OSSEC General Settings

OSSEC_ENABLED

  • Enable or Disable OSSEC HIDS.

OSSEC_MODE

  • Operating mode for OSSEC, can be configured as either ‘server’ or ‘client’. When in client mode you will need to set up the OSSEC key from the command line.

OSSEC_SERVER

  • IP address of OSSEC server, when this node is configured to be an OSSEC client. Leave this blank if OSSEC_MODE is set to server.

OSSEC_ACTIVE_RESPONSE

  • Enable/Disable Active Response mode. Setting this to yes enables active firewall blocks when OSSEC detects an attack.

OSSEC_SHUN_ENABLE_TIMEOUT

  • Enable/Disable expiration of active response firewall blocks. Setting this to yes will expire blocks after a fixed interval defined in OSSEC_SHUN_TIME. Setting this to no will make all blocks permanent (not recommended).

HIDS_IPSET_DROP

  • This configures the system to use ipset sets (matched from iptables) instead of individual iptables rules for shunning. This is a newer, faster and less memory-intensive method of shunning and is highly recommended on systems that support it.

Note

Virtuozzo and OpenVZ are not known to support ipset. Enabling this option on those platforms may break shunning and other aspects of the firewall.

OSSEC_SHUN_TIME

  • This configuration setting defines the number of seconds to maintain an active response block. [Default: 600 seconds (10 minutes)]

HIDS_SHUN_MULTIPLIER

  • Enable an exponential block-time multiplier for repeat offenders, based on the OSSEC_SHUN_TIME setting.

  • To disable this functionality, set the value to “0”.

  • This feature multiplies the shun time by the HIDS_SHUN_MULTIPLIER value for each successive attack from the same IP. For the first attack from an IP, the shun period is always OSSEC_SHUN_TIME. For the second and each following attack from that IP, the previous shun time for that IP is multiplied by HIDS_SHUN_MULTIPLIER again, so repeat attackers are blocked for longer and longer periods.

Note

This is exponential, not linear. The shun time for an attack is calculated by multiplying the previous shun time by the multiplier, so the value does not grow by a fixed amount per attack but by a growing factor.

For example:

  • If the shun time is configured to 600 seconds and HIDS_SHUN_MULTIPLIER is set to “3”, the shun times would be as follows:

    • First attack: 600 seconds

    • Second attack: 1800 seconds

    • Third attack: 5400 seconds

    • Fourth and any following attacks: 16200 seconds

  • The current system does not increase the shun time past the fourth attack.

  • The attack counters are kept only in memory for as long as the OSSEC daemon is running. Once OSSEC is restarted, all of this data is lost/reset: the counter for every IP returns to the lowest value and the escalation starts over.
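The following model of the escalation schedule is an added example for this page; it is not the product's or OSSEC's own code. It assumes the behaviour described above (shun time multiplied per repeat attack from the same IP, capped at the fourth attack, counters reset on daemon restart, permanent blocks when timeouts are disabled) and uses a hypothetical in-memory tracker and a constructed attacker IP.

```python
"""Model of the OSSEC_SHUN_TIME / HIDS_SHUN_MULTIPLIER escalation schedule.

Constructed example (not OSSEC or product code). It reproduces the schedule
described on this page so an operator can check what a given setting will do
before applying it.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The page states the shun time stops growing after the fourth attack,
# i.e. at most three multiplications are applied.
MAX_ESCALATIONS = 3


def shun_seconds(attack_number: int, shun_time: int = 600, multiplier: int = 0) -> int:
    """Seconds to block the n-th attack (1-based) from a single IP.

    multiplier == 0 disables escalation: every attack gets shun_time.
    Otherwise attack n is blocked for shun_time * multiplier**(n-1),
    with the exponent capped at MAX_ESCALATIONS.
    """
    if attack_number < 1:
        raise ValueError("attack_number is 1-based")
    if multiplier == 0:
        return shun_time
    steps = min(attack_number - 1, MAX_ESCALATIONS)
    return shun_time * multiplier ** steps


@dataclass
class ShunTracker:
    """Hypothetical in-memory tracker mirroring the daemon's per-IP state."""
    shun_time: int = 600
    multiplier: int = 0
    enable_timeout: bool = True  # OSSEC_SHUN_ENABLE_TIMEOUT; False => permanent blocks
    _attacks: Dict[str, int] = field(default_factory=dict)          # ip -> attack count
    _expires: Dict[str, Optional[float]] = field(default_factory=dict)  # ip -> expiry or None

    def record_attack(self, ip: str, now: float) -> Tuple[int, Optional[float]]:
        """Register an attack at time `now`; return (block seconds, expiry timestamp)."""
        count = self._attacks.get(ip, 0) + 1
        self._attacks[ip] = count
        duration = shun_seconds(count, self.shun_time, self.multiplier)
        expiry = now + duration if self.enable_timeout else None
        self._expires[ip] = expiry
        return duration, expiry

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while the IP's block is in force (None expiry means permanent)."""
        if ip not in self._expires:
            return False
        expiry = self._expires[ip]
        return expiry is None or now < expiry

    def restart(self) -> None:
        """Simulate an OSSEC restart: all in-memory counters and blocks are lost."""
        self._attacks.clear()
        self._expires.clear()


def schedule(shun_time: int, multiplier: int, attacks: int = 5):
    """Block durations for the first `attacks` attacks from one IP."""
    return [shun_seconds(n, shun_time, multiplier) for n in range(1, attacks + 1)]


if __name__ == "__main__":
    # Constructed attacker address from the documentation range.
    print(schedule(600, 3))  # [600, 1800, 5400, 16200, 16200]
    tracker = ShunTracker(shun_time=600, multiplier=3)
    print(tracker.record_attack("203.0.113.5", now=0.0))
    print(tracker.record_attack("203.0.113.5", now=700.0))
```

Run it with the page's example settings to confirm that the fifth attack is blocked for the same 16200 seconds as the fourth, and that a `restart()` drops a repeat offender back to the 600-second first-attack block; a permanent-block configuration (`enable_timeout=False`) never expires.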

HIDS_LOG_ALERT_LEVEL

  • This controls the minimum level (1-15) an alert must have in order to generate a log event. It governs which events are both inserted into the database and logged: any event below this level is neither logged nor inserted into the database. [Default: 1]

HIDS_CLEAN_DIFF

  • This controls the number of days the File Integrity manager retains diffs of changed files in the directory /var/ossec/queue/diff/. [Default: 60]

Note

Removal of old diffs occurs nightly. Therefore, if you lower this setting, the older diffs will be removed within 24 hours of the change.