PerezBox

Tony Perez On Security, Business, And Life


OSSEC For Website Security: PART II – Distributed Architectures Using Agents and Managers

Published in Security on November 30, 2018

This article assumes you already have OSSEC deployed. If you need a refresher, refer to Part I of OSSEC for Website Security, written in March 2013.

OSSEC is a popular open-source Host Intrusion Detection System (HIDS). It was founded by Daniel Cid and is currently maintained by a very large community of security professionals. Please note that I don’t run my installations off the official repo; instead I run directly off Daniel’s repo (instructions in the last post).

In the following series I’m going to share the foundational elements of my OSSEC deployments. This article places emphasis on the importance of deploying a distributed architecture, making use of the Agent / Manager options. In future articles you can expect insights into the best way to configure OSSEC for CMS applications like WordPress, tuning the engine to make use of the alerts, and notifications.

If you have questions, don’t hesitate to ask.



Forensics: Analyzing a WordPress Attack / Hack

Published in Security on November 8, 2013

Recently one of our honeypots was hit by an attacker, and in the process we were able to gather a good deal of intelligence on the actions taken by the attacker.

I write up and detail the forensics of the attack in my latest post for Sucuri: Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I. My goal is to put out a Part II next week in which we break down the shell used.

All in all, it was pretty interesting and amusing at the same time. Any questions or insights, let me know.


OSSEC: Stop Agent Email Notifications from Being Grouped

Published in Security on August 22, 2013

This is a quick post for those of you who manage multiple agents under your manager: there might be instances where your email notifications group notifications from different agents together.

This has to do with two things:

  1. Number of emails sent in an hour
  2. Grouping setting is On

Default Max Emails

By default, OSSEC has a max email setting in its configuration. When it reaches the max, it groups all remaining alerts and sends them in a single email. In this instance it bundles them all together, which leads to messages from different agents being bundled into one notification.


OSSEC – Detecting New Files – Understanding How it Works

Published in Security on July 27, 2013

I recently saw some discussion on the OSSEC distribution list from someone having an issue getting OSSEC syscheck to work right in real-time. It reminded me of a similar issue I had with my own configuration, and of others I have read about, so I figured I’d write something to shed light on how OSSEC’s syscheck works in real-time. Thanks of course to Dani for the assist.

Syscheck – Integrity Checking Daemon

If you’re familiar with OSSEC, then you know syscheck; if you’re not, then this section will get you caught up – I hope.

Syscheck is the integrity checking daemon within OSSEC. Its purpose is simple: identify and report on changes to system files. The way it works is simple too. When you first install OSSEC it runs an initial syscheck scan, which captures the checksum of every file on the system (every file you have identified in your configuration file, /var/ossec/etc/ossec.conf). Once the baseline is set, syscheck performs change detection by comparing the checksums from each subsequent scan against it. If a checksum is not a one-for-one match, it reports a change. If new files are added, it identifies them as new and reports them.

Simple, right? Right…


OSSEC – Error: PostgreSQL client libraries not installed.

Published in Security on May 10, 2013

I was playing with OSSEC HIDS this afternoon, trying to get it configured to work with MySQL, and when I ran make on the DB setup I got this error:

Error: PostgreSQL client libraries not installed.

I was a bit frustrated with it; it seems as if it requires both the MySQL and PostgreSQL client libraries to be installed to finish compiling. To get around this, just install PostgreSQL; that seems to do the trick.


Curious to See a DDOS in Action?

Published in Security on April 26, 2013

I’ve always wondered what a Distributed Denial of Service (DDOS) really looks like. Fortunately, there is now this pretty awesome video illustration of what it looks like:


OSSEC For Website Security: Part I

Published in Security on March 13, 2013

OSSEC HIDS is my preferred host-based intrusion detection system (HIDS). I have to admit I am a bit partial to it because my good friend Daniel Cid built it and sold it to Trend Micro / Third Brigade back in 2008. I have what many don’t have: the ability to pester Daniel until he tells me and guides me through all my issues. In the process I have learned a number of things and made some very interesting observations about the product, and here is where I will be sharing them.

Since my focus is on website security, my employment and utilization of the product will be as such. I won’t talk much about the configuration and monitoring of large-scale enterprises, but I will likely get into large n-tier implementations of web enterprises. This could include the utilization of load balancers, web servers and database servers, and possibly some storage devices. Pretty straightforward stuff.


OSSEC Agent to Server Connection Issues

Published in Security on October 9, 2012

So naturally, as of late, I have found myself doing more than I probably need to on my servers and in the process causing more headaches than required. One of those issues has been the communication between my agents and the mother-ship (command and control) server in my OSSEC installs. For more detailed information, be sure to check out the OSSEC Host-Based Intrusion Detection Guide by Daniel.

The first thing to understand is how to check the status of your agents, and the easiest way to do that is to run the following on the server install (my mothership):

# /var/ossec/bin/agent_control -lc

This will list out all your agents, and if they are active it’ll read Active. If they are inactive, unfortunately they don’t read Inactive; they just don’t show up.

Copyright © 2021 Tony Perez, PerezBox. All Rights Reserved