Re: [security-onion] Ubuntu 12.04.1 - Credential is not working


Heine Lysemose

Oct 18, 2012, 4:07:31 PM
to securit...@googlegroups.com
Hi Baba

It looks like you missed a step...

echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections

This step will make sure you don't get prompted for MySQL passwords.

/Lysemose

On Thu, Oct 18, 2012 at 9:40 PM, Baba <ogluma...@gmail.com> wrote:

Hello,
Doug – Thanks for all of the hard work!  We greatly appreciate your time and that of everyone else who is assisting you on this wonderful project.

1. I recently download and installed Ubuntu 12.04.1 LTS
Further Detail of OS:
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.1 LTS
Release:        12.04
Codename:       precise

2. Followed your 12.04 procedure.
sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot
        sudo apt-get -y install python-software-properties
        sudo add-apt-repository -y ppa:securityonion/test
        sudo apt-get update
        sudo apt-get -y install securityonion-all
                only input was MySQL root password

3. Reboot the system.
4. Run “Security Onion > Setup”
Server Setup
Welcome window
Selected “yes, continue”
Would you like to use Quick Setup or Advanced Setup?
        Selected “Advanced”
If this is the first machine in a distributed deployment, choose server
        Selected “Server”
Which IDS Engine would you like to use?
        Selected “Snort”
Which IDS ruleset would you like to use?
        Selected “Emerging Threats GPL”
Next window to define: username, email address and password
Would you like to enable ELSA?
        Selected “yes”
Summary Page
        Selected “Yes, proceed with the changes”
Confirmation – Security Onion Setup is now completed
        Selected “ok”

5. Accessing Security Onion pages:
https://localhost
Started Squert, Snorby, ELSA

Credentials are not accepted for Squert, Snorby or ELSA.

6. Viewed the sosetup.log
# Please wait while configuring Squert web interface to connect to Sguil database...
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

# Please wait while adjusting Sguil rule locations...
# Please wait while setting IDS Engine to Snort...
# Please wait while configuring IDS Ruleset...
Already configured for Emerging Threats GPL ruleset.
# Please wait while executing PulledPork to download rules...
# Please wait while initializing Snorby database...
Jammit Warning: Asset compression disabled -- Java unavailable.
3b3cf3e0f07424c1bc839642fe45cso………. Some harsh
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
rake aborted!
Access denied for user 'root'@'localhost' (using password: NO)

Tasks: TOP => db:autoupgrade
(See full trace by running task with --trace)
# Please wait while starting all Security Onion services...
securityonion start/running, process 18201
# Please wait while configuring ELSA...
Beginning installation for ELSA WEB node.
* Placing syslog-ng config
* Building elsa directories
* Placing ELSA log node config file
* Beginning node configuration.
* Placing Sphinx Config file.
* Adding Sphinx to startup
 System start/stop links for /etc/init.d/sphinxsearch already exist.
* Adding Syslog-ng to startup
 System start/stop links for /etc/init.d/syslog-ng already exist.
^Gmysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
^Gmysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
….
Use of qw(...) as parentheses is deprecated at /opt/elsa/node/Indexer.pm line 434.
SQL_ERROR: DBI connect('database=syslog','elsa',...) failed: Access denied for user 'elsa'@'localhost' (using password: YES), query$
* Configuring logrotate for ELSA
FATAL: config file '/etc/sphinxsearch/sphinx.conf' does not exist or is not readable
* Altering sphinx port to 3307
sed: can't read /etc/sphinxsearch/sphinx.conf: No such file or directory
* Restarting Sphinx
Restarting sphinxsearch: [Thu Oct 18 19:59:00.249 2012] [18275] FATAL: no readable config file (looked in /etc/sphinxsearch/sphinx.$
Sphinx 2.0.4-release (r3135)
Copyright (c) 2001-2012, Andrew Aksyonoff
Copyright (c) 2008-2012, Sphinx Technologies Inc (http://sphinxsearch.com)

0
* Restarting syslog-ng
 * Stopping system logging syslog-ng
   ...done.
 * Starting system logging syslog-ng
WARNING: Configuration file format is too old, please update it to use the 3.3 format as some constructs might operate inefficientl$
WARNING: global: the default value of log_fifo_size() has changed to 10000 in version 3.3 to reflect log_iw_size() changes for tcp($
WARNING: The default behaviour for injecting messages in db-parser() has changed in version 3.3 from internal to pass-through, use $
   ...done.
18274
18292
18293
* Placing ELSA Web Config file
* Beginning Web Install:
* Configuring mysql schema
^Gmysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'elsa'@'localhost' (using password: YES)
* Configuring ELSA with Apache
Site elsa already enabled
Module rewrite already enabled
[Thu Oct 18 19:59:00 2012] [warn] NameVirtualHost localhost:3154 has no VirtualHosts
* Adding cron entry for alerts...
cron stop/waiting
cron start/running, process 18340
* Opening 3154/tcp..
Skipping adding existing rule
Skipping adding existing rule (v6)
* Retrieving GeoIP City databases...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0^M100   199  100   199    0     0   2388      0 --:$
* Unpacking GeoIP gzip file

gzip: /tmp/GeoLiteCity.dat.gz: not in gzip format
* Retrieving GeoIP Country databases...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0^M100   199  100   199    0     0   6441      0 --:$
* Unpacking GeoIP gzip file

gzip: /tmp/GeoIP.dat.gz: not in gzip format
...done.


7. Removed MySQL root password and re-ran “Security Onion > Setup”
8. Checked MySQL; now I have elsa_web, snorby…etc.
9. Back to step 5. Accessing Security Onion pages:
https://localhost
Started Squert, Snorby, ELSA
Credentials are not working for Squert, Snorby and ELSA.


Thanks for the suggestions.

Baba.

--



Heine Lysemose

Oct 18, 2012, 4:14:41 PM
to securit...@googlegroups.com
And BTW... The easiest way around your trouble would be to start over.

/Lysemose

Heine Lysemose

Jan 8, 2013, 10:27:28 AM
to securit...@googlegroups.com
Hi

Could you run a 'sudo sostat' and redact any sensitive information before posting the output here.

Thanks,
Lysemose


On Mon, Jan 7, 2013 at 5:48 PM, <darksh...@gmail.com> wrote:
On Thursday, October 18, 2012 5:11:10 PM UTC-4, Baba wrote:
> Hello Lysemose,
>
>
>
> Thanks for the quick response!  I will try your suggestion.
>
>
>
> -baba.
Did you find a resolution? I'm having a similar issue. I downloaded and installed the new Security Onion ISO (securityonion-12.04-20121224.iso), configured the network interface, rebooted, and ran the advanced setup to configure it as a server.
After it was completed I'm unable to connect to Squert, Snorby, or ELSA:
Squert says "connection failed"
Sguil says "Unable to connect to localhost on port 7734"
Snorby says "invalid credentials"

I ran the setup multiple times...tried various usernames and passwords, I even reinstalled twice and same issue...Any suggestions, frustration setting in now...

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To post to this group, send email to securit...@googlegroups.com.
To unsubscribe from this group, send email to security-onio...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.



Scott Runnels

Jan 8, 2013, 12:30:23 PM
to securit...@googlegroups.com
Can you check the following?

Is mysql up?

mysql -u root -e "show databases";

Is sguil up?

sudo service nsm status 

v/r
Scott




On Mon, Jan 7, 2013 at 11:48 AM, <darksh...@gmail.com> wrote:





--
Scott Runnels

Scott Runnels

Jan 8, 2013, 6:36:32 PM
to securit...@googlegroups.com
Hi Kelvin,

Your MySQL output should include the databases "securityonion_db" and "snorby". If you've run setup they would have been installed during this process. You did the install from the liveISO then once you booted you ran the setup correct?

Vr
Scott

On Jan 8, 2013, at 6:08 PM, kel...@moneydesktop.com wrote:

> I am having a similar problem. Going on 6 reinstalls at this point trying different things.
> Downloaded the latest ISO with md5 of 4aa04e113bd1456bc9362481de31dfac
> Attached the mysql command mentioned by Scott Runnels, and the sostat mentioned by Heine Lysemose.
>
> The sostat output is after I found the nsm service was not running and initiated it by `sudo service nsm start`
> I also tried to update definitions `sudo rule-update`, that output is attached as well.
>
> Kelvin
> <sostat.txt>
> <mysqlstatus.txt>
> <ruleupdate.txt>

Heine Lysemose

Jan 9, 2013, 5:14:39 AM
to securit...@googlegroups.com
Hi Kelvin

It looks like the sosetup had some issues and didn't complete successfully.
What is the spec of the computer/server you're trying to install on? Is it virtual or physical?

Can you post the /var/log/nsm/sosetup.log?

/Lysemose


On Wed, Jan 9, 2013 at 1:21 AM, <kel...@moneydesktop.com> wrote:
In the most recent attempt, I took these steps-
I booted from the liveISO, installed to the HDD then rebooted into the installed system.
Ran the setup, configured the networking with a static address, then rebooted again, per the setup instructions.
Ran the setup again, used the quick/easy mode (which supposedly all ran successfully), rebooted one more time.
Things were not working after the final reboot, so I pulled those outputs and posted them here.

The only thing in /var/log/nsm/sosetup.log is:

Skipping adding existing rule
Skipping adding existing rule (v6)
Skipping adding existing rule
Skipping adding existing rule (v6)
Skipping adding existing rule
Skipping adding existing rule (v6)
Firewall is active and enabled on system startup

The /var/log/nsm/ossec_agent.log contains:
Executing: /etc/nsm/ossec/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.log
Error: can't read "sguildSocketID": no such variable
^^ above line repeated 16 times

The strange thing is that I set up another VM on a different physical host from the same ISO following the same steps on Friday the 4th with no problems at all.

Kelvin



On Tuesday, January 8, 2013 4:36:32 PM UTC-7, Scott Runnels wrote:

Heine Lysemose

Jan 9, 2013, 1:31:30 PM
to securit...@googlegroups.com

Sorry, I didn't notice that you wrote that it was the entire sosetup.log.

What happens if you choose Advanced Setup, and run through the different steps?

I have installed two systems with the ISO without any problems.

What are the specs of the virtual server?

/Lysemose

On Jan 9, 2013 7:18 PM, "Kelvin Jasperson" <kel...@moneydesktop.com> wrote:
In the body of my last message I posted the /var/log/nsm/sosetup.log along with /var/log/nsm/ossec_agent.log

It is a VM in a testing environment which uses ESXi v5.0 on a Dell PowerEdge 1950. The host has been freshly wiped, so this is the only VM on the machine.

I just tried the same process in the same testing environment with ESXi v5.0 on a Dell R420 with the same results.

Are there any more logs that I could look at that could point to the problem?

Kelvin

Heine Lysemose

Jan 9, 2013, 4:42:50 PM
to securit...@googlegroups.com
Okay, one last thing before I let Doug take over when he is back from FloCon2013.
Could you try enabling debug in the sosetup script located here /usr/bin/sosetup and see if that gives you anything.

Just set the debug to Debug="1" under variables.

Thanks,
Lysemose


On Wed, Jan 9, 2013 at 10:23 PM, Kelvin Jasperson <kel...@moneydesktop.com> wrote:
If I select Advanced setup here are the options I choose:
Standalone server
Snort engine
eth1 interface (eth0 is mgmt)
2 IDS engine processes
1 bro process
Emerging threats GPL
usernames: username / user...@example.com
password: password
No ELSA
It results in the same output, no new mysql databases created and no /etc/nsm/securityonion.conf created.
I even stood up a new install of Ubuntu 12.04.1 Desktop, and followed the instructions in the Installation entry of the Wiki (linked below), adding the PPA and everything. Same results. :sadface:
http://code.google.com/p/security-onion/wiki/Installation#If_you_want_to_quickly_evaluate_Security_Onion_on_your_preferred

This time I ran the setup from the Terminal by running `sudo sosetup` attached are the results (this is from the liveISO, not the Ubuntu Desktop attempt).

The VM specs:
1 socket, 2 cores, 2GB RAM, 2 E1000 NIC's attached to two different networks, Virtual Machine (VMWare's) version 8, 200GB thin allocated HDD on a 1TB 7200RPM

Kelvin

Heine Lysemose

Jan 9, 2013, 5:17:39 PM
to securit...@googlegroups.com
It could be related. I actually experienced that during the test of the new version of SecurityOnion. But I had also enabled ELSA.
Kelvin, also try with just one Snort instance and one Bro instance. (Just like Quick/Easy setup)

/Lysemose


On Wed, Jan 9, 2013 at 11:02 PM, Matt <mgg...@gmail.com> wrote:
Hi Kelvin,

This is slightly off-topic and probably not related to any installation issues, but you will probably need to increase your RAM when in production.

Matt

On Wednesday, January 9, 2013 4:23:35 PM UTC-5, Kelvin Jasperson wrote:

Heine Lysemose

Jan 10, 2013, 7:58:27 AM
to securit...@googlegroups.com
So there you have it. Somehow the sosetup script is broken. That's why it keeps failing...
I can't understand why it keeps on failing on both the ISO and a plain Ubuntu Desktop install.

Doug, can you help troubleshoot this one?

/Lysemose


On Thu, Jan 10, 2013 at 1:10 AM, Kelvin Jasperson <kel...@moneydesktop.com> wrote:
I tried a few things.
1) Upped the VM to 8 total cores (2 sockets each with 4 cores) and 8GB of RAM. Everything else was the same as before.. no dice.
2) Same settings as above but only had 1 snort worker and 1 bro worker through the advanced config. No workie.
3) With Debug enabled, performed the same steps as #2 with no success. Attached is the output along with some other things I tried to ensure it was in fact busted.

I will also note that every single time I've tried an install/setup I have wiped the hard drive and re-installed the OS from the liveISO, not just re-trying different things on the same installation.

Thanks for all your help everyone.

Kelvin

Doug Burks

Jan 11, 2013, 4:59:17 PM
to securit...@googlegroups.com
Hi Kelvin,

I've done literally hundreds of installations and have never seen this before. The only thing I can think of is something in your username or password. Could you describe your username and password in terms of length and characters?  Alternatively, have you tried a simple username of "username" and a password of "password" to see if you get any different results?

Thanks,
Doug

On Friday, January 11, 2013, Kelvin Jasperson wrote:
Thanks Lysemose. I tried one more thing before finally giving up (for now, at least)
In a totally different location and environment I re-downloaded the latest version from sourceforge, instead of the torrent I used before. In the new environment I used the "home" virtualization solution from VMWare for Windows instead of ESXi, different usernames, different passwords, different IP (even a completely different private IP class) with the same result as before.

In the time I've spent I could have just set all this stuff up by hand, but I figured I was just doing something wrong. Now I think I agree with you, there appears to be something wrong with the sosetup installer script. I grazed through it and didn't see anything blatantly wrong, and it obviously passed the `bash -n /usr/bin/sosetup` syntax check, so I'm spent as far as my diagnosis goes without spending an inordinate amount of time digging. Hope all the info I have posted and attached has helped in finding an eventual solution!
Thanks again for all the assistance everyone.

Kelvin


--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Jan 15, 2013, 8:09:29 AM
to securit...@googlegroups.com
Good morning Kelvin,

I'm happy to report that I was finally able to duplicate this issue
and determine the root cause! The issue is that sosetup does "pkill
-f snort" to ensure that no old snort-related processes are running
but the "-f" is too aggressive if the hostname is "snort".

Please try the following:
- perform a fresh installation using the same username/password as
before and "snort" as the hostname
- reboot into your new installation
- before running Setup, run the following command to change all
occurrences of "pkill -f" to "pkill":
sudo sed -i 's|pkill -f|pkill|g' /usr/bin/sosetup
- run Setup

Please let us know whether or not that works for you!

Thanks,
Doug


On Fri, Jan 11, 2013 at 5:20 PM, Kelvin Jasperson
<kel...@moneydesktop.com> wrote:
> Hi Doug,
> At first I tried the username and password that I wanted. The username was all lowercase and 8 characters long, the password was more complex at 10+ characters that included upper and lower case, special characters, and numbers. The hostname was a concatenation of two or more strings of lower-case characters held together by hyphens and concluded with a node number, e.g. xxx-xxx-xxx3
>
> After 5-6 attempts at running the setup I got so tired of typing in complex hostnames and passwords and just resorted to "snort" as a hostname, "username" and "user...@example.com" as the usernames, and "password" as the password. So the last several installs and setup tries were all with this relatively simple hostname/username/password combination.
>
> Kelvin


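To make the root cause Doug describes concrete, here is an added shell emulation (not code from the thread or from Security Onion's sosetup) of how pgrep/pkill match a pattern against the process name versus, with -f, the full command line. The process table is constructed for the example and stands in for a host named "snort"; the anchored pattern at the end is one precise alternative to dropping -f altogether.

```shell
#!/bin/sh
# Added example: emulates pgrep/pkill pattern matching so the "-f" pitfall from
# the thread can be seen offline. The process table below is CONSTRUCTED, not
# real ps output; it stands in for a box whose hostname is "snort".
PROC_TABLE='101|snort|/usr/bin/snort -c /etc/nsm/sensor/snort.conf -i eth1
102|bash|/bin/bash /usr/bin/sosetup
103|mysql|mysql -h snort -u root securityonion_db
104|sshd|sshd: analyst@snort
105|barnyard2|/usr/bin/barnyard2 -c /etc/nsm/sensor/barnyard2.conf'

# match_pids MODE PATTERN
#   MODE "name": like plain pkill, PATTERN (an extended regex) is matched
#                against the process name only.
#   MODE "full": like pkill -f, PATTERN is matched against the whole command
#                line, so a hostname or argument containing "snort" matches too.
# Prints the matching PIDs comma-separated (an empty line if none match).
# Note: even name mode is a regex match, so "snort" would also match a process
# named "snortd"; real pkill -x snort would require the exact name.
match_pids() {
    printf '%s\n' "$PROC_TABLE" | awk -F'|' -v mode="$1" -v pat="$2" '
        {
            subject = (mode == "full") ? $3 : $2
            if (subject ~ pat) out = out (out == "" ? "" : ",") $1
        }
        END { print out }'
}

# Stand-alone demonstration of the three cases: the over-broad -f match that
# would also kill the mysql client and the ssh session, the plain match, and
# an -f pattern anchored to the binary path.
echo "pkill -f snort would hit PIDs: $(match_pids full snort)"   # 101,103,104
echo "pkill snort would hit PIDs:    $(match_pids name snort)"   # 101
echo "anchored -f pattern hits PIDs: $(match_pids full '^/usr/bin/snort( |$)')"   # 101
```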

Heine Lysemose

Jan 16, 2013, 2:35:11 AM
to securit...@googlegroups.com
Good to hear Kelvin.
Really nice catch Doug!!

/Lysemose


On Wed, Jan 16, 2013 at 1:45 AM, Kelvin Jasperson <kel...@moneydesktop.com> wrote:
I learned today that you can use a pipe instead of a forward slash in sed. Neato.
This never crossed my mind until just now, but the more complex hostname that I was using before also included the word 'snort', so that could have been aggressively killed by pkill as well, since it potentially could be found via grep if searching for snort.

It appears as if that worked! It installs without throwing a dozen errors, hooray! I am now able to log in, and within a few minutes I already got this in my testing environment http://cl.ly/image/2X0L1u1M1H34

Now I can finally retire my old snort setup and go with something a little classier :)

Thanks a bunch Doug, Lysemose, and everyone else. I hope other people had this same problem and that this fix will benefit them as well.

Kelvin

Doug Burks

Jan 16, 2013, 7:00:41 AM
to securit...@googlegroups.com
On Tue, Jan 15, 2013 at 7:45 PM, Kelvin Jasperson
<kel...@moneydesktop.com> wrote:
> I learned today that you can use a pipe instead of a forward slash in sed. Neato.

Yep, I tend to use sed quite often to modify file paths and the
forward slash obviously creates issues. sed will allow you to use
just about anything as the delimiter and so I default to the pipe.

> This never crossed my mind until just now, but the more complex hostname that I was using before also included the word 'snort', so that could have been aggressively killed by pkill as well, since it potentially could be found via grep if searching for snort.
>
> It appears as if that worked! It installs without throwing a dozen errors, hooray! I am now able to log in, and within a few minutes I already got this in my testing environment http://cl.ly/image/2X0L1u1M1H34
>
> Now I can finally retire my old snort setup and go with something a little classier :)
>
> Thanks a bunch Doug, Lysemose, and everyone else. I hope other people had this same problem and that this fix will benefit them as well.

Glad to hear it! I'll work on an official fix for this.

Thanks,
Doug

>
> Kelvin
>