| location |
| server |
| signature |
| signature_category_mapping |
+----------------------------+
8 rows in set (0.00 sec)
可以看到導入這些對象,這些表都是空的,未導入之前這個庫是空的,沒有這些表。
14、修改配置文件權限
修改配置文件的權限,否則啓動服務可能會失敗
chmod u+w /var/ossec/etc/ossec.conf
15、修改配置文件,添加數據庫連接信息
添加mysql數據庫連接信息,加在該文件最後,</ossec_config>節點之前:
vi /var/ossec/etc/ossec.conf
<database_output>
<hostname>localhost</hostname>
<username>ossec</username>
<password>ossec</password>
<database>ossec</database>
<port>3306</port>
<type>mysql</type>
</database_output>
16、修改配置文件,添加客戶端允許連接ip地址
由於服務端安裝過程中設置了支持接受遠程機器的syslog,所以需要對ossec.conf文件中的 syslog部分進行配置,修改ossec.conf文件,將需要收集的網段全添加進去。
<remote>
<connection>syslog</connection>
<allowed-ips>192.168.10.0/24</allowed-ips>
</remote>
17、啓動ossec服務
[root@ossec01 ossec-hids-2.8.3]# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
Started ossec-dbd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
[root@ossec01 ossec-hids-2.8.3]# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
ossec-dbd is running...
所有能看到的服務都應該是運行的狀態(因爲前面我們沒有配置發送郵件,所以mail服務沒有運行)
18、添加客戶端
此時就可以在服務端添加客戶端並導出客戶端的key(此時客戶端還沒裝)
[root@ossec01 ossec-hids-2.8.3]# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: a
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: 192.168.10.178
* The IP Address of the new agent: 192.168.10.178
* An ID for the new agent[001]:
Agent information:
ID:001
Name:192.168.10.178
IP Address:192.168.10.178
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: e
Available agents:
ID: 001, Name: 192.168.10.178, IP: 192.168.10.178
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIDE5Mi4xNjguMTAuMTc4IDE5Mi4xNjguMTAuMTc4IDg0OTRiM2EzMzVkMjE0ZWU1M2U5OTkzZTU0MGQxNjU1MjgzMTgwNmMxNzA1MDJhZTQ1YzRhZWU5OTFjNTlmN2Q=
** Press ENTER to return to the main menu.
上面導出的那個key要記下來,後面要複製粘貼到客戶端使用:
MDAxIDE5Mi4xNjguMTAuMTc4IDE5Mi4xNjguMTAuMTc4IDg0OTRiM2EzMzVkMjE0ZWU1M2U5OTkzZTU0MGQxNjU1MjgzMTgwNmMxNzA1MDJhZTQ1YzRhZWU5OTFjNTlmN2Q=
19、安裝客戶端
安裝客戶端192.168.10.178
從服務端將安裝包拷貝到客戶端
scp ossec-hids-2.8.3.tar.gz 192.168.10.178:/soft/
然後在客戶端解壓縮
tar -xzvf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3
20、客戶端安裝必要的依賴包
客戶端安裝必要的依賴包
yum -y install make gcc cmake
21、安裝ossec客戶端
[root@ossec02 ossec-hids-2.8.3]# ./install.sh
which: no host in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
** Para instala??o em português, escolha [br].
** 要使用中文進行安裝, 請選擇 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατ?σταση στα Ελληνικ?, επιλ?ξτε [el].
** For installation in English, choose [en].
** Para instalar en Espa?ol , eliga [es].
** Pour une installation en fran?ais, choisissez [fr]
** A Magyar nyelv? telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalowa? w j?zyku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türk?e kurulum i?in se?in [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: cn
which: no host in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
OSSEC HIDS v2.8.3 安裝腳本 - http://www.ossec.net
您將開始 OSSEC HIDS 的安裝.
請確認在您的機器上已經正確安裝了 C 編譯器.
如果您有任何疑問或建議,請給 [email protected] (或 [email protected]) 發郵件.
