Re: [ossec-list] Port 1514 Not Listening

2015-09-17 Thread James Le Cuirot


On Wednesday, 16 September 2015 21:15:14 UTC+1, Kat wrote:
>
> Just a  silly question I don't see in this thread -- do you have ANY 
> clients defined on the server itself??
>
> What is currently in /var/ossec/etc/clients.keys? 
>

That's not a silly question at all, especially if authd is being used. 
See https://github.com/ossec/ossec-hids/pull/662.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Port 1514 Not Listening

2015-09-16 Thread Kat
Just a  silly question I don't see in this thread -- do you have ANY 
clients defined on the server itself??

What is currently in /var/ossec/etc/clients.keys?

-Kat



Re: [ossec-list] Port 1514 Not Listening

2015-09-11 Thread doke
James Oliver Pormento  said:
>
>Hi,
>
>-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT
>-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT
>   > The agent's IPs are different. Another question, should we remove the
>tcp port 1514? Will having both ports tcp 1514 and udp 1514 at the same
>time might cause the port number 1514 being unable to bind?

You don't need any of the tcp lines.  ossec doesn't use tcp.  

My best guess for the "unable to bind" messages is that you already
have ossec running, and using the port, and you're trying to start a second
daemon.

>
>Also, by restoring the iptables with only the rules that OSSEC needs, will
>that solve this issue "ossec-remoted(1206): ERROR: Unable to Bind port
>'1514'" that we've found in the ossec.log?
>
>
>Regards,
>
>
>*James Oliver "J.O." Pormento*
>*Software Engineer*
>Email: james.porme...@pointwest.com.ph
>Website: www.pointwest.com.ph
>*Pointwest Innovations Corporation*
>
>On Thu, Sep 10, 2015 at 12:23 PM,  wrote:
>
>> James Oliver Pormento  said:
>> >
>> >We tried to execute this "-A INPUT -m udp -p udp -s 10.20.30.40 --sport
>> >1514 -j ACCEPT" and saved it on the OSSEC Server.
>>
>> The --sport 1514 line goes on the agent, so it can receive the
>> responses from the server.  UDP is connectionless, so there's no inherent
>> state tracking.  The kernel knows how to do udp state for a few things, but
>> ossec isn't really one of them.
>>
>> >Below is what our OSSEC server's iptables looks like:
>> >
>> >*filter
>> >:INPUT ACCEPT [0:0]
>> >:FORWARD ACCEPT [0:0]
>> >:OUTPUT ACCEPT [0:0]
>> >-A INPUT -s xxx.xxx.xx.xx/32 -p tcp -m tcp --dport 1514 -j ACCEPT
>> >
>> >*-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT-A
>> >INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT*
>>
>> This looks like two lines run together?  It's also using tcp instead of
>> udp.  You should have one line here:
>>
>> -A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT
>>
>> >-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> >-A INPUT -p icmp -j ACCEPT
>> >-A INPUT -i lo -j ACCEPT
>> >-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>> >-A INPUT -j REJECT --reject-with icmp-host-prohibited
>> >
>> >*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT-A
>> >INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT*
>>
>> This is after the REJECT line, so it has no effect.
>>
>> >-A INPUT -j DROP
>> >-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
>>
>> This is after both the REJECT line and the DROP line, so it has no
>> effect.
>>
>> >*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT-A
>> >INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT*
>>
>> This is after both the REJECT line and the DROP line, so it has no
>> effect.
>>
>> >-A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> >-A OUTPUT -j ACCEPT
>> >-A OUTPUT -j ACCEPT
>> >COMMIT
>>
>> I normally deal with this by editing a file with the rules I want, then
>> using "/sbin/iptables-restore < filename" to load it into the kernel.
>>
>> >
>> >
>> >Regards,
>> >
>> >
>> >*James Oliver "J.O." Pormento*
>> >*Software Engineer*
>> >Email: james.porme...@pointwest.com.ph
>> >Website: www.pointwest.com.ph
>> >*Pointwest Innovations Corporation*
>> >
>> >On Thu, Sep 10, 2015 at 8:54 AM,  wrote:
>> >
>> >> James Oliver Pormento  said:
>> >> >
>> >> >HI,
>> >> >
>> >> >Thank you for the info.
>> >> >This is what we've got upon trying "netstat -ulnp":
>> >> >
>> >> >Active Internet connections (only servers)
>> >> >Proto  Recv-Q  Send-Q  Local Address        Foreign Address  State  PID/Program name
>> >> >udp    0       0       xxx.xx.xxx.xxx:1514  0.0.0.0:*               8125/ossec-remoted
>> >> >udp    0       0       0.0.0.0:514          0.0.0.0:*               8126/ossec-remoted
>> >> >
>> >> >Does this mean that port 1514 is open but not binding? Or does this mean
>> >> >something else? Please advise. Thank you.
>> >>
>> >> That looks like the output from my server.
>> >>
>> >> Are you sure you're allowing 1514/udp in iptables on both machines?
>> >> Your /etc/sysconfig/iptables file should contain something like this on the
>> >> agent.  Where 10.20.30.40 is your ossec server.  Note, it's using --sport
>> >> for source port.  That's because the agents send udp packets from a random
>> >> port to the server's port 1514.  Then the server responds from port 1514 to
>> >> the agent's random port.
>> >>
>> >> -A INPUT -m udp -p udp -s 10.20.30.40 --sport 1514 -j ACCEPT
>> >>
>> >> And something like this on the server:
>> >>
>> >> :OSSEC - [0:0]
>> >> -A OSSEC -s 1.2.3.4 -j ACCEPT -m comment 

Re: [ossec-list] Port 1514 Not Listening

2015-09-10 Thread doke
James Oliver Pormento  said:
>
>We tried to execute this "-A INPUT -m udp -p udp -s 10.20.30.40 --sport
>1514 -j ACCEPT" and saved it on the OSSEC Server.

The --sport 1514 line goes on the agent, so it can receive the
responses from the server.  UDP is connectionless, so there's no inherent
state tracking.  The kernel knows how to do udp state for a few things, but
ossec isn't really one of them.

>Below is what our OSSEC server's iptables looks like:
>
>*filter
>:INPUT ACCEPT [0:0]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>-A INPUT -s xxx.xxx.xx.xx/32 -p tcp -m tcp --dport 1514 -j ACCEPT
>
>*-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT-A
>INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT*

This looks like two lines run together?  It's also using tcp instead of
udp.  You should have one line here: 

-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT

>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>-A INPUT -p icmp -j ACCEPT
>-A INPUT -i lo -j ACCEPT
>-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>-A INPUT -j REJECT --reject-with icmp-host-prohibited
>
>*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT-A
>INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT*

This is after the REJECT line, so it has no effect.

>-A INPUT -j DROP
>-A INPUT -p udp -m udp --dport 1514 -j ACCEPT

This is after both the REJECT line and the DROP line, so it has no
effect.

>*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT-A
>INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT*

This is after both the REJECT line and the DROP line, so it has no
effect.

>-A FORWARD -j REJECT --reject-with icmp-host-prohibited
>-A OUTPUT -j ACCEPT
>-A OUTPUT -j ACCEPT
>COMMIT

I normally deal with this by editing a file with the rules I want, then 
using "/sbin/iptables-restore < filename" to load it into the kernel.

>
>
>Regards,
>
>
>*James Oliver "J.O." Pormento*
>*Software Engineer*
>Email: james.porme...@pointwest.com.ph
>Website: www.pointwest.com.ph
>*Pointwest Innovations Corporation*
>
>On Thu, Sep 10, 2015 at 8:54 AM,  wrote:
>
>> James Oliver Pormento  said:
>> >
>> >HI,
>> >
>> >Thank you for the info.
>> >This is what we've got upon trying "netstat -ulnp":
>> >
>> >Active Internet connections (only servers)
>> >Proto  Recv-Q  Send-Q  Local Address        Foreign Address  State  PID/Program name
>> >udp    0       0       xxx.xx.xxx.xxx:1514  0.0.0.0:*               8125/ossec-remoted
>> >udp    0       0       0.0.0.0:514          0.0.0.0:*               8126/ossec-remoted
>> >
>> >Does this mean that port 1514 is open but not binding? Or does this mean
>> >something else? Please advise. Thank you.
>>
>> That looks like the output from my server.
>>
>> Are you sure you're allowing 1514/udp in iptables on both machines?
>> Your /etc/sysconfig/iptables file should contain something like this on the
>> agent.  Where 10.20.30.40 is your ossec server.  Note, it's using --sport
>> for source port.  That's because the agents send udp packets from a random
>> port to the server's port 1514.  Then the server responds from port 1514 to
>> the agent's random port.
>>
>> -A INPUT -m udp -p udp -s 10.20.30.40 --sport 1514 -j ACCEPT
>>
>> And something like this on the server:
>>
>> :OSSEC - [0:0]
>> -A OSSEC -s 1.2.3.4 -j ACCEPT -m comment --comment "my first spiffy agent
>> machine"
>> -A OSSEC -s 1.2.3.5 -j ACCEPT -m comment --comment "my second spiffy agent
>> machine"
>> -A INPUT -m udp -p udp --dport 1514 -j OSSEC
>>
>> You can use tcpdump on both machines to see if the packets are flowing.
>>
>> tcpdump port 1514
>>
>> On the server, you can use agent_control -l to see the connected
>> agents.
>>
>> >
>> >
>> >Regards,
>> >
>> >
>> >*James Oliver "J.O." Pormento*
>> >*Software Engineer*
>> >Email: james.porme...@pointwest.com.ph
>> >Website: www.pointwest.com.ph
>> >*Pointwest Innovations Corporation*
>> >
>> >On Wed, Sep 9, 2015 at 11:37 PM,  wrote:
>> >
>> >> James Oliver Pormento  said:
>> >> >
>> >> >We have installed OSSEC server v2.8.2 in CentOs. After installation, it
>> >> >seems that port 1514 is not listening. We used the default port(1514)
>> >> >during installation. We've tried to check using this command in
>> >> >CentOs: *netstat
>> >> >-tlnp |grep 1514* and did not got anything. May we ask the following
>> >> >questions:
>> >>
>> >> The port is UDP, not TCP.  Try "netstat -ulnp".
>> >>
>> >> >
>> >> >1. May we ask if there's another way to make sure that the port is
>> >> >listening?
>> >> >2. Do we need to add something in the configuration file or something?
>> >> >
>> >> >Please advise. Thank you.
>> >> >
>> >> >
>> >> >Regards,
>> >> >James 
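
The rule-ordering point made in the reply above, as an added example that is not part of the original thread: a small Python check that reads an iptables-save style file and reports rules placed after a catch-all ACCEPT/DROP/REJECT in the same chain, plus TCP accepts for port 1514. The two sample rulesets and the 192.0.2.10 agent address are constructed for illustration, and the parser assumes the plain "-A CHAIN ..." form that iptables-save writes.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Options that do not narrow which packets a rule matches.
NON_MATCHING = {"-j", "--jump", "-m", "--match", "--comment", "--reject-with"}
OSSEC_PORT = "1514"

# Constructed sample modelled on the server ruleset quoted in the thread.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 1514 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
COMMIT
"""

# Constructed corrected version: the UDP 1514 jump sits before the final REJECT.
FIXED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:OSSEC - [0:0]
-A OSSEC -s 192.0.2.10 -j ACCEPT -m comment --comment "constructed agent address"
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m udp -p udp --dport 1514 -j OSSEC
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Split one '-A CHAIN ...' line into chain, target and match options."""
    tokens = shlex.split(line)  # raises ValueError on unbalanced quotes
    if len(tokens) < 3 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "target": None, "matches": {}}
    args = tokens[2:]
    i = 0
    while i < len(args):
        opt = args[i]
        # A following token that is not itself an option is this option's value.
        has_val = i + 1 < len(args) and not args[i + 1].startswith("-")
        val = args[i + 1] if has_val else None
        if opt in ("-j", "--jump"):
            rule["target"] = val
        elif opt not in NON_MATCHING:
            rule["matches"][opt] = val
        i += 2 if has_val else 1
    return rule


def lint(ruleset):
    """Return (line number, kind, message) findings for a ruleset string."""
    findings = []
    table = None
    closed = {}  # (table, chain) -> line of the first catch-all terminal rule
    for lineno, raw in enumerate(ruleset.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue
        try:
            rule = parse_rule(line)
        except ValueError:
            findings.append((lineno, "unparseable", line))
            continue
        if rule is None:
            continue
        key = (table, rule["chain"])
        matches = rule["matches"]
        if key in closed:
            findings.append((lineno, "shadowed",
                             f"never reached: line {closed[key]} already ends "
                             f"chain {rule['chain']}"))
        elif rule["target"] in TERMINAL and not matches:
            closed[key] = lineno
        # Per the thread, agent traffic to port 1514 is UDP, so a TCP accept is unneeded.
        if (rule["target"] == "ACCEPT" and matches.get("-p") == "tcp"
                and matches.get("--dport") == OSSEC_PORT):
            findings.append((lineno, "tcp-1514",
                             "TCP accept for 1514; the thread says to use udp"))
    return findings


if __name__ == "__main__":
    for lineno, kind, message in lint(SAMPLE_RULES):
        print(f"line {lineno}: {kind}: {message}")
```
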

Re: [ossec-list] Port 1514 Not Listening

2015-09-10 Thread James Oliver Pormento
Hi,

-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT
-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT
   > The agent's IPs are different. Another question, should we remove the
tcp port 1514? Will having both ports tcp 1514 and udp 1514 at the same
time might cause the port number 1514 being unable to bind?

Also, by restoring the iptables with only the rules that OSSEC needs, will
that solve this issue "ossec-remoted(1206): ERROR: Unable to Bind port
'1514'" that we've found in the ossec.log?


Regards,


*James Oliver "J.O." Pormento*
*Software Engineer*
Email: james.porme...@pointwest.com.ph
Website: www.pointwest.com.ph
*Pointwest Innovations Corporation*

On Thu, Sep 10, 2015 at 12:23 PM,  wrote:

> James Oliver Pormento  said:
> >
> >We tried to execute this "-A INPUT -m udp -p udp -s 10.20.30.40 --sport
> >1514 -j ACCEPT" and saved it on the OSSEC Server.
>
> The --sport 1514 line goes on the agent, so it can receive the
> responses from the server.  UDP is connectionless, so there's no inherent
> state tracking.  The kernel knows how to do udp state for a few things, but
> ossec isn't really one of them.
>
> >Below is what our OSSEC server's iptables looks like:
> >
> >*filter
> >:INPUT ACCEPT [0:0]
> >:FORWARD ACCEPT [0:0]
> >:OUTPUT ACCEPT [0:0]
> >-A INPUT -s xxx.xxx.xx.xx/32 -p tcp -m tcp --dport 1514 -j ACCEPT
> >
> >*-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT-A
> >INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT*
>
> This looks like two lines run together?  It's also using tcp instead of
> udp.  You should have one line here:
>
> -A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT
>
> >-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >-A INPUT -p icmp -j ACCEPT
> >-A INPUT -i lo -j ACCEPT
> >-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> >-A INPUT -j REJECT --reject-with icmp-host-prohibited
> >
> >*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT-A
> >INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT*
>
> This is after the REJECT line, so it has no effect.
>
> >-A INPUT -j DROP
> >-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
>
> This is after both the REJECT line and the DROP line, so it has no
> effect.
>
> >*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT-A
> >INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT*
>
> This is after both the REJECT line and the DROP line, so it has no
> effect.
>
> >-A FORWARD -j REJECT --reject-with icmp-host-prohibited
> >-A OUTPUT -j ACCEPT
> >-A OUTPUT -j ACCEPT
> >COMMIT
>
> I normally deal with this by editing a file with the rules I want, then
> using "/sbin/iptables-restore < filename" to load it into the kernel.
>
> >
> >
> >Regards,
> >
> >
> >*James Oliver "J.O." Pormento*
> >*Software Engineer*
> >Email: james.porme...@pointwest.com.ph
> >Website: www.pointwest.com.ph
> >*Pointwest Innovations Corporation*
> >
> >On Thu, Sep 10, 2015 at 8:54 AM,  wrote:
> >
> >> James Oliver Pormento  said:
> >> >
> >> >HI,
> >> >
> >> >Thank you for the info.
> >> >This is what we've got upon trying "netstat -ulnp":
> >> >
> >> >Active Internet connections (only servers)
> >> >Proto  Recv-Q  Send-Q  Local Address        Foreign Address  State  PID/Program name
> >> >udp    0       0       xxx.xx.xxx.xxx:1514  0.0.0.0:*               8125/ossec-remoted
> >> >udp    0       0       0.0.0.0:514          0.0.0.0:*               8126/ossec-remoted
> >> >
> >> >Does this mean that port 1514 is open but not binding? Or does this mean
> >> >something else? Please advise. Thank you.
> >>
> >> That looks like the output from my server.
> >>
> >> Are you sure you're allowing 1514/udp in iptables on both machines?
> >> Your /etc/sysconfig/iptables file should contain something like this on the
> >> agent.  Where 10.20.30.40 is your ossec server.  Note, it's using --sport
> >> for source port.  That's because the agents send udp packets from a random
> >> port to the server's port 1514.  Then the server responds from port 1514 to
> >> the agent's random port.
> >>
> >> -A INPUT -m udp -p udp -s 10.20.30.40 --sport 1514 -j ACCEPT
> >>
> >> And something like this on the server:
> >>
> >> :OSSEC - [0:0]
> >> -A OSSEC -s 1.2.3.4 -j ACCEPT -m comment --comment "my first spiffy agent
> >> machine"
> >> -A OSSEC -s 1.2.3.5 -j ACCEPT -m comment --comment "my second spiffy agent
> >> machine"
> >> -A INPUT -m udp -p udp --dport 1514 -j OSSEC
> >>
> >> You can use tcpdump on both machines to see if the packets are flowing.
> >>
> >> tcpdump port 1514
> >>
> >> On the server, you can use agent_control -l to see the connected
> >> agents.
> >>
> >> >
> >> >
> >> 

[ossec-list] Port 1514 Not Listening

2015-09-09 Thread James Oliver Pormento
Hi,

We have installed OSSEC server v2.8.2 in CentOs. After installation, it
seems that port 1514 is not listening. We used the default port(1514)
during installation. We've tried to check using this command in
CentOs: *netstat
-tlnp |grep 1514* and did not get anything. May we ask the following
questions:

1. May we ask if there's another way to make sure that the port is
listening?
2. Do we need to add something in the configuration file or something?

Please advise. Thank you.


Regards,
James Oliver B. Pormento

-- 
CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited. If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. There is no warranty that this email is error, virus or defect 
free. If this is a private communication it does not represent the views of 
Pointwest Technologies Corporation or their related entities.



Re: [ossec-list] Port 1514 Not Listening

2015-09-09 Thread James Oliver Pormento
Hi,

Thank you for that suggestion.
We're also getting this error 'ossec-remoted(1206): ERROR: Unable to Bind
port '1514'' in the ossec.log. We already double-checked and confirmed that
only ossec-remoted is using the port 1514. Any ideas/suggestions about the
error? Thanks.


Regards,


*James Oliver "J.O." Pormento*
*Software Engineer*
Email: james.porme...@pointwest.com.ph
Website: www.pointwest.com.ph
*Pointwest Innovations Corporation*

On Wed, Sep 9, 2015 at 5:38 PM, José Luis Ruiz  wrote:

>
> Try to open the firewall
>
>
> firewall-cmd --zone=public --add-port=1514/udp --permanent
>
> Sent from my iPhone
>
> On 9 Sept 2015, at 9:04, James Oliver Pormento <
> james.porme...@pointwest.com.ph> wrote:
>
> Hi,
>
> We have installed OSSEC server v2.8.2 in CentOs. After installation, it
> seems that port 1514 is not listening. We used the default port(1514)
> during installation. We've tried to check using this command in CentOs: 
> *netstat
> -tlnp |grep 1514* and did not got anything. May we ask the following
> questions:
>
> 1. May we ask if there's another way to make sure that the port is
> listening?
> 2. Do we need to add something in the configuration file or something?
>
> Please advise. Thank you.
>


Re: [ossec-list] Port 1514 Not Listening

2015-09-09 Thread dan (ddp)
On Wed, Sep 9, 2015 at 1:17 AM, James Oliver Pormento
 wrote:
> Hi,
>
> We have installed OSSEC server v2.8.2 in CentOs. After installation, it
> seems that port 1514 is not listening. We used the default port(1514) during
> installation. We've tried to check using this command in CentOs: netstat
> -tlnp |grep 1514 and did not got anything. May we ask the following
> questions:
>
> 1. May we ask if there's another way to make sure that the port is
> listening?
> 2. Do we need to add something in the configuration file or something?
>
> Please advise. Thank you.
>

Is ossec-remoted running? If not, try starting it and checking
ossec.log. Also please provide a sanitized copy of the 
section of your OSSEC server's ossec.conf.

>
> Regards,
> James Oliver B. Pormento
>


Re: [ossec-list] Port 1514 Not Listening

2015-09-09 Thread dan (ddp)
On Wed, Sep 9, 2015 at 7:51 AM, James Oliver Pormento
 wrote:
>
> Hi,
>
> Thank you for that suggestion.
> We're also getting this error 'ossec-remoted(1206): ERROR: Unable to Bind 
> port '1514'' in the ossec.log. We already double-checked and confirmed that 
> only ossec-remoted is using the port 1514. Any ideas/suggestions about the 
> error? Thanks.
>

Check /var/log/audit to make sure nothing is blocking the binding.
Also make sure remoted isn't configured to listen on an IP address
that does not exist on that system.


>
>
> Regards,
>
> James Oliver "J.O." Pormento
> Software Engineer
> Email: james.porme...@pointwest.com.ph
> Website: www.pointwest.com.ph
> Pointwest Innovations Corporation
>
> On Wed, Sep 9, 2015 at 5:38 PM, José Luis Ruiz  wrote:
>>
>>
>> Try to open the firewall
>>
>>
>> firewall-cmd --zone=public --add-port=1514/udp --permanent
>>
>> Sent from my iPhone
>>
>> On 9 Sept 2015, at 9:04, James Oliver Pormento 
>>  wrote:
>>
>> Hi,
>>
>> We have installed OSSEC server v2.8.2 in CentOs. After installation, it 
>> seems that port 1514 is not listening. We used the default port(1514) during 
>> installation. We've tried to check using this command in CentOs: netstat 
>> -tlnp |grep 1514 and did not got anything. May we ask the following 
>> questions:
>>
>> 1. May we ask if there's another way to make sure that the port is listening?
>> 2. Do we need to add something in the configuration file or something?
>>
>> Please advise. Thank you.
>>


Re: [ossec-list] Port 1514 Not Listening

2015-09-09 Thread doke
James Oliver Pormento  said:
>
>We have installed OSSEC server v2.8.2 in CentOs. After installation, it
>seems that port 1514 is not listening. We used the default port(1514)
>during installation. We've tried to check using this command in
>CentOs: *netstat
>-tlnp |grep 1514* and did not got anything. May we ask the following
>questions:

The port is UDP, not TCP.  Try "netstat -ulnp".  

>
>1. May we ask if there's another way to make sure that the port is
>listening?
>2. Do we need to add something in the configuration file or something?
>
>Please advise. Thank you.
>
>
>Regards,
>James Oliver B. Pormento
>

Re: [ossec-list] Port 1514 Not Listening

2015-09-09 Thread James Oliver Pormento
HI,

Thank you for the info.
This is what we've got upon trying "netstat -ulnp":

Active Internet connections (only servers)
Proto  Recv-Q  Send-Q  Local Address        Foreign Address  State  PID/Program name
udp    0       0       xxx.xx.xxx.xxx:1514  0.0.0.0:*               8125/ossec-remoted
udp    0       0       0.0.0.0:514          0.0.0.0:*               8126/ossec-remoted

Does this mean that port 1514 is open but not binding? Or does this mean
something else? Please advise. Thank you.


Regards,


*James Oliver "J.O." Pormento*
*Software Engineer*
Email: james.porme...@pointwest.com.ph
Website: www.pointwest.com.ph
*Pointwest Innovations Corporation*

On Wed, Sep 9, 2015 at 11:37 PM,  wrote:

> James Oliver Pormento  said:
> >
> >We have installed OSSEC server v2.8.2 in CentOs. After installation, it
> >seems that port 1514 is not listening. We used the default port(1514)
> >during installation. We've tried to check using this command in
> >CentOs: *netstat
> >-tlnp |grep 1514* and did not got anything. May we ask the following
> >questions:
>
> The port is UDP, not TCP.  Try "netstat -ulnp".
>
> >
> >1. May we ask if there's another way to make sure that the port is
> >listening?
> >2. Do we need to add something in the configuration file or something?
> >
> >Please advise. Thank you.
> >
> >
> >Regards,
> >James Oliver B. Pormento
> >

Re: [ossec-list] Port 1514 Not Listening

2015-09-09 Thread dan (ddp)
On Sep 9, 2015 8:51 PM, "James Oliver Pormento" <james.porme...@pointwest.com.ph> wrote:
>
> HI,
>
> Thank you for the info.
> This is what we've got upon trying "netstat -ulnp":
>
> Active Internet connections (only servers)
> Proto  Recv-Q  Send-Q  Local Address         Foreign Address  State  PID/Program name
> udp    0       0       xxx.xx.xxx.xxx:1514   0.0.0.0:*               8125/ossec-remoted
> udp    0       0       0.0.0.0:514           0.0.0.0:*               8126/ossec-remoted
>
> Does this mean that port 1514 is open but not binding? Or does this mean
> something else? Please advise. Thank you.
>

It looks like you misunderstand your problem. What is the problem you are
having?

>
> Regards,
>
> James Oliver "J.O." Pormento
> Software Engineer
> Email: james.porme...@pointwest.com.ph
> Website: www.pointwest.com.ph
> Pointwest Innovations Corporation
>
> On Wed, Sep 9, 2015 at 11:37 PM,  wrote:
>>
>> James Oliver Pormento  said:
>> >
>> >We have installed OSSEC server v2.8.2 in CentOS. After installation, it
>> >seems that port 1514 is not listening. We used the default port (1514)
>> >during installation. We've tried to check using this command in
>> >CentOS: *netstat -tlnp |grep 1514* and did not get anything. May we ask
>> >the following questions:
>>
>> The port is UDP, not TCP.  Try "netstat -ulnp".
>>
>> >
>> >1. May we ask if there's another way to make sure that the port is
>> >listening?
>> >2. Do we need to add something in the configuration file or something?
>> >
>> >Please advise. Thank you.
>> >
>> >
>> >Regards,
>> >James Oliver B. Pormento
>> >

Re: [ossec-list] Port 1514 Not Listening

2015-09-09 Thread James Oliver Pormento
Hi,

We tried to execute this "-A INPUT -m udp -p udp -s 10.20.30.40 --sport
1514 -j ACCEPT" and saved it on the OSSEC Server.
Below is what our OSSEC server's iptables looks like:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s xxx.xxx.xx.xx/32 -p tcp -m tcp --dport 1514 -j ACCEPT
-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT
-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT
-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT


Regards,


*James Oliver "J.O." Pormento*
*Software Engineer*
Email: james.porme...@pointwest.com.ph
Website: www.pointwest.com.ph
*Pointwest Innovations Corporation*

On Thu, Sep 10, 2015 at 8:54 AM,  wrote:

> James Oliver Pormento  said:
> >
> >HI,
> >
> >Thank you for the info.
> >This is what we've got upon trying "netstat -ulnp":
> >
> >Active Internet connections (only servers)
> >Proto  Recv-Q  Send-Q  Local Address         Foreign Address  State  PID/Program name
> >udp    0       0       xxx.xx.xxx.xxx:1514   0.0.0.0:*               8125/ossec-remoted
> >udp    0       0       0.0.0.0:514           0.0.0.0:*               8126/ossec-remoted
> >
> >Does this mean that port 1514 is open but not binding? Or does this mean
> >something else? Please advise. Thank you.
>
> That looks like the output from my server.
>
> Are you sure you're allowing 1514/udp in iptables on both machines?
> Your /etc/sysconfig/iptables file should contain something like this on the
> agent.  Where 10.20.30.40 is your ossec server.  Note, it's using --sport
> for source port.  That's because the agents send udp packets from a random
> port to the server's port 1514.  Then the server responds from port 1514 to
> the agent's random port.
>
> -A INPUT -m udp -p udp -s 10.20.30.40 --sport 1514 -j ACCEPT
>
> And something like this on the server:
>
> :OSSEC - [0:0]
> -A OSSEC -s 1.2.3.4 -j ACCEPT -m comment --comment "my first spiffy agent machine"
> -A OSSEC -s 1.2.3.5 -j ACCEPT -m comment --comment "my second spiffy agent machine"
> -A INPUT -m udp -p udp --dport 1514 -j OSSEC
>
> You can use tcpdump on both machines to see if the packets are flowing.
>
> tcpdump port 1514
>
> On the server, you can use agent_control -l to see the connected
> agents.
>
> >
> >
> >Regards,
> >
> >
> >*James Oliver "J.O." Pormento*
> >*Software Engineer*
> >Email: james.porme...@pointwest.com.ph
> >Website: www.pointwest.com.ph
> >*Pointwest Innovations Corporation*
> >
> >On Wed, Sep 9, 2015 at 11:37 PM,  wrote:
> >
> >> James Oliver Pormento  said:
> >> >
> >> >We have installed OSSEC server v2.8.2 in CentOS. After installation, it
> >> >seems that port 1514 is not listening. We used the default port (1514)
> >> >during installation. We've tried to check using this command in
> >> >CentOS: *netstat -tlnp |grep 1514* and did not get anything. May we ask
> >> >the following questions:
> >>
> >> The port is UDP, not TCP.  Try "netstat -ulnp".
> >>
> >> >
> >> >1. May we ask if there's another way to make sure that the port is
> >> >listening?
> >> >2. Do we need to add something in the configuration file or something?
> >> >
> >> >Please advise. Thank you.
> >> >
> >> >
> >> >Regards,
> >> >James Oliver B. Pormento
>
>Cheers,
>Doke
>
>

-- 
CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited. If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. There is no warranty that this email is error, virus or defect 
free. If this is a private communication it does not represent the views of 
Pointwest Technologies Corporation or their related entities.

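iptables walks a chain top-down and stops at the first terminating target, so in a dump laid out like the one posted above, the UDP 1514 ACCEPT rules sit behind the catch-all REJECT. The sketch below is an added example, not part of the thread or of OSSEC; it models only the match options seen in that dump, and the address 192.0.2.10, the interface eth0 and the source port are constructed stand-ins.

```python
import ipaddress
import shlex

# Constructed ruleset laid out like the dump in this thread (192.0.2.10 = agent).
UDP_RULE = "-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 1514 -j ACCEPT\n"
REJECT = "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
POSTED = (
    "*filter\n:INPUT ACCEPT [0:0]\n"
    "-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 1514 -j ACCEPT\n"
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A INPUT -p icmp -j ACCEPT\n"
    "-A INPUT -i lo -j ACCEPT\n"
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT\n"
    + REJECT + UDP_RULE +
    "-A INPUT -j DROP\nCOMMIT\n"
)
# Same rules with the UDP ACCEPT moved ahead of the catch-all REJECT.
REORDERED = POSTED.replace(UDP_RULE, "").replace(REJECT, UDP_RULE + REJECT)
AGENT_PKT = {"proto": "udp", "src": "192.0.2.10", "sport": 40000,
             "dport": 1514, "iface": "eth0", "state": "NEW"}  # first datagram

def parse(text, chain="INPUT"):
    """Rules as (options, target) in file order; assumes one value per option."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-A", chain]:
            opts = dict(zip(tok[2::2], tok[3::2]))
            rules.append((opts, opts.get("-j")))
    return rules

def matches(o, pkt):
    """True when every modelled match option agrees with the packet."""
    src_ok = "-s" not in o or (ipaddress.ip_address(pkt["src"])
                               in ipaddress.ip_network(o["-s"], strict=False))
    return (src_ok
            and o.get("-p", pkt["proto"]) == pkt["proto"]
            and o.get("-i", pkt["iface"]) == pkt["iface"]
            and pkt["state"] in o.get("--state", pkt["state"]).split(",")
            and int(o.get("--dport", pkt["dport"])) == pkt["dport"]
            and int(o.get("--sport", pkt["sport"])) == pkt["sport"])

def first_verdict(text, pkt):
    """Walk the chain top-down; the first terminating target decides."""
    for num, (opts, target) in enumerate(parse(text), start=1):
        if target in ("ACCEPT", "DROP", "REJECT") and matches(opts, pkt):
            return num, target
    return None, "chain policy"
```

`first_verdict(POSTED, AGENT_PKT)` returns rule 6 with REJECT, while `first_verdict(REORDERED, AGENT_PKT)` returns rule 6 with ACCEPT; on a live host, `iptables -L INPUT -n -v --line-numbers` shows the same ordering together with per-rule packet counters.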

Re: [ossec-list] Port 1514 Not Listening

2015-09-09 Thread doke
James Oliver Pormento  said:
>
>HI,
>
>Thank you for the info.
>This is what we've got upon trying "netstat -ulnp":
>
>Active Internet connections (only servers)
>Proto  Recv-Q  Send-Q  Local Address         Foreign Address  State  PID/Program name
>udp    0       0       xxx.xx.xxx.xxx:1514   0.0.0.0:*               8125/ossec-remoted
>udp    0       0       0.0.0.0:514           0.0.0.0:*               8126/ossec-remoted
>
>Does this mean that port 1514 is open but not binding? Or does this mean
>something else? Please advise. Thank you.

That looks like the output from my server.  

Are you sure you're allowing 1514/udp in iptables on both machines? 
Your /etc/sysconfig/iptables file should contain something like this on the
agent.  Where 10.20.30.40 is your ossec server.  Note, it's using --sport
for source port.  That's because the agents send udp packets from a random
port to the server's port 1514.  Then the server responds from port 1514 to
the agent's random port.

-A INPUT -m udp -p udp -s 10.20.30.40 --sport 1514 -j ACCEPT

And something like this on the server:

:OSSEC - [0:0]
-A OSSEC -s 1.2.3.4 -j ACCEPT -m comment --comment "my first spiffy agent machine"
-A OSSEC -s 1.2.3.5 -j ACCEPT -m comment --comment "my second spiffy agent machine"
-A INPUT -m udp -p udp --dport 1514 -j OSSEC

You can use tcpdump on both machines to see if the packets are flowing.

tcpdump port 1514

On the server, you can use agent_control -l to see the connected
agents.

>
>
>Regards,
>
>
>*James Oliver "J.O." Pormento*
>*Software Engineer*
>Email: james.porme...@pointwest.com.ph
>Website: www.pointwest.com.ph
>*Pointwest Innovations Corporation*
>
>On Wed, Sep 9, 2015 at 11:37 PM,  wrote:
>
>> James Oliver Pormento  said:
>> >
>> >We have installed OSSEC server v2.8.2 in CentOS. After installation, it
>> >seems that port 1514 is not listening. We used the default port (1514)
>> >during installation. We've tried to check using this command in
>> >CentOS: *netstat -tlnp |grep 1514* and did not get anything. May we ask
>> >the following questions:
>>
>> The port is UDP, not TCP.  Try "netstat -ulnp".
>>
>> >
>> >1. May we ask if there's another way to make sure that the port is
>> >listening?
>> >2. Do we need to add something in the configuration file or something?
>> >
>> >Please advise. Thank you.
>> >
>> >
>> >Regards,
>> >James Oliver B. Pormento

   Cheers,
   Doke



[ossec-list] port 1514 not listening after install

2008-01-07 Thread Roch

Hi,

I installed version 1.4. It never asked me what version of the HIDS I
wanted to install server/agent etc. So I just went with the defaults.

When it starts up everything seems to be fine but when I do a
netstat -tupln | grep 1514
the required port is not listening. Ossec is definitely started as I
can see it running in the process list. There are no errors in
/var/log/messages or in ossec.log. In version 1.4 it did have a segfault
error for ossec-remoted but upgrading to the snapshot fixed that it
seems.

As such none of my agents can communicate with the server.

Also /etc/ossec-init.conf has my Type set to local, I changed it to
'server' and restarted ossec but still no port 1514/udp listening.

I also installed the latest snapshot and have the same issue.

Running Redhat EL-4 64-bit.

Roch