Instant OSSEC Host-based Intrusion Detection System

How to do it...

Now that the server is ready, we'll have to double-check the remote namespace in the /var/ossec/etc/ossec.conf file:

  1. To configure the remote daemon so that agents can communicate with the server, make sure the following block is present:
    <remote>
      <connection>secure</connection>
      <allowed-ips>192.168.0.0/23</allowed-ips>
    </remote>
  2. Another key setting in server mode is the whitelist for active response. Set it up now, as shown in the following configuration, even if you don't plan to use active response:
    <global>
      <!-- Our LAN -->
      <white_list>192.168.0.0/23</white_list>
      <!-- MS Exchange Server -->
      <white_list>1.2.3.4</white_list>
    </global>
  3. We will then verify and configure our e-mail settings as follows:
    <global>
      <email_notification>yes</email_notification>
      <email_to>security.alerts@example.com</email_to>
      <smtp_server>localhost</smtp_server>
      <email_from>ossecm@server.example.com</email_from>
    </global>
  4. We can then establish our basic e-mail and log thresholds as follows:
    <alerts>
      <log_alert_level>1</log_alert_level>
      <email_alert_level>7</email_alert_level>
    </alerts>
  5. Don't forget to restart the server for the changes to take effect:
    $ sudo /var/ossec/bin/ossec-control restart
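As an added check that is not part of the book, the following Python script parses the server-side settings from an ossec.conf and flags the mistakes the steps above guard against: an unencrypted agent channel, agent ranges that the active-response whitelist does not cover, incomplete e-mail settings, and inconsistent alert levels. It assumes the file carries no <?xml ?> declaration and that addresses are written in CIDR or plain-IP form; the sample configuration is constructed from the recipe's values.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the recipe's server-side settings inside one <ossec_config> root.
SAMPLE_CONF = """<ossec_config>
  <remote><connection>secure</connection><allowed-ips>192.168.0.0/23</allowed-ips></remote>
  <global>
    <white_list>192.168.0.0/23</white_list><white_list>1.2.3.4</white_list>
    <email_notification>yes</email_notification><email_to>security.alerts@example.com</email_to>
    <smtp_server>localhost</smtp_server><email_from>ossecm@server.example.com</email_from>
  </global>
  <alerts><log_alert_level>1</log_alert_level><email_alert_level>7</email_alert_level></alerts>
</ossec_config>"""

def _nets(root, tag):
    # Parse every <tag> value as an IP network; return (networks, unparsable values).
    nets, bad = [], []
    for e in root.iter(tag):
        try:
            nets.append(ipaddress.ip_network((e.text or "").strip(), strict=False))
        except ValueError:
            bad.append(e.text)
    return nets, bad

def check_server_config(text):
    """Return a list of findings; an empty list means every check passed.
    ossec.conf may hold several <ossec_config> roots, so wrap it in a synthetic root."""
    root = ET.fromstring("<root>" + text + "</root>")
    f = []
    if "secure" not in [e.text for e in root.iter("connection")]:
        f.append("remote: no <connection>secure</connection> for agents")
    allowed, bad = _nets(root, "allowed-ips")
    if not allowed or bad:
        f.append("remote: <allowed-ips> missing or not an IP/CIDR: %r" % bad)
    wl, bad = _nets(root, "white_list")
    if not wl or bad:
        f.append("global: <white_list> missing or not an IP/CIDR: %r" % bad)
    # Every agent range must be whitelisted, or active response can block your own hosts.
    for a in allowed:
        if not any(a.version == w.version and a.subnet_of(w) for w in wl):
            f.append("active-response: %s is not covered by <white_list>" % a)
    if root.findtext(".//email_notification") == "yes":
        for tag in ("email_to", "smtp_server", "email_from"):
            if root.find(".//%s" % tag) is None:
                f.append("global: email_notification=yes but <%s> is missing" % tag)
    lvl = {t: int(root.findtext(".//%s" % t, "-1")) for t in ("log_alert_level", "email_alert_level")}
    if not all(0 <= v <= 16 for v in lvl.values()) or lvl["email_alert_level"] < lvl["log_alert_level"]:
        f.append("alerts: levels must be 0-16 and email_alert_level >= log_alert_level")
    return f
```

Run it against the live file with `check_server_config(open("/var/ossec/etc/ossec.conf").read())` before restarting the server.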