OSSEC

Does anyone use OSSEC with Virtualmin? What is your experience? Or is there another solution for intrusion protection?

Best and thank you.

I have used OSSEC for some time, and I like it a lot. In particular I use it with APF firewall to block the IPs of bad guys up to no good.

You say “… with virtualmin”. Really, OSSEC has no relationship with Virtualmin, I’d say. Compatibility issues don’t arise.

Very good. Thank you. I installed it in the meantime, and found out that it sends me a bunch of emails every day, each talking about Webmin/Virtualmin file changes. I had installed the server edition, and will move on to the agent as well. How do you deal with that? And wouldn’t it make sense to have a Virtualmin module for OSSEC? :wink:
Best
j_m

Yes, it’s important to get the right level of warnings. Too many and it’s “cry wolf”!

In OSSEC you can tune that. First, you can decide globally at what level you want to get email alerts, e.g. “only level 10” or something. Then, secondly, you can modify the warning levels that different events trigger. So that should help, no?

I am wondering. I added a new virtual server yesterday, and this morning I did a software upgrade for Webmin and Virtualmin. Around 14 hrs later OSSEC comes up with a bunch of error messages like this:

OSSEC HIDS Notification.
2015 May 13 21:02:57

Received From: backup->syscheck
Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
Portion of the log(s):

Integrity checksum changed for: '/etc/webmin/miniserv.users'
Size changed from '256' to '258'
Old md5sum was: 'ee9e920ad3e854da55e31b8eecf97c45'
New md5sum is : '2eb1357e068d6a7ee8ac784faca55f33'
Old sha1sum was: 'd6453ed3ca35bcf76ecb46dd2bda495a79c99311'
New sha1sum is : '29dc6441aee1f11c98e75d35ddf62f0a9a1850cf'

--END OF NOTIFICATION

Would that be safe to ignore, since it is level 7, or do I have a problem here which I have to solve, and how?

Shouldn’t it report the file changes immediately instead of 14 hrs later?

Perhaps someone can shed a little light on that :slight_smile:

Thanks and best
j_m

Looking at that, I would say there is nothing you need to do as regards that warning.

You can configure the frequency of checksum change alerts. Check out: http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/

(For help with OSSEC, I think your best bet may be to try an OSSEC forum for support. OSSEC is not a part of Virtualmin.)
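The two tuning knobs mentioned in this thread (a global email threshold plus per-rule level changes, and the syscheck scan frequency) look like this in configuration. This is an added example, not from the thread or from the OSSEC project; it assumes a stock OSSEC 2.x install with its configuration in /var/ossec/etc/ossec.conf and local rules in /var/ossec/rules/local_rules.xml, and it treats a change to /etc/webmin/miniserv.users as the expected result of adding a Virtualmin virtual server. The rule id 100100 is a locally chosen id from the 100000-119999 range reserved for local rules.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment): alert thresholds and syscheck timing -->
<ossec_config>
  <alerts>
    <!-- Everything at level 1 and above is still written to
         /var/ossec/logs/alerts/alerts.log, so the audit trail is kept. -->
    <log_alert_level>1</log_alert_level>
    <!-- Only level 10 and above is emailed (the "only level 10" idea above).
         Rule 552 from the notification is level 7, so it no longer mails. -->
    <email_alert_level>10</email_alert_level>
  </alerts>

  <syscheck>
    <!-- The default scan interval is 79200 s (22 h), which is why a change
         shows up many hours after it happened. 2 h here; realtime="yes"
         (inotify) reports changes as they occur where the build supports it. -->
    <frequency>7200</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
  </syscheck>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (fragment): downgrade, do not silence,
     the expected change to the Webmin users file. -->
<group name="local,syscheck,">
  <!-- Child of the syscheck rules (550-554): same file, lower level.
       Level 3 stays in alerts.log but sits below the email threshold;
       level 0 would drop the event entirely, losing the record. -->
  <rule id="100100" level="3">
    <if_group>syscheck</if_group>
    <match>/etc/webmin/miniserv.users</match>
    <description>Webmin users file changed (expected when a virtual server is added); logged, not emailed.</description>
  </rule>
</group>
```

After editing both files, restart with /var/ossec/bin/ossec-control restart. The point of the local rule is to keep the change visible in alerts.log rather than ignoring the file outright: a modification to miniserv.users that does not coincide with an administrative action is exactly the kind of event a file integrity monitor exists to record.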