Sunday, 26 May 2013

OSSEC Installation Steps.

1. Download the latest OSSEC source tarball from http://www.ossec.net/

cd /usr/local/src/
wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz

2. tar -xzvf ossec-hids-2.7.tar.gz

3. cd ossec-hids-2.7

4. ./install.sh

5. Follow the installer's prompts. A sample session looks like this:

OSSEC HIDS v2.7 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: FreeBSD example.com 9.0-RELEASE
- User: root
- Host: example.com
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
- Local installation chosen.

2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? < Your mail id>
- We found your SMTP server as: ALT1.ASPMX.L.GOOGLE.com.
- Do you want to use it? (y/n) [y]: y
--- Using SMTP server: ALT1.ASPMX.L.GOOGLE.com.

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: y
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]: y
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- 10.0.80.11
- 10.0.80.12
- Do you want to add more IPs to the white list? (y/n)? [n]: y
- IPs (space separated): <IP1> <IP2> likewise

3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/userlog
-- /var/log/security
-- /var/log/xferlog
-- /var/log/maillog
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
5- Installing the system
- Running the Makefile
.......
....
.
- System is FreeBSD.
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
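
The installer's closing note says extra log files are added as localfile entries in ossec.conf. Below is an added example (a helper of my own, not part of OSSEC) that inserts such an entry just before the closing </ossec_config> tag, skips a path that is already monitored, and writes through the existing file so its owner and mode survive. The /var/ossec/etc/ossec.conf path comes from the installer output above; the log paths in the comments are placeholders.

```shell
#!/bin/sh
# add_localfile CONF LOGFILE [LOG_FORMAT]
# Adds a <localfile> block for LOGFILE to the OSSEC config CONF unless that
# path is already listed. LOG_FORMAT defaults to syslog (OSSEC also knows
# apache, snort-full, squid, ...). Usage on a real box (assumed path):
#   add_localfile /var/ossec/etc/ossec.conf /var/log/secure
add_localfile() {
    conf=$1
    logfile=$2
    fmt=${3:-syslog}
    [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 2; }
    # -F: compare as a fixed string, the path contains regex metacharacters
    if grep -qF "<location>$logfile</location>" "$conf"; then
        echo "already monitored: $logfile" >&2
        return 0
    fi
    tmp=$(mktemp) || return 1
    # Emit the new block right before </ossec_config>, then copy the
    # original line through unchanged.
    awk -v lf="$logfile" -v fmt="$fmt" '
        /<\/ossec_config>/ {
            print "  <localfile>"
            print "    <log_format>" fmt "</log_format>"
            print "    <location>" lf "</location>"
            print "  </localfile>"
        }
        { print }' "$conf" > "$tmp"
    # Refuse to touch the config if no closing tag was found to anchor on.
    if ! grep -qF "<location>$logfile</location>" "$tmp"; then
        echo "no </ossec_config> tag in $conf, nothing changed" >&2
        rm -f "$tmp"
        return 1
    fi
    # cat > (not mv) keeps the file's owner and mode (root:ossec 640).
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# monitored_files CONF : list every <location> currently configured,
# a quick check to run after editing and before restarting OSSEC.
monitored_files() {
    sed -n 's/.*<location>\(.*\)<\/location>.*/\1/p' "$1"
}
```

After adding entries, restart with /var/ossec/bin/ossec-control restart and watch /var/ossec/logs/ossec.log for "Analyzing file" lines to confirm the new paths were picked up.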

Friday, 17 May 2013

Delete Files Older Than x Days on Linux

Command Syntax

find /path/to/files* -mtime +5 -exec rm {} \;


Explanation

The first argument is the path to the files. This can be a path, a directory, or a wildcard as in the example above. I would recommend using the full path, and running the command first without the -exec rm part to make sure you are getting the right results.

The second argument, -mtime, specifies the age of the file in days. If you enter +5, it will find files last modified more than 5 days ago.

The third argument, -exec, allows you to pass in a command such as rm. The {} is replaced by each matching file name, and the \; at the end is required to terminate the command.
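
As an added example (my own wrapper, not from the original post), here is the same find pattern packaged so that the dry run recommended above is the default and deletion only happens on an explicit "apply". It also adds -type f, so a directory whose mtime happens to be old is never removed, and uses -exec rm {} + so file names with spaces are handled.

```shell
#!/bin/sh
# purge_old_files DIR DAYS [apply]
#   Lists regular files under DIR last modified more than DAYS days ago.
#   Only deletes them when the third argument is the literal word "apply",
#   so the default run is the "check the results first" pass.
purge_old_files() {
    dir=$1
    days=$2
    mode=${3:-dryrun}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    case $days in
        ''|*[!0-9]*) echo "days must be a non-negative integer" >&2; return 2 ;;
    esac
    if [ "$mode" = apply ]; then
        # -type f: never remove directories or special files.
        # -exec ... {} +: batches names into one rm call and is safe for
        # names containing spaces, unlike piping into xargs rm.
        find "$dir" -type f -mtime "+$days" -exec rm -f -- {} +
    else
        find "$dir" -type f -mtime "+$days" -print
    fi
}

# count_old_files DIR DAYS : how many files the purge would remove,
# a quick sanity check before passing "apply".
count_old_files() {
    purge_old_files "$1" "$2" | wc -l | tr -d ' '
}

# Example (placeholder path): preview, then delete.
#   purge_old_files /var/log/myapp 5
#   purge_old_files /var/log/myapp 5 apply
```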

Saturday, 4 May 2013

Postfix Commands

View the postfix version
# postconf mail_version
mail_version = 2.3.3

Check the postfix installation
# postfix check

Show default postfix values
# postconf -d

Show non-default postfix values
# postconf -n

To restart the postfix mail server
# postfix reload

Flush the mail queue
# postfix flush
Or you can use:
# postfix -f

To see the mail queue
# mailq
(in sendmail: sendmail -bp)
# mailq | wc -l
(will give the total number of lines, roughly the number of mails in the queue)

To remove all mail from the queue
# postsuper -d ALL

To remove all mails in the deferred queue
# postsuper -d ALL deferred

To see the mails in a tree structure
# qshape

View the mail content
# postcat -q AFD4A22837C
You will get the above queue ID from mailq. Or you can view the mails in the postfix mail spool: usually postfix stores them under /var/spool/postfix/active/, and from that location you can also view the mails. The queue directory can be changed in the postfix conf.

Sort by from address
# mailq | awk '/^[0-9,A-F]/ {print $7}' | sort | uniq -c | sort -n

To remove all mails sent by user@adminlogs.info from the queue
# mailq | grep '^[A-Z0-9]' | grep user@adminlogs.info | cut -f1 -d' ' | tr -d \* | postsuper -d -

To remove all mails being sent using the From address "user@adminlogs.info"
# mailq | awk '/^[0-9,A-F].*user@adminlogs.info / {print $1}' | cut -d '!' -f 1 | postsuper -d -

To remove all mails sent by the domain adminlogs.info from the queue
# mailq | grep '^[A-Z0-9]' | grep @adminlogs.info | cut -f1 -d' ' | tr -d \* | postsuper -d -
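
Below is an added example (my own helper functions, not from the original post) that wraps the queue one-liners above so they can be tried on a constructed sample of mailq output instead of a live queue. It handles the "*" (active) and "!" (on hold) markers mailq appends to a queue ID, which is what the tr -d \* and cut -d '!' steps above are for, and it matches the sender field exactly rather than with a loose grep, so user@adminlogs.info.example does not get caught by mistake. It assumes the default short, upper-case hex queue IDs; with enable_long_queue_ids the ID pattern would need widening.

```shell
#!/bin/sh
# Each helper reads mailq output on stdin. A queue entry's first line is:
#   <ID>[*|!]  <size>  <Dow> <Mon> <dd> <hh:mm:ss>  <sender>
# so the sender is field 7. Indented lines are recipients/errors, the
# header starts with "-" and the footer with "--": none of those match.
ID_LINE='/^[0-9A-F]+[*!]? /'

# queue_ids_for_sender ADDRESS : IDs whose envelope sender is exactly ADDRESS,
# with the */! marker stripped so the list can go straight to postsuper -d -.
queue_ids_for_sender() {
    awk -v who="$1" "$ID_LINE"' && $7 == who { sub(/[*!]$/, "", $1); print $1 }'
}

# queue_ids_for_domain DOMAIN : IDs whose sender is anyone @DOMAIN.
queue_ids_for_domain() {
    awk -v dom="$1" "$ID_LINE"' && substr($7, index($7, "@") + 1) == dom {
        sub(/[*!]$/, "", $1); print $1 }'
}

# sender_histogram : messages per sender, ascending (the "sort by from address" line).
sender_histogram() {
    awk "$ID_LINE"' { print $7 }' | sort | uniq -c | sort -n
}

# queue_size : number of queued messages (mailq | wc -l also counts recipient lines).
queue_size() {
    awk "$ID_LINE"' { n++ } END { print n + 0 }'
}

# Constructed sample of mailq output for an offline run (not real queue data).
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
AFD4A22837C     1234 Mon Jan  1 12:00:00  user@adminlogs.info
 (connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         someone@example.net

B1C2D3E4F5A*    5678 Mon Jan  1 12:05:00  other@example.org
                                         dest@example.com

C2D3E4F5A6B!     910 Mon Jan  1 12:10:00  user@adminlogs.info
                                         held@example.com

-- 7 Kbytes in 3 Requests.'

# Offline demo. On a real server the equivalent is:
#   mailq | queue_ids_for_sender user@adminlogs.info | postsuper -d -
demo() {
    printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_for_sender user@adminlogs.info
}
```

Run queue_ids_for_sender (or queue_ids_for_domain) on its own first and look at the IDs it prints; only then add the "| postsuper -d -" stage, since postsuper deletes without asking.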

Test your own Mailserver against attacks
telnet mail-abuse.org