- 系統類型: Linux ossec02 3.10.0-957.el7.x86_64
- 用戶: root
- 主機: ossec02
-- 按 ENTER 繼續或 Ctrl-C 退出. --
1- 您希望哪一種安裝 (server, agent, local or help)? agent
- 選擇了 Agent(client) 類型的安裝.
2- 正在初始化安裝環境.
- 請選擇 OSSEC HIDS 的安裝路徑 [/var/ossec]:
- OSSEC HIDS 將安裝在 /var/ossec .
3- 正在配置 OSSEC HIDS.
3.1- 請輸入 OSSEC HIDS 服務器的IP地址或主機名: 192.168.10.177
- 添加服務器IP 192.168.10.177
3.2- 您希望運行系統完整性檢測模塊嗎? (y/n) [y]:
- 系統完整性檢測模塊將被部署.
3.3- 您希望運行 rootkit檢測嗎? (y/n) [y]:
- rootkit檢測將被部署.
3.4 - 您希望開啓聯動(active response)功能嗎? (y/n) [y]:
3.5- 設置配置文件以分析一下日誌:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-如果你希望監控其他文件, 只需要在配置文件ossec.conf中
添加新的一項.
任何關於配置的疑問您都可以在 http://www.ossec.net 找到答案.
--- 按 ENTER 以繼續 ---
...(一堆編譯安裝的內容省略...)
- 系統類型是 Redhat Linux.
- 修改啓動腳本使 OSSEC HIDS 在系統啓動時自動運行
- 已正確完成系統配置.
- 要啓動 OSSEC HIDS:
/var/ossec/bin/ossec-control start
- 要停止 OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- 要查看或修改系統配置,請編輯 /var/ossec/etc/ossec.conf
感謝使用 OSSEC HIDS.
如果您有任何疑問,建議或您找到任何bug,
請通過 [email protected] 或郵件列表 [email protected] 聯繫我們.
( http://www.ossec.net/en/mailing_lists.html ).
您可以在 http://www.ossec.net 獲得更多信息
--- 請按 ENTER 結束安裝 (下面可能有更多信息). ---
- 您必須首先將該代理添加到服務器端以使他們能夠相互通信.
這樣做了以後,您可以運行'manage_agents'工具導入
服務器端產生的認證密匙.
/var/ossec/bin/manage_agents
詳細信息請參考:
http://www.ossec.net/en/manual.html#ma
[root@ossec02 ossec-hids-2.8.3]#
看到上面的信息,說明agent安裝成功。
22、在客戶端導入key
[root@ossec02 bin]# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: i
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): MDAxIDE5Mi4xNjguMTAuMTc4IDE5Mi4xNjguMTAuMTc4IDg0OTRiM2EzMzVkMjE0ZWU1M2U5OTkzZTU0MGQxNjU1MjgzMTgwNmMxNzA1MDJhZTQ1YzRhZWU5OTFjNTlmN2Q=
Agent information:
ID:001
Name:192.168.10.178
IP Address:192.168.10.178
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
23、啓動客戶端
[root@ossec02 bin]# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
Started ossec-execd...
2019/08/18 01:23:11 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.
[root@ossec02 bin]# /var/ossec/bin/ossec-control status
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...
24、去服務端檢查客戶端是否已經連接上
[root@ossec01 bin]# /var/ossec/bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: ossec01 (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: 192.168.10.178, IP: 192.168.10.178, Never connected
List of agentless devices:
[root@ossec01 bin]#
發現是192.168.10.178是Never connected的狀態。
去客戶端查看日誌:
view /var/ossec/logs/ossec.log
2019/08/18 01:24:42 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.10.177'.
2019/08/18 01:25:20 ossec-agentd: INFO: Trying to connect to server (192.168.10.177:1514).
2019/08/18 01:25:20 ossec-agentd: INFO: Using IPv4 for: 192.168.10.177 .
2019/08/18 01:25:30 ossec-agentd(1218): ERROR: Unable to send message to server.
2019/08/18 01:25:42 ossec-agentd(1218): ERROR: Unable to send message to server.
