First, follow the instructions in this post to build a firewall host.
In AWS EC2, launch the FreeBSD 10.3 ftpssl instance.
Attach one interface, eth0, to the ftpssl instance.

| Subnet | Interface | Address |
|---|---|---|
| DMZ | eth0 | 10.20.1.13 |
The ftpssl instance will use 10.20.1.1 for its default gateway.
From the firewall instance, you should be able to log in to the ftpssl instance using your ssh key.

```
ssh -i key.pem ec2-user@10.20.1.13
```
Modify the following files:

```
vi /etc/rc.conf
------------------------------ cut here ------------------------------
ec2_configinit_enable=YES
ec2_fetchkey_enable=YES
ec2_ephemeralswap_enable=YES
ec2_loghostkey_enable=YES
firstboot_freebsd_update_enable=YES
firstboot_pkgs_enable=YES
growfs_enable="YES"
ifconfig_DEFAULT="SYNCDHCP"
sshd_enable="YES"
firstboot_pkgs_list="awscli"
------------------------------ cut here ------------------------------

vi /etc/dhclient.conf
------------------------------ cut here ------------------------------
supersede host-name "ftpssl-host.domain";
supersede domain-name "domain";
supersede domain-name-servers 127.0.0.1;
------------------------------ cut here ------------------------------

vi /etc/hosts
------------------------------ cut here ------------------------------
::1             localhost localhost.domain
127.0.0.1       localhost localhost.domain
10.20.1.10      firewall-host.domain firewall-host
10.20.1.13      ftpssl-host.domain ftpssl-host
------------------------------ cut here ------------------------------

vi /etc/nsswitch.conf
------------------------------ cut here ------------------------------
group: files
passwd: files
services: files
------------------------------ cut here ------------------------------

vi /etc/group
------------------------------ cut here ------------------------------
ftpssl:*:21:
------------------------------ cut here ------------------------------

vipw
------------------------------ cut here ------------------------------
superftpuser:*:1100:21::0:0:Super FTP User:/home/proftpd/root/super:/usr/local/bin/bash
downloaduser:*:1101:21::0:0:Download User:/home/proftpd/root/super/download:/usr/sbin/nologin
uploaduser:*:1101:21::0:0:Upload User:/home/proftpd/root/super/upload:/usr/sbin/nologin
------------------------------ cut here ------------------------------
```
Add a swap file and a second disk for /usr

```
dd if=/dev/zero of=/boot/swap1 bs=1m count=1024
chmod 0600 /boot/swap1
```
In EC2, create a new EBS Volume (10G) and attach it to the ftpssl instance (/dev/sdf).
```
sysctl kern.disks
------------------------------ cut here ------------------------------
kern.disks: xbd5 ada0
------------------------------ cut here ------------------------------

gpart create -s GPT xbd5
gpart add -t freebsd-ufs -a 1M xbd5
gpart show
------------------------------ cut here ------------------------------
=>      3  20971515  ada0  GPT  (10G)
        3        32     1  freebsd-boot  (16K)
       35  20971483     2  freebsd-ufs  (10G)

=>       34  20971453  xbd5  GPT  (10G)
         34      2014        - free -  (1.0M)
       2048  20967424     1  freebsd-ufs  (10G)
   20969472      2015        - free -  (1.0M)
------------------------------ cut here ------------------------------

newfs -U /dev/xbd5p1
mkdir /newdisk
# mount the new partition explicitly (it has no fstab entry yet)
mount /dev/xbd5p1 /newdisk
cd /usr
tar cf - . | ( cd /newdisk/.; tar xpf - )
mkdir /newhome
cd /home
tar cf - . | ( cd /newhome/.; tar xpf - )
mv /home /home-
mv /newhome /home
mv /usr /usr-
mkdir /usr
vi /etc/fstab
------------------------------ cut here ------------------------------
/dev/gpt/rootfs   /      ufs   rw                          1 1
/dev/xbd5p1       /usr   ufs   rw                          2 2
md99              none   swap  sw,file=/boot/swap1,late    0 0
------------------------------ cut here ------------------------------

swapon -aL
swapinfo -k
reboot
/bin/rm -f /home-
chflags -R noschg /usr-
/bin/rm -rf /usr-
```
Enable unbound (local caching DNS resolver)
```
vi /etc/rc.conf.d/local_unbound
------------------------------ cut here ------------------------------
local_unbound_enable="YES"
local_unbound_forwarders="8.8.8.8"
------------------------------ cut here ------------------------------

vi /etc/resolvconf.conf
------------------------------ cut here ------------------------------
resolv_conf="/dev/null"
resolvconf="NO"
------------------------------ cut here ------------------------------
```
Fetch and extract the ports tree
```
portsnap fetch
portsnap extract
portsnap fetch update
```
Install the portmaster and rpl utilities

```
cd /usr/ports/ports-mgmt/portmaster
make clean all install
make clean
portmaster -d misc/rpl
```
Adjust sshd
```
vi /etc/ssh/sshd_config
------------------------------ cut here ------------------------------
ClientAliveInterval 900
IgnoreRhosts yes
LoginGraceTime 30
MaxAuthTries 3
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
------------------------------ cut here ------------------------------

sh /etc/rc.d/sshd restart
```
Adjust syslog
```
vi /etc/syslog.conf
------------------------------ cut here ------------------------------
*.*    /var/log/all.log
------------------------------ cut here ------------------------------

touch /var/log/all.log
chmod 0640 /var/log/all.log
chown root:wheel /var/log/all.log
sh /etc/rc.d/syslogd restart

vi /etc/newsyslog.conf
------------------------------ cut here ------------------------------
/var/log/all.log    600  12  *  $M1D0  J
------------------------------ cut here ------------------------------
```
Enable NTP
```
ntpdate 0.freebsd.pool.ntp.org

vi /etc/ntp.conf
------------------------------ cut here ------------------------------
server 0.pool.ntp.org iburst maxpoll 9
server 1.pool.ntp.org iburst maxpoll 9
server 2.pool.ntp.org iburst maxpoll 9
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/ntpd
------------------------------ cut here ------------------------------
ntpd_enable="YES"
ntpd_program="/usr/sbin/ntpd"
ntpd_config="/etc/ntp.conf"
ntpd_sync_on_start="YES"
ntpd_flags="-p /var/run/ntpd.pid"
------------------------------ cut here ------------------------------

sh /etc/rc.d/ntpd start
```
Install postfix
```
portmaster -d mail/postfix

vi /etc/periodic.conf
------------------------------ cut here ------------------------------
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
------------------------------ cut here ------------------------------

sh /etc/rc.d/sendmail stop

vi /etc/rc.conf.d/sendmail
------------------------------ cut here ------------------------------
sendmail_enable="NONE"
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/postfix
------------------------------ cut here ------------------------------
postfix_enable="YES"
------------------------------ cut here ------------------------------

sh /usr/local/etc/rc.d/postfix start
```
Update FreeBSD
```
freebsd-update fetch
freebsd-update fetch install
```
Fetch and extract the src tree
```
portmaster -d devel/subversion
portmaster -d security/ca_root_nss
svn co https://svn0.us-west.FreeBSD.org/base/releng/10.3 /usr/src
svn up /usr/src
cd /usr/src
make clean
make update SVN_UPDATE=yes

vi /etc/make.conf
------------------------------ cut here ------------------------------
WITHOUT_X11=yes
WITHOUT_ATM=yes
WITHOUT_I4B=yes
WITHOUT_IPX=yes
WITHOUT_NIS=yes
DEFAULT_VERSIONS+=ssl=openssl
------------------------------ cut here ------------------------------

vi /etc/src.conf
------------------------------ cut here ------------------------------
WITHOUT_X11=yes
WITHOUT_ATM=yes
WITHOUT_I4B=yes
WITHOUT_IPX=yes
WITHOUT_NIS=yes
------------------------------ cut here ------------------------------
```
Install the following ports
```
portmaster -d shells/bash
portmaster -d sysutils/lsof
portmaster -d security/sudo
portmaster -d security/openssl
cp /usr/local/openssl/openssl.cnf.sample /usr/local/openssl/openssl.cnf
```
Install ProFTPD
```
portmaster -d ftp/proftpd

vi /etc/rc.conf.d/proftpd
------------------------------ cut here ------------------------------
proftpd_enable="YES"
proftpd_config="/home/proftpd/etc/proftpd.conf"
------------------------------ cut here ------------------------------
```
Integrate ClamAV into ProFTPd for virus scanning
```
portmaster -d security/proftpd-mod_clamav

vi /etc/rc.conf.d/clamav_clamd
------------------------------ cut here ------------------------------
clamav_clamd_enable="YES"
clamav_clamd_socket="/var/run/clamav/clamd.sock"
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/clamav_freshclam
------------------------------ cut here ------------------------------
clamav_freshclam_enable="YES"
------------------------------ cut here ------------------------------

freshclam
rpl '#TCPSocket 3310' 'TCPSocket 3310' /usr/local/etc/clamd.conf
sh /usr/local/etc/rc.d/clamav-freshclam start
sh /usr/local/etc/rc.d/clamav-clamd start
```
Install the MySQL backend

```
portmaster -d databases/mysql57-server

vi /usr/local/etc/rc.d/mysql-server
------------------------------ cut here ------------------------------
eval $mysql_install_db $mysql_install_db_args # >/dev/null 2>/dev/null
eval `/usr/bin/limits ${mysql_limits_args}` # 2>/dev/null
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/mysql
------------------------------ cut here ------------------------------
mysql_enable="YES"
mysql_limits="NO"
mysql_args=""
------------------------------ cut here ------------------------------

sh /usr/local/etc/rc.d/mysql-server start
mysqladmin -u root -p password 'password'
portmaster -d databases/proftpd-mod_sql_mysql
```
Configure and start ProFTPD
```
mkdir /home/proftpd
mkdir /home/proftpd/conf
mkdir /home/proftpd/empty
mkdir /home/proftpd/etc
mkdir /home/proftpd/etc/users
mkdir /home/proftpd/log
mkdir /home/proftpd/root
mkdir /home/proftpd/root/super
mkdir /home/proftpd/root/super/download
mkdir /home/proftpd/root/super/upload
mkdir /home/proftpd/ssh
mkdir /home/proftpd/ssl
cp /etc/ssh/ssh_host_rsa_key /home/proftpd/ssh/ssh_host_rsa_key
cp /usr/local/etc/proftpd.conf /home/proftpd/etc/proftpd.conf
rpl "ProFTPD Default Installation" "FTPSSL" /home/proftpd/etc/proftpd.conf
rpl '#DefaultRoot ~' 'DefaultRoot ~' /home/proftpd/etc/proftpd.conf

vi /home/proftpd/etc/proftpd.conf
------------------------------ cut here ------------------------------
ServerName "FTPSSL"
ServerType standalone
DefaultServer on
MasqueradeAddress elastic-ip-address-of-the-firewall-instance
PassivePorts 60000 65535
ScoreboardFile /var/run/proftpd/proftpd.scoreboard
Port 21
LoadModule mod_clamav.c
LoadModule mod_tls.c
TLSEngine on
TLSLog /home/proftpd/log/tls.log
TLSProtocol SSLv3 TLSv1
TLSRequired on
TLSRSACertificateFile /home/proftpd/ssl/crt.pem
TLSRSACertificateKeyFile /home/proftpd/ssl/key.rsa.null.pem
TLSCACertificateFile /home/proftpd/ssl/ca-crt.pem
TLSVerifyClient off
TLSRenegotiate none
TLSOptions AllowDotLogin NoSessionReuseRequired
ClamAV on
ClamServer localhost
ClamPort 3310
LoadModule mod_sql.c
LoadModule mod_sql_mysql.c
LoadModule mod_sql_passwd.c
SQLBackend mysql
SQLEngine on
SQLPasswordEngine on
SQLAuthenticate on
SQLAuthTypes SHA1
SQLConnectInfo proftpd@localhost root password
SQLDefaultUID 1100
SQLDefaultGID 21
SQLUserInfo users userid passwd NULL NULL homedir shell
SQLGroupInfo groups groupname gid members
SQLUserWhereClause "disabled != 1"
SQLLogFile /home/proftpd/log/sql
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "login_count=login_count+1, last_login=now() WHERE userid='%u'" users
SQLLog RETR bytes-out-count
SQLNamedQuery bytes-out-count UPDATE "bytes_out_used=bytes_out_used+%b WHERE userid='%u'" users
SQLLog RETR files-out-count
SQLNamedQuery files-out-count UPDATE "files_out_used=files_out_used+1 WHERE userid='%u'" users
SQLLog STOR bytes-in-count
SQLNamedQuery bytes-in-count UPDATE "bytes_in_used=bytes_in_used+%b WHERE userid='%u'" users
SQLLog STOR files-in-count
SQLNamedQuery files-in-count UPDATE "files_in_used=files_in_used+1 WHERE userid='%u'" users
CreateHome on 775
AuthOrder mod_sql.c
UseIPv6 off
Umask 002
MaxInstances 30
CommandBufferSize 512
User ftp
Group ftp
DefaultRoot ~
AllowOverwrite on
DisplayConnect /home/proftpd/conf/connect.msg
ExtendedLog /home/proftpd/log/extended
IdentLookups off
MaxClients 20 "Sorry, max %m users -- try again later"
MaxClientsPerHost 4 "Sorry, you may not connect more than 4 times."
MaxClientsPerUser 4 "Sorry, you may not connect more than 4 times."
MaxHostsPerUser 4 "Sorry, you may not connect more than 4 times."
MaxLoginAttempts 6
MultilineRFC2228 on
RequireValidShell off
ServerIdent on "FTPSSL server ready"
ServerLog /home/proftpd/log/server
SystemLog /home/proftpd/log/system
TransferLog /home/proftpd/log/transfer
UseReverseDNS off
<Limit SITE_CHMOD>
  DenyAll
</Limit>
Include /home/proftpd/etc/users/*.conf
------------------------------ cut here ------------------------------

vi /home/proftpd/etc/users/downloaduser.conf
------------------------------ cut here ------------------------------
<Directory ~downloaduser>
  <Limit WRITE>
    DenyAll
    AllowUser superftpuser
  </Limit>
</Directory>
------------------------------ cut here ------------------------------

vi /home/proftpd/etc/users/uploaduser.conf
------------------------------ cut here ------------------------------
<Directory ~uploaduser>
  <Limit ALL>
    DenyAll
    AllowUser superftpuser
  </Limit>
  <Limit CDUP CWD PWD XCWD XCUP>
    AllowAll
  </Limit>
  <Limit STOR STOU>
    AllowAll
  </Limit>
</Directory>
------------------------------ cut here ------------------------------

vi /home/proftpd/conf/connect.msg
------------------------------ cut here ------------------------------
Restricted access only
------------------------------ cut here ------------------------------

vi /home/proftpd/conf/login.msg
------------------------------ cut here ------------------------------
Welcome / FTPSSL
------------------------------ cut here ------------------------------

vi /home/proftpd/conf/quit.msg
------------------------------ cut here ------------------------------
Goodbye / FTPSSL
------------------------------ cut here ------------------------------

chown -R downloaduser:ftpssl /home/proftpd/root/super/download/.
chown -R uploaduser:ftpssl /home/proftpd/root/super/upload/.
chown -R superftpuser:ftpssl /home/proftpd/root/.
chmod 775 /home/proftpd/root/super/download
chmod 775 /home/proftpd/root/super/upload
sh /usr/local/etc/rc.d/proftpd start
```
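To review a proftpd.conf like the one above before exposing the service, here is an added example (not part of the original post) with a small parser for ProFTPD's directive and `<Limit>` block syntax and a few defender-side checks over it: SSLv3 in `TLSProtocol`, `TLSRequired`, the `PassivePorts` range that the firewall must forward, the MySQL account in `SQLConnectInfo`, `DefaultRoot ~`, and the `SITE CHMOD` denial. The configuration text is a constructed excerpt of the page's file; the `review` findings are this example's own wording.

```python
import re

# Constructed excerpt of the proftpd.conf shown on the page.
SAMPLE_CONF = """\
ServerName "FTPSSL"
PassivePorts 60000 65535
TLSEngine on
TLSProtocol SSLv3 TLSv1
TLSRequired on
TLSVerifyClient off
SQLAuthTypes SHA1
SQLConnectInfo proftpd@localhost root password
DefaultRoot ~
<Limit SITE_CHMOD>
  DenyAll
</Limit>
"""

def parse_proftpd_conf(text):
    """Return (directives, blocks).  directives maps a top-level directive name
    to its argument list (last occurrence wins); blocks is a list of
    (block header, [(directive, args), ...]) for <...> ... </...> sections."""
    directives, blocks, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("</"):
            blocks.append(stack.pop())    # close the innermost block
            continue
        if line.startswith("<"):
            stack.append((line.strip("<>"), []))
            continue
        name, *rest = re.findall(r'"[^"]*"|\S+', line)   # keep quoted args whole
        args = [a.strip('"') for a in rest]
        if stack:
            stack[-1][1].append((name, args))
        else:
            directives[name] = args
    return directives, blocks

def review(directives, blocks):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if "SSLv3" in directives.get("TLSProtocol", []):
        findings.append("TLSProtocol enables SSLv3, which is deprecated (RFC 7568)")
    if directives.get("TLSRequired", ["off"])[0] != "on":
        findings.append("TLSRequired is not 'on': plaintext logins would be accepted")
    lo, hi = map(int, directives.get("PassivePorts", ["0", "0"]))
    if not (1024 <= lo < hi <= 65535):
        findings.append("PassivePorts range is invalid or touches privileged ports")
    conn = directives.get("SQLConnectInfo", [])
    if len(conn) >= 2 and conn[1] == "root":
        findings.append("SQLConnectInfo uses the MySQL root account")
    if "~" not in directives.get("DefaultRoot", []):
        findings.append("DefaultRoot ~ missing: users are not confined to their home")
    chmod_denied = any(hdr == "Limit SITE_CHMOD" and ("DenyAll", []) in body
                       for hdr, body in blocks)
    if not chmod_denied:
        findings.append("SITE CHMOD is not denied")
    return findings

if __name__ == "__main__":
    for finding in review(*parse_proftpd_conf(SAMPLE_CONF)):
        print("finding:", finding)
```

Point `SAMPLE_CONF` at the real `/home/proftpd/etc/proftpd.conf` contents to check the live file; the `Include`d per-user files are parsed the same way.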
Optionally install a client certificate for ftpssl users

Example:

```
cp client-crt.pem /home/proftpd/root/super/download/.tlslogin
chmod 644 /home/proftpd/root/super/download/.tlslogin
chown superftpuser:ftpssl /home/proftpd/root/super/download/.tlslogin
```
Install Apache, PHP and ProFTPd-Admin
```
portmaster -d -m 'WITH_PROXY_MODULES=yes' -m 'WITH_SUEXEC_MODULES=yes' www/apache24
------------------------------ cut here ------------------------------
[X] SUEXEC
------------------------------ cut here ------------------------------

rpl /usr/local/etc/apache24/httpd.conf /home/apache/conf/httpd.conf /usr/local/etc/rc.d/apache24
rpl /var/run/httpd /home/apache/pid/httpd /usr/local/etc/rc.d/apache24
rpl -q '.pid' '' /usr/local/etc/rc.d/apache24
mkdir /home/apache
mkdir /home/apache/conf
mkdir /home/apache/empty
mkdir /home/apache/lock
mkdir /home/apache/logs
mkdir /home/apache/logs/data
chown www:www /home/apache/logs/data
mkdir /home/apache/pid
mkdir /home/apache/conf/ssl.crl
mkdir /home/apache/conf/ssl.crt
mkdir /home/apache/conf/ssl.crt/ftpssl
mkdir /home/apache/conf/ssl.key
mkdir /home/apache/conf/ssl.key/ftpssl
mkdir /home/apache/virtual
touch /home/apache/logs/access
touch /home/apache/logs/error
cd /usr/local/etc/apache24; tar cf - . | (cd /home/apache/conf/.; tar xf -)
rpl 'ServerRoot "/usr/local"' 'ServerRoot "/home/apache"' /home/apache/conf/httpd.conf
rpl 'LoadModule userdir_module' '#LoadModule userdir_module' /home/apache/conf/httpd.conf
rpl '#LoadModule ssl_module' 'LoadModule ssl_module' /home/apache/conf/httpd.conf
rpl 'ServerAdmin you@example.com' 'ServerAdmin root@securesc.ca' /home/apache/conf/httpd.conf
rpl 'DirectoryIndex index.html' 'DirectoryIndex index.html index.php' /home/apache/conf/httpd.conf
rpl 'ErrorLog "/var/log/httpd-error.log"' 'ErrorLog "/home/apache/logs/error"' /home/apache/conf/httpd.conf
rpl 'CustomLog "/var/log/httpd-access.log"' 'CustomLog "/home/apache/logs/access"' /home/apache/conf/httpd.conf
rpl 'Listen 80' '#Listen 80' /home/apache/conf/httpd.conf
rpl libexec/apache24/ /usr/local/libexec/apache24/ /home/apache/conf/httpd.conf
rpl etc/apache24/ /home/apache/conf/ /home/apache/conf/httpd.conf

vi /home/apache/conf/httpd.conf
------------------------------ cut here ------------------------------
ServerName ftpssl.domain:80
PidFile "/home/apache/pid/httpd"
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
LoadFile /usr/local/lib/libxml2.so
LoadModule cgi_module /usr/local/libexec/apache24/mod_cgi.so
LoadModule unique_id_module /usr/local/libexec/apache24/mod_unique_id.so
LoadModule suexec_module /usr/local/libexec/apache24/mod_suexec.so
LoadModule xml2enc_module /usr/local/libexec/apache24/mod_xml2enc.so
LoadModule suphp_module /usr/local/libexec/apache24/mod_suphp.so
#LoadModule security2_module /usr/local/libexec/apache24/mod_security2.so
LoadModule proxy_html_module /usr/local/libexec/apache24/mod_proxy_html.so
ExtendedStatus On
ProxyHTMLLinks a href
ProxyHTMLLinks area href
ProxyHTMLLinks link href
ProxyHTMLLinks img src longdesc usemap
ProxyHTMLLinks object classid codebase data usemap
ProxyHTMLLinks q cite
ProxyHTMLLinks blockquote cite
ProxyHTMLLinks ins cite
ProxyHTMLLinks del cite
ProxyHTMLLinks form action
ProxyHTMLLinks input src usemap
ProxyHTMLLinks head profile
ProxyHTMLLinks base href
ProxyHTMLLinks script src for
ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \
    onmouseover onmousemove onmouseout onkeypress \
    onkeydown onkeyup onfocus onblur onload \
    onunload onsubmit onreset onselect onchange
ProxyHTMLLinks frame src longdesc
ProxyHTMLLinks iframe src longdesc
ProxyHTMLLinks body background
ProxyHTMLLinks applet codebase
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/apache24
------------------------------ cut here ------------------------------
apache24_enable="YES"
apache24_profiles=""
apache24limits_enable="NO"
apache24_flags="-f /home/apache/conf/httpd.conf"
apache24limits_args="-e -C daemon"
apache24_http_accept_enable="YES"
------------------------------ cut here ------------------------------

touch /home/apache/logs/suexec
portmaster -d lang/php56
portmaster -d textproc/php56-simplexml
portmaster -d databases/php56-mysqli
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
rpl ';date.timezone =' 'date.timezone = America/Montreal' /usr/local/etc/php.ini
rpl ';include_path = ".:/php/includes"' 'include_path = ".:/php/includes"' /usr/local/etc/php.ini
rpl 'max_execution_time = 30' 'max_execution_time = 300' /usr/local/etc/php.ini
rpl 'short_open_tag = Off' 'short_open_tag = On' /usr/local/etc/php.ini
rpl 'post_max_size = 8M' 'post_max_size = 32M' /usr/local/etc/php.ini
rpl 'memory_limit = 128M' 'memory_limit = 512M' /usr/local/etc/php.ini
portmaster -d -m 'WITH_SETID_MODE=force' www/suphp
cp /usr/local/etc/suphp.conf-example /usr/local/etc/suphp.conf

vi /usr/local/etc/suphp.conf
------------------------------ cut here ------------------------------
;docroot=/usr/local/www/*:${HOME}/public_html
docroot=/
check_vhost_docroot=false
umask=0022
min_uid=0
min_gid=0
------------------------------ cut here ------------------------------

mkdir /home/apache/virtual/proftpd_admin
mkdir /home/apache/logs/proftpd_admin
cd /root
fetch https://github.com/ChristianBeer/ProFTPd-Admin/archive/master.zip
unzip master.zip
cd ProFTPd-Admin-master
tar cf - . | (cd /home/apache/virtual/proftpd_admin/.; tar xpf -)
rpl '0000-00-00 00:00:00' '1970-01-01 00:00:01' tables.sql
mysql -u root -p
mysql> drop database proftpd;
mysqladmin -p create proftpd
mysql -u root -p proftpd < tables.sql
cd /home/apache/virtual/proftpd_admin
cp configs/config_example.php configs/config.php

vi /home/apache/virtual/proftpd_admin/configs/config.php
------------------------------ cut here ------------------------------
$cfg['default_homedir'] = "/home/proftpd/root/super/changeme";
$cfg['min_uid'] = -1;
$cfg['max_uid'] = -1;
$cfg['min_gid'] = -1;
$cfg['max_gid'] = -1;
$cfg['db_name'] = "proftpd";
$cfg['db_user'] = "root";
$cfg['db_pass'] = "XXX";
------------------------------ cut here ------------------------------

chmod 400 /home/apache/virtual/proftpd_admin/configs/config.php
chown -R ftp:ftp /home/apache/virtual/proftpd_admin/.

vi /home/apache/conf/Includes/10.20.1.13.conf
------------------------------ cut here ------------------------------
Listen 10.20.1.13:443
------------------------------ cut here ------------------------------

vi /home/apache/conf/Includes/ftpssl.conf
------------------------------ cut here ------------------------------
<VirtualHost 10.20.1.13:443>
  ServerAdmin apache@securesc.ca
  ServerName ftpssl.domain
  ServerAlias ftpssl
  DocumentRoot /home/apache/virtual/proftpd_admin
  ErrorLog /home/apache/logs/proftpd_admin/error
  CustomLog /home/apache/logs/proftpd_admin/access combined
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
  SSLCertificateFile /home/apache/conf/ssl.crt/ftpssl/crt.pem
  SSLCertificateKeyFile /home/apache/conf/ssl.key/ftpssl/key.pem
  SSLCertificateChainFile /home/apache/conf/ssl.crt/ftpssl/ca-crt.pem
  SuexecUserGroup ftp ftp
  suPHP_Engine on
  suPHP_UserGroup ftp ftp
  suPHP_AddHandler application/x-httpd-php
  AddType application/x-httpd-php .php
  <Location />
    Order deny,allow
    Allow from all
    AuthName "FTPSSL Admin Access"
    AuthType Basic
    AuthUserFile /home/proftpd/etc/htpasswd.users
    Require valid-user
  </Location>
</VirtualHost>
------------------------------ cut here ------------------------------

htpasswd -bc /home/proftpd/etc/htpasswd.users admin XXX
sh /usr/local/etc/rc.d/apache24 start
```
Install OSSEC
```
portmaster -d security/ossec-hids-server
rpl daniel.cid@xxx.com root@host.domain /usr/local/ossec-hids/etc/ossec.conf
rpl smtp.xxx.com. host.domain /usr/local/ossec-hids/etc/ossec.conf
rpl ossecm@ossec.xxx.com. ossecm@host.domain /usr/local/ossec-hids/etc/ossec.conf

vi /usr/local/ossec-hids/etc/ossec.conf
------------------------------ cut here ------------------------------
<global>
  <white_list>127.0.0.1</white_list>
</global>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/all.log</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/home/proftpd/log/server</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/home/proftpd/log/transfer</location>
</localfile>
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/ossechids
------------------------------ cut here ------------------------------
ossechids_enable="YES"
ossechids_user="ossec"
ossechids_group="ossec"
------------------------------ cut here ------------------------------

cp /etc/localtime /usr/local/ossec-hids/var/etc/localtime
chown root:ossec /usr/local/ossec-hids/var/etc/localtime
sh /usr/local/etc/rc.d/ossec-hids start
```
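OSSEC is now tailing `/home/proftpd/log/transfer`, which ProFTPD writes in the classic xferlog format. As an added example (not from the original post), the script below parses records in that format and flags transfers that contradict the per-user policy implied by the `users/*.conf` Limit blocks (downloaduser may only fetch, uploaduser may only store), plus transfers ProFTPD marked incomplete; the log lines and the `POLICY` table are constructed for this example and are not OSSEC rules.

```python
# Constructed TransferLog (xferlog) records; the field order is
# date(5 tokens) transfer-time remote-host file-size filename transfer-type
# special-action-flag direction access-mode username service-name
# authentication-method authenticated-user-id completion-status.
SAMPLE_LOG = """\
Mon Jan  9 10:02:33 2017 3 10.20.1.10 1048576 /home/proftpd/root/super/upload/report.zip b _ i r uploaduser ftp 0 * c
Mon Jan  9 10:05:10 2017 1 10.20.1.10 2048 /home/proftpd/root/super/download/notes.txt a _ o r downloaduser ftp 0 * c
Mon Jan  9 10:07:45 2017 2 10.20.1.10 4096 /home/proftpd/root/super/download/drop.bin b _ i r downloaduser ftp 0 * c
Mon Jan  9 10:09:00 2017 9 10.20.1.10 524288 /home/proftpd/root/super/upload/report.zip b _ o r uploaduser ftp 0 * i
"""

# Allowed transfer directions per account, taken from the page's Limit blocks:
# 'i' = incoming (upload to the server), 'o' = outgoing (download), 'd' = delete.
POLICY = {
    "superftpuser": {"i", "o", "d"},
    "downloaduser": {"o"},
    "uploaduser": {"i"},
}

# Fixed fields that follow the filename; the record is split from the right so
# a filename containing spaces still parses.
TRAILING = ("type", "flag", "direction", "mode", "user",
            "service", "auth", "auth_id", "status")

def parse_xferlog_line(line):
    """Return a dict for one TransferLog record, or None if it is malformed."""
    tokens = line.split()
    if len(tokens) < 5 + 3 + 1 + len(TRAILING):
        return None
    rec = {"time": " ".join(tokens[:5]),
           "seconds": int(tokens[5]), "host": tokens[6], "size": int(tokens[7]),
           "file": " ".join(tokens[8:-len(TRAILING)])}
    rec.update(zip(TRAILING, tokens[-len(TRAILING):]))
    return rec

def review_transfers(text, policy=POLICY):
    """Return one finding string per record that breaks policy or failed."""
    findings = []
    for line in text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None:
            findings.append("unparseable record: " + line)
            continue
        allowed = policy.get(rec["user"])
        if allowed is None:
            findings.append("unknown account %s from %s" % (rec["user"], rec["host"]))
        elif rec["direction"] not in allowed:
            # The Limit blocks should make this impossible; if it shows up in
            # the log, the per-user .conf did not apply as intended.
            findings.append("%s performed direction '%s' on %s (not permitted)"
                            % (rec["user"], rec["direction"], rec["file"]))
        if rec["status"] == "i":
            findings.append("incomplete transfer of %s by %s (%d bytes)"
                            % (rec["file"], rec["user"], rec["size"]))
    return findings

if __name__ == "__main__":
    for finding in review_transfers(SAMPLE_LOG):
        print("finding:", finding)
```

Feeding the real transfer log through `review_transfers` gives a quick sanity check that the Limit blocks behave as described before relying on OSSEC alerts alone.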
Optionally install the Wazuh agent (if you have a Wazuh manager)

```
portmaster -d lang/gcc
cd /root
fetch https://github.com/wazuh/wazuh/archive/v2.1.0.tar.gz
tar zxf v2.1.0.tar.gz
cd wazuh-2.1.0
./install.sh

vi /var/ossec/etc/ossec.conf
------------------------------ cut here ------------------------------
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/all.log</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/home/proftpd/log/server</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/home/proftpd/log/transfer</location>
</localfile>
------------------------------ cut here ------------------------------

vi /usr/local/etc/rc.d/wazuh-agent
------------------------------ cut here ------------------------------
#!/bin/sh
#
# PROVIDE: wazuhagent
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: shutdown

. /etc/rc.subr

name="wazuhagent"
rcvar=wazuhagent_enable

load_rc_config $name

: ${wazuhagent_enable="NO"}

start_cmd="wazuhagent_command start"
stop_cmd="wazuhagent_command stop"
restart_cmd="wazuhagent_command restart"
status_cmd="wazuhagent_command status"
reload_cmd="wazuhagent_command reload"

command="/var/ossec/bin/ossec-control"
required_files="/var/ossec/etc/ossec.conf"
extra_commands="reload"

# Hand the rc verb (start/stop/...) straight to ossec-control
wazuhagent_command()
{
    ${command} ${rc_arg}
}

run_rc_command "$1"
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/wazuhagent
------------------------------ cut here ------------------------------
wazuhagent_enable="YES"
------------------------------ cut here ------------------------------

/var/ossec/bin/agent-auth -m wazuh_manager_ip_address
cp /etc/localtime /var/ossec/etc/localtime
sh /usr/local/etc/rc.d/wazuh-agent start
```