Updated OSSEC Web UI 0.3 files for OSSEC 2.6

OSSEC is an open source HIDS (Host-based Intrusion Detection System), and a pretty darn good one too. It also has a simple web front-end to view what’s going on, search through alerts and stuff like that (called OSSEC Web UI, I’ll just call it “WUI” here). Unfortunately the code is a bit outdated (the last official update was from 2008 as far as I can tell) and it doesn’t support newer features of OSSEC like polling data from a database. Something I’d like to tackle if I find the time 😉

The latest version of OSSEC is 2.6, and due to some small changes to the format of the alert logs WUI no longer works out-of-the-box. I had a look at the code this weekend and am providing a patch, plus downloads of the changed files, to get everything running again with OSSEC 2.6.

List of changes:

  • Works with the OSSEC 2.6 alert log file format
  • Changed Rule ID Link to better work with the new documentation wiki
  • Added “user” field to alert output
  • Widened the layout by a few pixels (to 1000px) and changed the CSS / alert layout to make the individual alerts more readable
  • Moved some of the hardcoded formatting to CSS

Download: changed files
Download: patch
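To show what WUI has to deal with after the format change, here is an added Python example (not part of the WUI patch or of OSSEC’s own code) that parses alerts.log records into the fields the UI displays, including the new “user” field. The two sample alerts, the hostnames and IPs in them are constructed, and the record layout is my assumption of what OSSEC 2.x writes; a record that does not fit that layout is rejected rather than silently misparsed.

```python
import re
from typing import Dict, List

# Constructed sample in the alerts.log layout OSSEC 2.x writes (assumed here to match 2.6):
# one agent alert carrying "Src IP"/"User" lines, and one local syscheck alert without them.
SAMPLE_ALERTS = """\
** Alert 1315660497.10245: mail  - syslog,sshd,authentication_failed,
2011 Sep 10 14:34:57 (webhost) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.100
User: root
Sep 10 14:34:57 webhost sshd[12345]: Failed password for root from 192.168.1.100 port 54321 ssh2

** Alert 1315660600.11000: - ossec,syscheck,
2011 Sep 10 14:36:40 localhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+): (?P<mail>mail)?\s*- (?P<groups>.*?),?$")
# Origin line is "(agent) ip->location" for agent alerts and "host->location" for local ones.
ORIGIN_RE = re.compile(r"^(?P<date>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
                       r"(?:\((?P<agent>[^)]+)\) \S+?|(?P<host>\S+?))->(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alerts(text: str) -> List[Dict]:
    """Split alerts.log into records and parse each; fail loudly on a layout we do not know."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        matches = [p.match(l) for p, l in zip((HEADER_RE, ORIGIN_RE, RULE_RE), lines)]
        if len(matches) < 3 or not all(matches):
            raise ValueError(f"unrecognised alert record: {lines[:1]}")
        h, o, r = matches
        alert = {
            "id": f"{h['ts']}.{h['seq']}",                # the alert id the WUI links to
            "mail": h["mail"] is not None,
            "groups": [g for g in h["groups"].split(",") if g],
            "date": o["date"], "host": o["agent"] or o["host"], "location": o["location"],
            "rule_id": int(r["rule"]), "level": int(r["level"]), "description": r["desc"],
            "src_ip": None, "user": None, "log": [],      # "user" is the field the patched WUI shows
        }
        for line in lines[3:]:                             # optional fields, then the raw log line(s)
            if line.startswith("Src IP: "):
                alert["src_ip"] = line[len("Src IP: "):]
            elif line.startswith("User: "):
                alert["user"] = line[len("User: "):]
            else:
                alert["log"].append(line)
        alerts.append(alert)
    return alerts
```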


Playing around with DD-WRT

I’m currently playing around with my two WL-330GE access points from Asus (see an older posting). Since that posting I got a bit creative with the existing ethernet cabling and ports in the apartment, so I could retire the WiFi bridge without having any cable running through the apartment.

So I decided to use the two access points for something more useful. I’m playing around with dd-wrt to build configurations to use them as WiFi probes (for an IDS), or as rogue access points (for demonstration purposes and to test wireless IDS solutions). I might compile my own dd-wrt version for the rogue variant; there are a few things missing that I’d need to build a truly evil device.

I like the size of the devices (very compact) and that you can power them with 5V (you can run them off any USB port; right now the one here is hooked up to the USB port of a printer, a port intended for cameras). The only thing missing to make them perfect would be Power-over-Ethernet and maybe a GSM interface to upload data online.

It’s fun having a cheap and small device like this with WiFi and ethernet running Linux. It provides lots of possibilities, and fun.


What plugins is that website running?

While having a look at Nikto yesterday I stumbled across cms-explorer. It’s an interesting little program that checks the themes/modules/plugins installed in common CMS systems (Drupal, WordPress, Joomla! and Mambo), with automatic exploration for Drupal and WordPress. It also has some nice bonus features, like providing a list of known issues for the plugins it finds by querying the OSVDB.org database.

Example output:

Running it against my own webspace revealed a possible SQL injection I was unaware of. *) Fixed that; I will probably replace that plugin completely this week, since anything that has stuff so obviously bad in it is generally not all too sane.

*) I normally look at plugins before I install them, must have missed this one. @ PHP programmers: anyone who passes on the content of a $_REQUEST directly to a SQL query without any sanity checking deserves to be flogged with his own code.

Basic Server Hardening

Ok, here is a list of a few programs I’d advise anyone to use who is running a server on the internet (or thinking of doing so).

  • aide or tripwire (they can check and report if files on your system get changed, with configurable levels). If you use tripwire, don’t forget a “tripwire --check -I” after you do any updates.
  • logcheck will check your system logs, and report anything out of the ordinary (“ordinary” is defined by a list of ‘normal’ rules, and anything you add)
  • tiger goes further than logcheck: it actively checks your system and reports anything strange (files not belonging to packages, users or groups that got added, …)
  • grsecurity adds more security features to your kernel (at least use the basic features and the possibility to turn off module loading after boot)
  • rkhunter and chkrootkit scan the system for signs of rootkits or other malware. Just install them, make sure they are executed daily by cron, and possibly tweak rkhunter’s config a bit (I had problems with unhide and current kernel versions)

I’m not saying that setting up and tweaking all this software and actually reading the emails they generate will make your server super-duper secure, but they will reduce the risk of running a server open to the internet and alert you if something strange is happening. It is important to read and understand what these programs mail you. Yes, you will get false positives from time to time. And yes, you will have to adjust the config now and then due to package updates; but I get about 3-4 mails a week, and that is definitely ok considering the amount of data that gets checked.