
    OSSEC HIDS

    Deploy a powerful open-source Host-based Intrusion Detection System on RamNode VPS. Real-time log analysis, file integrity monitoring, and active response.


    What is OSSEC?

    OSSEC (Open Source Security Event Correlator) is a powerful, open-source Host-based Intrusion Detection System (HIDS) that provides comprehensive security monitoring, log analysis, file integrity checking, rootkit detection, and active response capabilities.

    • Log Analysis: Real-time analysis of log files from various sources
    • File Integrity: Detection of unauthorized file changes
    • Rootkit Detection: Identification of system-level compromises

    Architecture Options

    • Local Installation: Single-server setup (recommended for VPS)
    • Agent-Server: Centralized monitoring of multiple systems
    • Agentless: Monitoring remote systems via SSH

    Prerequisites

    • Ubuntu 22.04/24.04 LTS, Debian 11/12, AlmaLinux 9, or Rocky Linux 9
    • Minimum 512MB RAM (1GB+ recommended)
    • 500MB disk space for installation, plus space for logs
    • 1 CPU core minimum (2+ recommended for high-traffic servers)
    • Root or sudo access

    Install OSSEC

    Update system and install dependencies:

    Ubuntu/Debian
    sudo apt update && sudo apt upgrade -y
    
    # Install build dependencies
    sudo apt install -y build-essential gcc make libc6-dev curl \
      apt-transport-https gnupg2 wget libssl-dev libpcre2-dev \
      zlib1g-dev libsystemd-dev

    AlmaLinux/Rocky Linux
    sudo yum update -y
    
    # Install build dependencies
    sudo yum install -y gcc make wget tar gzip pcre2-devel \
      openssl-devel systemd-devel zlib-devel

    Download and install OSSEC:

    Download and install OSSEC
    cd /tmp
    wget https://github.com/ossec/ossec-hids/archive/refs/tags/3.7.0.tar.gz
    tar -xzf 3.7.0.tar.gz
    cd ossec-hids-3.7.0
    
    # Run installation script
    sudo ./install.sh

    Installation prompts (recommended responses):

    Installation responses
    1. Installation type: local
    2. Installation directory: [Press ENTER for /var/ossec]
    3. Email notification: y
       - Email address: your-email@example.com
       - SMTP server: localhost
    4. Integrity check daemon: y
    5. Rootkit detection engine: y
    6. Active response: y
       - Enable host-deny and firewall-drop: y
    7. Remote syslog: n

    Post-Installation Configuration

    Configure alert levels:

    /var/ossec/etc/ossec.conf
    <alerts>
      <log_alert_level>3</log_alert_level>
      <email_alert_level>7</email_alert_level>
    </alerts>
    
    <!-- log_alert_level: Minimum level to log (1-16) -->
    <!-- email_alert_level: Minimum level to send email (1-16) -->

    File Integrity Monitoring

    Configure directories to monitor for unauthorized changes:

    Syscheck configuration
    <syscheck>
      <frequency>7200</frequency>
      <scan_on_start>yes</scan_on_start>
      <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
      <directories check_all="yes">/bin,/sbin,/boot</directories>
      <directories check_all="yes">/var/www</directories>
      
      <!-- Ignore frequently changing files -->
      <ignore>/etc/mtab</ignore>
      <ignore>/etc/hosts.deny</ignore>
      <ignore>/etc/mail/statistics</ignore>
      <ignore>/etc/random-seed</ignore>
      <ignore>/etc/adjtime</ignore>
      <ignore>/etc/httpd/logs</ignore>
    </syscheck>

    Rootkit Detection

    Rootcheck configuration
    <rootcheck>
      <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
      <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
      <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
      <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
      <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
      <frequency>7200</frequency>
    </rootcheck>

    Active Response

    Configure automatic threat response:

    Active response rules
    <active-response>
      <command>host-deny</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>
    
    <active-response>
      <command>firewall-drop</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>

    Important: Test active response carefully to avoid accidentally blocking legitimate traffic.

    Whitelist trusted IPs:

    Whitelist configuration
    <global>
      <white_list>your.management.ip.address</white_list>
      <white_list>127.0.0.1</white_list>
    </global>

    Custom Rules (Optional)

    Create custom rules
    sudo nano /var/ossec/rules/local_rules.xml

    Example: WordPress brute force detection:

    Custom rule example
    <group name="wordpress,">
      <rule id="100001" level="10" frequency="5" timeframe="120">
        <if_matched_sid>31103</if_matched_sid>
        <description>WordPress brute force attack detected</description>
        <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
      </rule>
    </group>

    Start OSSEC

    Create systemd service
    sudo nano /etc/systemd/system/ossec.service

    ossec.service
    [Unit]
    Description=OSSEC Host Intrusion Detection System
    After=network.target
    
    [Service]
    Type=forking
    ExecStart=/var/ossec/bin/ossec-control start
    ExecStop=/var/ossec/bin/ossec-control stop
    ExecReload=/var/ossec/bin/ossec-control restart
    Restart=on-failure
    RestartSec=5s
    
    [Install]
    WantedBy=multi-user.target

    Enable and start OSSEC
    sudo systemctl daemon-reload
    sudo systemctl enable ossec
    sudo /var/ossec/bin/ossec-control start

    Expected output
    Starting OSSEC HIDS v3.7.0...
    Started ossec-maild...
    Started ossec-execd...
    Started ossec-analysisd...
    Started ossec-logcollector...
    Started ossec-syscheckd...
    Started ossec-monitord...
    Completed.

    Verification & Testing

    Check OSSEC status
    sudo /var/ossec/bin/ossec-control status
    Monitor real-time alerts
    sudo tail -f /var/ossec/logs/alerts/alerts.log

    Test file integrity monitoring:

    Test FIM
    # Create test file in monitored directory
    sudo touch /etc/test-ossec-file
    
    # Wait a few moments, then check for alert
    sudo grep "test-ossec-file" /var/ossec/logs/alerts/alerts.log

    Check blocked IPs:

    View blocked IPs
    # For host-deny (the script appends lines of the form ALL:<ip>, without an OSSEC tag)
    sudo grep '^ALL:' /etc/hosts.deny
    
    # For iptables (firewall-drop inserts plain DROP rules for the source address)
    sudo iptables -L INPUT -n | grep DROP

    Log Analysis

    View OSSEC logs
    # Main alert log
    sudo tail -f /var/ossec/logs/alerts/alerts.log
    
    # Archive log (all events)
    sudo tail -f /var/ossec/logs/archives/archives.log
    
    # OSSEC internal log
    sudo tail -f /var/ossec/logs/ossec.log
    
    # Generate a summary report (ossec-reportd reads alert records from stdin)
    sudo cat /var/ossec/logs/alerts/alerts.log | sudo /var/ossec/bin/ossec-reportd
    
    # Search for authentication failures
    sudo grep "authentication" /var/ossec/logs/alerts/alerts.log
    
    # Search for rootkit detection
    sudo grep "rootkit" /var/ossec/logs/alerts/alerts.log
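The grep searches above can be turned into a structured summary. The following Python script is an added example, not part of this guide or of OSSEC itself: it parses the multi-line record format of alerts.log and counts, per source IP, how many alerts reached a given level, so you can preview which addresses the active-response level-6 threshold configured earlier would have blocked; the three records it parses are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample of three alerts.log records; not real alert data.
SAMPLE = """\
** Alert 1700000000.12345: mail  - ossec,syscheck,
2023 Nov 14 12:00:00 vps01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/test-ossec-file'

** Alert 1700000100.12400: - syslog,sshd,authentication_failed,
2023 Nov 14 12:01:40 vps01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5

** Alert 1700000300.12500: mail  - syslog,sshd,authentication_failures,
2023 Nov 14 12:05:00 vps01->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.5
"""

# Record header: "** Alert <epoch>.<seq>: [mail ] - <group>,<group>,"
HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+): (mail\s+)?- (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRCIP = re.compile(r"^Src IP: (\S+)$")

def parse_alerts(text):
    """Return one dict per '** Alert' record: ts, mail flag, groups, rule, level, desc, srcip."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):  # records are blank-line separated
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue  # skip anything that is not a well-formed record header
        alert = {"ts": int(head.group(1)), "mail": head.group(3) is not None,
                 "groups": [g for g in head.group(4).split(",") if g],
                 "rule": None, "level": None, "desc": "", "srcip": None}
        for line in lines[1:]:
            rule = RULE.match(line)
            if rule:
                alert["rule"], alert["level"], alert["desc"] = int(rule.group(1)), int(rule.group(2)), rule.group(3)
            src = SRCIP.match(line)
            if src:
                alert["srcip"] = src.group(1)
        alerts.append(alert)
    return alerts

def sources_at_or_above(alerts, level):
    """Count alerts per source IP whose level reached `level` (e.g. the active-response <level>)."""
    return Counter(a["srcip"] for a in alerts if a["srcip"] and a["level"] is not None and a["level"] >= level)
```

Run it against the real file with `sudo cat /var/ossec/logs/alerts/alerts.log` piped into a small wrapper that calls parse_alerts on stdin; any address that appears in sources_at_or_above(alerts, 6) but is legitimate belongs in the white_list before active response goes live.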

    Maintenance

    Configure log rotation. Note that ossec-monitord already rotates alerts.log and archives.log daily into dated subdirectories under /var/ossec/logs, and the postrotate restart below briefly stops all monitoring, so treat this stanza as optional:

    /etc/logrotate.d/ossec
    /var/ossec/logs/alerts/alerts.log {
        daily
        rotate 30
        compress
        delaycompress
        missingok
        notifempty
        create 0640 ossec ossec
        postrotate
            /var/ossec/bin/ossec-control restart > /dev/null 2>&1 || true
        endscript
    }

    Database cleanup:

    Clean OSSEC databases
    sudo /var/ossec/bin/ossec-control stop
    sudo rm -rf /var/ossec/queue/alerts/*
    sudo rm -rf /var/ossec/queue/diff/*
    sudo /var/ossec/bin/ossec-control start

    Troubleshooting

    OSSEC Won't Start

    Debug startup issues
    # Check internal log
    sudo tail -f /var/ossec/logs/ossec.log
    
    # Verify configuration syntax
    sudo /var/ossec/bin/ossec-analysisd -t

    High CPU Usage

    Reduce syscheck frequency or exclude busy directories:

    Performance tuning
    <syscheck>
      <frequency>43200</frequency> <!-- 12 hours -->
      <ignore>/var/log</ignore>
      <ignore>/tmp</ignore>
    </syscheck>

    Email Notifications Not Working

    Install and configure MTA
    # Test mail delivery
    echo "Test email from OSSEC" | mail -s "Test" your-email@example.com
    
    # Install postfix if needed
    sudo apt install postfix mailutils  # Ubuntu/Debian
    sudo yum install postfix mailx      # AlmaLinux/Rocky
    
    sudo systemctl enable postfix
    sudo systemctl start postfix

    Next Steps

    • Consider upgrading to Wazuh for advanced features
    • Integrate with ELK Stack for advanced visualization
    • Set up agent-server architecture for multi-host monitoring