ossec-remoted not listening IPv4 #1611
Comments
|
Mine says the same thing: But it works on ipv4. I think your problem is elsewhere. Try running the server in debug mode ( Check the agent's ossec.log to see if it's reporting any issues. |
|
Concur. I’d look at the actual IP address the agent stream is sourced from and compare to what the server is expecting. I suspect a mismatch but the log should be indicating this too.
Tony
… On Dec 24, 2018, at 01:09, Dan Parriott ***@***.***> wrote:
Mine says the same thing:
***@***.*** ~]$ sudo netstat -tulpan
udp6 0 0 192.168.18.204:1514 :::* 1781/ossec-remoted
But it works on ipv4. I think your problem is elsewhere.
Try running the server in debug mode (/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart) and check the ossec.log for errors.
Check the agent's ossec.log to see if it's reporting any issues.
Use tcpdump on the server to make sure the packets from the agent are seen as arriving from the configured IP address (no NAT devices or anything in between).
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Hello folks... --> First a description of this machine, as of before installing ossec-server: Ubuntu Server 18.04.01, kernel 4.15.0-43-generic, running in a local x86_64 VM (VirtualBox) on my laptop. Previously installed packages are: make, gcc, libtool, autoconf, automake, needrestart, whois, nmap, virtualbox guest agent, mate desktop. Please note that as I'm using the atomic's repo for ubuntu, this is not about ossec most current version, but the version "3.1.0-5732bionic", as I stated on the first post. --> Steps taken & diagnostics: 1 ) Netstat before installing ossec. 2 ) Install ossec server. 3 ) Create an agent key with manage_agents . 4 ) Restart ossec server and new netstat. 5 ) Enable debug and restart ossec service.
6 ) I'm not showing the ossec.log as of this step, since I'm gonna show how it was after step 7. 7 ) Change ossec.conf (just added my local ipv4 address on remoted section). 8 ) Restart service on debug mode again.
9 ) Netstat again. 10 ) ossec.log (starting from the shutdown caused by the restart command). This step 10 is attached as a txt file. --> Comments: I didn't test the stream from the agent this time because on that first test I did it (with netcat in the server, listening on udp ipv4 port 1415) and it was OK; also, the problem seems to be with the ossec server (remoted) ipv4 listening. But if you tell me that this netstat output I got is the expected behavior I could try some other tests with ossec agent. |
|
You don’t need to do steps 7 and 8.
How did you specify the server target when you installed the agent? If you used a host name, try using the IPv4 address of the server instead. That will confine the agent<->server connection to IPv4.
Tony
… On Dec 29, 2018, at 15:25, mr-cortex-dot-io ***@***.***> wrote:
Hello folks...
So, this time I'll be able to properly paste some diagnostics as suggested.
--> First a description of this machine, as of before installing ossec-server: Ubuntu Server 18.04.01, kernel 4.15.0-43-generic, running in a local x86_64 VM (VirtualBox) on my laptop. Previously installed packages are: make, gcc, libtool, autoconf, automake, needrestart, whois, nmap, virtualbox guest agent, mate desktop.
--> Steps taken & diagnostics:
1 ) Netstat before installing ossec.
***@***.***:~ # netstat -tulpan # this is before installing ossec.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 512/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1263/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 585/cupsd
tcp 0 196 192.168.56.16:22 192.168.56.1:58936 ESTABLISHED 1372/sshd: elrondic
tcp6 0 0 :::22 :::* LISTEN 1263/sshd
tcp6 0 0 ::1:631 :::* LISTEN 585/cupsd
udp 0 0 127.0.0.53:53 0.0.0.0:* 512/systemd-resolve
udp 0 0 192.168.0.134:68 0.0.0.0:* 498/systemd-network
udp 0 0 0.0.0.0:53677 0.0.0.0:* 591/avahi-daemon: r
udp 0 0 0.0.0.0:631 0.0.0.0:* 828/cups-browsed
udp 0 0 0.0.0.0:5353 0.0.0.0:* 591/avahi-daemon: r
udp6 0 0 :::5353 :::* 591/avahi-daemon: r
udp6 0 0 :::60741 :::* 591/avahi-daemon: r
2 ) Install ossec server.
***@***.***:~ # wget -q -O - https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt | sudo apt-key add -
***@***.***:~ # source /etc/lsb-release
***@***.***:~ # echo "deb https://updates.atomicorp.com/channels/atomic/ubuntu $DISTRIB_CODENAME main" >> /etc/apt/sources.list.d/atomic.list
***@***.***:~ # apt update
***@***.***:~ # apt install ossec-hids-server
3 ) Create an agent key with manage_agents .
***@***.***:~ # /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v3.1.0 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: a
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: agent1
* The IP Address of the new agent: 192.168.56.1
* An ID for the new agent[001]:
Agent information:
ID:001
Name:agent1
IP Address:192.168.56.1
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v3.1.0 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting.
4 ) Restart ossec server and new netstat.
***@***.***:~ # /etc/init.d/ossec restart
ossec-monitord not running ..
ossec-logcollector not running ..
ossec-remoted not running ..
ossec-syscheckd not running ..
ossec-analysisd not running ..
ossec-maild not running ..
ossec-execd not running ..
