ossec-authd: Unable to connect


Ali Khan

Oct 3, 2016, 4:03:46 AM
to ossec-list
Hi All,


I am trying to use OSSEC agent-auth for automatic agent key registration with the OSSEC server.

I did the following on the server:

  1. openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
  2. openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
  3. /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 &
  4. Added the following rule to /etc/ossim/firewall_include:
     -A INPUT -p tcp --dport 1515 -j ACCEPT
  5. Ran ossim-reconfig, then started /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 & again, and the process starts.


   However, when I run ./agent-auth -m 192.168.10.246 -p 1515 on the agent, I get the following error:


2016/10/03 12:34:58 ossec-authd: INFO: Started (pid: 9656).
2016/10/03 12:34:58 ossec-authd: Unable to connect to 192.168.10.246:1515

Any kind of help would be appreciated.

Looking forward to your reply.

Pedro Sanchez

Oct 3, 2016, 4:21:23 AM
to ossec...@googlegroups.com
Hi Ali,

Could you confirm that ossec-authd is running and listening on the sensor? You could use

netstat -pna | grep 1515

The expected output will be similar to:

tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      9684/ossec-authd

It seems like you have some connectivity problems. Be sure that the agent can actually reach port 1515; you could use tcpdump on the OSSEC manager to listen for incoming packets to port 1515:

root@ubuntu5:/var/ossec/etc# tcpdump -i eth0 port 1515 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:20:11.033864 IP (tos 0x0, ttl 128, id 22397, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.30.57495 > 192.168.1.10.1515: Flags [S], cksum 0x4748 (correct), seq 2326532896, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
01:20:11.033931 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.10.1515 > 192.168.1.30.57495: Flags [S.], cksum 0x839f (incorrect -> 0x141f), seq 3245350808, ack 2326532897, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
01:20:11.034075 IP (tos 0x0, ttl 128, id 22398, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.30.57495 > 192.168.1.10.1515: Flags [.], cksum 0xbefc (correct), seq 1, ack 1, win 2053, length 0
01:20:11.035593 IP (tos 0x0, ttl 128, id 22399, offset 0, flags [DF], proto TCP (6), length 203)
    192.168.1.30.57495 > 192.168.1.10.1515: Flags [P.], cksum 0xeedb (correct), seq 1:164, ack 1, win 2053, length 163
01:20:11.035668 IP (tos 0x0, ttl 64, id 37466, offset 0, flags [DF], proto TCP (6), length 40)


Best regards,

Pedro S.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
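Reading a capture like the one above by hand is error-prone, so here is an added example (my own script, not from this thread, OSSEC or Wazuh) that classifies a `tcpdump -nn` text capture of the manager's authd port into one of four outcomes: SYN answered by SYN/ACK, SYN answered by RST, SYN never answered, or no SYN at all. The manager address 192.168.1.10, the agent address 192.168.1.30 and the three capture samples are constructed for the example; only the verdicts and their interpretation are the point.

```shell
#!/bin/sh
# Added example (not from the thread): classify a `tcpdump -nn` text capture of the
# agent-auth port taken on the manager, so the verdict is not left to eyeballing.
# Capture on the manager with:  tcpdump -nn -i eth0 port 1515 > cap.txt
# The samples below are constructed; the manager/agent addresses are assumptions.

# Full three-way handshake: SYN, SYN/ACK, ACK.
SAMPLE_OK='01:20:11.033864 IP 192.168.1.30.57495 > 192.168.1.10.1515: Flags [S], seq 2326532896, win 8192, length 0
01:20:11.033931 IP 192.168.1.10.1515 > 192.168.1.30.57495: Flags [S.], seq 3245350808, ack 2326532897, win 29200, length 0
01:20:11.034075 IP 192.168.1.30.57495 > 192.168.1.10.1515: Flags [.], ack 1, win 2053, length 0'

# SYN retransmitted three times and never answered: a DROP rule on the manager, or a listener bound elsewhere.
SAMPLE_DROPPED='01:21:05.100000 IP 192.168.1.30.57500 > 192.168.1.10.1515: Flags [S], seq 100, win 8192, length 0
01:21:06.100000 IP 192.168.1.30.57500 > 192.168.1.10.1515: Flags [S], seq 100, win 8192, length 0
01:21:08.100000 IP 192.168.1.30.57500 > 192.168.1.10.1515: Flags [S], seq 100, win 8192, length 0'

# Manager answers with RST: the SYN arrived but nothing accepts on the port.
SAMPLE_REFUSED='01:22:00.000000 IP 192.168.1.30.57501 > 192.168.1.10.1515: Flags [S], seq 200, win 8192, length 0
01:22:00.000100 IP 192.168.1.10.1515 > 192.168.1.30.57501: Flags [R.], seq 0, ack 201, win 0, length 0'

# classify_handshake MANAGER_IP PORT  < capture.txt
# Prints one of: established | refused | syn-no-reply | no-syn
classify_handshake() {
    awk -v mgr="$1" -v port="$2" '
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            f = ""
            for (i = 6; i <= NF; i++) if ($i == "Flags") { f = $(i + 1); break }
            gsub(/[^A-Za-z.]/, "", f)                      # "[S.]," -> "S."
            if (dst == (mgr "." port)) {
                if (f ~ /S/ && f !~ /\./) syn++            # agent -> manager SYN
            } else if (src == (mgr "." port)) {
                if (f ~ /S/ && f ~ /\./) synack++          # manager -> agent SYN/ACK
                if (f ~ /R/) rst++                         # manager -> agent RST
            }
        }
        END {
            if (syn == 0)        print "no-syn"
            else if (synack > 0) print "established"
            else if (rst > 0)    print "refused"
            else                 print "syn-no-reply"
        }'
}

# Map the verdict to the next thing worth checking.
explain_verdict() {
    case "$1" in
        established)  echo "handshake completed: the port is reachable, so look at ossec-authd's own log next" ;;
        refused)      echo "manager sent RST: the SYN arrived but nothing accepts on that port (authd not running, or bound to another address)" ;;
        syn-no-reply) echo "SYNs arrive but are never answered: a DROP rule on the manager, or a listener bound elsewhere" ;;
        no-syn)       echo "no SYN reached this interface: the agent is blocked or routed elsewhere before it gets to the manager" ;;
    esac
}

# Run the classifier over the three samples plus an empty capture (tcpdump saw nothing).
for cap in "$SAMPLE_OK" "$SAMPLE_DROPPED" "$SAMPLE_REFUSED" ""; do
    verdict=$(printf '%s\n' "$cap" | classify_handshake 192.168.1.10 1515)
    echo "$verdict: $(explain_verdict "$verdict")"
done
```

The empty-capture case is the one reported later in this thread: tcpdump on the manager shows no packets at all, so the problem is in front of the manager (routing or an upstream firewall), not in ossec-authd or the manager's own iptables rule.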

Dodain Dodo

Oct 3, 2016, 11:57:33 AM
to ossec...@googlegroups.com
Hi Pedro,

Thanks for replying. Sorry, I forgot to mention a few details. Firstly, I am using AlienVault USM. Secondly, the OSSEC server is listening, so the server part is working; the problem I am getting is that the agent/client isn't able to connect to the server on port 1515, and I am not able to find out why my agent isn't able to communicate with the OSSEC server on port 1515. For that I even added port 1515 in iptables. Since the agent isn't able to communicate, tcpdump on the server shows 0 packets.

tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      5504/ossec-authd
 


Pedro Sanchez

Oct 3, 2016, 1:51:08 PM
to ossec...@googlegroups.com
Hi,

I think this could be a connectivity issue; ossec-authd looks to be listening correctly. Did you try to add the agent manually and check 1514 connectivity? I am not sure whether both servers are able to communicate in a different way; try using tcpdump on the server side and telnet on the other.

Server:

tcpdump -i eth0 port 1515 -vv
 
Agent:

telnet server_ip 1515


Try to add it manually; if that works, we can keep going with the ossec-authd deployment.

Dodain Dodo

Oct 3, 2016, 1:58:58 PM
to ossec...@googlegroups.com

The manual agent installation works perfectly, and it even shows HIDS events/alarms for my host/PC.


Dodain Dodo

Oct 4, 2016, 3:25:46 AM
to ossec...@googlegroups.com
These are the listening ports on the server:
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:40001           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:40002           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:40003           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:40004           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:40009         0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:40011           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:6380            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:9391            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:28017         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp6       0      0 :::3128                 :::*                    LISTEN     
tcp6       0      0 :::514                  :::*                    LISTEN     
tcp6       0      0 :::40005                :::*                    LISTEN     
tcp6       0      0 :::40006                :::*                    LISTEN     
tcp6       0      0 :::5672                 :::*                    LISTEN     
tcp6       0      0 :::6380                 :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN 

Now 1515 is in listening state and is also allowed in iptables, but I am not able to telnet to it. Moreover, when I do manual agent key registration, it works perfectly. I even checked by making some failed login attempts, and those login attempts were shown on the AV dashboard by HIDS after I did the manual key registration, but when I run netstat, 1514 isn't shown in listening state. Now all these things contradict each other, and I myself don't know what's happening here. Neither 1515 nor 1514 can be telneted, but failed login attempts on the system for which I did manual registration are being shown on the dashboard, and OSSEC uses 1514 for this purpose, yet 1514 can't be telneted and isn't in listening state, and when I run nmap none of these ports are open.




Pedro S

Oct 4, 2016, 4:49:13 AM
to ossec-list
Hi again,

I don't really understand how it works if you don't have any OSSEC process listening on 1514; maybe you are mixing up the hosts. On my labs, if I run

netstat -tunlp

The output for OSSEC will be:

udp        0      0 0.0.0.0:1514            0.0.0.0:*                           14287/ossec-remoted
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      9684/ossec-authd

Another tool for analysis is traceroute; you can see how many hops there are and how you are getting to the OSSEC manager destination.
Debian: apt-get install traceroute

traceroute your_ossec_server


Hope it helps. I am sorry I am not being so helpful, but I don't really know your network, so I am not sure what could be happening there :D

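As an added example (my own script, not code from this thread, OSSEC or Wazuh), the following does what the last few posts do by hand: it parses netstat -tunlp output for the TCP 1515 (ossec-authd) and UDP 1514 (ossec-remoted) sockets without relying on the LISTEN column, which UDP rows never carry, flags an authd that is bound only to loopback, and gives the agent side a TCP connect probe that does not need telnet. The netstat sample, the PIDs and the extra mysqld row are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check the two OSSEC manager sockets the way
# the thread ends up doing by hand. Constructed `netstat -tunlp` output; the PIDs
# and the mysqld row are made up.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      9684/ossec-authd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1200/mysqld
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           14287/ossec-remoted'

# listener_on PROTO PORT  < netstat-output
# Prints the local bind address of the first tcp/tcp6 (or udp/udp6) socket on PORT,
# or "none". UDP rows have no State column, so a "grep LISTEN" would miss
# ossec-remoted on 1514 even though it is bound and receiving agent events.
listener_on() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto || $1 == (proto "6") {
            n = split($4, a, ":")           # last ":"-separated field is the port (works for :::1515 too)
            if (a[n] == port) { found = $4; exit }
        }
        END { print (found ? found : "none") }'
}

# bind_scope ADDR:PORT -> all-interfaces | loopback-only | specific-interface
# An authd bound to 127.0.0.1 shows LISTEN locally and still gives every agent "Unable to connect".
bind_scope() {
    case "$1" in
        127.*|::1:*)    echo loopback-only ;;
        0.0.0.0:*|:::*) echo all-interfaces ;;
        *)              echo specific-interface ;;
    esac
}

# probe_tcp HOST PORT [TIMEOUT]: agent-side stand-in for "telnet host 1515" when telnet is
# not installed; uses bash's /dev/tcp. Exit 0 = TCP connect succeeded. Only meaningful for
# TCP (1515): UDP 1514 cannot be probed this way, and nmap needs -sU to see it at all.
probe_tcp() {
    timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Manager-side report over the sample.
for spec in tcp:1515 udp:1514; do
    proto=${spec%:*}; port=${spec#*:}
    addr=$(printf '%s\n' "$NETSTAT_SAMPLE" | listener_on "$proto" "$port")
    if [ "$addr" = none ]; then
        echo "$proto/$port: nothing bound"
    else
        echo "$proto/$port: bound on $addr ($(bind_scope "$addr"))"
    fi
done
```

On a real manager, pipe `netstat -tunlp` (or `ss -tunlp`, whose Local Address column is also field 4 once the header is skipped) into listener_on instead of the sample; from the agent, `probe_tcp 192.168.10.246 1515` failing while the manager shows tcp/1515 bound on all interfaces points at the path between the two hosts rather than at ossec-authd.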

Dodain Dodo

Oct 4, 2016, 10:08:16 AM
to ossec...@googlegroups.com
Hi Pedro,

I have already done all these things. Your and my netstat results are the same: 1515 is in listening state and 1514 is also there. Sorry, since it (1514) is a UDP port, how could it be in listening mode? My bad.

udp        0      0 0.0.0.0:1514            0.0.0.0:*                           27560/ossec-remoted
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      5504/ossec-authd

So we are back where we started. The server end is fine and the OSSEC agent is sending logs on 1514, but 1515, although in listening state, is not able to make a connection with the OSSEC server. Is your agent-auth working fine?  /var/ossec/bin/agent-auth -m x.x.x.x -p 1515

Moreover, I was interested in reading the source code for agent-auth, to see if I can find a workaround. :)




Pedro Sanchez

Oct 6, 2016, 7:10:32 AM
to ossec...@googlegroups.com
Hi,

I just ran some tests on Wazuh version 1.1.1 and agent-auth is running properly.

If you want to take a deeper look into the C code, you can review this file: os auth main client

The error you are getting is strictly related to TCP connection.
