Agentless: Timout while running on host
339 views
Skip to first unread message
meganie
May 20, 2022, 8:33:21 AM5/20/22
to Wazuh mailing list
I try to integrate some switches into Wazuh using the wazuh-agentlessd module.
But I get this message in the log:
2022/05/20 14:14:17 wazuh-agentlessd: ERROR: ssh_generic_diff: admini...@172.xxx.xxx.xxx: Timeout while running on host: admini...@172.xxx.xxx.xxx
The part in my ossec.conf looks like this:
<agentless>
<type>ssh_generic_diff</type>
<frequency>3600</frequency>
<host>admini...@172.xxx.xxx.xxx</host>
<state>periodic_diff</state>
<arguments>show interfaces status</arguments>
</agentless>
I guess it's not working because the switch requieres a random input after login but I also tried to include that into the <arguments> senction and it doesn't change anything.
<type>ssh_generic_diff</type>
<frequency>3600</frequency>
<host>admini...@172.xxx.xxx.xxx</host>
<state>periodic_diff</state>
<arguments>show interfaces status</arguments>
</agentless>
I guess it's not working because the switch requieres a random input after login but I also tried to include that into the <arguments> senction and it doesn't change anything.
If I try to run ./agentless/ssh_generic_diff admini...@172.xxx.xxx.xxx show interfaces status the login works but I'm not able to press a key to continue.
Pablo Ariel Gonzalez
May 22, 2022, 10:16:50 PM5/22/22
to Wazuh mailing list
Hi Meganie, it's a pleasure to be able to discuss this case with you.
I have been analyzing the information you have shared. Regarding the agentless configuration in the ossec.conf file, from what I see it is correct. Although you don't include it here, I understand that before this step you have made the connection to the wazuh manager as described in the documentation.
Looking at the screenshot, I understand that you are trying to connect an HP 540zl switch using the "Generic Diff" option and that this doesn't work.
From what it says after logging in you have to enter a random key to be able to continue and right at this point you get the prompt where you can run a command. Have I understood correctly how this switch works?
If so, I ask you, have you tried to include an "echo", "echo '\n'" or similar before "show interfaces status"? The line in the ossec.conf file should be similar to the following:
<arguments> echo; show interface status</arguments>
If you tried this and it didn't work, we could investigate how to send an extra character at login or if the ssh switch service has any parameters for non-interactive execution to help us with this setup.
I have been analyzing the information you have shared. Regarding the agentless configuration in the ossec.conf file, from what I see it is correct. Although you don't include it here, I understand that before this step you have made the connection to the wazuh manager as described in the documentation.
Looking at the screenshot, I understand that you are trying to connect an HP 540zl switch using the "Generic Diff" option and that this doesn't work.
From what it says after logging in you have to enter a random key to be able to continue and right at this point you get the prompt where you can run a command. Have I understood correctly how this switch works?
If so, I ask you, have you tried to include an "echo", "echo '\n'" or similar before "show interfaces status"? The line in the ossec.conf file should be similar to the following:
<arguments> echo; show interface status</arguments>
If you tried this and it didn't work, we could investigate how to send an extra character at login or if the ssh switch service has any parameters for non-interactive execution to help us with this setup.
Thanks,
meganie
May 23, 2022, 6:26:05 AM5/23/22
to Wazuh mailing list
Thank you for your answer!
I use multiple different HP switches but they all have the same type of interface with the same problem:
- 2530-8G-PoEP
- 2530-24G-PoE+
- 2530-48G-PoE+
- 2915-8G-PoE
- 2920-24G-PoE+
- 2920-48G-PoE+
- 5406zl
- 5412zl
If I run ./agentless/ssh_generic_diff adminin...@172.xxx.xxx.xxx show interfaces status the login using .passlist works fine. But the terminal doesn't react correctly to inputs after that and times out.
Here I have typed "test input" and pressed enter. After pressing enter the cursor just jumps to the start of the line.
During a normal SSH login a text input wouldn't even be possible at this point because already pressing "t" would be enough to continue.
I've also tried using "echo" or "echo '\n'" in the ossec.conf and running ./agentless/ssh_generic_diff adminin...@172.xxx.xxx.xxx echo without a difference.
Pablo Ariel Gonzalez
May 24, 2022, 9:16:28 AM5/24/22
to Wazuh mailing list
Hi Meganie.
ssh administrator@device_ip 'show interface status'
Yes, that's what I assumed. Many network devices include these mechanisms so that access must be human and not automatic. We are investigating how we could solve this problem.
As we discuss it, I ask him if he could run an additional test. If you try to make that connection manually, i.e. using a common ssh client, do you get the same result? . To do this from a Linux computer or a Windows emulator you can open a console and run the following:
As we discuss it, I ask him if he could run an additional test. If you try to make that connection manually, i.e. using a common ssh client, do you get the same result? . To do this from a Linux computer or a Windows emulator you can open a console and run the following:
ssh administrator@device_ip 'show interface status'
Thanks,
meganie
Jun 7, 2022, 4:05:20 AM6/7/22
to Wazuh mailing list
Sorry for the late response. I was able to test it today with the following result:
SSH command execution is not supported.
Connection to xxx.xxx.xx.xx closed by remote host.
Connection to xxx.xxx.xx.xx closed by remote host.
I have also tried:
ssh myuser@myhost show interface status < /dev/null
ssh myhost -l myuser $(echo -e 'show interface status\nexit')
with the same result.
Pablo Ariel Gonzalez
Jun 12, 2022, 4:54:52 PM6/12/22
to Wazuh mailing list
Hi Meganie,
In case it's not possible we find a solution using SSH, I think I could still get the data via SNMP with a script and save it to a local file on the Wazuh server. And then import that information by reading the file with log data collector .
I have continued to investigate and it seems that on some HP switch models it is possible to disable the screen that is displayed when starting an SSH connection. Could you check if this option is available and if it could be a solution for you?
In case it's not possible we find a solution using SSH, I think I could still get the data via SNMP with a script and save it to a local file on the Wazuh server. And then import that information by reading the file with log data collector .
I hope you can perform the tests and share the results with us later.
Thanks,
meganie
Jun 24, 2022, 7:49:55 AM6/24/22
to Wazuh mailing list
Unfortunately It's not possible to disable this prompt. Others already had this problem 10+ years ago:
Reply all
Reply to author
Forward
0 new messages