OSSEC remoted not allowing a client to connect

jms703
Forum User
Posts: 5
Joined: Mon Sep 19, 2011 6:58 pm
Location: San Jose, CA

OSSEC remoted not allowing a client to connect

Post by jms703

I'm having some trouble with OSSEC. I contacted Daniel Cid on the OSSEC users mailing list, but the problem isn't reproducible with the latest vanilla OSSEC source. I could reproduce the problem when using the Atomic Corp RPMs.

I have a RHEL6 client running:
ossec-hids-2.6-5.el6.art.x86_64
ossec-hids-client-2.6-5.el6.art.x86_64

I have a RHEL5 server running:
ossec-hids-server-2.6-5.el5.art
ossec-hids-2.6-5.el5.art

I generated my SSL keys and ran
# /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &

My client connects and gets its key. The keys match. I restart OSSEC
on server and client.

The client ossec log complains:
ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 .
ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 .

The server ossec log says:
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.
ossec-remoted(1213): WARN: Message from 1.2.3.3 not allowed.

I replaced the Atomic OSSEC packages on BOTH the agent and server with the OSSEC vanilla source. This resulted in successful client -> server communications with no errors.
jms703
Forum User

Re: OSSEC remoted not allowing a client to connect

Post by jms703

I've done some more testing. I think the problem lies with the use of "any" when configuring agents, whether by hand, with manage_agents or using the new authd.

When I download and install the client and server from the ossec "nightly" mercurial repo, the client is able to connect to the server when the IP address is set to "any".

When I use your RPMs (client and server) the client is unable to connect to the server when I specify "any" for the IP address. In addition, the remoted fails to log this message on ossec.log. To see this error, I have to run remoted with -d and -f. Then I see error 1213, "Message from x.x.x. not allowed".

Could there be an issue with the RPMs? I noticed a spec file for ossec-hids-2.6-7 but didn't see any RPMs yet. I'd be happy to test.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: OSSEC remoted not allowing a client to connect

Post by scott

Well, I'm not using the snapshots any more, so maybe this is related to running a later version than the packages. Did you try your test case with vanilla 2.6? Also, ossec-hids-2.6-7 might only be in the ASL channel; they're supposed to get duplicated across both repos, but that might have been implemented after 2.6-7 was done.
cshafer
New Forum User
Posts: 1
Joined: Thu Sep 29, 2011 8:42 pm
Location: Athens, Ohio

Re: OSSEC remoted not allowing a client to connect

Post by cshafer

I am experiencing the same issue: when I add an agent using client-authd/ossec-authd and the IP is <any>, it won't connect. If I update the client.keys file and change from <any> to the agent IP, it works fine. Currently, I am using RPM 2.6-5 from the repos, which is dated August 19. Any time frame of when the package will get updated?
scott
Atomicorp Staff - Site Admin

Re: OSSEC remoted not allowing a client to connect

Post by scott

I'm heading out of the country shortly, so probably not until I get back in mid/late October.
jms703
Forum User

Re: OSSEC remoted not allowing a client to connect

Post by jms703

So I did some further testing and contacted Daniel Cid of OSSEC. He confirmed the issue when using the Atomic RPMs on the client.

To work around this, manually edit your client.keys file on the server and replace "any" with the IP of the host.
jms703
Forum User

Re: OSSEC remoted not allowing a client to connect

Post by jms703

Curious, has anyone been able to fix the OSSEC RPMs yet? Is there anything I can do to help?
scott
Atomicorp Staff - Site Admin

Re: OSSEC remoted not allowing a client to connect

Post by scott

Well, if you could figure out what the difference is between the build processes, that would help a lot. Maybe it's a library or something; I'm in the dark on this one too.
jms703
Forum User

Re: OSSEC remoted not allowing a client to connect

Post by jms703

scott wrote: Well, if you could figure out what the difference is between the build processes, that would help a lot. Maybe it's a library or something; I'm in the dark on this one too.

I don't know how you guys build the RPMs. I wonder if there is something that is getting added/modified that is causing this. Does the maintainer of the RPMs visit the forums?
scott
Atomicorp Staff - Site Admin

Re: OSSEC remoted not allowing a client to connect

Post by scott

Sure, that would be me. The .spec file is here:

http://www4.atomicorp.com/channels/sour ... -hids.spec

If you look at the %build macro, you'll see how it gets compiled. Above that are the dependencies that get installed into the build environment (called mock).
atomic punk
New Forum User
Posts: 1
Joined: Tue Jan 03, 2012 8:37 pm
Location: Rockies

Re: OSSEC remoted not allowing a client to connect

Post by atomic punk

JFYI, the problem with remoted not logging is because /var/ossec/logs isn't g+w, so remoted can't log there.

Fix that, and you'll at least see the errors. :)
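The three things this thread turns on (the remoted 1213 "not allowed" warnings in the first post, the client.keys "any" workaround, and the logs directory not being group-writable) can be checked from a small script. This is an added example, not code from any poster or from the Atomicorp or OSSEC packages; it assumes the default /var/ossec paths, the standard client.keys layout of "<id> <name> <ip> <key>" per line, and Linux "ls -ld" output for the permission check.

```shell
#!/bin/sh
# Added diagnostic for the OSSEC agent/server symptoms discussed in this thread.
# Assumptions: default /var/ossec paths and client.keys lines of "<id> <name> <ip> <key>".
# Every function takes an explicit path so it can be run against copies of the files.

# List agents registered with "any" as their IP (the case that failed with the RPMs).
agents_with_any() {
    keys="${1:-/var/ossec/client.keys}"
    awk '$3 == "any" { print $1 " " $2 }' "$keys"
}

# Count ossec-remoted(1213) "Message from X not allowed" warnings per source IP,
# printed as "<ip> <count>". An IP listed here is sending but is not being accepted.
not_allowed_sources() {
    log="${1:-/var/ossec/logs/ossec.log}"
    sed -n 's/.*ossec-remoted(1213): WARN: Message from \([0-9.]*\) not allowed.*/\1/p' "$log" \
        | sort | uniq -c | awk '{ print $2 " " $1 }'
}

# Return 0 if the logs directory is group-writable. Per the thread, without g+w
# remoted cannot write ossec.log, so the 1213 warning only shows up with -d -f.
# Checks the group-write bit, the 6th character of "ls -ld" output.
logs_dir_group_writable() {
    dir="${1:-/var/ossec/logs}"
    [ -d "$dir" ] || return 1
    [ "$(ls -ld "$dir" | cut -c6)" = "w" ]
}

# The workaround from this thread: pin agent NAME's "any" entry to a concrete IP.
# Writes the rewritten file to stdout; review it, then replace client.keys and
# restart the server so remoted re-reads the keys.
pin_agent_ip() {
    keys="$1"; name="$2"; ip="$3"
    awk -v n="$name" -v ip="$ip" '$2 == n && $3 == "any" { $3 = ip } { print }' "$keys"
}

# Example invocation on a server (paths are the assumed defaults):
#   agents_with_any /var/ossec/client.keys
#   not_allowed_sources /var/ossec/logs/ossec.log
#   logs_dir_group_writable /var/ossec/logs || echo "logs dir is not g+w"
#   pin_agent_ip /var/ossec/client.keys web01 1.2.3.3 > /tmp/client.keys.new
```

Run the functions on copies of the files first; pin_agent_ip never modifies client.keys in place.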
scott
Atomicorp Staff - Site Admin

Re: OSSEC remoted not allowing a client to connect

Post by scott

Awesome! Thanks for the follow-up on this.