Agent with static ip, server with dynamic ip

Support/Development for OSSEC
kla_tls
New Forum User
Posts: 3
Joined: Mon Apr 28, 2025 3:23 pm

Agent with static ip, server with dynamic ip

Post by kla_tls »

Hi,

I have this situation:

- one agent inside a LAN whose default gateway has a static ip
- and a server that I use, inside the same LAN with a static DHCP ip and outside the LAN with a dynamic ip

I configured in the server's ossec.conf both the agent ips (the LAN ip and the router static ip with a
port forwarding).
The agent's ossec.conf has the LAN server ip and "any".

When I'm inside the LAN, agent and server connect.
When I'm outside the LAN with the server, they don't connect.

Does the server search for agents at the two ips I set in the server's ossec.conf? Or is it only the agent
that tries to connect to the server (in this last case there is no way the agent can find the server)?

The agent's log:
2025/04/28 21:07:24 ossec-agentd: INFO: Trying next server in the line: 'any'.
2025/04/28 21:07:25 ossec-agentd: INFO: Closing connection to server any, port 1514.
2025/04/28 21:07:25 ossec-agentd: INFO: Trying to connect to server any, port 1514.
2025/04/28 21:07:25 getaddrinfo: Name or service not known
2025/04/28 21:08:09 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2025/04/28 21:08:09 ossec-syscheckd: WARN: Process locked. Waiting for permission...
Is there a way to enable the connection when the server is out of the LAN?

Thanks
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Agent with static ip, server with dynamic ip

Post by mikeshinn »

Could you share a copy of your agent and hubs config files?
kla_tls
New Forum User
Posts: 3
Joined: Mon Apr 28, 2025 3:23 pm

Re: Agent with static ip, server with dynamic ip

Post by kla_tls »

mikeshinn wrote: Mon May 05, 2025 4:30 pm Could you share a copy of your agent and hubs config files?
Agent ossec.conf:

# cat ossec.conf
<ossec_config>
  <client>
    <server-hostname>xxx.xxx.xxx.xxx</server-hostname>     <!-- LAN server ip -->
    <server-hostname>any</server-hostname>
    <config-profile></config-profile>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin,/usr/local/bin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/boot,/usr/local/sbin,/snap/bin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/etc/cups/subscriptions.conf</ignore>
    <ignore>/etc/cups/subscriptions.conf.O</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>
  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/vsftpd.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| ::1)' | sort</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>/usr/sbin/iptables -nL</command>
  </localfile>
</ossec_config>

Server ossec.conf:

# cat ossec.conf 
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>user@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@server</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>apparmor_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>openbsd_rules.xml</include>
    <include>clam_av_rules.xml</include>
    <include>dropbear_rules.xml</include>
    <include>sysmon_rules.xml</include>
    <include>opensmtpd_rules.xml</include>
    <include>exim_rules.xml</include>
    <include>openbsd-dhcpd_rules.xml</include>
    <include>dnsmasq_rules.xml</include>
    <include>nsd_rules.xml</include>
    <include>unbound_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>  

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin,/usr/local/bin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/boot,/usr/local/sbin,/snap/bin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/etc/cups/subscriptions.conf</ignore>
    <ignore>/etc/cups/subscriptions.conf.O</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <global>
    <allow_list>127.0.0.1</allow_list>
    <allow_list>::1</allow_list>
    <allow_list>localhost.localdomain</allow_list>
    <allow_list>127.0.0.53</allow_list>
  </global>

  <remote>
    <connection>syslog</connection>
  </remote>

  <remote>
    <connection>secure</connection>
    <allowed-ips>xxx.xxx.xxx.xxx</allowed-ips>        <!-- LAN agent ip -->
    <allowed-ips>xxx.xxx.xxx.xxx</allowed-ips>        <!-- router static public ip of the agent, with port forwarding -->
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
                  

  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>    
  </active-response>  

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| ::1)' | sort</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>/usr/sbin/iptables -nL</command>
  </localfile>
</ossec_config>
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Agent with static ip, server with dynamic ip

Post by mikeshinn »

If I understand what you may be doing, agents connect to the server; the server doesn't connect to the agents.
Does the server search for agents at the two ips I set in the server's ossec.conf? Or is it only the agent
that tries to connect to the server (in this last case there is no way the agent can find the server)?
Yes, the agents connect to the server; the server never connects to the agents. Only the agents need to be configured with an IP/FQDN for the server. So just put your server(s) IPs/FQDNs (and the correct protocol) in your agents' ossec.conf file, make sure your agent(s) can connect to the server on that IP/FQDN and restart your agent(s). The server doesn't need to know the agents' IPs, and any of that should be removed from the server's config.

Note: There is a way to pin keys to IPs, but you don't need to do that. Agents have unique keys and that's how they are identified; pinning a key to an IP will just make it harder for you to change IPs on your agents.
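A small checker written for this thread as an added example (not OSSEC code and not from either poster): it parses an agent's `<client>` block and pairs each configured server entry with the ossec-agentd log lines that follow it, so an entry like "any", which the agent hands to getaddrinfo as a literal hostname, is reported as unresolvable while an IP literal or a real FQDN is not. The config and log lines embedded below are constructed in the same shape as the ones in the thread; the addresses are documentation-range placeholders, not real hosts.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed agent config, modelled on the one posted in the thread:
# one LAN address plus the placeholder "any" (documentation IP, not real).
AGENT_CONF = """<ossec_config>
  <client>
    <server-hostname>192.0.2.10</server-hostname>
    <server-hostname>any</server-hostname>
  </client>
</ossec_config>"""

# Constructed ossec-agentd lines in the format shown in the thread.
AGENT_LOG = """2025/04/28 21:07:24 ossec-agentd: INFO: Trying next server in the line: 'any'.
2025/04/28 21:07:25 ossec-agentd: INFO: Closing connection to server any, port 1514.
2025/04/28 21:07:25 ossec-agentd: INFO: Trying to connect to server any, port 1514.
2025/04/28 21:07:25 getaddrinfo: Name or service not known
2025/04/28 21:07:40 ossec-agentd: INFO: Trying to connect to server 192.0.2.10, port 1514."""

TRY_RE = re.compile(r"ossec-agentd: INFO: Trying to connect to server (\S+), port (\d+)\.")

def configured_servers(conf_xml):
    """Return every non-empty <server-ip>/<server-hostname> under <client>, in order."""
    root = ET.fromstring(conf_xml)
    names = []
    for client in root.findall("client"):
        for el in client:
            if el.tag in ("server-ip", "server-hostname") and (el.text or "").strip():
                names.append(el.text.strip())
    return names

def failed_lookups(log_text):
    """Server names whose 'Trying to connect' line was followed by a getaddrinfo error."""
    failed, last = set(), None
    for line in log_text.splitlines():
        m = TRY_RE.search(line)
        if m:
            last = m.group(1)          # remember the most recent connect attempt
        elif "getaddrinfo:" in line and last is not None:
            failed.add(last)           # the resolver rejected that name
    return failed

def classify(name, failed):
    """'ip-literal', 'unresolvable' (per the log), or 'hostname' (needs DNS to judge)."""
    try:
        ipaddress.ip_address(name)
        return "ip-literal"
    except ValueError:
        return "unresolvable" if name in failed else "hostname"

def diagnose(conf_xml, log_text):
    failed = failed_lookups(log_text)
    return {name: classify(name, failed) for name in configured_servers(conf_xml)}

def usable_servers(report):
    """Entries the agent can at least resolve; an IP only works from where it is reachable."""
    return [name for name, status in report.items() if status != "unresolvable"]
```

The checker only tells you which entries the agent can resolve; a LAN IP that resolves still fails from outside the LAN, which is why a stable FQDN for the server is the entry that works from both sides.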
kla_tls
New Forum User
Posts: 3
Joined: Mon Apr 28, 2025 3:23 pm

Re: Agent with static ip, server with dynamic ip

Post by kla_tls »

mikeshinn wrote: Thu May 08, 2025 6:09 pm If I understand what you may be doing, agents connect to the server; the server doesn't connect to the agents.
Does the server search for agents at the two ips I set in the server's ossec.conf? Or is it only the agent
that tries to connect to the server (in this last case there is no way the agent can find the server)?
Yes, the agents connect to the server; the server never connects to the agents. Only the agents need to be configured with an IP/FQDN for the server. So just put your server(s) IPs/FQDNs (and the correct protocol) in your agents' ossec.conf file, make sure your agent(s) can connect to the server on that IP/FQDN and restart your agent(s). The server doesn't need to know the agents' IPs, and any of that should be removed from the server's config.

Note: There is a way to pin keys to IPs, but you don't need to do that. Agents have unique keys and that's how they are identified; pinning a key to an IP will just make it harder for you to change IPs on your agents.
My situation is that the server (a laptop), when I'm outside the LAN, has a dynamic ip; usually I connect it to the internet with my phone,
so how can the agents find the server?