Friday, August 04, 2006

I Heart OSSEC

On Wednesday I attended my first SANS webcast, which showcased OSSEC, a HID (Host-based Intrusion Detection) system. Essentially it helps look at server and machine logs to see if anything is going wrong. It actually came at a good time, as at work we were looking into setting up a central log server and reporting system called 'syslog-ng.' I had already been working on it a few days and was having no real luck.

I was somewhat disappointed in the webcast. The main speaker was speaking from his user's experience and wasn't formally affiliated with the software, so some of the more technical questions weren't answered. The presentation was interesting enough to pique our interest in OSSEC and give it a try at work.

I kid you not, I was able to set up an OSSEC server and clients (CentOS, Ubuntu Server, and XP) in under one hour, and was already getting alerts. I then deployed it later that evening out in the work cubicles. So, in less than half of a day, I had a good testbed already set up and working. I also decided to set it up at home since I have three servers, one being a production web server and another a remote login server.

What does OSSEC do?
OSSEC comes in two parts - server and client. The server sits there collecting alerts that the clients send, logs them in a central log file, and then determines whether or not the alert is worth an e-mail (you set the alert level at which it e-mails out).

The client sits on the machine and reads through the logs already set up on the machine. Out of the box OSSEC can read a multitude of logs including HTTP, messages, maillog, and others. It then watches for errors and alerts the server with the information about what is going on (multiple logon failures, passwd file changes, etc).

The server can also do what are called 'active responses' - actions to take when a particular thing happens. For example, if it sees an SSH brute force attack, it blocks the offending IP address via firewall rules.
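To make the client/server split concrete, here is a small added example (my own sketch, not OSSEC's code or its shipped rules) of the kind of decision the server makes: it parses constructed sshd lines from a syslog-style messages file, assigns an alert level to each failed login, e-mails only at or above a threshold, and issues a temporary block when one source fails repeatedly. The thresholds, levels and block duration are assumptions, and the timestamps are assumed to come from 2006.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines in the syslog format an OSSEC client reads
# (documentation addresses only, not real traffic).
SAMPLE_LOG = """\
Aug  4 22:10:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug  4 22:10:03 web1 sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Aug  4 22:10:04 web1 sshd[4025]: Failed password for root from 203.0.113.7 port 51238 ssh2
Aug  4 22:10:06 web1 sshd[4027]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug  4 22:12:40 web1 sshd[4101]: Failed password for bob from 192.0.2.15 port 40001 ssh2
Aug  4 22:30:00 web1 sshd[4200]: Accepted password for bob from 192.0.2.15 port 40002 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port")

# Tunables; these values are assumed, not OSSEC's defaults.
EMAIL_LEVEL = 7                     # server e-mails alerts at this level or above
BRUTE_COUNT = 4                     # failures from one source inside WINDOW
WINDOW = timedelta(seconds=120)
BLOCK_FOR = timedelta(seconds=600)  # active response is temporary, then expires

def parse_ts(stamp):
    # syslog stamps carry no year; assume the year the lines were written
    return datetime.strptime("2006 " + stamp, "%Y %b %d %H:%M:%S")

def analyze(log_text):
    """Return (alerts, blocks): one alert per failed login, blocks = src -> expiry."""
    recent = defaultdict(list)
    alerts, blocks = [], {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                   # successful logins raise no alert here
        ts, src = parse_ts(m.group(1)), m.group(2)
        recent[src] = [t for t in recent[src] if ts - t <= WINDOW] + [ts]
        level = 5                      # single failure: logged, no e-mail
        if len(recent[src]) >= BRUTE_COUNT and src not in blocks:
            level = 10                 # brute-force pattern: e-mail and block
            blocks[src] = ts + BLOCK_FOR
        alerts.append({"src": src, "level": level, "email": level >= EMAIL_LEVEL})
    return alerts, blocks

def is_blocked(blocks, src, stamp):
    """True while the temporary active-response block for src is still in force."""
    return src in blocks and parse_ts(stamp) < blocks[src]
```

A legitimate user who mistypes a password once stays at the low level and never triggers the block, which is the distinction the e-mail threshold and the failure count are there to make.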

How well does it work?
By itself, very well. As I said before, it is quick to set up, and lets you know about a lot of things. The first night that I had set it up, I was alerted that one of the POP accounts had multiple failed logins as the sysadmin was trying to set it up and trying to remember the password. At home, a badly coded HTML site caused my connection at work to be blacklisted. As for the blacklisting, it is only temporary, but normally a server that blacklists an attacker causes them to move on to easier targets.

Why should I care?
If anyone ever plans to set up servers (be it file servers, or like in my case a web server), or has a lot of machines in the home that they want to keep track of problems on but are too lazy to manually check logs, OSSEC is a great alternative. It lets you get on with administering or running your machines without having to waste time digging through logs.

Linkage
OSSEC Homepage
