Introduction To OSSEC Host Based Intrusion Detection (HIDS)
Prevention of a security incident is ideal, but detection is a must. Detecting a security incident is easier said than done. Host Based Intrusion Detection is a great concept for pointing out unusual activity and helps you concentrate on the most likely issues. To understand what OSSEC Host Based Intrusion Detection is in practice, you must first understand the concept of Intrusion Detection.
Intrusion Detection in general aims to automatically recognise and alert on unusual or harmful activity or states of a system or network. With a host based intrusion detection system like OSSEC, the intrusion detection system is installed on a specific host. Detection happens on the host, not in the network (e.g. OSSEC is installed and runs on a Linux server).
In practice this means that, for example, OSSEC is running on a Linux server. OSSEC actively watches activity in the file system, logs etc., and the goal is to be able to determine which activities are normal and relevant for the system and which are unusual or potentially harmful. If something unusual or harmful occurs, OSSEC alerts on the event with a criticality level from 1 to 10 (a higher value means higher risk). OSSEC also contains features for active intrusion prevention, meaning that OSSEC is able to stop potentially harmful actions or attacks, for example by automatically adding firewall rules to drop a potentially malicious actor’s connections from a certain IP address.
The first time I heard about “host based intrusion detection (HIDS)” I was quite confused. HIDS didn’t ring any bells. From the name I couldn’t figure out what it is or what the benefits could be. Many years later the concept of HIDS feels like bread and butter in a successfully hardened system. In a nutshell, HIDS is a great system for securing the server, adding one important protective layer and moving towards defence in depth! In this post I will explain how HIDS works, how to use it and what the benefits are, in my opinion.
Why HIDS And OSSEC Matter: The Defence In Depth Principle
Let’s say you have a valuable asset. For example, a Linux server which is used to deliver and store sensitive, business critical information. The server is connected to the Internet because of demanding and flexible use-case related availability requirements. It is quite obvious that the server must be secure from an information security perspective (confidentiality, integrity and availability of data). There is no single magic trick or silver bullet that will make sure the server is protected. Instead, multiple threat aspects must be considered and many different security controls must be in place. At this point, the principle of defence in depth appears in the spotlight. Defence in depth in practice means adding multiple protective layers and measures to secure valuable assets.
To ensure defence in depth on the Linux server, effective prevention of external attacks is ideal. Detection of an attack, on the other hand, is a must, and let’s not forget the capability to respond to the incident. In the Linux server context, the following prevention techniques are the basics to start from:
- Security updates (always, not just today)
- Limited user accounts and privileges in general (least privilege with the system’s own capabilities)
- Mandatory Access Control (SELinux, AppArmor, etc. to enhance access control on top of the previous point)
- Only necessary software installed/running (remove or deactivate everything that you don’t need)
- Hardened administration channels (ssh hardening etc.)
- Strict firewall rules
- Web application firewall (in case of web server)
In my opinion, the above are mandatory for any system that is connected to the Internet. But what happens when the attacker is able to break through one of these protection layers, or even all of them? And it really is a question of when it happens, not if. In that case we need detection capabilities and active reaction. This is the stage for host based intrusion detection like OSSEC. Detection and alerting includes the following aspects:
- Active monitoring of different logs and matching against known attack patterns or risky actions (syslog, apache logs, auth log, etc.)
- File system monitoring based on file integrity (did some files suddenly change under /etc or /var/www?)
- Is there malware or a rootkit somewhere in the system?
What Is OSSEC Host Based Intrusion Detection
The idea is to monitor certain hosts and alert in real time on unusual or harmful security related events. Monitoring with OSSEC can be performed locally or with a server/agent combination.
Let’s say you have a Linux based production web server called “main web”. The main web server can work as an OSSEC agent and another, separate server can work as the OSSEC server. In this case “main web” will send all alerts to the OSSEC server and perform monitoring based on the rules configured on the server.
At a high level, OSSEC contains the following features:
- Log based Intrusion Detection (LIDS)
- Rootkit and Malware Detection
- Active Response
- Compliance Auditing
- File Integrity Monitoring (FIM)
- System Inventory
What OSSEC Is Used For
OSSEC has many use cases: it can monitor multiple servers with different operating systems (Linux, Windows, FreeBSD, etc.) in real time from another monitoring server. In a minimalistic setup, OSSEC simply runs locally and monitors the system, and alerts can be viewed locally or received via email (there is actually even a Slack integration).
How I Use OSSEC
In my case I have typically monitored critical Internet facing assets (mostly Linux servers). OSSEC is running on the critical assets in agent mode. I monitor each critical asset with OSSEC running in server mode on another host. Between these two servers I have established a UDP connection that is encrypted by OSSEC. In the end, I use Splunk to visualise all the data, and I can monitor the critical Internet facing asset easily with a browser.
How to Install And Configure OSSEC
To install OSSEC on Ubuntu 20.04 I followed this guide on Digital Ocean; the guide contains a few basic configuration examples as well. During the installation, in my case, everything worked smoothly even though the guide is made for Ubuntu 14.04. OSSEC comes with a handy installation script which guides you. The OSSEC documentation is also quite handy.
There are multiple deployment/installation possibilities. As said, I chose the agent & server method, in which the agent runs on a critical asset and all OSSEC alerts are sent to the OSSEC server running in another environment.
My pro tips for installing:
- Follow the OSSEC installation tutorial for Ubuntu 14.04 on Digital Ocean
- Read the OSSEC documentation (it is useful even if it looks a bit weird)
- Try the installation script a few times, it is quite nice
- If you need to uninstall OSSEC on Linux, check the OSSEC uninstall tips on the project’s GitHub page
How To Configure Splunk to Visualize The OSSEC Alerts
Once you have an OSSEC agent and server running on Linux and communication is working, you can access OSSEC alerts at /var/ossec/alerts, or configure OSSEC to send alerts via email. I like the possibility of accessing the data with a browser, and I think Splunk works quite smoothly.
One thing to note is that, as far as I know, OSSEC doesn’t support rsyslog or any other method to smoothly send alert data to remote hosts that are not running an OSSEC server. For that reason I have decided to run Splunk and the OSSEC server on the same host.
If you don’t know how to install Splunk, you will have to read the documentation and do some googling. Or you can choose the lazy way, like I did. I am a big fan of the Linode hosting environment. In the management console they offer a marketplace which contains a few-click installation GUI that deploys a Splunk instance ready to use.
When you have Splunk running you can just install the OSSEC server on the same host. After that there is a quite easy to follow guide on how to configure OSSEC to send alerts to Splunk and Splunk to show the data. Unfortunately the guide doesn’t contain all the details; there is actually a reference to the OSSEC documentation. If you have problems seeing the data in Splunk, check this section of the OSSEC documentation carefully (you need to enable client-syslog etc.).
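Before the alerts reach Splunk they are plain text under /var/ossec, and it is worth knowing what that text looks like and how the 1 to 10 level mentioned earlier can be used for triage. The following is an added example, not code from the original post or the OSSEC project: it parses constructed alerts.log style entries (rule IDs and messages modelled on OSSEC's stock sshd and syscheck rules) and filters them by level; the file path in the comment is an assumption.

```python
# Added example (not from the original post or the OSSEC project): parse the
# OSSEC alerts.log format and filter alerts by criticality level (1-10).
# The alerts below are constructed; their layout mirrors alerts.log entries
# ("** Alert" header, timestamp/host line, "Rule:" line, optional "Src IP:",
# then the raw log line). Assumed real path: /var/ossec/logs/alerts/alerts.log.
import re
from collections import Counter

SAMPLE_ALERTS = """\
** Alert 1603455599.12345: - syslog,sshd,authentication_failed,
2020 Oct 23 12:19:59 main-web->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
Oct 23 12:19:59 main-web sshd[1234]: Failed password for root from 203.0.113.5 port 4242 ssh2

** Alert 1603455640.12400: mail  - syslog,sshd,authentication_failures,
2020 Oct 23 12:20:40 main-web->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.5
Oct 23 12:20:40 main-web sshd[1240]: Failed password for root from 203.0.113.5 port 4250 ssh2

** Alert 1603455700.12500: - ossec,syscheck,
2020 Oct 23 12:21:40 main-web->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)
SRC_RE = re.compile(r"^Src IP: (\S+)$", re.M)

def parse_alerts(text):
    """Split on '** Alert' headers; return one dict per well-formed alert."""
    alerts = []
    for block in re.split(r"^\*\* Alert ", text, flags=re.M)[1:]:
        rule = RULE_RE.search(block)
        if not rule:  # truncated entry (e.g. still being written): skip, don't crash
            continue
        src = SRC_RE.search(block)
        alerts.append({"rule_id": int(rule.group(1)), "level": int(rule.group(2)),
                       "description": rule.group(3),
                       "src_ip": src.group(1) if src else None})
    return alerts

def alerts_at_or_above(alerts, threshold):
    """Alerts whose level meets the threshold (e.g. page on 7+, dashboard the rest)."""
    return [a for a in alerts if a["level"] >= threshold]

def count_by_src_ip(alerts):
    """Alerts per source IP; syscheck alerts carry no Src IP and are skipped."""
    return Counter(a["src_ip"] for a in alerts if a["src_ip"])
```

Running it against the three sample entries keeps the level 10 brute force and the level 7 integrity alert at a threshold of 7, while the single level 5 failed login stays on the dashboard only.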
Conclusion of OSSEC Host Based Intrusion Detection
- Prevention of a security incident is ideal, but detection is a must, and OSSEC will help with that
- Host Based Intrusion Detection is one of the key elements when aiming for “defence in depth” of an Internet facing critical server
- OSSEC is a handy and feature rich Host Based Intrusion Detection system with active response capabilities
- Alerts from OSSEC can be sent to you via email or Slack, or you can visualise them, for example with Splunk
- I am sure you will have serious fun with OSSEC and its configuration capabilities if you haven’t tried it before and you like exploring Linux server related stuff