Re: [ossec-list] Port 1514 Not Listening
On Wednesday, 16 September 2015 21:15:14 UTC+1, Kat wrote:
> Just a silly question I don't see in this thread -- do you have ANY
> clients defined on the server itself??
>
> What is currently in /var/ossec/etc/clients.keys?

That's not a silly question at all, especially if authd is being used. See https://github.com/ossec/ossec-hids/pull/662.
Re: [ossec-list] Port 1514 Not Listening
Just a silly question I don't see in this thread -- do you have ANY clients defined on the server itself??

What is currently in /var/ossec/etc/clients.keys?

-Kat
Re: [ossec-list] Port 1514 Not Listening
James Oliver Pormento said:
>
>Hi,
>
>-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT
>-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT
>
>The agent's IPs are different. Another question, should we remove the
>tcp port 1514? Will having both ports tcp 1514 and udp 1514 at the same
>time cause the port number 1514 to be unable to bind?

You don't need any of the tcp lines. ossec doesn't use tcp. My best guess for the "unable to bind" messages is that you already have ossec running, and using the port, and you're trying to start a second daemon.

>Also, by restoring the iptables with only the rules that OSSEC needs, will
>that solve this issue "ossec-remoted(1206): ERROR: Unable to Bind port
>'1514'" that we've found in the ossec.log?
>
>Regards,
>
>*James Oliver "J.O." Pormento*
>*Software Engineer*
>Email: james.porme...@pointwest.com.ph
>Website: www.pointwest.com.ph
>*Pointwest Innovations Corporation*
Re: [ossec-list] Port 1514 Not Listening
James Oliver Pormento said:
>
>We tried to execute this "-A INPUT -m udp -p udp -s 10.20.30.40 --sport
>1514 -j ACCEPT" and saved it on the OSSEC Server.

The --sport 1514 line goes on the agent, so it can receive the responses from the server. UDP is connectionless, so there's no inherent state tracking. The kernel knows how to do udp state for a few things, but ossec isn't really one of them.

>Below is what our OSSEC server's iptables looks like:
>
>*filter
>:INPUT ACCEPT [0:0]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>-A INPUT -s xxx.xxx.xx.xx/32 -p tcp -m tcp --dport 1514 -j ACCEPT
>
>*-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT-A
>INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT*

This looks like two lines run together? It's also using tcp instead of udp. You should have one line here:

-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT

>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>-A INPUT -p icmp -j ACCEPT
>-A INPUT -i lo -j ACCEPT
>-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>-A INPUT -j REJECT --reject-with icmp-host-prohibited
>
>*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT-A
>INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT*

This is after the REJECT line, so it has no effect.

>-A INPUT -j DROP
>-A INPUT -p udp -m udp --dport 1514 -j ACCEPT

This is after both the REJECT line and the DROP line, so it has no effect.

>*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT-A
>INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT*

This is after both the REJECT line and the DROP line, so it has no effect.

>-A FORWARD -j REJECT --reject-with icmp-host-prohibited
>-A OUTPUT -j ACCEPT
>-A OUTPUT -j ACCEPT
>COMMIT

I normally deal with this by editing a file with the rules I want, then using "/sbin/iptables-restore < filename" to load it into the kernel.

>Regards,
>
>*James Oliver "J.O." Pormento*
>*Software Engineer*
>Email: james.porme...@pointwest.com.ph
>Website: www.pointwest.com.ph
>*Pointwest Innovations Corporation*
>
>On Thu, Sep 10, 2015 at 8:54 AM, wrote:
>
>> James Oliver Pormento said:
>> >
>> >HI,
>> >
>> >Thank you for the info.
>> >This is what we've got upon trying "netstat -ulnp":
>> >
>> >Active Internet connections (only servers)
>> >Proto Recv-Q Send-Q Local Address        Foreign Address  State  PID/Program name
>> >udp        0      0 xxx.xx.xxx.xxx:1514  0.0.0.0:*               8125/ossec-remoted
>> >udp        0      0 0.0.0.0:514          0.0.0.0:*               8126/ossec-remoted
>> >
>> >Does this mean that port 1514 is open but not binding? Or does this mean
>> >something else? Please advise. Thank you.
>>
>> That looks like the output from my server.
>>
>> Are you sure you're allowing 1514/udp in iptables on both machines?
>> Your /etc/sysconfig/iptables file should contain something like this on the
>> agent. Where 10.20.30.40 is your ossec server. Note, it's using --sport
>> for source port. That's because the agents send udp packets from a random
>> port to the server's port 1514. Then the server responds from port 1514 to
>> the agent's random port.
>>
>> -A INPUT -m udp -p udp -s 10.20.30.40 --sport 1514 -j ACCEPT
>>
>> And something like this on the server:
>>
>> :OSSEC - [0:0]
>> -A OSSEC -s 1.2.3.4 -j ACCEPT -m comment --comment "my first spiffy agent machine"
>> -A OSSEC -s 1.2.3.5 -j ACCEPT -m comment --comment "my second spiffy agent machine"
>> -A INPUT -m udp -p udp --dport 1514 -j OSSEC
>>
>> You can use tcpdump on both machines to see if the packets are flowing.
>>
>> tcpdump port 1514
>>
>> On the server, you can use agent_control -l to see the connected
>> agents.
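The rule-ordering point made in the reply above (a rule placed after an unconditional REJECT or DROP in the same chain never matches), as an added example that is not part of the original thread: a small checker for an iptables-save style file that can be run before loading it with iptables-restore. The function names are hypothetical, and both rulesets are constructed, modelled on the one quoted in the thread with 192.0.2.10 standing in for the agent's IP.

```python
import shlex

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample modelled on the server ruleset quoted in the thread.
# 192.0.2.10 is a documentation address standing in for the agent's IP.
POSTED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 1514 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""

# Constructed corrected ordering: the UDP 1514 rule sits before the REJECT.
FIXED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Split one '-A CHAIN ...' line into (chain, target, match_tokens)."""
    tokens = shlex.split(line)
    chain, rest = tokens[1], tokens[2:]
    target, matches, i = None, [], 0
    while i < len(rest):
        if rest[i] in ("-j", "--jump") and i + 1 < len(rest):
            target = rest[i + 1]
            i += 2
        elif rest[i] == "--reject-with":  # REJECT option, not a match condition
            i += 2
        else:
            matches.append(rest[i])
            i += 1
    return chain, target, matches


def has_option(matches, flag, value):
    """True when `flag value` appears as adjacent tokens in the rule."""
    return any(a == flag and b == value for a, b in zip(matches, matches[1:]))


def audit(ruleset, port="1514"):
    """Return (line_number, kind, detail) findings for an iptables-save text."""
    findings = []
    catch_all = {}  # chain -> line number of its first unconditional verdict
    for lineno, raw in enumerate(ruleset.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("-A "):
            continue  # table header, chain policy, COMMIT, blank line
        chain, target, matches = parse_rule(line)
        if chain in catch_all:
            # Everything after an unconditional ACCEPT/DROP/REJECT is dead.
            findings.append((lineno, "unreachable",
                             f"{chain} already ends at line {catch_all[chain]}"))
        elif not matches and target in TERMINAL_TARGETS:
            catch_all[chain] = lineno
        elif has_option(matches, "-p", "tcp") and has_option(matches, "--dport", port):
            findings.append((lineno, "tcp-port",
                             f"{port}/tcp opened; the thread's agent traffic is {port}/udp"))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit(POSTED_RULES):
        print(f"line {lineno}: {kind}: {detail}")
```

A jump to a user-defined chain such as the OSSEC chain shown in the thread is not treated as a verdict, so rules following it are not flagged.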
Re: [ossec-list] Port 1514 Not Listening
Hi,

-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT
-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT

The agent's IPs are different. Another question, should we remove the tcp port 1514? Will having both ports tcp 1514 and udp 1514 at the same time cause the port number 1514 to be unable to bind?

Also, by restoring the iptables with only the rules that OSSEC needs, will that solve this issue "ossec-remoted(1206): ERROR: Unable to Bind port '1514'" that we've found in the ossec.log?

Regards,

*James Oliver "J.O." Pormento*
*Software Engineer*
Email: james.porme...@pointwest.com.ph
Website: www.pointwest.com.ph
*Pointwest Innovations Corporation*
[ossec-list] Port 1514 Not Listening
Hi,

We have installed OSSEC server v2.8.2 in CentOS. After installation, it seems that port 1514 is not listening. We used the default port (1514) during installation. We've tried to check using this command in CentOS: *netstat -tlnp |grep 1514* and did not get anything. May we ask the following questions:

1. May we ask if there's another way to make sure that the port is listening?
2. Do we need to add something in the configuration file or something?

Please advise. Thank you.

Regards,
James Oliver B. Pormento
Re: [ossec-list] Port 1514 Not Listening
Hi,

Thank you for that suggestion.
We're also getting this error 'ossec-remoted(1206): ERROR: Unable to Bind port '1514'' in the ossec.log. We already double-checked and confirmed that only ossec-remoted is using the port 1514. Any ideas/suggestions about the error? Thanks.

Regards,

*James Oliver "J.O." Pormento*
*Software Engineer*
Email: james.porme...@pointwest.com.ph
Website: www.pointwest.com.ph
*Pointwest Innovations Corporation*

On Wed, Sep 9, 2015 at 5:38 PM, José Luis Ruiz wrote:
>
> Try to open the firewall
>
> firewall-cmd --zone=public --add-port=1514/udp --permanent
>
> Sent from my iPhone
Re: [ossec-list] Port 1514 Not Listening
On Wed, Sep 9, 2015 at 1:17 AM, James Oliver Pormento wrote:
> Hi,
>
> We have installed OSSEC server v2.8.2 in CentOS. After installation, it
> seems that port 1514 is not listening. We used the default port (1514) during
> installation. We've tried to check using this command in CentOS: netstat
> -tlnp |grep 1514 and did not get anything. May we ask the following
> questions:
>
> 1. May we ask if there's another way to make sure that the port is
> listening?
> 2. Do we need to add something in the configuration file or something?
>
> Please advise. Thank you.

Is ossec-remoted running? If not, try starting it and checking ossec.log.
Also please provide a sanitized copy of the section of your OSSEC server's ossec.conf.

> Regards,
> James Oliver B. Pormento
Re: [ossec-list] Port 1514 Not Listening
On Wed, Sep 9, 2015 at 7:51 AM, James Oliver Pormento wrote:
>
> Hi,
>
> Thank you for that suggestion.
> We're also getting this error 'ossec-remoted(1206): ERROR: Unable to Bind
> port '1514'' in the ossec.log. We already double-checked and confirmed that
> only ossec-remoted is using the port 1514. Any ideas/suggestions about the
> error? Thanks.

Check /var/log/audit to make sure nothing is blocking the binding.
Also make sure remoted isn't configured to listen on an IP address that does not exist on that system.
Re: [ossec-list] Port 1514 Not Listening
James Oliver Pormento said:
>
>We have installed OSSEC server v2.8.2 in CentOS. After installation, it
>seems that port 1514 is not listening. We used the default port (1514)
>during installation. We've tried to check using this command in
>CentOS: *netstat -tlnp |grep 1514* and did not get anything. May we ask
>the following questions:

The port is UDP, not TCP. Try "netstat -ulnp".

>1. May we ask if there's another way to make sure that the port is
>listening?
>2. Do we need to add something in the configuration file or something?
>
>Please advise. Thank you.
>
>Regards,
>James Oliver B. Pormento
Re: [ossec-list] Port 1514 Not Listening
Hi,

Thank you for the info.
This is what we've got upon trying "netstat -ulnp":

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address        Foreign Address  State  PID/Program name
udp        0      0 xxx.xx.xxx.xxx:1514  0.0.0.0:*               8125/ossec-remoted
udp        0      0 0.0.0.0:514          0.0.0.0:*               8126/ossec-remoted

Does this mean that port 1514 is open but not binding? Or does this mean something else? Please advise. Thank you.

Regards,

*James Oliver "J.O." Pormento*
*Software Engineer*
Email: james.porme...@pointwest.com.ph
Website: www.pointwest.com.ph
*Pointwest Innovations Corporation*
Re: [ossec-list] Port 1514 Not Listening
On Sep 9, 2015 8:51 PM, "James Oliver Pormento" <james.porme...@pointwest.com.ph> wrote:
>
> Hi,
>
> Thank you for the info.
> This is what we've got upon trying "netstat -ulnp":
>
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address        Foreign Address  State  PID/Program name
> udp        0      0 xxx.xx.xxx.xxx:1514  0.0.0.0:*               8125/ossec-remoted
> udp        0      0 0.0.0.0:514          0.0.0.0:*               8126/ossec-remoted
>
> Does this mean that port 1514 is open but not binding? Or does this mean
> something else? Please advise. Thank you.

It looks like you misunderstand your problem. What is the problem you are having?
Re: [ossec-list] Port 1514 Not Listening
Hi,

We tried to execute this "-A INPUT -m udp -p udp -s 10.20.30.40 --sport 1514 -j ACCEPT" and saved it on the OSSEC Server.

Below is what our OSSEC server's iptables looks like:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s xxx.xxx.xx.xx/32 -p tcp -m tcp --dport 1514 -j ACCEPT
*-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT*
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT*
-A INPUT -j DROP
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT*
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

Regards,

*James Oliver "J.O." Pormento*
*Software Engineer*
Email: james.porme...@pointwest.com.ph
Website: www.pointwest.com.ph
*Pointwest Innovations Corporation*

On Thu, Sep 10, 2015 at 8:54 AM, wrote:

> James Oliver Pormento said:
> >
> >HI,
> >
> >Thank you for the info.
> >This is what we've got upon trying "netstat -ulnp":
> >
> >Active Internet connections (only servers)
> >Proto Recv-Q Send-Q Local Address         Foreign Address   State   PID/Program name
> >udp        0      0 xxx.xx.xxx.xxx:1514   0.0.0.0:*                 8125/ossec-remoted
> >udp        0      0 0.0.0.0:514           0.0.0.0:*                 8126/ossec-remoted
> >
> >Does this mean that port 1514 is open but not binding? Or does this mean
> >something else? Please advise. Thank you.
>
> That looks like the output from my server.
>
> Are you sure you're allowing 1514/udp in iptables on both machines?
> Your /etc/sysconfig/iptables file should contain something like this on the
> agent. Where 10.20.30.40 is your ossec server. Note, it's using --sport
> for source port. That's because the agents send udp packets from a random
> port to the server's port 1514. Then the server responds from port 1514 to
> the agent's random port.
>
> -A INPUT -m udp -p udp -s 10.20.30.40 --sport 1514 -j ACCEPT
>
> And something like this on the server:
>
> :OSSEC - [0:0]
> -A OSSEC -s 1.2.3.4 -j ACCEPT -m comment --comment "my first spiffy agent machine"
> -A OSSEC -s 1.2.3.5 -j ACCEPT -m comment --comment "my second spiffy agent machine"
> -A INPUT -m udp -p udp --dport 1514 -j OSSEC
>
> You can use tcpdump on both machines to see if the packets are flowing.
>
> tcpdump port 1514
>
> On the server, you can use agent_control -l to see the connected
> agents.
>
> >
> >
> >Regards,
> >
> >
> >*James Oliver "J.O." Pormento*
> >*Software Engineer*
> >Email: james.porme...@pointwest.com.ph
> >Website: www.pointwest.com.ph
> >*Pointwest Innovations Corporation*
> >
> >On Wed, Sep 9, 2015 at 11:37 PM, wrote:
> >
> >> James Oliver Pormento said:
> >> >
> >> >We have installed OSSEC server v2.8.2 in CentOS. After installation, it
> >> >seems that port 1514 is not listening. We used the default port(1514)
> >> >during installation. We've tried to check using this command in
> >> >CentOS: *netstat -tlnp |grep 1514* and did not get anything. May we ask
> >> >the following questions:
> >>
> >> The port is UDP, not TCP. Try "netstat -ulnp".
> >>
> >> >
> >> >1. May we ask if there's another way to make sure that the port is
> >> >listening?
> >> >2. Do we need to add something in the configuration file or something?
> >> >
> >> >Please advise. Thank you.
> >> >
> >> >
> >> >Regards,
> >> >James Oliver B. Pormento
>
> Cheers,
> Doke
Re: [ossec-list] Port 1514 Not Listening
James Oliver Pormento said:
>
>HI,
>
>Thank you for the info.
>This is what we've got upon trying "netstat -ulnp":
>
>Active Internet connections (only servers)
>Proto Recv-Q Send-Q Local Address         Foreign Address   State   PID/Program name
>udp        0      0 xxx.xx.xxx.xxx:1514   0.0.0.0:*                 8125/ossec-remoted
>udp        0      0 0.0.0.0:514           0.0.0.0:*                 8126/ossec-remoted
>
>Does this mean that port 1514 is open but not binding? Or does this mean
>something else? Please advise. Thank you.

That looks like the output from my server.

Are you sure you're allowing 1514/udp in iptables on both machines?
Your /etc/sysconfig/iptables file should contain something like this on the agent. Where 10.20.30.40 is your ossec server. Note, it's using --sport for source port. That's because the agents send udp packets from a random port to the server's port 1514. Then the server responds from port 1514 to the agent's random port.

-A INPUT -m udp -p udp -s 10.20.30.40 --sport 1514 -j ACCEPT

And something like this on the server:

:OSSEC - [0:0]
-A OSSEC -s 1.2.3.4 -j ACCEPT -m comment --comment "my first spiffy agent machine"
-A OSSEC -s 1.2.3.5 -j ACCEPT -m comment --comment "my second spiffy agent machine"
-A INPUT -m udp -p udp --dport 1514 -j OSSEC

You can use tcpdump on both machines to see if the packets are flowing.

tcpdump port 1514

On the server, you can use agent_control -l to see the connected agents.

>
>
>Regards,
>
>
>*James Oliver "J.O." Pormento*
>*Software Engineer*
>Email: james.porme...@pointwest.com.ph
>Website: www.pointwest.com.ph
>*Pointwest Innovations Corporation*
>
>On Wed, Sep 9, 2015 at 11:37 PM, wrote:
>
>> James Oliver Pormento said:
>> >
>> >We have installed OSSEC server v2.8.2 in CentOS. After installation, it
>> >seems that port 1514 is not listening. We used the default port(1514)
>> >during installation. We've tried to check using this command in
>> >CentOS: *netstat -tlnp |grep 1514* and did not get anything. May we ask
>> >the following questions:
>>
>> The port is UDP, not TCP. Try "netstat -ulnp".
>>
>> >
>> >1. May we ask if there's another way to make sure that the port is
>> >listening?
>> >2. Do we need to add something in the configuration file or something?
>> >
>> >Please advise. Thank you.
>> >
>> >
>> >Regards,
>> >James Oliver B. Pormento

Cheers,
Doke
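An added example, not part of any post in the thread: iptables evaluates a chain top to bottom, so an ACCEPT for 1514/udp that sits below a catch-all REJECT or DROP never matches. The sketch below checks that ordering on an iptables-save style ruleset; the function names, the 192.0.2.10 agent address and both sample rulesets are constructed for illustration.

```shell
# Reads an iptables-save style ruleset on stdin and reports whether new udp/1514
# traffic is accepted before a catch-all REJECT/DROP in INPUT (order only; -s is not evaluated).
audit_1514() {
    awk '
    /^:INPUT / { policy = $2 }
    /^-A INPUT / {
        n++
        to1514 = ($0 ~ /--dport 1514( |$)/)
        if (to1514 && $0 ~ /-p tcp /)
            print "rule " n ": tcp/1514 is unused, ossec-remoted listens on udp"
        if (to1514 && $0 ~ /-p udp / && $0 ~ /-j ACCEPT( |$)/) {
            if (verdict == "") verdict = "ACCEPT at rule " n
            else if (verdict ~ /^BLOCKED/) print "rule " n ": udp/1514 ACCEPT is unreachable"
        }
        if (verdict == "" && $0 ~ /^-A INPUT -j (REJECT|DROP)( |$)/)
            verdict = "BLOCKED by catch-all at rule " n
    }
    END { print "udp/1514: " (verdict == "" ? "policy " policy : verdict) }'
}

# Constructed sample, abridged from the server ruleset posted in the thread;
# 192.0.2.10 stands in for the redacted agent address.
posted_rules() {
    cat <<'EOF'
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 1514 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -j DROP
EOF
}

# Constructed sample: the same rules with the udp accept ahead of the catch-all.
fixed_rules() {
    cat <<'EOF'
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

posted_rules | audit_1514
fixed_rules | audit_1514
```

On a live server the same function can be fed from `iptables-save` or from /etc/sysconfig/iptables.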
[ossec-list] port 1514 not listening after install
Hi,

I installed version 1.4. It never asked me what version of the HIDS I wanted to install server/agent etc. So I just went with the defaults.

When it starts up everything seems to be fine but when I do a netstat -tupln | grep 1514 the required port is not listening. Ossec is definitely started as I can see it running in the process list. There are no errors in /var/log/messages or in ossec.log. In version 1.4 it did have a segfault error for ossec-remoted but upgrading to the snapshot fixed that it seems.

As such none of my agents can communicate with the server.

Also /etc/ossec-init.conf has my Type set to local, I changed it to 'server' and restarted ossec but still no port 1514/udp listening.

I also installed the latest snapshot and have the same issue. Running Redhat EL-4 64-bit.

Roch