發現是服務端沒有響應,客戶端連接的是服務端的1514端口。我們去服務端查看下1514端口是否正常。
[root@ossec01 bin]# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6729/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 6955/master
tcp6 0 0 :::3306 :::* LISTEN 22059/mysqld
tcp6 0 0 :::80 :::* LISTEN 22305/httpd
tcp6 0 0 :::22 :::* LISTEN 6729/sshd
tcp6 0 0 ::1:25 :::* LISTEN 6955/master
[root@ossec01 bin]# netstat -nupl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:68 0.0.0.0:* 6549/dhclient
udp 0 0 0.0.0.0:514 0.0.0.0:* 24225/ossec-remoted
[root@ossec01 bin]#
很遺憾,服務端1514端口應該是udp協議,經過查詢發現不管是tcp還是udp的端口都沒有1514.
[root@ossec01 init.d]# /etc/init.d/ossec start
Starting OSSEC: [ OK ]
然後重啓下ossec服務
/var/ossec/bin/ossec-control stop
/var/ossec/bin/ossec-control start
在查看下端口1514:
[root@ossec01 init.d]# netstat -nulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:1514 0.0.0.0:* 25218/ossec-remoted
udp 0 0 0.0.0.0:68 0.0.0.0:* 6549/dhclient
udp 0 0 0.0.0.0:514 0.0.0.0:* 25217/ossec-remoted
發現已經有了。
24、驗證服務端1514端口是否通
我們在本地windows下測試一下是否能連該端口
測試tcp端口(在客戶端測試):
nc -zv 192.168.10.177 80
[root@ossec02 bin]# nc -zv 192.168.10.177 80
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.10.177:80.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
[root@ossec02 bin]#
nc -zvu 192.168.10.177 1514
[root@ossec02 bin]# nc -zvu 192.168.10.177 1514
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.10.177:1514.
Ncat: UDP packet sent successfully
Ncat: 1 bytes sent, 0 bytes received in 2.01 seconds.
[root@ossec02 bin]#
看到上面的信息就表示端口是通的。因爲1514端口是使用的udp,所以需要使用下面的一個語句測試。
25、如果無法連接,把防火牆端口開一下。(我們上面防火牆是開着的,如果直接把防火牆關了就不需要了)
發現無法連接,這個是因爲防火牆沒開此端口,我們把需要的端口都開一下:
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=3306/tcp --permanent
firewall-cmd --zone=public --add-port=1514/udp --permanent
firewall-cmd --zone=public --add-port=514/udp --permanent
firewall-cmd --zone=public --add-port=514/tcp --permanent
firewall-cmd --zone=public --add-port=1514/tcp --permanent
重啓防火牆:
[root@ossec01 init.d]# systemctl restart firewalld
26、內核參數提前配好
##########Shared Memory###############
kernel.shmmax=3221225472
kernel.shmmni=4096
kernel.shmall=786432
##########Semaphore Arrays############
kernel.sem=6144 50331648 4096 8192
##########open file###################
fs.file-max=6815744
##########aio#########################
fs.aio-max-nr=3145728
##########network#####################
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=1500
net.ipv4.tcp_keepalive_probes=5
net.ipv4.tcp_keepalive_intvl=60
net.ipv4.tcp_window_scaling=1
net.core.rmem_default=262144
net.core.wmem_default=262144
net.core.rmem_max=4194304
net.core.wmem_max=4194304
net.ipv4.tcp_rmem=8192 262144 4194304
net.ipv4.tcp_wmem=8192 262144 4194304
net.ipv4.ip_local_port_range=9000 65500
##########CORE######################
kernel.core_uses_pid=1
##########Message Queues##############
kernel.msgmax=655360
kernel.msgmni=4096
kernel.msgmnb=1024000
