Agentless ssh monitoring fails to connect every time


Marcin Gołębiowski

Mar 17, 2017, 11:20:58 PM
to ossec-list
I can't seem to get the agentless monitoring to work. I added two remote boxes with /var/ossec/agentless/register_host.sh and configured a passwordless connection by generating ssh keys for user ossec. However, after restarting ossec the connection to the remote server fails every time. Ossec.log shows: ossec-agentlessd: ERROR: ssh_integrity_check_linux: us...@remote.server.pl: Public key authentication failed to host: us...@remote.server.pl. I tried to connect with a password but this time I got a timeout: ERROR: ssh_integrity_check_linux: us...@remote.server.pl: Timeout while connecting to host: us...@remote.server.pl. I checked the .passlist file and the passwords are correct. What is more, I am able to ssh to the remote server using the id_rsa generated for the ossec user, so theoretically ossec should connect with the NOPASS option. But it doesn't. I am in the dark. Server is Ubuntu Server 16.04, OSSEC version 2.8.3, expect installed, firewall disabled. Any ideas?

Kat

Mar 21, 2017, 8:59:57 AM
to ossec-list
Hi,

Could you post the log entries? Also, an ssh -vvv output would help to see what is going on. It is clearly a connection problem, but hard to diagnose based on what you have posted.

Kat


Eduardo Reichert Figueiredo

Mar 21, 2017, 10:48:23 AM
to ossec-list
Validate your permissions on the keys "id_rsa id_rsa.pub".

Marcin Gołębiowski

Mar 21, 2017, 7:11:23 PM
to ossec-list
Trying to debug with expect I got:
expect -d agentless/ssh_integrity_check_linux us...@server.com /directory/to/check
expect version 5.45
argv[0] = expect  argv[1] = -d  argv[2] = agentless/ssh_integrity_check_linux  argv[3] = us...@server.com  argv[4] = /directory/to/check
set argc 2
set argv0 "agentless/ssh_integrity_check_linux"
set argv "us...@server.com /directory/to/check"
executing commands from command file agentless/ssh_integrity_check_linux
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {456}

expect: does "" (spawn_id exp4) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"ssh: connect to host*"? no
"no address associated with name"? no
"*Connection refused*"? no
"*Connection closed by remote host*"? no
"* password:*"? no
user@server ~ $
expect: does "\u001b[01;31malk2\u001b[01;33m@\u001b[01;36malk2 \u001b[01;33m~ \u001b[01;35m$ \u001b[00m" (spawn_id exp4) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"ssh: connect to host*"? no
"no address associated with name"? no
"*Connection refused*"? no
"*Connection closed by remote host*"? no
"* password:*"? no
expect: timed out

I don't have access to auth.log on remote server, it's shared hosting which is why I am trying to implement agentless monitoring there. I am able to manually log in with user ossec and keyfile to that server without problems.

Regards

dan (ddp)

Mar 22, 2017, 7:59:23 PM
to ossec...@googlegroups.com
Which version of OSSEC is this?
My version of the linux integrity thing continues checking every line
of response for a bit until I get:
"*Connection closed by remote host*"? no
"* password:*"? no
"*\$"? yes

My prompt looks like:
test@ossec-test:~$

But anything ending in a "$" should be valid.
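
A small parser for the `expect -d` trace format quoted in this thread, added here as an example (it is not part of any post or of OSSEC): for each buffer it lists which glob patterns were tried and whether one matched or the run timed out, and it strips the ANSI color codes so the prompt is readable. The sample trace is constructed, and `parse_attempts` and `report` are hypothetical names.

```python
import re

# Constructed sample in the shape of the `expect -d` output quoted in this
# thread: two buffers that end in a timeout, then one that matches a prompt.
SAMPLE = r'''expect: does "" (spawn_id exp4) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"* password:*"? no
expect: does "\u001b[01;36muser \u001b[01;35m$ \u001b[00m" (spawn_id exp4) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"* password:*"? no
expect: timed out
expect: does "test@ossec-test:~$ " (spawn_id exp4) match glob pattern "* password:*"? no
"*\$"? yes
'''

HEAD = re.compile(r'^expect: does "(.*)" \(spawn_id \S+\) match glob pattern "(.*)"\? (yes|no)$')
CONT = re.compile(r'^"(.*)"\? (yes|no)$')
ANSI = re.compile(r'\\u001b\[[0-9;]*m')  # expect -d prints ESC as the text \u001b


def parse_attempts(text):
    """Return one dict per buffer that expect tested against its patterns."""
    attempts = []
    for line in text.splitlines():
        head, cont = HEAD.match(line), CONT.match(line)
        if head:
            buf = head.group(1)
            attempts.append({"buffer": buf, "plain": ANSI.sub("", buf),
                             "tried": [], "matched": None, "timed_out": False})
            pattern, verdict = head.group(2), head.group(3)
        elif cont and attempts:
            pattern, verdict = cont.groups()
        else:
            if line.strip() == "expect: timed out" and attempts:
                attempts[-1]["timed_out"] = True
            continue
        attempts[-1]["tried"].append(pattern)
        if verdict == "yes":
            attempts[-1]["matched"] = pattern
    return attempts


def report(text):
    """One summary line per buffer: readable prompt, patterns tried, outcome."""
    lines = []
    for a in parse_attempts(text):
        state = a["matched"] or ("TIMEOUT" if a["timed_out"] else "no match")
        lines.append(f'{a["plain"]!r} tried={a["tried"]} -> {state}')
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Save the output of `expect -d agentless/ssh_integrity_check_linux ...` to a file and pass its contents to `report` to see which patterns the installed script actually tests against the remote prompt.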