OSSEC Agent specific port instead of random port
Hello,
For client-server communication the OSSEC agent connects using a random high port. I want to specify a port for the client rather than random ports.
Is it possible, and how can I achieve it?
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: OSSEC Agent specific port instead of random port
When you mean random port, do you mean the port the agent is trying to connect to? That should be 1514 by default.
If you mean the port the client computer uses to establish the connection, that's controlled by the operating system. It's going to use a high port that's not in use by another outbound connection.
Is there some reason you want to constrain that to a specific port?
Michael Shinn
Atomicorp - Security For Everyone
Re: OSSEC Agent specific port instead of random port
Hello,
Yes, I mean the port the client computer uses to establish the connection, that is, the unused high ports.
There is a limitation of the network architecture at layer 3. Only specific ports are allowed to be used and all the other ports are blocked.
The range of ports is usually 49152-65535, which is not feasible to be open or even unused as per IT policies.
It is then proposed that we should work on the agent to specify the ports. I suppose these amendments might be done in the code files of the agent. Am I right? Any help would be great.
Plus, I have been working with the agent for more than a year, so feel free to propose any complex solution.
Regards,
Last edited by mmudabbir on Mon May 31, 2021 5:02 am, edited 1 time in total.
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: OSSEC Agent specific port instead of random port
You can set the ephemeral port range in Linux with sysctl or /proc:
https://tldp.org/LDP/solrhe/Securing-Op ... sec70.html
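The sysctl/proc approach the reply above refers to is `net.ipv4.ip_local_port_range`, which on Linux governs the source port every outbound TCP and UDP connection (IPv4 and IPv6) draws from, the OSSEC agent's included. The script below is an added example, not code from the thread or from the OSSEC or Atomicorp projects: it reads the current range, validates a proposed narrower one, renders the persistent `sysctl.conf` line, and keeps the privileged `sysctl -w` step in a separate function that is never called automatically. The candidate range 50000-50099 and the fallback sample "32768 60999" are constructed values chosen for illustration.

```shell
#!/bin/sh
# Added example: inspect and narrow the Linux ephemeral (source) port range.
# Narrowing it is host-wide: every outbound connection, not only the agent,
# must then fit in the range, so size it for the host's total concurrent
# connections, not just the agent's single socket to port 1514.

# Number of ports in a "low high" pair as found in
# /proc/sys/net/ipv4/ip_local_port_range.
range_size() {
    echo $(( $2 - $1 + 1 ))
}

# Accept a proposed range only if both ends are numeric, low is outside the
# well-known range, low < high, and high fits in 16 bits. Returns 0/1.
validate_range() {
    low=$1; high=$2
    case "$low:$high" in
        *[!0-9:]*|:*|*:) return 1 ;;   # non-digit or missing value
    esac
    [ "$low" -ge 1024 ] && [ "$low" -lt "$high" ] && [ "$high" -le 65535 ]
}

# The line to drop into /etc/sysctl.conf (or /etc/sysctl.d/) so the range
# survives a reboot.
sysctl_line() {
    echo "net.ipv4.ip_local_port_range = $1 $2"
}

# Current range from /proc; falls back to a constructed sample (the usual
# Linux default) when /proc is not available, e.g. on a non-Linux box.
current_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"   # constructed sample
    fi
}

# Runtime change (requires root). Deliberately not invoked below; call it
# only once the firewall rules on both ends allow the chosen range.
apply_range() {
    validate_range "$1" "$2" || { echo "invalid range: $1 $2" >&2; return 1; }
    sysctl -w "net.ipv4.ip_local_port_range=$1 $2"
}

main() {
    set -- $(current_range)
    echo "current range: $1-$2 ($(range_size "$1" "$2") ports)"
    if validate_range 50000 50099; then
        echo "persist with: $(sysctl_line 50000 50099)"
    else
        echo "proposed range rejected" >&2
    fi
}

main
```

Check the result with `cat /proc/sys/net/ipv4/ip_local_port_range` after applying; the agent's next connection will pick a source port inside the new range, and the same range must be permitted by the layer-3 filtering on both the client and the server side. On Windows the equivalent host-wide setting is changed with `netsh int ipv4 set dynamicport tcp start=<low> num=<count>` (and `udp` likewise), which is what the Microsoft article linked later in this thread describes.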
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: OSSEC Agent specific port instead of random port
Yeah, that's a better option, as the OS is what sets the outbound port normally.
Michael Shinn
Atomicorp - Security For Everyone
Re: OSSEC Agent specific port instead of random port
Thank you for the response!
Actually, I have tried this for Windows, and the range of ports that will be open is 250 or more.
Below is what I followed.
https://docs.microsoft.com/en-us/troubl ... cpip-chang
My problem is that it has to be deployed in a restricted environment with network limitations, and only a few ports are allowed to be open on both the client (end host) and the server.
I think this change will be possible by editing the code files of the OSSEC agent and amending them to use only specific ports. If any of you can help me find the actual code files where the ports used are assigned, that would be great.
Regards,
Last edited by mmudabbir on Wed Jun 02, 2021 3:13 am, edited 2 times in total.
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: OSSEC Agent specific port instead of random port
That would only be able to control the dst port; the src port is something you have to control from the IP stack in the OS.