Ubuntu 14.04 Master+Sensor Setup issue

elguap...@gmail.com

Jan 24, 2016, 10:10:29 AM
to security-onion
Hello list,

First of all, kudos on a fantastic Linux NSM distribution! Your contribution to the community sets the standard.

I decided to try out 14.04 in a dedicated server and one sensor setup. I installed vanilla Ubuntu 14.04 for both and ran through the installation instructions on both to include creating a user on the server for my sensor and giving that user sudo. Sosetup completes without issue on the master; however, once sosetup completes on the sensor, I receive:

"X11 connection rejected because of wrong authentication"

I have verified that I can manually ssh from the sensor to the server with the credentials I created for the user. I have also disabled the firewall and apparmor just to remove those as variables with no joy.

Has anyone run into this issue on the new release?

Wes

Jan 24, 2016, 11:17:26 AM
to security-onion

elguapotaco,

This may be more of an X11/Ubuntu issue than a setup issue. I have not experienced this error in running setup for a 14.04 sensor.

You could try taking a look here:

http://www.cyberciti.biz/faq/x11-connection-rejected-because-of-wrong-authentication/

Thanks,
Wes

elguap...@gmail.com

Jan 24, 2016, 1:17:43 PM
to security-onion

Thanks Wes. When you say you have not experienced this issue do you mean when utilizing the SO iso or installing on top of a vanilla Ubuntu 14.04.3 release? I ask because I have blown away both server and sensor multiple times now and run into the same issue - so at this point I'm doubting that following the instructions on the wiki for a prod install will get anyone to a working server/sensor deploy.

I did check out the link you provided; however, it unfortunately did not help. The below got me a bit closer but still no working setup.

http://unix.stackexchange.com/questions/110558/su-with-error-x11-connection-rejected-because-of-wrong-authentication

Doug Burks

Jan 24, 2016, 1:56:03 PM
to securit...@googlegroups.com
I just tested using vanilla Xubuntu 14.04.3 and everything worked fine for me.

Where exactly are you seeing this error message? When does it occur?

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

elguap...@gmail.com

Jan 24, 2016, 3:15:52 PM
to security-onion

Hi Doug,

I'm running fresh installs of Ubuntu 14.04.3 server x64 for both server and sensor.

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"
NAME="Ubuntu"
VERSION="14.04.3 LTS, Trusty Tahr"

This occurs on the sensor for me right after choosing options and telling sosetup to make changes. I get the GUI status bar that stops on "Please wait while creating Sguil sensor(s)" and in the terminal it asks for the password for the sensor user I set up (after displaying the X11 error, see below). Again, I can ssh to the server using the sensor user that is set up, so the creds are correct. I think Wes is correct in that this has something to do with xauth but I haven't been able to figure it out yet obviously. Was hoping someone else might be able to replicate or has seen this before with the new release.

X11 connection rejected because of wrong authentication.
X11 connection rejected because of wrong authentication.

(xfce4-terminal:3512): Gtk-WARNING **: cannot open display: localhost:10.0
The authenticity of host '10.200.2.252 (10.200.2.252)' can't be established.
ECDSA key fingerprint is e5:f4:78:9b:b3:3c:50:c1:3f:4a:11:f7:83:fa:9c:12.
Are you sure you want to continue connecting (yes/no)? yes
dirty...@10.200.2.252's password:
dirty...@10.200.2.252's password:

Wes

Jan 24, 2016, 3:47:05 PM
to security-onion

I just tried twice using fresh installs of Ubuntu 14.04.3 and installing via PPA and am running across the same error (it seems it only applies to sensor configuration, where it prompts to accept the key and enter the password for the sensor account). I think I might have come across it in the past with 12.04 once or twice. It seems as though it can't handle/populate the additional display, in addition to the already present sosetup display window. If you hit 'Ctrl+C' a few times after the above error, the display will pop up and prompt for the password, then disappear and nothing else happens, as sosetup appears to be cancelled by that point.

I am currently using, and in the past have been using, Xming with localhost:0.0 configured in PuTTY to forward the SSH.

I also tried messing around with the $DISPLAY variables, but was not able to get it working properly.

Thanks,
Wes

Doug Burks

Jan 24, 2016, 4:43:19 PM
to securit...@googlegroups.com
I'll try to take a look at this tomorrow. In the meantime, you should
be able to run cli-only Setup (no X at all) using sosetup.conf. For
more information, please see /usr/share/securityonion/sosetup.conf.

Doug Burks

Jan 26, 2016, 6:30:26 AM
to securit...@googlegroups.com
I've created Issue 846 for this:
https://github.com/Security-Onion-Solutions/security-onion/issues/846

It's most likely related to this commit:
https://github.com/Security-Onion-Solutions/securityonion-setup/commit/7e779e1f68ea8d495d71ae9ad7006001a9ec943d

In the meantime, I went ahead and updated the Production Deployment to
recommend the use of cli-only sosetup.conf when running Setup
remotely:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

Doug Burks

Jan 27, 2016, 6:17:25 AM
to securit...@googlegroups.com