OSSEC 2.7 + MAMP Pro on Mountain Lion

I am a huge fan of OSSEC for knocking down or out the noise that comes from daily life on the internet.  Be it some annoying bot from China, Brazil, India, Russia, or the Netherlands, a targeted attack or scan of your site, or a researcher like HD Moore and the Critical.IO project, your server(s) get scanned constantly for security weaknesses.  This gets worse during US holidays as the volume of scan traffic increases significantly.  Hell, you can even set your watch based on the interval of some of the SIP and SSH scans.

OSSEC is a Host-Based Intrusion Detection/Prevention solution (HIDS or HIPS for short).  It monitors your various system and service logs for common attack traffic, such as configuration scans and weak password attacks, and checks for rootkits.  It then blocks the offending IP address from the system and notifies someone that you are being attacked.

By leveraging a solution like this, you can get a bit of proactive security by automatically locking out an attacker’s IP address.  By doing this, you also reduce the amount of noise that makes its way into your various system logs, which cuts down on file size and the “crap” that needs to be investigated.

Getting OSSEC up and running on Linux, Windows, and most other OSes is a breeze.  OSX leaves a bit to be desired (aka I’m not a fan of the latest versions of Xcode from the past two years – I shouldn’t be forced to install nearly 2 gigs of iOS crap just to get a decent dev environment going on a desktop system).  Couple this with the fact that I’m using MAMP as an alternative to the native Apache install that comes with OSX (because unlike Apple the MAMP group actually updates Apache and PHP on a semi-regular basis) and you are left with a bit of “fun” to get things up and running smoothly.

So how to get started – I could get long-winded here but I’m going to cheat; several sites already have the important part of how to get OSSEC up and running on Mountain Lion, so I’ll just start with how to get MAMP working with it.

So, Step 1 – Go Here and follow the guides to get Xcode and GCC running on OSX, substitute the version of OSSEC with the latest (2.7) and install.

Step 2 – To properly catch scanner activity, you will need access to both the error log and the access log from Apache.  MAMP only creates the error log by default.  Follow the steps outlined HERE to enable the Apache Access log file.

Step 3 – Edit your ossec.conf file and add the Apache logs (and any of the other ones from MAMP) to the list of local files for OSSEC to read and monitor:

Create a new entry for each log file you want to monitor (start at the bottom of the config file)

Step 4 – Tweak OSSEC as needed, and test.  You can use nikto or wpscan against your server; you should get a warning that you are getting scanned and a notice of when OSSEC blocked the IP address.
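For Step 3, an added example (not from the original post or the OSSEC project): a small shell helper that prints the `<localfile>` entries an ossec.conf still lacks for a list of Apache logs. The MAMP log paths, including the access-log file name, are assumptions; use whatever you configured in Step 2.

```shell
#!/bin/sh
# Added example. Log paths below are assumptions about a MAMP install.

# emit_missing_localfiles CONF LOG...
# Prints one <localfile> stanza for every LOG that has no matching
# <location> entry in CONF. If CONF cannot be read, every LOG is
# reported as missing.
emit_missing_localfiles() {
    conf=$1
    shift
    for log in "$@"; do
        # -F: fixed-string match, so dots in the path stay literal
        if grep -qF "<location>$log</location>" "$conf" 2>/dev/null; then
            continue
        fi
        printf '  <localfile>\n'
        printf '    <log_format>apache</log_format>\n'
        printf '    <location>%s</location>\n' "$log"
        printf '  </localfile>\n'
    done
}

# Demo on a constructed config that already monitors the error log only.
demo() {
    tmp=$(mktemp /tmp/ossec_demo.XXXXXX)
    cat > "$tmp" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/Applications/MAMP/logs/apache_error.log</location>
  </localfile>
</ossec_config>
EOF
    emit_missing_localfiles "$tmp" \
        /Applications/MAMP/logs/apache_error.log \
        /Applications/MAMP/logs/apache_access.log
    rm -f "$tmp"
}

demo
```

Run it against your real config (by default `/var/ossec/etc/ossec.conf`), paste the printed stanzas just above the closing `</ossec_config>` tag, and restart OSSEC so it picks up the new files.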


It’s the Most Wonderful Time of the Year… or something like that.

Wow what a Year 2012 was and I’m actually looking forward to 2013!!

So as you can tell, I haven’t posted much of anything in quite a while here on the personal site. But I do have a few excuses… that kind of hold up to argument :)

So what have I been up to? Simple I started my own company with a few friends at the beginning of this year – DirectDefense.

Why? Why not! The timing was right, and after 15 years of working for someone else, it was time to put things in place for ourselves. Sides – I already know my boss is an A’hole so no surprises down the road :D .

Hopefully 2013 will let me get back to doing some podcasting with Dan and Michael… it’s been too long.

Regardless, be on the look out for changes and new services coming from DirectDefense.

On a personal level, my poor mac mini that ran the site for the past 4 years finally died, so I’ve upgraded to a newer model and I’m playing around with the latest and greatest software and settings. Mountain Lion was a bit of a pain to get around in, but after a few cuss words and some hair pulling all things seemed to fall into place.

PS – To Microsoft and Apple – what’s up with the dumbing down of desktops? I get it… tablet is the wave of the future, but please introduce a “power user” setting for us poor schlubs that get 90%+ of things done from the command prompt and basic desktop environments.

If you are a tablet user – Windows 8 is “good”, if you are a desktop user Windows 8 is a big fat ball of “Meh!”. I’ll be waiting until SP1 or Windows 9 comes out before switching.

So what should you look forward to from me this year… hmm let’s see:

  • The joys and pains of running a small and growing business
  • The joys and pains of watching my oldest daughter become a young adult… and make me feel older as the days go on
  • The joys and pains of watching my youngest daughter become smarter than me
  • Hopefully some podcasting
  • A whole lot more of geek writing

Anyway, hope to have more here soon.

An Information Security Place Podcast – Episode 04 for 2012

Hmmm, let’s see if I even remember how to enter this stuff anymore… Yeap, you guessed it, we finally recorded another episode – WOOT!
Show Notes:

InfoSec News Update – 

  • Howard Schmidt is Retiring – Link Here
  • Vulnerability Stats of Publicly Traded Companies – Link Here
  • Tool Update – Threadfix from Denim Group – Link Here
  • The Mission Impossible Self-Destructing SATA SSD Drive – Link Here
  • The WAF Wars – Link 1 / Link 2 / Link 3
  • PwnieExpress Releases PwnPlugUI/OS 1.1 – Link Here
  • App for scanning faces to gauge age at bars – Link Here
  • Business Logic Testing defined – Link 1
  • ErrataSec – Wants your hotel PCAP Files – Link 1 / Link 2

Discussion Topic –

  1. Should specific security efforts be validated when the program as a whole is crap? Link Here

Music Notes:

Special Thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

Tour Dates:

  1. June 1 – Dallas – Curtain Club

Intro – RivetHead – “The 13th Step”
News Bed – RivetHead - “Beautiful Disaster”
Discussion Bed – RivetHead - “Difference”
Outro – RivetHead – “Zero Gravity”

Link to MP3
Local Link To MP3

An Information Security Place Podcast – Episode 01 for 2012

Wow! 6 Months… and 2 job changes later, we are finally back to recording! YEAH!… Here’s the latest show from our intrepid hosts.

Show Notes:

InfoSec News Update – 

  • The Hacker News Hacking Awards : Best of Year 2011 – Link Here
  • Japan’s Anti-Virus Virus – Link Here
  • Nginx (pronunciation: “engine-ex”) becomes #2 web server
  • Saudi hackers break into Israeli site – Link Here
  • 3 Surefire Ways to Tick Off an Auditor – Link Here
  • OWASP AJAX Crawling Tool – Link1 / Link2

Discussion Topic – 2012 Breach Report

  1. Care2 Discloses Breach; Company Has Nearly 18 Million Members – Link Here
  2. AntiSec hit California and NY Law Enforcement Sites – Link Here
  3. Anonymous Nabs 50,000 Credit Card Numbers From Security Think Tank – Link Here

Music Notes:

Special Thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

Tour Dates:

  1. Jan 6 – Dallas – Curtain Club
  2. Jan 27 – Dallas – Trees
  3. Jan 28 – Dallas – Trees
  4. Mar 2 – Dallas – Curtain Club – 7th Album CD Release Party
  5. Mar 3 – Houston – BFE Rock Club
  6. Mar 24 – Fort Worth – The Rail Club
  7. May 5 – Dallas – Renos Chop Shop

Intro – RivetHead – “The 13th Step”
News Bed – RivetHead - “Beautiful Disaster”
Discussion Bed – RivetHead - “Difference”
Outro – RivetHead – “Zero Gravity”

Link to MP3
Local Link To MP3