
How to do it...

Now that the server is ready, we'll have to double-check the remote namespace in the /var/ossec/etc/ossec.conf file:

  1. To configure the remote daemon so that it can communicate with the agents, make sure the following configuration is in place:
    <remote>
      <connection>secure</connection>
      <allowed-ips>192.168.0.0/23</allowed-ips>
    </remote>
  2. Another key setting in server mode is the whitelist for active response. Set it up now as illustrated in the following configuration, even if you don't plan on utilizing the active response:
    <global>
      <!-- Our LAN -->
      <white_list>192.168.0.0/23</white_list>
      <!-- MS Exchange Server -->
      <white_list>1.2.3.4</white_list>
    </global>
  3. We will then verify and configure our e-mail settings as follows:
      <global>
        <email_notification>yes</email_notification>
        <email_to>security.alerts@example.com</email_to>
        <smtp_server>localhost</smtp_server>
        <email_from>ossecm@server.example.com</email_from>
      </global>
  4. We can then establish our basic e-mail and log thresholds as follows:
      <alerts>
        <log_alert_level>1</log_alert_level>
        <email_alert_level>7</email_alert_level>
      </alerts>
  5. Don't forget to restart the server for the changes to take effect:
    $ sudo /var/ossec/bin/ossec-control restart
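
Before restarting, the settings from steps 1 to 4 can be checked mechanically. The following script is an added example, not code from the book or from the OSSEC project: `audit` and `nets` are hypothetical helper names, the sample configuration is constructed from the values shown above, and the rule that every `<allowed-ips>` network must also be covered by a `<white_list>` entry is an assumption that mirrors this recipe's setup. Entries are expected to be IP addresses or CIDR blocks; anything else raises `ValueError`.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the settings from steps 1 to 4.
SAMPLE = """<ossec_config>
  <remote><connection>secure</connection>
    <allowed-ips>192.168.0.0/23</allowed-ips></remote>
  <global>
    <white_list>192.168.0.0/23</white_list>
    <white_list>1.2.3.4</white_list>
    <email_notification>yes</email_notification>
    <email_to>security.alerts@example.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossecm@server.example.com</email_from>
  </global>
  <alerts><log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level></alerts>
</ossec_config>"""

def nets(root, path):
    """Return every IP/CIDR value found at `path` as ip_network objects."""
    return [ipaddress.ip_network(e.text.strip(), strict=False)
            for e in root.iterfind(path) if e.text and e.text.strip()]

def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    try:  # the file may hold several <ossec_config> blocks, so wrap them
        root = ET.fromstring("<root>" + conf_text + "</root>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    out = []
    if not any((r.findtext("connection") or "").strip() == "secure"
               for r in root.iter("remote")):
        out.append("no <remote> block uses <connection>secure</connection>")
    allowed, white = nets(root, ".//remote/allowed-ips"), nets(root, ".//global/white_list")
    if not allowed:
        out.append("<remote> has no <allowed-ips> entry")
    for a in allowed:  # assumption: agent networks must be whitelisted too
        if not any(a.version == w.version and a.subnet_of(w) for w in white):
            out.append(f"{a} is in <allowed-ips> but not covered by <white_list>")
    if (root.findtext(".//global/email_notification") or "").strip() == "yes":
        for tag in ("email_to", "smtp_server", "email_from"):
            if not (root.findtext(f".//global/{tag}") or "").strip():
                out.append(f"email_notification is yes but <{tag}> is missing")
    for tag in ("log_alert_level", "email_alert_level"):
        val = (root.findtext(f".//alerts/{tag}") or "").strip()
        if not val.isdecimal() or not 1 <= int(val) <= 16:
            out.append(f"<{tag}> must be an integer from 1 to 16, got {val!r}")
    return out
```

To check a live server, pass the contents of /var/ossec/etc/ossec.conf to `audit()` and review any findings before running the restart command.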
    