{"id":392,"date":"2015-12-09T18:01:00","date_gmt":"2015-12-09T18:01:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=392"},"modified":"2020-07-03T18:21:36","modified_gmt":"2020-07-03T18:21:36","slug":"ossec-updated-with-geoip-support","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2015\/12\/ossec-updated-with-geoip-support\/","title":{"rendered":"OSSEC Updated With GeoIP Support"},"content":{"rendered":"\n<p>We recently made an improvement to OSSEC with the integration of the MaxMind GeoIP database (which maps an IP address to a country and\/or a city). This update was important to us, as it makes it a lot easier to monitor logs and understand what is going on inside your network.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>Here is a very quick example of how much easier things look:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Src IP: IP ADDRESS \/ USA \/ New Jersey\nUser: daniel\nDec 6 13:28:26 support sshd[22031]: Accepted publickey for daniel from ..<\/pre>\n\n\n\n<p>Compared to the original without GeoIP:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Src IP: IP ADDRESS\nUser: daniel\nDec 6 13:28:26 support sshd[22031]: Accepted publickey for daniel from ..<\/pre>\n\n\n\n<p>See the difference? It adds the country (and city) to the alerts, instead of just displaying the IP address. It also affects ossec-reportd, which now displays the geo information. This might feel rudimentary, but for anyone monitoring the logs this small change can make a lot of difference.<\/p>\n\n\n\n<h5>Installing GeoIP<\/h5>\n\n\n\n<p>Let\u2019s get started with the installation process. 
You must first download the latest versions of OSSEC and GeoIP.<\/p>\n\n\n\n<p>We\u2019ll start by downloading both <strong>OSSEC<\/strong> and <strong>GeoIP<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># wget https:\/\/github.com\/maxmind\/geoip-api-c\/releases\/download\/v1.6.7\/GeoIP-1.6.7.tar.gz\n# wget https:\/\/bitbucket.org\/dcid\/ossec-hids\/get\/tip.tar.gz\n<\/pre>\n\n\n\n<p>Then build and install <strong>GeoIP<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># tar -zxvf GeoIP-1.6.7.tar.gz\n# cd GeoIP-1.6.7\n# .\/configure; make; make install\n<\/pre>\n\n\n\n<p>Once the installation is completed, you should see the GeoIP shared library installed inside \/usr\/local\/lib:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># ls -la \/usr\/local\/lib\/libGeoIP.so\nlrwxrwxrwx 1 root root 17 Dec 6 13:17 \/usr\/local\/lib\/libGeoIP.so -&gt; libGeoIP.so.1.6.7\n<\/pre>\n\n\n\n<p>If you do not have <strong>\/usr\/local\/lib<\/strong> in your library loading path, you can add it by modifying <strong>\/etc\/ld.so.conf<\/strong> and refreshing the loader cache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># echo \"\/usr\/local\/lib\" &gt;&gt; \/etc\/ld.so.conf\n# ldconfig\n<\/pre>\n\n\n\n<p>Or just set <strong>LD_LIBRARY_PATH<\/strong> before starting OSSEC:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># export LD_LIBRARY_PATH=\/usr\/local\/lib:$LD_LIBRARY_PATH\n<\/pre>\n\n\n\n<p>Once completed, you need to download the latest GeoLiteCity database directly from MaxMind and copy it to <strong>\/usr\/share\/GeoIP<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># wget http:\/\/geolite.maxmind.com\/download\/geoip\/database\/GeoLiteCity.dat.gz\n# gunzip -d GeoLiteCity.dat.gz\n# mkdir \/usr\/share\/GeoIP\/\n# mv GeoLiteCity.dat \/usr\/share\/GeoIP\/\n<\/pre>\n\n\n\n<h4>Install OSSEC<\/h4>\n\n\n\n<p>Once GeoIP is installed, you are ready to install OSSEC. 
You can follow the instructions from the <a href=\"http:\/\/dcid.me\/texts\/my-ossec-setup-manual.html\">step-by-step setup guide<\/a> or just run these commands, which will point you in the right direction:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ wget https:\/\/bitbucket.org\/dcid\/ossec-hids\/get\/tip.tar.gz\n$ tar -zxvf tip.tar.gz\n$ cd dcid-ossec-hids-*\n$ .\/install.sh\n<\/pre>\n\n\n\n<p>Installing OSSEC is fairly straightforward and will give you a lot of value out of the box, with minimal changes. If you have used OSSEC before, you will now see the country\/city in addition to the IP address in every alert log.<\/p>\n\n\n\n<p><strong>Example:<\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>** Alert 1449426506.153: mail \u2013 syslog,fts,authentication_success<br>2015 Dec 06 13:28:26 support-&gt;\/var\/log\/secure<br>Rule: 10100 (level 4) -&gt; \u2018First time user logged in.\u2019<br>Src IP: [IPADDRESS] \/ USA \/ New Jersey<br>User: daniel<br>Dec 6 13:28:26 support sshd[22031]: Accepted publickey for daniel from [IPADDRESS] port 44848 ssh2<\/p><\/blockquote>\n\n\n\n<p>Note that GeoIP support is <a href=\"https:\/\/bitbucket.org\/dcid\/ossec-hids\/\">only available<\/a> in the repository I provided in this post. If you are using OSSEC already, try it out.<\/p>\n\n\n\n<p>If you are responsible for managing a dedicated server (or VPS), I also recommend adding it to your arsenal to know what is going on with your servers. An early warning system in case of a compromise can make the difference between a successful and a failed response.<\/p>\n\n\n\n<h2>Need Help with OSSEC?<\/h2>\n\n\n\n<p>We leverage <a rel=\"noreferrer noopener\" href=\"http:\/\/dcid.me\/ossec\" target=\"_blank\">OSSEC<\/a> extensively across all our products to help monitor and protect our servers. 
If you are not familiar with OSSEC, it is an open source host-based intrusion detection system (HIDS) with a powerful correlation and analysis engine that integrates log analysis, file integrity monitoring, rootkit detection, real-time alerting, and active response.<\/p>\n\n\n\n<p>It provides complete coverage if you are looking for an endpoint (server) security solution.<\/p>\n\n\n\n<ul><li>If you have not used OSSEC before, I recommend reading my guide to get started: <a rel=\"noreferrer noopener\" href=\"http:\/\/dcid.me\/texts\/my-ossec-setup-manual.html\" target=\"_blank\">http:\/\/dcid.me\/texts\/my-ossec-setup-manual.html<\/a><\/li><li>If you need help with your OSSEC implementation, we provide professional consultation at <a href=\"https:\/\/coldpath.net\/ossec-support\/\">ColdPath<\/a><\/li><\/ul>\n\n\n\n<p><em>Note that OSSEC requires root access to your servers and is meant for network \/ server administrators with Linux skills.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We recently made an improvement to OSSEC with the integration of the MaxMind GeoIP database (which maps an IP address to a country and\/or a city). 
This update was important to us, as it makes it a lot easier to monitor logs and understand what is going on inside your network.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/392"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=392"}],"version-history":[{"count":3,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/392\/revisions"}],"predecessor-version":[{"id":407,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/392\/revisions\/407"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}