OSSEC Agent specific port instead of random port

Customer support forums for Atomic OSSEC. There is no such thing as a bad question here. New customers feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
mmudabbir
New Forum User
Posts: 2
Joined: Fri May 28, 2021 6:55 am

OSSEC Agent specific port instead of random port

Hello,

For client-server communication, the OSSEC agent connects using a random high port. I want to specify a port for the client rather than random ports.

Is it possible? And how can I achieve it?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: OSSEC Agent specific port instead of random port

When you mean random port, do you mean the port the agent is trying to connect to? That should be 1514 by default.

If you mean the port the client computer uses to establish the connection, that's controlled by the operating system. It's going to use a high port that's not in use by another outbound connection.

Is there some reason you want to constrain that to a specific port?
mmudabbir
New Forum User
Posts: 2
Joined: Fri May 28, 2021 6:55 am

Re: OSSEC Agent specific port instead of random port

Hello,

Yes, I mean the port the client computer uses to establish the connection, which are unused high ports.

There is a limitation of the network architecture from layer 3. Only specific ports are allowed to be used and all the other ports are blocked.
The range of ports is usually 49152-65535, which is not feasible to be open or even be unused as per IT policies.

It is then proposed that we should work on the agent to specify the ports. I suppose these amendments might be done in the code files of the agent. Am I right? Any help would be great.

Plus, I have been working with the agent for more than a year, so feel free to propose any complex solution.

Regards,
Last edited by mmudabbir on Mon May 31, 2021 5:02 am, edited 1 time in total.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: OSSEC Agent specific port instead of random port

You can set the ephemeral port range in Linux with sysctl or /proc:

https://tldp.org/LDP/solrhe/Securing-Op ... sec70.html
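
The Linux approach suggested in the post above, as an added example that is not part of the original thread: a shell check that compares the kernel's ephemeral (source) port range with a firewall-permitted window and prints the matching sysctl setting. The window 50000-50255 and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check the Linux ephemeral source port
# range against a firewall-permitted window. 50000-50255 is a constructed value.
PROC_FILE=/proc/sys/net/ipv4/ip_local_port_range
ALLOW_LOW=50000
ALLOW_HIGH=50255

# is_port N -> 0 when N is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# range_within "LOW HIGH" ALLOW_LOW ALLOW_HIGH
# 0 = kernel range lies inside the window, 1 = it does not, 2 = malformed input
range_within() {
    set -- $1 "$2" "$3"   # split the "LOW<TAB>HIGH" text as read from /proc
    [ $# -eq 4 ] || return 2
    is_port "$1" && is_port "$2" && is_port "$3" && is_port "$4" || return 2
    [ "$1" -le "$2" ] || return 2
    [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# sysctl_line LOW HIGH -> prints the persistent setting, or returns 2 if invalid
sysctl_line() {
    is_port "$1" && is_port "$2" && [ "$1" -lt "$2" ] || return 2
    printf 'net.ipv4.ip_local_port_range = %s %s\n' "$1" "$2"
}

# Report on this host; skipped where the /proc file is absent (non-Linux).
if [ -r "$PROC_FILE" ]; then
    current=$(cat "$PROC_FILE")
    if range_within "$current" "$ALLOW_LOW" "$ALLOW_HIGH"; then
        echo "OK: source ports $current fit inside $ALLOW_LOW-$ALLOW_HIGH"
    else
        echo "MISMATCH: kernel range is $current; to constrain it, set:"
        sysctl_line "$ALLOW_LOW" "$ALLOW_HIGH"
    fi
fi
```

To make the change persistent, put the printed line in a file under /etc/sysctl.d/ and load it with `sysctl --system`. The range applies to every outbound TCP and UDP connection from the host, so a very narrow window also caps how many simultaneous outbound connections the machine can make to one destination.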
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: OSSEC Agent specific port instead of random port

Yeah, that's a better option as the OS is what sets the outbound normally.
mmudabbir
New Forum User
Posts: 2
Joined: Fri May 28, 2021 6:55 am

Re: OSSEC Agent specific port instead of random port

Thank you for the response!

Actually, I have tried this for Windows, and the range of ports that will be open is 250 or more.
Below is what I followed.
https://docs.microsoft.com/en-us/troubl ... cpip-chang

My problem is that it has to be deployed in a restricted environment with network limitations, and only a few ports are allowed to be open on both the client (end host) and the server.

I think this change will be possible by editing the code files of the OSSEC agent and making amendments to use only specific ports. If any one of you can help me find the actual code files where the ports used are assigned, that will be great.

Regards,
Last edited by mmudabbir on Wed Jun 02, 2021 3:13 am, edited 2 times in total.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: OSSEC Agent specific port instead of random port

That would only be able to control the dst port; the src port is something you have to control from the IP stack in the OS.