Re: [security-onion] New Security Onion Master Server - Squert Login Issues


Wes Lambert

Oct 25, 2018, 11:41:11 AM
to securit...@googlegroups.com
Have you tried setting a very simple password to see if it could somehow be due to the composition of the password?

Have you tried adding an additional user to see if you experience the same effect?

Thanks,
Wes

On Wed, Oct 24, 2018 at 9:31 PM <tcri...@gmail.com> wrote:
I'm running into a strange issue with a brand new install of Security Onion running 16.04.5.3.

Once I get my master server stood up, I'm unable to log into Squert. I immediately see "The user name or password is incorrect" even when I'm using an uncached browser. When I click submit, the screen flashes and takes me back to the login page.

I know my password is correct, because I'm able to log into SGUIL without any problems and resetting that password doesn’t resolve the issue. Creating a new user results in the same behavior.
https://github.com/Security-Onion-Solutions/security-onion/wiki/Passwords

sudo nsm_server_user-passwd
----------------
Do you want to change the password of <USER>? (Y/N) [Y]: Y
Changing password for: <USER> => securityonion
Password for <USER> successfully changed.
----------------

I thought this might have been a fluke, I redeployed a new VM and started over... still the same issue.

I downloaded the ISO from the Security Onion Github repo and the verify came back with "Good signature"
https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

mysqlcheck shows the databases are OK:

root@<MASTER_SERVER>:/var/www/so/squert/.inc# mysqlcheck -u readonly -p securityonion_db
Enter password:
securityonion_db.autocat                           OK
securityonion_db.data                              OK
securityonion_db.data_<SENSOR>-ossec_20181024 OK
securityonion_db.data_<MASTER_SERVER>-ossec_20181023 OK
securityonion_db.data_<MASTER_SERVER>-ossec_20181024 OK
securityonion_db.event                             OK
securityonion_db.event_<SENSOR>-ossec_20181024 OK
securityonion_db.event_<MASTER_SERVER>-ossec_20181023 OK
securityonion_db.event_<MASTER_SERVER>-ossec_20181024 OK
securityonion_db.filters                           OK
securityonion_db.history                           OK
securityonion_db.icmphdr                           OK
securityonion_db.icmphdr_<SENSOR>-ossec_20181024 OK
securityonion_db.icmphdr_<MASTER_SERVER>-ossec_20181023 OK
securityonion_db.icmphdr_<MASTER_SERVER>-ossec_20181024 OK
securityonion_db.ip2c                              OK
securityonion_db.mappings                          OK
securityonion_db.nessus                            OK
securityonion_db.nessus_data                       OK
securityonion_db.object_mappings                   OK
securityonion_db.pads                              OK
securityonion_db.portscan                          OK
securityonion_db.sensor                            OK
securityonion_db.stat_types                        OK
securityonion_db.stats                             OK
securityonion_db.status                            OK
securityonion_db.tcphdr                            OK
securityonion_db.tcphdr_<SENSOR>-ossec_20181024 OK
securityonion_db.tcphdr_<MASTER_SERVER>-ossec_20181023 OK
securityonion_db.tcphdr_<MASTER_SERVER>-ossec_20181024 OK
securityonion_db.udphdr                            OK
securityonion_db.udphdr_<SENSOR>-ossec_20181024 OK
securityonion_db.udphdr_<MASTER_SERVER>-ossec_20181023 OK
securityonion_db.udphdr_<MASTER_SERVER>-ossec_20181024 OK
securityonion_db.user_info                         OK
securityonion_db.version                           OK


root@<MASTER_SERVER>:/opt# so-status
Status: securityonion
  * sguil server                                                                                            [  OK  ]
Status: HIDS
  * ossec_agent (sguil)                                                                                     [  OK  ]


However, I did see in the Apache error logs, this triggers every time I submit a username/password. From my understanding, this might be the issue but I don't know how to resolve it.

/var/log/apache2/error.log
[Wed Oct 24 21:22:14.458015 2018] [:error] [pid 25184] [client <SOURCE_IP:PORT>] PHP Notice:  Undefined index: PHP_AUTH_USER in /var/www/so/squert/login.php on line 40, referer: https://<MASTER_SERVER>/squert/login.php
[Wed Oct 24 21:22:14.458087 2018] [:error] [pid 25184] [client <SOURCE_IP:PORT>] PHP Notice:  Undefined index: PHP_AUTH_PW in /var/www/so/squert/login.php on line 41, referer: https://<MASTER_SERVER>/squert/login.php


The issue kind of seems similar to these topics, but not exactly:
1. https://groups.google.com/forum/#!searchin/security-onion/squert$20the$20user$20name$20or$20password$20is$20incorrect|sort:date/security-onion/3EXfALKe65k/UFXuMbsAAgAJ


Has anyone ever seen anything like this?

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.


--

tcri...@gmail.com

Oct 25, 2018, 12:00:54 PM
to security-onion
Hey Wes, thanks for getting back to me!

Yes, I created a new user with a very simple password and then restarted SO. No effect, and I still saw the same Apache error logs.


root@<MASTER_SERVER>:/var/log/apache2# so-user-add

User Name
Enter the name of the new user that will be granted privilege to connect to Sguil/Squert/Kibana: user

User Pass
Enter the password for the new user that will be granted privilege to connect to this server:
Verify:

Add User to Server
The following information has been collected:

user: user

Do you want to create? (Y/N) [Y]: y

Adding user: user
user successfully added.


root@<MASTER_SERVER>:/var/log/apache2# so-restart

=========================================================================
Restarting NSM services...
=========================================================================

Restarting: securityonion
* stopping: sguil server [ OK ]
* starting: sguil server [ OK ]
Restarting: HIDS
* stopping: ossec_agent (sguil) [ OK ]
* starting: ossec_agent (sguil) [ OK ]

Steven J

Oct 25, 2018, 7:10:40 PM
to securit...@googlegroups.com

Wes, does it matter that tcritch05 is logged in as root?

I only connect through ssh, not as root, and have to sudo most things.

Sjm


Wes Lambert

Oct 25, 2018, 9:26:07 PM
to securit...@googlegroups.com
I'm assuming you experience the same issue when trying to log in to Kibana?


@Steven,

To my knowledge, that shouldn't matter.

Thanks,
Wes


tcri...@gmail.com

Oct 25, 2018, 10:02:05 PM
to security-onion
I actually have Kibana disabled. We heavily use a different SIEM solution to aggregate Bro and Snort logs for threat hunting. Squert is used more for incident response tasks.

Wes Lambert

Oct 27, 2018, 7:43:17 AM
to securit...@googlegroups.com
Out of curiosity, what does the login screen look like?

Thanks,
Wes

tcri...@gmail.com

Oct 27, 2018, 9:50:47 AM
to security-onion
Hey Wes,

Attached you will find a screenshot of the login page. This is the first time navigating to this page on an uncached browser, and I have not attempted to enter any credentials, yet the failed username and password message is present.

Thanks!
SquertLogin.png

Wes Lambert

Oct 27, 2018, 4:11:55 PM
to securit...@googlegroups.com
Do you receive this login page every time you try to log in to Squert?

Do you receive it if you try to navigate to the following?


Also, if you re-enable Kibana (it shouldn't affect this), do you receive a different login page, or different results?

Thanks,
Wes

Doug Burks

Oct 28, 2018, 9:54:31 AM
to securit...@googlegroups.com
It sounds like when you ran Setup you chose to disable the Elastic stack and so the Apache SSO config was never copied into place.  Please try running the following:
sudo so-elastic-configure-apache




--
Doug Burks
CEO
Security Onion Solutions, LLC
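
As an added detection example (not code from this thread or from Security Onion), the following Python parses Apache error.log lines of the shape quoted earlier in the thread and flags the paired "Undefined index: PHP_AUTH_USER / PHP_AUTH_PW" notices from login.php, which are the symptom Doug's answer attributes to the Apache SSO config never being copied into place. The sample log lines are constructed, with the thread's placeholders left in; the mapping from that notice pair to the verdict string is this example's own assumption.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the thread's two notices plus one
# unrelated Apache notice; placeholders are kept, these are not real hosts.
SAMPLE_LOG = """\
[Wed Oct 24 21:22:14.458015 2018] [:error] [pid 25184] [client <SOURCE_IP:PORT>] PHP Notice:  Undefined index: PHP_AUTH_USER in /var/www/so/squert/login.php on line 40, referer: https://<MASTER_SERVER>/squert/login.php
[Wed Oct 24 21:22:14.458087 2018] [:error] [pid 25184] [client <SOURCE_IP:PORT>] PHP Notice:  Undefined index: PHP_AUTH_PW in /var/www/so/squert/login.php on line 41, referer: https://<MASTER_SERVER>/squert/login.php
[Wed Oct 24 21:25:01.000000 2018] [mpm_prefork:notice] [pid 1000] AH00163: Apache/2.4.29 (Ubuntu) configured -- resuming normal operations
"""

# Apache 2.4 error_log layout: [timestamp] [module:level] [pid N] [client addr] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]*)\] \[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
# The PHP notice raised when $_SERVER lacks the basic-auth variables Apache should set
AUTH_RE = re.compile(r"Undefined index: (PHP_AUTH_USER|PHP_AUTH_PW) in (\S+) on line (\d+)")


def parse_line(line):
    """Split one error_log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_missing_basic_auth(log_text):
    """Return one record per notice showing a script read PHP_AUTH_* that Apache never populated."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        a = AUTH_RE.search(rec["msg"])
        if a:
            hits.append({"ts": rec["ts"], "client": rec["client"], "var": a.group(1),
                         "file": a.group(2), "line": int(a.group(3))})
    return hits


def diagnose(log_text):
    """Verdict plus evidence: both variables missing on a login page means no auth config is in front of it."""
    hits = find_missing_basic_auth(log_text)
    seen = Counter(h["var"] for h in hits)
    if seen["PHP_AUTH_USER"] and seen["PHP_AUTH_PW"]:
        return "apache-auth-config-missing", hits
    return "ok", hits


if __name__ == "__main__":
    verdict, evidence = diagnose(SAMPLE_LOG)
    print(verdict, len(evidence), "notice(s)")
```

Run it against a real /var/log/apache2/error.log by passing the file's contents to diagnose(); a clean log returns "ok" with no evidence.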

tcri...@gmail.com

Oct 28, 2018, 11:04:31 PM
to security-onion
That fixed it! Thank you Doug and Wes for helping me through this issue!

Doug Burks

Oct 29, 2018, 6:30:08 AM
to securit...@googlegroups.com
I've created Issue 1355 to update Setup to do this automatically:
