OSSEC remoted not allowing a client to connect
Posted: Mon Sep 19, 2011 7:09 pm
I'm having some trouble with OSSEC. I contacted Daniel Cid on the OSSEC users mailing list, but the problem isn't reproducible with the latest vanilla OSSEC source. I could reproduce the problem when using the Atomic Corp RPMs.
I have a RHEL6 client running:
ossec-hids-2.6-5.el6.art.x86_64
ossec-hids-client-2.6-5.el6.art.x86_64
I have a RHEL5 server running:
ossec-hids-server-2.6-5.el5.art
ossec-hids-2.6-5.el5.art
I generated my SSL keys and ran:
# /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
My client connects and gets its key. The keys match. I restart OSSEC on server and client.
The client ossec log complains:
ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 .
ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 .
The server ossec log says:
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
I replaced the Atomic OSSEC packages on BOTH the agent and server with the OSSEC vanilla source. This resulted in successful client -> server communications with no errors.