[ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-04 Thread Joe S


On Oct 4, 11:22 am, Joe S  wrote:
> After numerous days of testing, I can confirm that invalid keys are
> getting created when I use the process described here:
>
> http://dcid.me/2011/01/automatically-creating-and-setting-up-the-agen...
>
> I rolled out the Atomic ossec-client RPM to 10 clients. The clients
> keys get populated in the OSSEC server. After restarting the server,
> my logs are filled with ERROR 1213 (host x.x.x.x not allowed). When I
> delete the key and recreate it, it works.
>
> Note: When I run base64 -d and paste the base64 key, I get the same
> string in the client.keys file, but at the end it says:
>
> "base64: invalid input"
>
> That ^^ appears to be a problem.


I don't know what to do. I can't understand why I'm getting:

2011/10/04 11:40:44 ossec-remoted(1213): WARN: Message from x.x.x.x
not allowed.

I've used keys with or via:

* the authd/agent-auth registration
* short hostname
* short id number (001 instead of 1024)

Each time I import the key and restart the client and server, I still
get these messages.

Then I create the key, with long hostname, key id of 1040, BUT I SET
THE IP ADDRESS, and it WORKS.

IP of ANY is still not working for me on the following setup:

* Clients (multiple RHEL 6.1 AMD64) using Atomic ossec-hids-client
* Server (RHEL 5.7 AMD64) using OSSEC tar.gz with patches from
mercurial.

I know this is an open source project and I intend to make no demands
of anyone's time. I don't know if this is a bug or an undocumented
feature. It seems like a bug, but the last email thread I had with
Daniel indicated that this couldn't be a bug and that significant code
would have had to have been changed for this to be true.

So I don't know what to do.

:-\


[ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-04 Thread Joe S



> IP of ANY is still not working for me on the following setup:
>
> * Clients (multiple RHEL 6.1 AMD64) using Atomic ossec-hids-client
> * Server (RHEL 5.7 AMD64) using OSSEC tar.gz with patches from
> mercurial.
>
> I know this is an open source project and I intend to make no demands
> of anyone's time. I don't know if this is a bug or an undocumented
> feature. It seems like a bug, but the last email thread I had with
> Daniel indicated that this couldn't be a bug and that significant code
> would have had to have been changed for this to be true.
>
> So I don't know what to do.

Here's what works.

Manually edit the client.keys file. Replace "ANY" with the IP Address
of the host. Save file. Extract key and restart server.
Import key on client, restart client.
It works.

What is the string after the IP/any field in client.keys? What is it
used for? Is it some kind of hash used for authentication?
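
As an added example (not part of the original post and not OSSEC code): a small Python audit of a client.keys file, using the four-field layout discussed in this thread (id, name, IP or "any", key). It lists agents registered with "any" and checks that a base64 export decodes to exactly the stored entry; the sample entries are constructed and the function names are hypothetical.

```python
import base64
import binascii
import ipaddress

# Constructed sample data: agent names, addresses and key strings are made up.
SAMPLE_CLIENT_KEYS = """\
1024 web01.example.com any 5f1c0e9a7b3d4c2e8a6f0b1d2c3e4f5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4
1040 db01.example.com 192.0.2.15 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9
1041 broken-entry 192.0.2.16
"""

def parse_entry(line):
    """Split one client.keys line into its four space-separated fields."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields (id name address key), got %d" % len(fields))
    agent_id, name, address, key = fields
    if not agent_id.isdigit():
        raise ValueError("agent id %r is not numeric" % agent_id)
    if address.lower() != "any":
        # Assumption: the address is "any", a single IP or a CIDR network.
        ipaddress.ip_network(address, strict=False)  # raises ValueError if not
    return {"id": agent_id, "name": name, "address": address, "key": key}

def audit(text):
    """Return (entries, wildcard_ids, errors) for the contents of a client.keys file."""
    entries, wildcard_ids, errors = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        entries.append(entry)
        if entry["address"].lower() == "any":
            wildcard_ids.append(entry["id"])
    return entries, wildcard_ids, errors

def decode_export(blob):
    """Decode an exported base64 key string back into a client.keys entry."""
    compact = "".join(blob.split())        # drop whitespace picked up when pasting
    # Tolerate absent '=' padding (an assumption; the thread does not establish
    # why base64 -d reported "invalid input").
    compact += "=" * (-len(compact) % 4)
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid base64: %s" % exc)
    return parse_entry(raw.decode("ascii"))

def export_matches(blob, text):
    """True if the decoded export is identical to an entry in client.keys."""
    entries, _, _ = audit(text)
    return decode_export(blob) in entries

if __name__ == "__main__":
    entries, wildcard_ids, errors = audit(SAMPLE_CLIENT_KEYS)
    print("agents registered with address 'any':", wildcard_ids)
    for lineno, msg in errors:
        print("line %d: %s" % (lineno, msg))
```

Running the same audit on the server before and after the manual "any"-to-IP edit shows which agents still rely on the wildcard address.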


[ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-04 Thread Joe S


On Oct 4, 12:42 pm, "dan (ddp)"  wrote:
> On Tue, Oct 4, 2011 at 3:17 PM, Joe S  wrote:
>
> >> IP of ANY is still not working for me on the following setup:
>
> >> * Clients (multiple RHEL 6.1 AMD64) using Atomic ossec-hids-client
> >> * Server (RHEL 5.7 AMD64) using OSSEC tar.gz with patches from
> >> mercurial.
>
> >> I know this is an open source project and I intend to make no demands
> >> of anyone's time. I don't know if this is a bug or an undocumented
> >> feature. It seems like a bug, but the last email thread I had with
> >> Daniel indicated that this couldn't be a bug and that significant code
> >> would have had to have been changed for this to be true.
>
> >> So I don't know what to do.
>
> > Here's what works.
>
> > Manually edit the client.keys file. Replace "ANY" with the IP Address
> > of the host. Save file. Extract key and restart server.
> > Import key on client, restart client.
> > It works.
>
> > What is the string after the IP/any field in client.keys? What is it
> > used for? Is it some kind of hash used for authentication?
>
> Yes, that is the key.
>

So when I looked at the server code, it appears that it checks the key
first, then if that fails it checks the IP, and if the IP doesn't
match, it gives the 1213 error. It can't match the IP because we are
using "any".

Could this be a problem with how the key is created in the first
place? Does the key creation rely on some library? Perhaps it's
failing because my systems are not the exact same systems the RPMs
were created on?

These are just theories. Let me know if you want me to try anything.


[ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-04 Thread Joe S

>
> > So the problem seems to either be your systems, or the atomic RPMs.
>
> It doesn't seem to work for me with atomic RPMs either, but I don't
> get any errors. Just no connection.

The atomic RPMs remoted logging seems broken. Install the server from
source and you'll get the 1213 errors


[ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-25 Thread Kat
Anyone ever come up with a solution to this? I built rpms from the
Atomic SPEC (modified) and same issue - if I replace "any" with the
IP, it works, and I don't have to extract or reset the client end, it
just magically starts working when I replace "any" with the IP.

Trying to figure out what, in the SPEC file/build, might be causing
this.

Going to start looking through the build process and the SPEC file and
see if I can figure it out, unless someone already has.

thanks

On Oct 11, 4:35 pm, "dan (ddp)"  wrote:
> On Tue, Oct 11, 2011 at 5:19 PM, Joe S  wrote:
> > So, would you agree that OSSEC 2.6 is just fine and the problem is
> > with the Atomic RPMs?
>
> Yes. I've notified them (via IRC) that there is an issue.
>


[ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-31 Thread Kat
I am taking this up on my own to resolve this... Pretty good at RPMs -
working on a solution and a new SPEC file..

More to follow
-K



Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-04 Thread dan (ddp)
On Tue, Oct 4, 2011 at 3:17 PM, Joe S  wrote:
>
>
>
>> IP of ANY is still not working for me on the following setup:
>>
>> * Clients (multiple RHEL 6.1 AMD64) using Atomic ossec-hids-client
>> * Server (RHEL 5.7 AMD64) using OSSEC tar.gz with patches from
>> mercurial.
>>
>> I know this is an open source project and I intend to make no demands
>> of anyone's time. I don't know if this is a bug or an undocumented
>> feature. It seems like a bug, but the last email thread I had with
>> Daniel indicated that this couldn't be a bug and that significant code
>> would have had to have been changed for this to be true.
>>
>> So I don't know what to do.
>
> Here's what works.
>
> Manually edit the client.keys file. Replace "ANY" with the IP Address
> of the host. Save file. Extract key and restart server.
> Import key on client, restart client.
> It works.
>
> What is the string after the IP/any field in client.keys? What is it
> used for? Is it some kind of hash used for authentication?

Yes, that is the key.

I just set up two CentOS 6.0 x86_64 systems.
I installed OSSEC on each (post 2.6 source, but I don't think anything
has really changed in the auth stuff).
One system became an OSSEC server.
The other an agent.
I set up ossec-authd, and then ran agent-auth (copy & pasted most of it
from dcid's blog post).
No errors so far.

So the problem seems to either be your systems, or the atomic RPMs.


Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-04 Thread dan (ddp)
On Tue, Oct 4, 2011 at 3:42 PM, dan (ddp)  wrote:
> On Tue, Oct 4, 2011 at 3:17 PM, Joe S  wrote:
>>
>>
>>
>>> IP of ANY is still not working for me on the following setup:
>>>
>>> * Clients (multiple RHEL 6.1 AMD64) using Atomic ossec-hids-client
>>> * Server (RHEL 5.7 AMD64) using OSSEC tar.gz with patches from
>>> mercurial.
>>>
>>> I know this is an open source project and I intend to make no demands
>>> of anyone's time. I don't know if this is a bug or an undocumented
>>> feature. It seems like a bug, but the last email thread I had with
>>> Daniel indicated that this couldn't be a bug and that significant code
>>> would have had to have been changed for this to be true.
>>>
>>> So I don't know what to do.
>>
>> Here's what works.
>>
>> Manually edit the client.keys file. Replace "ANY" with the IP Address
>> of the host. Save file. Extract key and restart server.
>> Import key on client, restart client.
>> It works.
>>
>> What is the string after the IP/any field in client.keys? What is it
>> used for? Is it some kind of hash used for authentication?
>
> Yes, that is the key.
>
> I just set up two CentOS 6.0 x86_64 systems.
> I installed OSSEC on each (post 2.6 source, but I don't think anything
> has really changed in the auth stuff).
> One system became an OSSEC server.
> The other an agent.
> I set up ossec-authd, and then ran agent-auth (copy & pasted most of it
> from dcid's blog post).
> No errors so far.
>
> So the problem seems to either be your systems, or the atomic RPMs.
>

It doesn't seem to work for me with atomic RPMs either, but I don't
get any errors. Just no connection.


Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-04 Thread dan (ddp)
On Tue, Oct 4, 2011 at 6:35 PM, Joe S  wrote:
>
> So when I looked at the server code, it appears that it checks the key
> first, then if that fails it checks the IP, and if the IP doesn't
> match, it gives the 1213 error. It can't match the IP because we are
> using "any".
>

'any' is supposed to mean any. So any ip will match.

> Could this be a problem with how the key is created in the first
> place? Does the key creation rely on some library? Perhaps it's
> failing because my systems are not the exact same systems the RPMs
> were created on?
>
> These are just theories. Let me know if you want me to try anything.


Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-04 Thread dan (ddp)
On Tue, Oct 4, 2011 at 6:36 PM, Joe S  wrote:
>
>>
>> > So the problem seems to either be your systems, or the atomic RPMs.
>>
>> It doesn't seem to work for me with atomic RPMs either, but I don't
>> get any errors. Just no connection.
>
> The atomic RPMs remoted logging seems broken. Install the server from
> source and you'll get the 1213 errors

I do not. See the email I sent earlier. It worked fine for me when I
compiled the source.


Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-11 Thread Joe S
So, would you agree that OSSEC 2.6 is just fine and the problem is
with the Atomic RPMs?

Do you know if the rpm spec files will be updated anytime soon?


Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-11 Thread dan (ddp)
On Tue, Oct 11, 2011 at 5:19 PM, Joe S  wrote:
> So, would you agree that OSSEC 2.6 is just fine and the problem is
> with the Atomic RPMs?
>

Yes. I've notified them (via IRC) that there is an issue.

> Do you know if the rpm spec files will be updated anytime soon?
>

In the OSSEC source or Atomic's spec files? If you mean the OSSEC
ones, probably whenever someone sends in an update.
They're not something that's high on the priority list, especially
since they're in the "contrib" directory.
I am kind of looking at them though. :P


Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-27 Thread Joe S
I wanted to look into this further, but I haven't had a lot of time.
Please let us know what you find. I think we're on our own as far as
getting working RPMs is concerned.

On Tue, Oct 25, 2011 at 4:05 PM, Kat  wrote:
> Anyone ever come up with a solution to this? I built rpms from the
> Atomic SPEC (modified) and same issue - if I replace "any" with the
> IP, it works, and I don't have to extract or reset the client end, it
> just magically starts working when I replace "any" with the IP.
>
> Trying to figure out what, in the SPEC file/build, might be causing
> this.
>
> Going to start looking through the build process and the SPEC file and
> see if I can figure it out, unless someone already has.
>
> thanks
>
> On Oct 11, 4:35 pm, "dan (ddp)"  wrote:
>> On Tue, Oct 11, 2011 at 5:19 PM, Joe S  wrote:
>> > So, would you agree that OSSEC 2.6 is just fine and the problem is
>> > with the Atomic RPMs?
>>
>> Yes. I've notified them (via IRC) that there is an issue.
>>
>


Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-27 Thread dan (ddp)
On Thu, Oct 27, 2011 at 12:50 AM, Joe S  wrote:
> I wanted to look into this further, but I haven't had a lot of time.
> Please let us know what you find. I think we're on our own as far as
> getting working RPMs is concerned.
>

What do you mean you're on your own?

> On Tue, Oct 25, 2011 at 4:05 PM, Kat  wrote:
>> Anyone ever come up with a solution to this? I built rpms from the
>> Atomic SPEC (modified) and same issue - if I replace "any" with the
>> IP, it works, and I don't have to extract or reset the client end, it
>> just magically starts working when I replace "any" with the IP.
>>
>> Trying to figure out what, in the SPEC file/build, might be causing
>> this.
>>
>> Going to start looking through the build process and the SPEC file and
>> see if I can figure it out, unless someone already has.
>>
>> thanks
>>
>> On Oct 11, 4:35 pm, "dan (ddp)"  wrote:
>>> On Tue, Oct 11, 2011 at 5:19 PM, Joe S  wrote:
>>> > So, would you agree that OSSEC 2.6 is just fine and the problem is
>>> > with the Atomic RPMs?
>>>
>>> Yes. I've notified them (via IRC) that there is an issue.
>>>
>>
>


Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-27 Thread dan (ddp)
I created some RPMs (based on Atomic's I think, but without the mysql
crap and extras, and based on more current source). Unfortunately I
haven't put enough time into it to figure out how to get decent
ossec.confs in each package. It's kind of annoying.

I created 2 virtual CentOS 6 systems to test them.

1 system got the -server, and the other -client. This combination did not work.
The server side does not even seem to recognize the client.
list_agents -a didn't show the agent until I changed the any to an IP.
I was also getting the not allowed error.

Using manage_agents to extract the key and import it into the agent
did not solve the issue.

I then used an lxc installed debian with ossec installed via source.
The agent-auth worked just fine, the agent connected with no errors.

So the issue seems to be in the RPM's agent-auth?

Thoughts? Ideas?

On Tue, Oct 25, 2011 at 7:05 PM, Kat  wrote:
> Anyone ever come up with a solution to this? I built rpms from the
> Atomic SPEC (modified) and same issue - if I replace "any" with the
> IP, it works, and I don't have to extract or reset the client end, it
> just magically starts working when I replace "any" with the IP.
>
> Trying to figure out what, in the SPEC file/build, might be causing
> this.
>
> Going to start looking through the build process and the SPEC file and
> see if I can figure it out, unless someone already has.
>
> thanks
>
> On Oct 11, 4:35 pm, "dan (ddp)"  wrote:
>> On Tue, Oct 11, 2011 at 5:19 PM, Joe S  wrote:
>> > So, would you agree that OSSEC 2.6 is just fine and the problem is
>> > with the Atomic RPMs?
>>
>> Yes. I've notified them (via IRC) that there is an issue.
>>
>
# Notes
# agent - read local files (syslog, snort, etc) and forward
# server -  above + notifications + remote agents
# local - do everything server does, but not receive messages

%define experimental 1

%define _default_patch_fuzz 2

%define prg  ossec

Summary: An Open Source Host-based Intrusion Detection System
Name: ossec-hids
Version: 2.6.1
Release: 4%{?dist}
License: GPL
Group: Applications/System
#Source0: http://www.ossec.net/files/%{name}-%{version}.tar.gz
Source0: http://www.ossec.net/files/%{name}-2.6.1.tar.gz
URL: http://www.%{prg}.net/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Vendor: http://www.ossec.net
Packager: Jason Frisvold
BuildRequires: coreutils glibc-devel openssl-devel inotify-tools-devel
Provides: ossec
Requires: inotify-tools

ExclusiveOS: linux


%description
OSSEC HIDS is an Open Source Host-based Intrusion Detection
System. It performs log analysis, integrity checking, rootkit
detection, time-based alerting and active response.


%package client
Summary: The OSSEC HIDS Client
Group: Applications/System
Provides: ossec-client
Requires: %{name} = %{version}-%{release}
Conflicts: %{name}-server


%package server
Summary: The OSSEC HIDS Server
Group: Applications/System
Provides: ossec-server
Requires: %{name} = %{version}-%{release}
Conflicts: %{name}-client


%description client
The %{name}-client package contains the client part of the
OSSEC HIDS. Install this package on every client to be
monitored.

%description server
The %{name}-server package contains the server part of the
OSSEC HIDS. Install this package on a central machine for
log collection and alerting.


%prep
%setup -q -n ossec-hids-2.6.1

# Prepare for docs
rm -rf contrib/specs
rm -rf contrib/ossec-testing
chmod -x contrib/*


%build
pushd src
# Build the agent version first
echo "CEXTRA=-DCLIENT" >> ./Config.OS
make all
make build
mv addagent/manage_agents ../bin/manage_client
mv logcollector/ossec-logcollector  ../bin/client-logcollector
mv syscheckd/ossec-syscheckd  ../bin/client-syscheckd
# Rebuild for server
make clean
make all
make build
popd


# Generate the ossec-init.conf template
echo "DIRECTORY=\"%{_localstatedir}/%{prg}\"" >  %{prg}-init.conf
echo "VERSION=\"%{version}\"" >> %{prg}-init.conf
echo "DATE=\"`date`\"">> %{prg}-init.conf


# Do not strip, only compress documentation
%define __os_install_post /usr/lib/rpm/brp-compress

# Exclude from requires
%define _use_internal_dependency_generator 0
%define __find_requires %{SOURCE1}


%install
[ -n "${RPM_BUILD_ROOT}" -a "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
mkdir -p ${RPM_BUILD_ROOT}%{_initrddir}
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/{bin,stats,rules,tmp}
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/rules/translated/pure_ftpd
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/logs/{archives,alerts,firewall}
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/queue/{alerts,%{prg},fts,syscheck,rootcheck,agent-info,rids}
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/var/run
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/etc/shared
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{prg}/etc/templates
mkdir -p ${R

Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-27 Thread Joe S
On Thu, Oct 27, 2011 at 5:36 AM, dan (ddp)  wrote:
> On Thu, Oct 27, 2011 at 12:50 AM, Joe S  wrote:
>> I wanted to look into this further, but I haven't had a lot of time.
>> Please let us know what you find. I think we're on our own as far as
>> getting working RPMs is concerned.
>>
>
> What do you mean you're on your own?

I mean, it's up to us to figure out why the RPMs don't work. I said
that because no one at Atomic has been able to assist up to this
point. The only response I got was to 'look at the spec file' and
"I'm in the dark on this one too". Was I incorrect? Were you able to
muster some support from Atomic?


Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-27 Thread dan (ddp)
On Thu, Oct 27, 2011 at 12:45 PM, Joe S  wrote:
> On Thu, Oct 27, 2011 at 5:36 AM, dan (ddp)  wrote:
>> On Thu, Oct 27, 2011 at 12:50 AM, Joe S  wrote:
>>> I wanted to look into this further, but I haven't had a lot of time.
>>> Please let us know what you find. I think we're on our own as far as
>>> getting working RPMs is concerned.
>>>
>>
>> What do you mean you're on your own?
>
> I mean, it's up to us to figure out why the RPMs don't work. I said
> that because no one at Atomic has been able to assist up to this
> point. The only response I got was to 'look at the spec file' and
> "I'm in the dark on this one too". Was I incorrect? Were you able to
> muster some support from Atomic?
>

Beyond reporting it to them, I haven't really tried.


Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-31 Thread Joe S
I'm happy to help test.

On Mon, Oct 31, 2011 at 10:48 AM, Kat  wrote:
> I am taking this up on my own to resolve this... Pretty good at RPMs -
> working on a solution and a new SPEC file..
>
> More to follow
> -K
>
>


Re: [ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-31 Thread dan (ddp)
I'll delete what I've got then.

On Mon, Oct 31, 2011 at 1:48 PM, Kat  wrote:
> I am taking this up on my own to resolve this... Pretty good at RPMs -
> working on a solution and a new SPEC file..
>
> More to follow
> -K
>
>