OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It can be installed to monitor a single server or thousands of servers.
This tutorial shows how to upgrade an installation of OSSEC 2.8.1 to the latest release, OSSEC 2.8.2, which addresses a recently-discovered bug.
If you installed OSSEC 2.8.1 on FreeBSD 10.1 using this tutorial, you can easily perform the upgrade using that distribution’s package manager instead, and don’t need to follow this guide.
The first step to upgrading OSSEC is to download the tarball and its checksum file, which will be used to verify that the tarball has not been compromised.
First, download the new tarball.
- wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz
Then download the checksum file.
- wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2-checksum.txt
To verify that the tarball has not been compromised, first verify the MD5 checksum.
- md5sum -c ossec-hids-2.8.2-checksum.txt
The output should be:
ossec-hids-2.8.2.tar.gz: OK
md5sum: WARNING: 1 line is improperly formatted
Then verify the SHA1 checksum.
- sha1sum -c ossec-hids-2.8.2-checksum.txt
The expected output is:
ossec-hids-2.8.2.tar.gz: OK
sha1sum: WARNING: 1 line is improperly formatted
Though OSSEC 2.8.2 fixed a security bug, it did not address a longstanding bug that caused OSSEC to overwrite the contents of the /etc/hosts.deny
file. The fix for that has to be applied manually before initiating the upgrade. And the fix involves editing a file in the newly downloaded tarball.
That means we must first unpack the tarball.
- tar xf ossec-hids-2.8.2.tar.gz
It should be unpacked into a directory whose name includes the version number of the program. Change (cd
) into that directory.
- cd ossec-hids-2.8.2
The file that we need to edit, host-deny.sh
, is in the active-response
directory. So open it using:
- nano active-response/host-deny.sh
Towards the end of the file, look for two lines in the code that begin with TMP_FILE =, underneath the # Deleting from hosts.deny comment. Edit both lines to remove the spaces on either side of the = sign so the code block looks like this.
# Deleting from hosts.deny
elif [ "x${ACTION}" = "xdelete" ]; then
lock;
TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
if [ "X${TMP_FILE}" = "X" ]; then
# Cheap fake tmpfile, but should be harder then no random data
TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
fi
Save and close the file.
Now we can initiate the upgrade.
- sudo ./install.sh
You’ll be prompted to select the language of installation. Press ENTER to accept the default, or type in the 2-letter code that represents your preferred language, then press ENTER. Following the on screen instructions, at some point, you’ll be asked two simple questions. For each, type y, then press ENTER.
- You already have OSSEC installed. Do you want to update it? (y/n): y
- Do you want to update the rules? (y/n): y
The upgrade process should take about two minutes. The installer will stop then restart OSSEC at the end, and you should receive an email confirming that OSSEC has restarted.
You can double-check this by querying for OSSEC’s status.
- sudo /var/ossec/bin/ossec-control status
The output should indicate that all the processes are running.
By following these simple steps, you have just upgraded OSSEC 2.8.1 to OSSEC 2.8.2.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.