##########vm config###################
vm.min_free_kbytes=1048576
vm.vfs_cache_pressure=200
vm.swappiness=10
27、再次在服務端驗證狀態
再次在服務端查詢客戶端連接狀態,就可以看到客戶端是active的狀態了。
如果還有問題,可以查詢日誌:
服務端:
/var/ossec/logs/ossec.log
客戶端:
/var/ossec/logs/ossec.log
一般有問題的話日誌裏面就會報的比較詳細。
28、圖形界面安裝
服務端和客戶端都安裝好了,並且也連接上了,下一步就需要有個界面管理我們的服務端和客戶端。
安裝文件:
[root@ossec01 soft]# ll *ossec-wui*
-rw-r--r-- 1 root root 397357 Aug 19 18:27 ossec-wui.tar.gz
解壓解包:
tar -xzvf ossec-wui.tar.gz
cd ossec-wui
[root@ossec01 ossec-wui]# ll
total 68
-rwxr-xr-x 1 root root 317 Aug 16 16:52 CONTRIB
drwxr-xr-x 3 root root 50 Aug 16 16:52 css
-rw-r--r-- 1 root root 218 Aug 16 16:52 htaccess_def.txt
drwxr-xr-x 2 root root 168 Aug 16 16:52 img
-rwxr-xr-x 1 root root 5177 Aug 16 16:52 index.php
drwxr-xr-x 2 root root 107 Aug 16 16:52 js
drwxr-xr-x 3 root root 273 Aug 16 16:52 lib
-rw-r--r-- 1 root root 35745 Aug 16 16:52 LICENSE
-rw-r--r-- 1 root root 462 Aug 16 16:52 ossec_conf.php
-rw-r--r-- 1 root root 2106 Aug 16 16:52 README
-rw-r--r-- 1 root root 923 Aug 16 16:52 README.search
-rwxr-xr-x 1 root root 2471 Aug 16 16:52 setup.sh
drwxr-xr-x 2 root root 175 Aug 16 16:52 site
29、創建目錄
mkdir -p /opt/ossec
拷貝解壓目錄下的所有文件到目標/opt/ossec目錄下
cp -R /soft/ossec-wui/* /opt/ossec/
[root@ossec01 ossec]# pwd
/opt/ossec
[root@ossec01 ossec]# ll
total 68
-rwxr-xr-x 1 root root 317 Aug 19 18:30 CONTRIB
drwxr-xr-x 3 root root 50 Aug 19 18:30 css
-rw-r--r-- 1 root root 218 Aug 19 18:30 htaccess_def.txt
drwxr-xr-x 2 root root 168 Aug 19 18:30 img
-rwxr-xr-x 1 root root 5177 Aug 19 18:30 index.php
drwxr-xr-x 2 root root 107 Aug 19 18:30 js
drwxr-xr-x 3 root root 273 Aug 19 18:30 lib
-rw-r--r-- 1 root root 35745 Aug 19 18:30 LICENSE
-rw-r--r-- 1 root root 462 Aug 19 18:30 ossec_conf.php
-rw-r--r-- 1 root root 2106 Aug 19 18:30 README
-rw-r--r-- 1 root root 923 Aug 19 18:30 README.search
-rwxr-xr-x 1 root root 2471 Aug 19 18:30 setup.sh
drwxr-xr-x 2 root root 175 Aug 19 18:30 site
30、進行安裝ossec-wui
cd /opt/ossec/
./setup.sh
[root@ossec01 ossec]# ./setup.sh
Setting up ossec ui...
Username: ossec
New password:
Re-type new password:
Adding password for user ossec
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
apache
You must restart your web server after this setup is done.
Setup completed successfully.
[root@ossec01 ossec]#
上面輸入的用戶名和密碼需要記住,這個就是後面登陸web界面的憑證。
31、配置http
對ossec.config進行配置,需要添加虛擬目錄
[root@ossec01 opt]# vi /etc/httpd/conf.d/ossce.conf
Alias /ossec "/opt/ossec/"
<Directory "/opt/ossec/">
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 192.168.0.0/16
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "OSSEC AUTH"
AuthType Basic
AuthUserFile /opt/ossec/.htpasswd
Require valid-user
</Directory>
32、賦權
對ossec-wui目錄的權限授權給apache用戶
cd /opt
chown -R apache:apache ossec
33、重啓httpd服務
重新啓動httpd服務
systemctl restart httpd
34、通過web瀏覽器訪問
然後就可以通過以下地址訪問:
http://192.168.10.177/ossec/
訪問界面如下:
輸入剛纔的輸入的用戶名ossec和對應的密碼。