Monday, 13 January 2020

Ossec Server & Client Configuration

OSSEC is an open-source host-based intrusion detection system (HIDS). It performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.

[ SERVER ]
# wget https://github.com/ossec/ossec-hids/archive/2.9.3.tar.gz
# tar -xvf 2.9.3.tar.gz
# cd ossec-hids-2.9.3
# sh install.sh
select "server" as the installation type
# /var/ossec/bin/ossec-control start
# /var/ossec/bin/ossec-control restart
# /var/ossec/bin/manage_agents
# /var/ossec/bin/agent_control -l

[ CLIENT ]
# wget https://github.com/ossec/ossec-hids/archive/2.9.3.tar.gz
# tar -xvf 2.9.3.tar.gz
# cd ossec-hids-2.9.3
# sh install.sh
select "agent" (client) as the installation type
# /var/ossec/bin/ossec-control start
# /var/ossec/bin/ossec-control restart
# /var/ossec/bin/manage_agents

[ Check on the server side whether the agents are active ]
# /var/ossec/bin/agent_control -l
e.g.
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: amazonlinux2 (server), IP: 127.0.0.1, Active/Local
ID: 01, Name: amazonlinux2, IP: 192.168.1.52, Active
ID: 03, Name: glsupport, IP: 192.168.1.110, Never connected
ID: 04, Name: glsupport_3, IP: 192.168.1.3, Active

[ Get blocked IPs on the OSSEC agent ]
# tail -f /var/ossec/logs/active-responses.log
Wed Oct 23 10:40:43 UTC 2019 /var/ossec/active-response/bin/host-deny.sh add - 192.168.1.30 1571827243.473519 5712
Wed Oct 23 10:40:43 UTC 2019 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.1.30 1571827243.473519 5712

[ Unblock a blocked IP using the commands below ]
# /var/ossec/active-response/bin/host-deny.sh delete - 192.168.1.30 1571827243.473519 5712
# /var/ossec/active-response/bin/firewall-drop.sh delete - 192.168.1.30 1571827243.473519 5712
[ Remove the IP from /etc/hosts.deny ]
# vim /etc/hosts.deny
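Reading active-responses.log by hand gets tedious once a few blocks have been added and removed, so here is an added helper (not part of the original post or of OSSEC itself) that pairs each "add" with a later "delete" for the same script and IP, lists what is still blocked, and prints the matching unblock commands. The log lines are constructed samples in the format shown above; the function and variable names are my own.

```shell
# Constructed sample of /var/ossec/logs/active-responses.log (not real data).
# 192.168.1.30 was blocked and later unblocked; 192.168.1.77 is still blocked.
SAMPLE_LOG='Wed Oct 23 10:40:43 UTC 2019 /var/ossec/active-response/bin/host-deny.sh add - 192.168.1.30 1571827243.473519 5712
Wed Oct 23 10:40:43 UTC 2019 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.1.30 1571827243.473519 5712
Wed Oct 23 10:52:10 UTC 2019 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.1.77 1571827930.118204 5712
Wed Oct 23 10:52:10 UTC 2019 /var/ossec/active-response/bin/host-deny.sh add - 192.168.1.77 1571827930.118204 5712
Wed Oct 23 11:10:00 UTC 2019 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.1.30 1571827243.473519 5712
Wed Oct 23 11:10:00 UTC 2019 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.168.1.30 1571827243.473519 5712'

# still_blocked: read the log on stdin and print one line per
# "script ip alert_id rule_id" whose "add" has no later "delete".
still_blocked() {
  awk '
    # Fields: $1-$6 timestamp, $7 script, $8 action, $9 user ("-"),
    #         $10 source IP, $11 alert id, $12 rule id
    $8 == "add"    { blocked[$7 " " $10] = $11 " " $12 }
    $8 == "delete" { delete blocked[$7 " " $10] }
    END { for (k in blocked) print k " " blocked[k] }
  ' | sort
}

# unblock_commands: turn the still-blocked list into the delete
# invocations shown in this post (arguments mirror the original add).
unblock_commands() {
  still_blocked | while read -r script ip alert rule; do
    printf '%s delete - %s %s %s\n' "$script" "$ip" "$alert" "$rule"
  done
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | unblock_commands
```

On a live agent, feed the real file instead: `still_blocked < /var/ossec/logs/active-responses.log`. The printed commands are only suggestions to review; nothing is executed.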
