ossec Setup with Virtual Machine - security

How does one set up ossec to have the host work as a server, and the guests have agents in them? Specifically, at least one point in the installation confuses me as to how this would work: how do you set the server IP? If you are running ossec on a laptop, the IP address will change. How do you dynamically resolve the IP of the host that is running the guests?
Maybe the question should in that case be retitled to that, but the base cause for asking this question is for an ossec setup, and I will likely have more questions later; I'd rather they all be related to this.
Perhaps there is a guide to explain how to do what I want, which is to set up a Mac OS X Lion host running ossec as the server, and have several VM guests with agent setups on them that talk to the host.

One deployment scenario is to create one OSSEC server and then to install OSSEC agents on everything you would like to watch for security events.
Regarding DHCP configured OSSEC agents, you can check out "Agent systems behind NAT or with dynamic IPs (DHCP)" http://www.ossec.net/doc/manual/agent/agent-dhcp-nat.html
If you have a specific DHCP or network range you would like any OSSEC agent to be able to use to connect to the OSSEC server, then you can modify the following lines in the ossec.conf file (snippet borrowed from the OSSEC book):
We can also use the <allowed-ips></allowed-ips> tag to explicitly state which IP address
we allow connections from. In the following example, we used the <allowed-ips></allowed-ips>
tag in conjunction with the <connection></connection> tag to indicate that we expect OSSEC
HIDS agent connections from the 192.168.10.0/24 network
<ossec_config>
  <remote>
    <connection>secure</connection>
    <allowed-ips>192.168.10.0/24</allowed-ips>
  </remote>
</ossec_config>
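
A way to confirm that DHCP-assigned agent addresses fall inside the `<allowed-ips>` ranges before relying on them, as an added example that is not part of the original answer or of OSSEC itself. The function names, the second `<ossec_config>` section and the agent addresses are constructed for illustration, and it assumes each `<allowed-ips>` entry is a single address or a CIDR network as in the snippet above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the <remote> block from the answer plus a second
# <ossec_config> section. Two top-level sections are not a well-formed XML
# document on their own, so the text is wrapped in one root before parsing.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>secure</connection>
    <allowed-ips>192.168.10.0/24</allowed-ips>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>secure</connection>
    <allowed-ips>192.168.231.0/24</allowed-ips>
  </remote>
</ossec_config>
"""

def allowed_networks(conf_text, connection="secure"):
    """Return the networks listed in <allowed-ips> for one connection type."""
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    nets = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != connection:
            continue
        for el in remote.findall("allowed-ips"):
            text = (el.text or "").strip()
            if text:
                # strict=False tolerates host bits, e.g. 192.168.10.5/24
                nets.append(ipaddress.ip_network(text, strict=False))
    return nets

def check_agents(conf_text, agent_ips):
    """Map each agent address to True if an allowed-ips entry covers it."""
    nets = allowed_networks(conf_text)
    result = {}
    for ip in agent_ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = any(addr.version == n.version and addr in n for n in nets)
    return result

if __name__ == "__main__":
    # Constructed agent addresses: two inside the ranges, one outside.
    agents = ["192.168.10.57", "192.168.231.128", "10.0.2.15"]
    for ip, ok in check_agents(SAMPLE_CONF, agents).items():
        print(f"{ip}: {'allowed' if ok else 'not covered by allowed-ips'}")
```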

I found out from VMware that the host VMs that are using a NAT configuration have a static IP address that corresponds to the host: 192.168.231.1 will reach the host from within the guest VM. This way, when you set up agents within the guest VMs you can use this address, and it will work.

Related

Install DVWA On VirtualBox

I want to install Damn Vulnerable Web Application (DVWA) on VirtualBox, so I downloaded the DVWA.iso and I'm following this tutorial for its installation.
At step 9, they say to choose internal network, but I don't really understand why (is it a security problem if I don't choose this option?). Because if I select internal network, I get an IP like 10.0.something, and when I try to connect from my computer (not the VM) to 10.0.something/login.php, that doesn't work. But if I select bridged networking, I get an IP like 192.168.something and it works.
Could you explain to me why it is important to choose internal network, and why it doesn't work when I choose this?
Internal network on VirtualBox creates a network between boxes on the same host. I can't see the next steps of the tutorial you linked, but my guess is that it will ask you to install Kali (or a similar distro) on another box on that same host. This is what most people do.
Setting 'internal network' allows the 2 machines to talk to each other without any contact with the outside.
It is considered a security measure because the DVWA is a vulnerable machine, so some people think that you shouldn't be giving it access to the internet, but I guess it's more about 'best practice' than a real security risk because in most cases firewalls, routers and ISPs will prevent outside attackers from connecting directly to that machine in any case.
Anyway, if you are using another computer on the same network to connect to DVWA, you should be OK using a 'bridged' connection on VirtualBox (this will give the DVWA an IP sitting on the same network as the host and your computer). In NAT mode VirtualBox acts like a router; it may still be a good solution for you, but I'm not sure if the box is reachable from other computers, as I think VB settings may affect this case.
If you are instead using the host as a penetration testing machine, 'host only' should be good to allow the host and the VM to talk.
Try to put both of the machines on NAT so that you can ping the DVWA from wherever you're doing the hacking from! So essentially both of the machines should be on the NAT setting if they're both on a virtual machine.

Port Forwarding An Linux IP In Virtualbox ISSUES

Here's the scoop:
I used SET (Social Engineering Toolkit) and made a duplicate of a login page. The IP that was used was 10.0.2.15 (mind you, this is on a VirtualBox virtual machine), and when I tried to view it on another computer, it says the server is not responding. I tried to port forward but it was giving me issues.
Is there anything I can do to port forward, or do something like that, to make the web page connected to the IP viewable on the World Wide Web from another computer?
In other words, the IP's page is only viewable on the same computer whose IP I used to host. Can you make it viewable in any computer's browser by port forwarding it, or something that will work like that?
Use bridging networking for the guest machine. Then, that IP address should be accessible on your network if there are no firewalls enabled.
There are several issues with directly accessing this IP from a separate computer.
First, the forwarding: the computer with the virtual machine must accept IP forwarding. This is easy to enable:
https://wiki.archlinux.org/index.php/Internet_sharing
Second, the routing: other computers must know who to ask when looking for 10.0.2.15. This is the hardest part. You could try adding a special route rule on the other computer, to set the host as a gateway for 10.0.2.15, but it requires you to make this on every machine that wishes to access the VM.
As Ahmed said, the easiest way is probably to use a network bridge, where the virtual machine will act as any other computer on the network, with a visible IP.

Understanding ossec and VMs: does a server perform an agent's work too?

So I have a Mac host and some virtual machines. I want to use ossec to monitor my virtual machines and my host, Mac OS X Lion. (I've already fixed the compilation issue with Lion; it compiled.) See this
I'm having trouble understanding what the server's and agent's roles are. If you only want ossec to run locally, you set up under local. But I have VMs to monitor, so I must select server. But does the server do what the agent does on the host, as in, is there some kind of agent functionality to ensure that the same monitoring and checking is also occurring on the server just as it is on the VMs with the agent?
If not, then how do I make sure that the host is also being monitored with ossec? What I had thought was that ossec would have to be set up on the host as both a server and client, but if you go to run the installer twice, it will want to delete the server's installation and remake it as an agent only.
The server does all the things an agent does, and on top of that it centralizes log collection and processing. You don't need to install OSSEC as server and agent on your server, just as server.

How can I develop using a local VM server without using URLs with ports in them?

I'm setting up a linux server in a VM for my development.
Previously I've had PHP, MySQL etc etc all installed locally on my Mac. Apart from being a security risk, it's a drag to maintain and keep up to date, and there's a risk that an OS upgrade will wipe part of your setup out as the changes you make are fairly non-standard.
Having the entire server contained within a VM makes it easily upgradable and portable between machines. It means I can have the same configuration as the destination server and with shared folders even if the VM gets corrupted my work is safe on the host machine.
Previously with the local installation I was able to develop on convenient URLs like http://site.dev. I'd quite like to carry this over to the VM way of development but I'm struggling to figure out how, if it's possible at all.
Here's the problem:
In Bridged mode, the VM is part of the same network as the host. This is great but I can't choose a fixed IP address as I may be joining other networks and that address may be taken already. I'd like a consistent way of addressing my VM.
In NAT mode I can't directly address the VM without using port forwarding. I can use http://site.dev if I use the hosts file to forward that to localhost and then localhost:8080 forwards to the vm:80. The trouble is I have to access http://site.dev:8080 which is inconvenient for URL construction.
Does anyone know a way around this? I'm using ubuntu server and virtualbox.
Thanks!
The answer is to define a separate host-only network adapter and use that for host->guest communication.
You can do this by powering down the guest and adding the adapter in the VM settings. Once that's done you can boot the guest again and configure the new network interface however suits you best. I chose a fixed IP address in an unused range.

Web Access to Virtual Machine

Is there a way to access a web server such as Windows Server 2003 installed on a virtual box such as VMware from the host machine?
If VMware is set to use bridged networking, then each guest OS effectively has its own IP address, like brien said, you just point your browser to that address.
If you configure your virtual machine to use bridged networking, instead of NAT, it will have its own IP address "beside" the host machine, instead of a local IP address "behind" it. Then you can connect to the virtual machine, using that IP number.
(Disclaimer: I've used VMware workstation for several years, but not their server products.)
Yes, you should just be able to point to the IP address of the VM.
How is your VM networking configured?
I am doing this all over the place; just make sure that the VM has an IP configured.
I believe VMware (Workstation?) also has a built-in virtual network client (VNC) that you can connect to - enable it by going to the configuration properties of the VM, and in the last tab there is a checkbox for it.
IP address should do it.
I faced the same issue. You have to set your network connection to "bridged mode" in your VM. Then you have to find out the IP of your web server.
Sometimes web servers have a redirect to a specific URL. In this case you can edit your hosts file in C:/Windows/System32/drivers/etc/hosts and add your IP with the redirected URL like this:
192.168.0.37 some.url-you.need
Then your Host can go to the Webserver. Even participants of your Ethernet can access the Webserver.
