4. Host-Based Intrusion Detection Systems


We use OSSEC for our Host-Based Intrusion Detection System because it not only comes preconfigured with many powerful rules and log decoders built in, but it also allows for extreme customizability. We installed OSSEC on a dedicated OSSEC server and then set up the other servers as OSSEC agents that talk to the OSSEC server. This creates a relationship where OSSEC can monitor every server on the network and consolidate the activity into one easy-to-use and easy-to-find place. We set up email alerting with OSSEC and decided to set the email alert level to a minimum of 1, since we were sending the email to a Gmail account made just for this. This means that the Gmail account becomes flooded with many alerts, but this is okay since it is a dedicated OSSEC email. If we were to use this with a personal email we would probably increase the level to 6 or 7. We also reduced the syscheck frequency down to checking every half an hour rather than the 22-hour default.
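A server-side ossec.conf fragment that reflects the settings described above (email alerting on, email alert level 1, syscheck every 30 minutes instead of the 79200-second default), added here as an illustration rather than taken from the project's own configuration; the email addresses, SMTP server and the agent's server IP are placeholders:

```xml
<!-- /var/ossec/etc/ossec.conf on the OSSEC server (illustrative fragment) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- placeholder: the dedicated Gmail inbox that receives alerts -->
    <email_to>ossec-alerts@example.com</email_to>
    <!-- placeholder: relay that the OSSEC server is allowed to send through -->
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossecm@ossec-server.example.com</email_from>
  </global>

  <alerts>
    <!-- everything at level 1 and above is written to alerts.log -->
    <log_alert_level>1</log_alert_level>
    <!-- level 1 here is deliberately noisy: fine for a dedicated inbox,
         raise to 6 or 7 for a personal mailbox -->
    <email_alert_level>1</email_alert_level>
  </alerts>

  <syscheck>
    <!-- 30 minutes (in seconds); the OSSEC default is 79200 (22 hours) -->
    <frequency>1800</frequency>
    <!-- OSSEC's default monitored directories, kept here for completeness -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>

<!-- /var/ossec/etc/ossec.conf on each agent: point it at the server (placeholder IP) -->
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
</ossec_config>
```

A shorter syscheck interval means more frequent hashing of the monitored trees, so watch CPU and disk load on busy agents after lowering it.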

Overall, OSSEC is extremely powerful and allows us to see all of the important activity that we would want to see as administrators. It shows us when users begin and end SSH sessions, root user sessions, access denied messages, file integrity changes, and more, all sent through easy email alerting, and it gives us lots of power to add new rules as necessary.
