When setting up any system analyzer, we want to keep track of every event that happens on our machines. The best way to do that is email alerts: every time the application raises an alert, it forwards a copy to your mailbox.
By default, applications like OSSEC support only a local mail server. But what if we don't have one? What if we only use services like Gmail, Yahoo, etc.? In that case we can build a mail relay listening on port 25 for the applications to use.
What is OSSEC?
OSSEC is a HIDS, a host-based intrusion detection system. It has a client-server architecture: you connect all your nodes as agents to one server (the manager) and watch their activity from there. OSSEC tracks system actions that look malicious, such as repeated SSH authentication attempts or a change to the /etc/passwd file. The main OSSEC subjects are:
- log file analysis (for example /var/log/auth.log, to analyse SSH connections);
- file integrity monitoring (an alert is sent when a file's MD5 checksum changes). This is useful for watching the PATH directories from which you run commands;
- rootkit detection. OSSEC generates an alert when something strange happens in your system.
OSSEC has many more features than those described here. To get started, it is best to read the software documentation.
Install the ssmtp and postfix packages from your package manager. Depending on the distribution, that could be:
sudo apt-get install -y ssmtp mailutils postfix
sudo yum install -y ssmtp mailutils postfix
Add the following lines to your ssmtp configuration at /etc/ssmtp/ssmtp.conf. Note that this file holds the account password in plain text, so keep it readable by root only.
AuthUser=email@example.com
AuthPass=your_strong_password
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
Now the local postfix server can use these credentials to ship alerts through the Gmail account automatically.
Send test email
Try the mail command. It should use port 25 to deliver the test email.
echo "This is a test" | mail -s "Test" firstname.lastname@example.org
Look at your mail inbox to verify that it works.
Open the main OSSEC config /var/ossec/etc/ossec.conf and change the email settings in the global section:
<global>
  <email_notification>yes</email_notification>
  <email_from>email@example.com</email_from>
  <smtp_server>localhost</smtp_server>
  <email_to>firstname.lastname@example.org</email_to>
</global>
Yes, you have to point to localhost as the SMTP server. Don't worry! The local postfix will redirect all delivery requests to the Gmail user set in ssmtp.
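The two slips that most often break this setup are a mailhub without TLS (the Gmail password then crosses the network in clear text) and an smtp_server in ossec.conf that is not localhost. The following checker is an added example, not part of the original post or of OSSEC or ssmtp; the sample configs it embeds are constructed from the values above, and the cross-check between email_from and AuthUser is an assumption about how Gmail treats the From header.

```python
import xml.etree.ElementTree as ET
# Constructed sample inputs mirroring the values used on this page.
SSMTP_CONF = """\
AuthUser=email@example.com
AuthPass=your_strong_password
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
"""
OSSEC_CONF = """\
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_from>email@example.com</email_from>
    <smtp_server>localhost</smtp_server>
    <email_to>firstname.lastname@example.org</email_to>
  </global>
</ossec_config>
"""

def parse_ssmtp(text):
    """Parse key=value lines (with '#' comments); keys lower-cased for lookup."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def check_ssmtp(conf):
    """Relay-side findings; an empty list means the settings look sane."""
    findings = [f"missing {k}" for k in ("authuser", "authpass", "mailhub") if not conf.get(k)]
    if conf.get("mailhub", "").rpartition(":")[2] not in ("587", "465"):
        findings.append("mailhub should target the submission port 587 (or 465)")
    if "YES" not in (conf.get("usestarttls", "").upper(), conf.get("usetls", "").upper()):
        findings.append("no TLS: AuthPass would cross the network in clear text")
    return findings
def check_ossec(text, ssmtp_conf):
    """OSSEC-side findings. A real ossec.conf may hold several top-level
    <ossec_config> blocks, so wrap them in one root before parsing."""
    findings = []
    for g in ET.fromstring("<root>" + text + "</root>").iter("global"):
        if (g.findtext("email_notification") or "").lower() != "yes":
            findings.append("email_notification is not 'yes'")
        if g.findtext("smtp_server") != "localhost":
            findings.append("smtp_server must be localhost so the local relay delivers")
        if g.findtext("email_from") != ssmtp_conf.get("authuser"):
            findings.append("email_from differs from AuthUser; Gmail may rewrite From")
    return findings
```

Run it against your own files by passing their contents in place of the two constructed strings; any line it reports is worth fixing before restarting OSSEC.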
After changing the configuration, restart the OSSEC service to apply it.
sudo service ossec restart
...or, on CentOS/Debian:
sudo systemctl restart ossec
Check the mail inbox
Now you should receive security alerts generated by OSSEC.
This is especially useful if you have configured OSSEC agents on your nodes. The alert shown here is just a file integrity alert. In this case it is not a big deal, because I have a daily mysqldump backup running at that time. But sometimes this sort of event will be unexpected. Watch out for such events: if binary files or configs in /etc are modified unexpectedly, it probably means an attack.
Will it work with other applications?
Generally, yes. For security reasons you can also set up Fail2ban to block attacks from a single IP. It also provides email alerts and also needs something listening on port 25. The same applies to almost every application that sends alerts, such as monitoring systems, cron, etc.