Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




Post subject: OSSEC remoted not allowing a client to connect
Posted: Mon Sep 19, 2011 7:09 pm
Forum User

Joined: Mon Sep 19, 2011 6:58 pm
Posts: 5
Location: San Jose, CA
I'm having some trouble with OSSEC. I contacted Daniel Cid on the OSSEC users mailing list, but the problem isn't reproducible with the latest vanilla OSSEC source. I could reproduce the problem when using the Atomic Corp RPMs.

I have a RHEL6 client running:
ossec-hids-2.6-5.el6.art.x86_64
ossec-hids-client-2.6-5.el6.art.x86_64

I have a RHEL5 server running:
ossec-hids-server-2.6-5.el5.art
ossec-hids-2.6-5.el5.art

I generated my SSL keys and ran
# /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &

My client connects and gets its key. The keys match. I restart OSSEC on server and client.

The client ossec log complains:
ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 .
ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 .

The server ossec log says:
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.

I replaced the Atomic OSSEC packages on BOTH the agent and server with the OSSEC vanilla source. This resulted in successful client -> server communications with no errors.


Post subject: Re: OSSEC remoted not allowing a client to connect
Posted: Tue Sep 20, 2011 6:25 pm
Forum User

Joined: Mon Sep 19, 2011 6:58 pm
Posts: 5
Location: San Jose, CA
I've done some more testing. I think the problem lies with the use of "any" when configuring agents, whether by hand, with manage_agents or using the new authd.

When I download and install the client and server from the ossec "nightly" mercurial repo, the client is able to connect to the server when the IP address is set to "any".

When I use your RPMS (client and server) the client is unable to connect to the server when I specify "any" for the IP address. In addition, the remoted fails to log this message on ossec.log. To see this error, I have to run remoted with -d and -f. Then I see error 1213, "Message from x.x.x. not allowed".

Could there be an issue with the RPMs? I noticed a spec file for ossec-hids-2.6-7 but didn't see any rpms yet. I'd be happy to test.


Post subject: Re: OSSEC remoted not allowing a client to connect
Posted: Wed Sep 21, 2011 11:45 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7863
Location: earth
Well, I'm not using the snapshots any more, so maybe this is related to running a later version than the packages. Did you try your test case with vanilla 2.6? Also, ossec-hids-2.6-7 might only be in the ASL channel; they're supposed to get duplicated across both repos, but that might have been implemented after 2.6-7 was done.


Post subject: Re: OSSEC remoted not allowing a client to connect
Posted: Thu Sep 29, 2011 8:51 pm
New Forum User

Joined: Thu Sep 29, 2011 8:42 pm
Posts: 1
Location: Athens, Ohio
I am experiencing the same issue: when I add an agent using client-authd/ossec-authd and the IP is <any>, it won't connect. If I update the client.keys file and change from <any> to the agent IP, it works fine. Currently, I am using RPM 2.6-5 from the repos, which is dated August 19. Any time frame for when the package will get updated?


Post subject: Re: OSSEC remoted not allowing a client to connect
Posted: Fri Sep 30, 2011 10:23 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7863
Location: earth
I'm heading out of the country shortly, so probably not until I get back in mid/late October.


Post subject: Re: OSSEC remoted not allowing a client to connect
Posted: Tue Oct 11, 2011 5:23 pm
Forum User

Joined: Mon Sep 19, 2011 6:58 pm
Posts: 5
Location: San Jose, CA
So I did some further testing and contacted Daniel Cid of OSSEC. He confirmed the issue when using the Atomic RPMs on the client.

To work around this, manually edit your client.keys file on the server and replace "any" with the IP of the host.


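The workaround in the post above (replacing "any" with the agent's IP in client.keys on the server), as an added example that is not part of the original thread or of the OSSEC packages. It assumes client.keys holds one agent per line as `<id> <name> <ip> <key>`; the function names and the sample entries are constructed for illustration. An "any" entry is accepted from whatever source address presents the key, so pinning it also narrows where that key can be used from.

```shell
#!/bin/sh
# Added example. Assumed client.keys layout, one agent per line:
#   <id> <name> <ip> <key>
# with "any" in <ip> for agents registered without a fixed address.

# Print "<id> <name>" for every agent whose address field is "any".
list_any_agents() {
    awk 'NF >= 4 && $3 == "any" { print $1, $2 }' "$1"
}

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# pin_agent_ip FILE ID IP: replace "any" with IP for agent ID only.
# Returns 2 for a bad IP, 3 if ID has no "any" entry (file left untouched).
pin_agent_ip() {
    keys=$1; id=$2; ip=$3
    is_ipv4 "$ip" || return 2
    tmp=$(mktemp) || return 1
    if awk -v id="$id" -v ip="$ip" '
            $1 == id && $3 == "any" { $3 = ip; hit = 1 }
            { print }
            END { exit (hit ? 0 : 3) }' "$keys" > "$tmp"
    then
        cat "$tmp" > "$keys"    # overwrite in place: owner and mode are kept
        rc=0
    else
        rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample data (the keys are placeholders, not real agent keys).
sample=$(mktemp)
printf '%s\n' '001 web01 any 6f1c0a-constructed-key' \
              '002 db01 10.0.0.7 9b42de-constructed-key' > "$sample"
list_any_agents "$sample"
pin_agent_ip "$sample" 001 1.2.3.3 && cat "$sample"
rm -f "$sample"
```

On a default install the server's file is /var/ossec/etc/client.keys; restart OSSEC on the server after changing it, as the first post does after registering the agent.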
 
 Post subject: Re: OSSEC remoted not allowing a client to connect
Posted: Wed Oct 19, 2011 5:52 pm
Forum User

Joined: Mon Sep 19, 2011 6:58 pm
Posts: 5
Location: San Jose, CA
Curious, has anyone been able to fix the OSSEC RPMS yet? Is there anything I can do to help?


Post subject: Re: OSSEC remoted not allowing a client to connect
Posted: Wed Oct 19, 2011 6:19 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7863
Location: earth
Well, if you could figure out what the difference is between the build processes, that would help a lot. Maybe it's a library or something; I'm in the dark on this one too.


Post subject: Re: OSSEC remoted not allowing a client to connect
Posted: Wed Oct 19, 2011 6:51 pm
Forum User

Joined: Mon Sep 19, 2011 6:58 pm
Posts: 5
Location: San Jose, CA
scott wrote:
Well, if you could figure out what the difference is between the build processes, that would help a lot. Maybe it's a library or something; I'm in the dark on this one too.


I don't know how you guys build the rpms. I wonder if there is something that is getting added/modified that is causing this. Does the maintainer of the RPMs visit the forums?


Post subject: Re: OSSEC remoted not allowing a client to connect
Posted: Thu Oct 20, 2011 9:35 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7863
Location: earth
Sure, that would be me. The .spec file is here:


http://www4.atomicorp.com/channels/sour ... -hids.spec

If you look at the %build macro, you'll see how it gets compiled. Above that are the dependencies that get installed into the build environment (called mock).


Post subject: Re: OSSEC remoted not allowing a client to connect
Posted: Tue Jan 03, 2012 8:38 pm
New Forum User

Joined: Tue Jan 03, 2012 8:37 pm
Posts: 1
Location: Rockies
JFYI, the problem with remoted not logging is because /var/ossec/logs isn't g+w, so remoted can't log there.

Fix that, and you'll at least see the errors. :)


Post subject: Re: OSSEC remoted not allowing a client to connect
Posted: Thu Jan 05, 2012 11:09 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7863
Location: earth
Awesome! Thanks for the follow up on this

