Greetings,
The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.
Samhain has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a standalone application on a single host.
Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).
First of all, install Postfix with "No Configuration" selected, then reconfigure it:
# dpkg-reconfigure postfix
General type of mail configuration: Internet Site
System mail name: localhost
Root and postmaster mail recipient: anyname (e.g. John)
Other destinations for mail: (your hostname), localhost.localdomain, localhost
Force synchronous updates on mail queue?: No
Local networks: 127.0.0.0/8
(Yes doesn't appear to be requested in the current config)
Mailbox size limit (bytes): 0
Local address extension character: +
Internet protocols to use: all
You can find these settings explained here: https://help.ubuntu.com/community/Postfix
Once Postfix is configured, we need to reconfigure it so that we can receive our email notifications in our Gmail, Yahoo Mail, Hotmail, etc. account.
This is one of the best links that guided me in redirecting my local mail to Gmail:
https://help.ubuntu.com/community/GmailPostfixFetchmail
After you finish that process, don't forget to test it, but before that you need to install the mail client tools:
# apt-get install mailutils heirloom-mailx
Then use the following to see if you receive the mail in Gmail, Yahoo Mail, etc.:
# echo 'Testing Testing' | mail -s 'This is Test mail' your@mailaddress.com
If this works, you are ready to configure AIDE, Samhain and OSSEC.
For now I'll talk about Samhain
# vim /etc/samhainrc
First just configure what you want Samhain to scan and comment out the files and directories that don't exist on your system, then initialise the database:
# samhain -t init
Now run a check in the foreground so you can see any warning messages; without --foreground it runs as a daemon:
# samhain -t check -p warn --foreground
It will give a few warnings and alerts; now you're ready to configure the email part.
The reason we will get an email notification is that we have already created the database baseline,
and now we are going to edit /etc/samhainrc. This changes the file's ctime, mtime, checksum, etc., and Samhain treats that as very serious because its main configuration file itself is being changed. But we want to see a notification, which is why we do it now.
Remember that the mail relay address must be 127.0.0.1 (the local Postfix), and now make these changes:
MailSeverity=warn
SetMailAddress=xxxxxxx@gmail.com
SetMailRelay = 127.0.0.1
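Before re-running the check, it is worth confirming that the three mail keys actually made it into the file in a form Samhain will accept. The script below is an added example and not part of the original post or of Samhain itself: it reads any samhainrc-style file, tolerates both "Key=value" and "Key = value" spacing, skips comment lines, and flags the placeholder address from the post, a missing or "none" severity, and a relay other than the local Postfix at 127.0.0.1 (the rule this post gives). The configuration fragment it checks in the demo at the bottom is constructed for the example, not a real system file.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the mail
# settings in a samhainrc file.  Assumes the three keys the post sets
# (MailSeverity, SetMailAddress, SetMailRelay) and that the relay is the
# local Postfix on 127.0.0.1, as the post prescribes.

# Print the value of key $2 from file $1.  Accepts "Key=value" and
# "Key = value", skips comment lines, matches the key case-insensitively.
rc_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# Return 0 when the file can produce mail alerts, 1 otherwise.
# Each problem found is printed on stdout.
check_mail_config() {
    rc="$1"; status=0
    sev=$(rc_get "$rc" MailSeverity)
    addr=$(rc_get "$rc" SetMailAddress)
    relay=$(rc_get "$rc" SetMailRelay)

    case "$sev" in
        "")   echo "MailSeverity is not set"; status=1 ;;
        none) echo "MailSeverity=none disables mail"; status=1 ;;
    esac
    case "$addr" in
        "")        echo "SetMailAddress is not set"; status=1 ;;
        xxxxxxx@*) echo "SetMailAddress still holds the placeholder"; status=1 ;;
        *@*)       ;;
        *)         echo "SetMailAddress '$addr' is not an address"; status=1 ;;
    esac
    case "$relay" in
        127.0.0.1|localhost) ;;
        "") echo "SetMailRelay is not set"; status=1 ;;
        *)  echo "SetMailRelay=$relay is not the local Postfix (127.0.0.1)"; status=1 ;;
    esac
    return $status
}

# Demo on a constructed samhainrc fragment with the post's placeholder address.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
[Misc]
# mail settings as written in the post
MailSeverity=warn
SetMailAddress=xxxxxxx@gmail.com
SetMailRelay = 127.0.0.1
EOF
    if check_mail_config "$tmp"; then
        echo "$tmp: mail alerts should work"
    else
        echo "$tmp: fix the above before running samhain -t check"
    fi
    rm -f "$tmp"
}
demo
```

Run it as `check_mail_config /etc/samhainrc` from a root shell before the foreground check. Once you have seen the notification arrive, remember that the baseline still describes the old samhainrc, so every later check will keep reporting it; fold the edited file into the database with `samhain -t update` (or re-run `samhain -t init`) so that only genuinely new changes raise alerts.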
Now run the check again:
# samhain -t check -p warn --foreground
I'm 100% sure you're going to get an email notification right away.
Good. Enjoy Samhain!
«We have samhain running on over 200 servers being managed by beltane. Its working really well so far. Excellent software.»
-- Mike