OSSEC HIDS v3.1.0 Stopped
Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
***@***.***:~ # netstat -tulpan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 512/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1263/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 585/cupsd
tcp 0 0 192.168.56.16:22 192.168.56.1:58936 ESTABLISHED 1372/sshd: elrondic
tcp6 0 0 :::22 :::* LISTEN 1263/sshd
tcp6 0 0 ::1:631 :::* LISTEN 585/cupsd
udp 0 0 127.0.0.53:53 0.0.0.0:* 512/systemd-resolve
udp 0 0 192.168.0.134:68 0.0.0.0:* 498/systemd-network
udp 0 0 0.0.0.0:53677 0.0.0.0:* 591/avahi-daemon: r
udp 0 0 0.0.0.0:631 0.0.0.0:* 828/cups-browsed
udp 0 0 0.0.0.0:5353 0.0.0.0:* 591/avahi-daemon: r
udp6 0 0 :::5353 :::* 591/avahi-daemon: r
udp6 0 0 :::60741 :::* 591/avahi-daemon: r
udp6 0 0 :::1514 :::* 3664/ossec-remoted
5 ) Enable debug and restart ossec service.
***@***.***:~ # /var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart
6 ) I'm not showing the ossec.log as of this step, since I'm gonna show how it was after step 7.
7 ) Change ossec.conf (just added my local ipv4 address on remoted section).
<remote>
<connection>secure</connection>
<local_ip>192.168.56.16</local_ip>
</remote>
8 ) Restart service on debug mode again.
***@***.***:~/ossec-debug-feedback # /var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart
9 ) Netstat again.
***@***.***:~/ossec-debug-feedback # netstat -tulpan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 512/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1263/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 585/cupsd
tcp 0 196 192.168.56.16:22 192.168.56.1:60958 ESTABLISHED 5367/sshd: elrondic
tcp6 0 0 :::22 :::* LISTEN 1263/sshd
tcp6 0 0 ::1:631 :::* LISTEN 585/cupsd
udp 0 0 127.0.0.53:53 0.0.0.0:* 512/systemd-resolve
udp 0 0 192.168.0.134:68 0.0.0.0:* 498/systemd-network
udp 0 0 0.0.0.0:53677 0.0.0.0:* 591/avahi-daemon: r
udp 0 0 0.0.0.0:631 0.0.0.0:* 828/cups-browsed
udp 0 0 0.0.0.0:5353 0.0.0.0:* 591/avahi-daemon: r
udp6 0 0 :::5353 :::* 591/avahi-daemon: r
udp6 0 0 :::60741 :::* 591/avahi-daemon: r
udp6 0 0 192.168.56.16:1514 :::* 5710/ossec-remoted
10 ) ossec.log (starting from the shutdown caused by the restart command).
This step 10 is attached as a txt file.
ossec.log_debug-mode_after-ipv4-specified.txt
--> Comments:
I didn't test the stream from the agent this time because on that first test I did it (with netcat in the server, listening on udp ipv4 port 1415) and it was OK; also, the problem seems to be with the ossec server (remoted) ipv4 listening. But if you tell me that this netstat output I got is the expected behavior I could try some other tests with ossec agent.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Sorry, but I'm not sure of what you asked exactly... So I'm answering two things.
|
|
I have exactly the same issue. Is there any chance, that #1880 would fix it? |
|
Disable IPv6 if you don't need it. sysctl -a -N | grep -P 'net\.ipv6\.conf\..*\.disable_ipv6' | xargs -I{} sysctl -w '{}=1'
systemctl restart ossec-hids |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-- OS: Ubuntu Server 18.04.01 (Linux 4.15.0-43-generic).
-- OSSEC version: 3.1.0-5732bionic (from atomic's ubuntu repo).
-- System context: this was tested and replicated on a plain semi-vanilla install on a VirtualBox VM. After OS installation I added a mate-desktop and the VirtualBox Guest Additions. Anyways, the results were the same I had on the remote VPS server (same distro/kernel, no desktop/GUI, no VirtualBox stuff, no kernel tainting of any kind).
-- Simplest path to replicate the problem:
-- Some tests I did after those three steps:
1.1) netstat after specifying an IPv4 address:
Sorry that I'm not pasting it (nor the next test results) here, but it was very odd: ossec-remoted was listening on udp 1514 , BUT, at a local IPv6 address number ending with the IPv4 address that I specified on ossec.conf. And nothing was listening on IPv4.
2) netcat on IPv4 UDP 1514 :
Result is that the agent stream was indeed being delivered at the IPv4 UDP 1514 on server machine. And ossec server couldn't get any info from the agent.
3) ossec server logs on debug level 2:
Not a thing about IPv4. But mentions IPv6 binding (not sure now, but I think it said it couldn't bind to IPv6).
-- Sorry for the missing ctrl+v's on the tests but I really had to post this issue today (better than tomnever). And thanks to the developer team for everything! 😃
The text was updated successfully, but these errors were encountered: