Configure OSSEC to send alerts from Gmail

When setting up any system analyzer, we want to keep track of every event that happens on our machines. The best way to do that is email alerts: every time the application raises an alert, it forwards a copy to your mailbox.

By default, applications like OSSEC support only a local mail server. But what if we don't have one, and use only services like Gmail, Yahoo, etc.? In that case we can build a mail relay listening on port 25 for applications to use.

What is OSSEC?

OSSEC is a HIDS, a host-based intrusion detection system. The software has a client-server architecture: you connect all your nodes as agents to one server (the manager) and watch their activity from there. OSSEC tracks system actions suspected to be malicious, such as multiple SSH authentication attempts or a change to the /etc/passwd file. The main OSSEC functions are:

  • log file analysis (for example /var/log/auth.log to analyse SSH connections);
  • file integrity monitoring (sends an alert when a file's MD5 checksum changes). Useful for monitoring the PATH directories from which you run commands;
  • rootkit detection. OSSEC generates an alert when something strange happens in your system.

OSSEC has many more features than described here. To get started, you should read the software documentation.

Setup packages

Just find the ssmtp, mailutils and postfix packages in your package manager. It could be…

sudo apt-get install -y ssmtp mailutils postfix

…or…

sudo yum install -y ssmtp mailutils postfix

Configure ssmtp

Add the following lines to your ssmtp configuration at /etc/ssmtp/ssmtp.conf:

AuthUser=youruser@gmail.com
AuthPass=your_strong_password
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES

Now the postfix server can use these credentials so that the Gmail account ships alerts automatically.

Send test email

Try the mail command. It should use port 25 to send the test email:

echo "This is a test" | mail -s "Test" myuser@gmail.com

Check your inbox to verify that it works.

Configure OSSEC

Open the main OSSEC config /var/ossec/etc/ossec.conf and change the email settings in the <global> section:

    <global>
      <email_notification>yes</email_notification>
      <email_to>alert_user@gmail.com</email_to>
      <smtp_server>localhost</smtp_server>
      <email_from>relay_user@gmail.com</email_from>
    </global>

Yes, you have to point to localhost as the SMTP server. Don't worry: the local postfix will redirect all delivery requests to the Gmail account set in ssmtp.

After configuring, restart the OSSEC service to apply the changes:

sudo service ossec restart

…or, on systemd-based CentOS/Debian…

sudo systemctl restart ossec
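The mail chain above has two places to get wrong: ssmtp.conf (which holds the Gmail credentials, so it should not be world-readable) and the <global> block of ossec.conf. The following added example, not part of the original post, parses both files and reports the misconfigurations that most often break or weaken the relay; the sample config texts are constructed to mirror the post's settings.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the post (placeholder credentials, not real).
SSMTP_CONF = """\
AuthUser=youruser@gmail.com
AuthPass=your_strong_password
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
"""

OSSEC_CONF = """\
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>alert_user@gmail.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>relay_user@gmail.com</email_from>
  </global>
</ossec_config>
"""

def parse_ssmtp(text):
    """Return key/value pairs from an ssmtp.conf body; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_relay(ssmtp_text, ossec_text):
    """Return a list of problems found in the ssmtp -> postfix -> OSSEC mail chain."""
    problems = []
    s = parse_ssmtp(ssmtp_text)
    host, _, port = s.get("mailhub", "").partition(":")
    if host != "smtp.gmail.com" or port not in ("587", "465"):
        problems.append("mailhub should be smtp.gmail.com:587 (submission port)")
    if s.get("UseSTARTTLS", "").upper() != "YES":
        problems.append("UseSTARTTLS=YES missing: credentials would be sent in clear text")
    if not s.get("AuthUser") or not s.get("AuthPass"):
        problems.append("AuthUser/AuthPass not set")
    # A real ossec.conf may contain several <ossec_config> roots, so wrap it first.
    g = ET.fromstring("<root>" + ossec_text + "</root>").find(".//global")
    if g is None or (g.findtext("email_notification") or "").lower() != "yes":
        problems.append("OSSEC email_notification is not 'yes'")
    if g is not None and g.findtext("smtp_server") not in ("localhost", "127.0.0.1"):
        problems.append("OSSEC smtp_server must point at the local relay (localhost)")
    if g is not None and not g.findtext("email_to"):
        problems.append("OSSEC email_to is empty")
    return problems
```

Because ssmtp.conf stores the Gmail password in plain text, keep it readable only by root and the mail group (for example mode 640) after running the check.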

Check the mail inbox

Now you should receive the security alerts generated by OSSEC.

[Screenshot: an OSSEC file integrity alert received in the Gmail inbox]

This is even more useful if you configure OSSEC agents on your nodes. The alert shown is just a file integrity alert. This event is not a big deal, because I have a daily mysqldump backup running at that time. But sometimes this sort of event will be unexpected. Watch out for these: if binaries or configs in /etc are modified unexpectedly, it probably means an attack.

Will it work with other applications?

Generally, yes. For security you can also configure Fail2ban to block attacks from a single IP; it also provides email alerts and also needs port 25 listening. The same goes for almost every application that sends alerts: monitoring systems, cron, etc.
