Re: [ossec-list] Redundancy manager (backup)
Hi Martin,

I'm glad to know that everything is OK. Your firewall configuration for the manager is good, filtering by source IP is fine. However the configuration for the agent should filter by source port, because we do not know which port the agent communicates from. I mean, the agent does not actually listen on port 1514, it communicates with the manager's port 1514 (it really creates an ephemeral port to establish the communication). For example:

    Agent (10.0.1.100:49152) → Manager (10.0.0.1:1514)

The communication protocol is UDP, it is not connection-oriented (like TCP), but network routers often create a NAT mapping that makes it possible to send a message in the reverse direction:

    Manager (10.0.0.1:1514) → Agent (10.0.1.100:49152)

This is why the agent's firewall configuration should filter packets by source port (1514) and not destination port (e.g. 49152), since this is an ephemeral port. So I propose this configuration:

- sudo iptables -D INPUT -j DROP
- iptables -A INPUT -p UDP --sport 1514 -s 10.0.0.1 -j ACCEPT
- iptables -A INPUT -p UDP --sport 1514 -s 10.0.0.2 -j ACCEPT
- iptables -A OUTPUT -j ACCEPT
- sudo iptables -A INPUT -j DROP

Best regards.

On Tue, Apr 11, 2017 at 5:11 PM, Martin wrote:
> Hello,
>
> Thank you for your answers !
>
> This is finally working, what I had to do was to allow the traffic through 1514 with the following:
>
> *On the agent :*
>
> - sudo iptables -D INPUT -j DROP
> - iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.1 -j ACCEPT
> - iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.2 -j ACCEPT
> - iptables -A OUTPUT -j ACCEPT
> - sudo iptables -A INPUT -j DROP
>
> *On the manager :*
>
> - sudo iptables -D INPUT -j DROP
> - iptables -A INPUT -p UDP --dport 1514 -s IP_agent_1 -j ACCEPT
> - iptables -A INPUT -p UDP --dport 1514 -s IP_agent_2 -j ACCEPT
> - iptables -A INPUT -p UDP --dport 1514 -s IP_agent_3 -j ACCEPT
> - iptables -A OUTPUT -j ACCEPT
> - sudo iptables -A INPUT -j DROP
>
> I don't think that this is the right way to do it, but it works now..
>
> Best regards.

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
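The point of the reply above is that the two sides of the UDP 1514 exchange need opposite port filters: the manager accepts packets to its own destination port 1514, while the agent only ever receives packets from the manager's source port 1514 (its own port is ephemeral). The following Python script is an added example, not code from OSSEC or from anyone on this list. It audits rules in the format printed by `iptables -S INPUT`, flags an agent-side rule that filters on `--dport 1514` (the mistake corrected in the thread) or a 1514 rule without a `-s` peer restriction, and emits the corrected rule set for either side. The sample rule lines are constructed from the thread's own example addresses.

```python
"""Audit iptables INPUT rules for OSSEC agent/manager traffic on UDP 1514.

Added example for this thread, not code from OSSEC or the list.  Input is the
`iptables -S INPUT` format; the sample below is constructed from the thread.
"""
import shlex

OSSEC_PORT = "1514"


def parse_rule(line):
    """Turn one `iptables -S` line into a dict of the options we care about."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "sport": None, "dport": None,
            "src": None, "target": None}
    keys = {"-A": "chain", "-p": "proto", "--sport": "sport",
            "--dport": "dport", "-s": "src", "-j": "target"}
    i = 0
    while i < len(toks) - 1:
        if toks[i] in keys:
            rule[keys[toks[i]]] = toks[i + 1]
            i += 2
        else:
            i += 1                      # skip tokens such as "-m udp"
    if rule["proto"]:
        rule["proto"] = rule["proto"].lower()
    return rule


def audit(lines, role):
    """role is 'agent' or 'manager'.  Returns a list of findings; an empty
    list means every 1514 ACCEPT rule matches the traffic direction the
    thread describes and is restricted to a peer address."""
    if role not in ("agent", "manager"):
        raise ValueError("role must be 'agent' or 'manager'")
    findings = []
    for line in lines:
        r = parse_rule(line)
        if r["chain"] != "INPUT" or r["proto"] != "udp" or r["target"] != "ACCEPT":
            continue
        if OSSEC_PORT not in (r["sport"], r["dport"]):
            continue
        if role == "agent" and r["dport"] == OSSEC_PORT:
            findings.append(f"agent rule matches --dport {OSSEC_PORT}, but the agent "
                            f"receives replies from the manager's source port; "
                            f"use --sport {OSSEC_PORT}: {line}")
        if role == "manager" and r["sport"] == OSSEC_PORT:
            findings.append(f"manager rule matches --sport {OSSEC_PORT}, but agents "
                            f"send from ephemeral ports to --dport {OSSEC_PORT}: {line}")
        if r["src"] is None:
            findings.append(f"rule accepts {OSSEC_PORT} from any source; "
                            f"add -s <peer ip>: {line}")
    return findings


def corrected_rules(role, peer_ips):
    """The rules the thread arrives at: the agent filters by the manager's
    source port, the manager by its own destination port; both restrict the
    peer address."""
    port_opt = "--sport" if role == "agent" else "--dport"
    return [f"-A INPUT -s {ip}/32 -p udp {port_opt} {OSSEC_PORT} -j ACCEPT"
            for ip in peer_ips]


# Constructed sample: the agent-side rule set from the thread, as `iptables -S`
# would print it (the addresses are the thread's examples, not real hosts).
AGENT_RULES_BEFORE = [
    "-P INPUT DROP",
    "-A INPUT -s 10.0.0.1/32 -p udp -m udp --dport 1514 -j ACCEPT",
    "-A INPUT -s 10.0.0.2/32 -p udp -m udp --dport 1514 -j ACCEPT",
    "-A INPUT -j DROP",
]

if __name__ == "__main__":
    for finding in audit(AGENT_RULES_BEFORE, "agent"):
        print("FINDING:", finding)
    print("\n".join(corrected_rules("agent", ["10.0.0.1", "10.0.0.2"])))
```

On a real host, feed it `iptables -S INPUT` output line by line with the role of that host; the `-D INPUT -j DROP` / re-append dance in the thread is only there to keep the final DROP last, and the generated `-A` rules assume the same ordering.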
Re: [ossec-list] Redundancy manager (backup)
Hello,

Thank you for your answers !

This is finally working, what I had to do was to allow the traffic through 1514 with the following:

*On the agent :*

- sudo iptables -D INPUT -j DROP
- iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.1 -j ACCEPT
- iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.2 -j ACCEPT
- iptables -A OUTPUT -j ACCEPT
- sudo iptables -A INPUT -j DROP

*On the manager :*

- sudo iptables -D INPUT -j DROP
- iptables -A INPUT -p UDP --dport 1514 -s IP_agent_1 -j ACCEPT
- iptables -A INPUT -p UDP --dport 1514 -s IP_agent_2 -j ACCEPT
- iptables -A INPUT -p UDP --dport 1514 -s IP_agent_3 -j ACCEPT
- iptables -A OUTPUT -j ACCEPT
- sudo iptables -A INPUT -j DROP

I don't think that this is the right way to do it, but it works now..

Best regards.
Re: [ossec-list] Redundancy manager (backup)
Hi Martin,

please give us a clue: do you see any issue in the logs? For example, when the agent switches to the other server you should see logs such as:

    ossec-agentd: INFO: Closing connection to server (10.0.0.1:1514).
    ossec-agentd: INFO: Trying to connect to server (10.0.0.2:1514).

If the agent gives up:

    ossec-agentd: ERROR: Unable to connect to any server.

If there is an issue with the agent key, the manager log may print:

    ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.0.X'.
(or)
    ossec-remoted(1408): ERROR: Invalid ID %s for the source ip: '10.0.0.X'.
(or)
    ossec-remoted(1213): WARN: Message from '10.0.0.X' not allowed.

On the other hand, if any of the peers (agent or manager) rejects a remote ID (Rid):

    ossec-remoted(1407): ERROR: Duplicated counter for '10.0.0.1'.

Only for testing purposes, you may use this configuration at the agent, it will speed up the connection switching:

    <server-ip>10.0.0.1</server-ip>
    <server-ip>10.0.0.2</server-ip>
    <notify_time>5</notify_time>
    <time-reconnect>15</time-reconnect>

And you may also disable Rid verification by adding this line to the file /var/ossec/etc/local_internal_options.conf (manager and agent):

    remoted.verify_msg_id=0

Please look for any suspicious log, try these configurations and write back to us.

Best regards.

On Mon, Apr 10, 2017 at 4:57 PM, Martin wrote:
> Even after 1 hour my agents won't connect to the second manager.
>
> Here are the steps that I've done so far:
>
> - Having my two managers with the same ossec.conf, local_decoder, local_rules, client, client.keys
> - Opening the port 1514 on all the agents and the manager.
> - Specify the manager's ip on the agents
>
>     <server-ip>10.0.0.1</server-ip>
>     <server-ip>10.0.0.2</server-ip>
>
> Maybe it has to do with what Viktor said about Rids counter, I'm not sure.
>
> Best regards.

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
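The reply above lists the ossec.log lines that tell a failover from a key problem from a Rids counter mismatch. As an added example (not OSSEC code, not from anyone on the list), the script below runs those patterns over log lines and maps each finding to the check the thread suggests. The message texts are the ones quoted in the reply; the "YYYY/MM/DD HH:MM:SS " timestamp prefix is assumed to be what ossec.log writes, and the timestamps and agent addresses in the sample are constructed.

```python
"""Triage ossec.log lines for the failover and key problems named above.

Added example, not OSSEC code.  Patterns are the log texts quoted in the
thread; the timestamp prefix is assumed, and the sample lines are constructed.
"""
import re
from collections import defaultdict

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
CLOSING = re.compile(TS + r"ossec-agentd: INFO: Closing connection to server \((?P<ip>[\d.]+):\d+\)")
TRYING = re.compile(TS + r"ossec-agentd: INFO: Trying to connect to server \((?P<ip>[\d.]+):\d+\)")
GAVE_UP = re.compile(TS + r"ossec-agentd: ERROR: Unable to connect to any server")
REMOTED = re.compile(TS + r"ossec-remoted\((?P<code>\d+)\): (?:ERROR|WARN): .*?'(?P<ip>[^']+)'")

# Manager-side codes the thread groups as "issue with the agent key".
KEY_CODES = {"1403": "Incorrectly formated message",
             "1408": "Invalid ID for the source ip",
             "1213": "Message not allowed"}
RID_CODE = "1407"   # "Duplicated counter": a peer rejected the remote ID (Rid)


def triage(lines):
    """Summarize agent failovers, give-ups, key problems and Rid rejections."""
    report = {"failovers": [], "gave_up": 0,
              "key_problems": defaultdict(list), "rid_problems": []}
    last_closed = None
    for line in lines:
        if m := CLOSING.search(line):
            last_closed = m["ip"]                       # remember the server we left
        elif m := TRYING.search(line):
            report["failovers"].append((m["ts"], last_closed, m["ip"]))
            last_closed = None
        elif GAVE_UP.search(line):
            report["gave_up"] += 1
        elif m := REMOTED.search(line):
            if m["code"] in KEY_CODES:
                report["key_problems"][m["ip"]].append(m["code"])
            elif m["code"] == RID_CODE:
                report["rid_problems"].append(m["ip"])
    report["key_problems"] = dict(report["key_problems"])
    return report


def next_steps(report):
    """Map the findings to the checks the thread recommends."""
    steps = []
    if report["gave_up"]:
        steps.append("agent reached no server: check that UDP 1514 to every manager is open")
    if report["key_problems"]:
        steps.append("re-synchronize /var/ossec/etc/client.keys between the managers")
    if report["rid_problems"]:
        steps.append("synchronize /var/ossec/queue/rids/sender_counter, or for testing "
                     "set remoted.verify_msg_id=0 in local_internal_options.conf")
    return steps


# Constructed sample: one agent log and one manager log, concatenated.
SAMPLE_LOG = [
    "2017/04/10 16:30:00 ossec-agentd: INFO: Closing connection to server (10.0.0.1:1514).",
    "2017/04/10 16:30:00 ossec-agentd: INFO: Trying to connect to server (10.0.0.2:1514).",
    "2017/04/10 16:30:15 ossec-agentd: ERROR: Unable to connect to any server.",
    "2017/04/10 16:31:02 ossec-remoted(1408): ERROR: Invalid ID %s for the source ip: '10.0.1.100'.",
    "2017/04/10 16:31:03 ossec-remoted(1407): ERROR: Duplicated counter for '10.0.1.101'.",
    "2017/04/10 16:31:04 ossec-remoted(1213): WARN: Message from '10.0.1.102' not allowed.",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary)
    for step in next_steps(summary):
        print("->", step)
```

Run it over the agent's and the manager's /var/ossec/logs/ossec.log; a failover entry with `None` as the "from" server means a connect attempt with no preceding "Closing connection" line, i.e. a fresh start rather than a switch.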
Re: [ossec-list] Redundancy manager (backup)
Even after 1 hour my agents won't connect to the second manager.

Here are the steps that I've done so far:

- Having my two managers with the same ossec.conf, local_decoder, local_rules, client, client.keys
- Opening the port 1514 on all the agents and the manager.
- Specify the manager's ip on the agents

    <server-ip>10.0.0.1</server-ip>
    <server-ip>10.0.0.2</server-ip>

Maybe it has to do with what Viktor said about Rids counter, I'm not sure.

Best regards.
Re: [ossec-list] Redundancy manager (backup)
On Wed, Apr 5, 2017 at 11:32 AM, Martin wrote:
> Hello Victor,
>
> I tried to run a second manager and I've the same file /var/ossec/etc/client.keys on it and on the first manager. I've copied the local_rules, ossec.conf, local_decoder as well.
>
> And I've specified on the agents to listen on him as you told me:
>
>     <server-ip>10.0.0.1</server-ip>
>     <server-ip>10.0.0.2</server-ip>
>
> My first manager (10.0.0.1 here) is shut down and none of the agents are listening on 10.0.0.2.
>
> What should I look into ?

It takes a while (30min?) for the agents to switch over.

> Best regards.
Re: [ossec-list] Redundancy manager (backup)
Hello Victor,

I tried to run a second manager and I've the same file /var/ossec/etc/client.keys on it and on the first manager. I've copied the local_rules, ossec.conf, local_decoder as well.

And I've specified on the agents to listen on him as you told me:

    <server-ip>10.0.0.1</server-ip>
    <server-ip>10.0.0.2</server-ip>

My first manager (10.0.0.1 here) is shut down and none of the agents are listening on 10.0.0.2.

What should I look into ?

Best regards.
Re: [ossec-list] Redundancy manager (backup)
Sorry I forgot to mention Chef, you can definitely use it to deploy your agents. If you are interested in it, take a look at: https://github.com/sous-chefs/ossec.

Best regards.

On Tue, Apr 4, 2017 at 2:55 PM, Martin wrote:
> Is it possible to deploy them (agents) easily via Chef ?
>
> Thank you again for your answers!
>
> Best regards.

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
Re: [ossec-list] Redundancy manager (backup)
Is it possible to deploy them (agents) easily via Chef ?

Thank you again for your answers!

Best regards.
Re: [ossec-list] Redundancy manager (backup)
Hi Martin,

there are actually some options to deploy agents, you can use Puppet or Ansible to make a large deployment.

A very simple unattended installation could be installing the agent with preloaded variables. You can find the file etc/preloaded-vars.conf in the source code, fill it (uncomment and set the options) and launch install.sh. With a properly filled preloaded-vars.conf, it will make an unattended installation.

The next step is adding the agent to the manager, you may use the Auth system (ossec-authd server on the manager and agent-auth on agents) to register agents automatically.

There are some approaches to get a high availability system, the most important task is to ensure that the file /var/ossec/etc/client.keys is always synchronized between every manager in your system. If you have Rids counters enabled (OSSEC has them enabled by default) you should do the same with the file /var/ossec/queue/rids/sender_counter, that stores the message counter (it does this to number each message and avoid some security threats like replay attacks).

There is no unique way to achieve high availability, it depends on your system (how many managers you have, whether they are parallel or there is a main manager and a backup server, whether you will use shared storage, etc).

Best regards.

On Tue, Apr 4, 2017 at 10:32 AM, Martin wrote:
> I know it is possible with "Unattended Source Installation" but I'd still have to add these agents manually on the manager, or is there another way :) ?

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
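The reply above makes client.keys synchronization the central task for a manager pair: an agent whose entry is missing or differs on the backup manager is exactly what produces the "Invalid ID" / "not allowed" lines discussed later in the thread. The following is an added example, not OSSEC code: it parses the one-agent-per-line `ID NAME IP KEY` format of client.keys, reports entries missing or mismatched between two managers, and computes an order-independent digest so the two files can be compared quickly (for instance by running it on each manager and comparing the printed digests). The two file contents and their keys are constructed; no real keys appear.

```python
"""Compare /var/ossec/etc/client.keys between a primary and a backup manager.

Added example, not OSSEC code.  Assumes the client.keys line format
'ID NAME IP KEY'; the sample contents below are constructed, with fake keys.
"""
import hashlib


def parse_client_keys(text):
    """Return {agent_id: {'name', 'ip', 'key'}}; lines without exactly four
    fields (blank lines, anything unexpected) are skipped."""
    agents = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        agent_id, name, ip, key = parts
        agents[agent_id] = {"name": name, "ip": ip, "key": key}
    return agents


def compare_client_keys(primary_text, backup_text):
    """IDs that exist on only one manager, and IDs whose name/ip/key differ."""
    primary = parse_client_keys(primary_text)
    backup = parse_client_keys(backup_text)
    shared = set(primary) & set(backup)
    return {
        "missing_on_backup": sorted(set(primary) - set(backup)),
        "missing_on_primary": sorted(set(backup) - set(primary)),
        "mismatched": sorted(i for i in shared if primary[i] != backup[i]),
    }


def keys_digest(text):
    """SHA-256 over the parsed entries in ID order, so two files with the same
    agents in a different line order (or extra blank lines) hash the same."""
    entries = parse_client_keys(text)
    canonical = "\n".join(f"{i} {e['name']} {e['ip']} {e['key']}"
                          for i, e in sorted(entries.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample contents (fake keys, example addresses).
PRIMARY_KEYS = """\
001 web01 10.0.1.100 FAKEKEY0001
002 web02 10.0.1.101 FAKEKEY0002
003 db01 10.0.1.102 FAKEKEY0003
"""
BACKUP_KEYS = """\
002 web02 10.0.1.101 FAKEKEY0002
001 web01 10.0.1.100 FAKEKEY0001
003 db01 10.0.1.102 FAKEKEY0003-STALE
004 db02 10.0.1.103 FAKEKEY0004
"""

if __name__ == "__main__":
    print(compare_client_keys(PRIMARY_KEYS, BACKUP_KEYS))
    print("primary digest:", keys_digest(PRIMARY_KEYS))
    print("backup digest: ", keys_digest(BACKUP_KEYS))
```

The same digest approach applies to the Rids file the reply mentions (/var/ossec/queue/rids/sender_counter), but since its format is not described here the example only handles client.keys.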
Re: [ossec-list] Redundancy manager (backup)
I know it is possible with "Unattended Source Installation" but I'd still have to add these agents manually on the manager, or is there another way :) ?
Re: [ossec-list] Redundancy manager (backup)
Hi Victor,

Now that I know it is possible to have a second manager in case the first one stops running, I'm wondering, is there a proper way to copy the first manager to duplicate it ? Like that I won't have to configure the second manager as I did with the first one.

And I was looking as well if there were a way to automatically deploy agents on servers and add them on the manager without having to use the script .install ? Because, let's say I've 100 agents to deploy, it will take me a while doing it with the script ...

Thank you for your answer !

Best regards.
Re: [ossec-list] Redundancy manager (backup)
Hi Martin,

when agents connect to the manager, the latter sends an ACK message to confirm that the connection is established. From that moment on, agents send data with no arrival confirmation. This means that, if the server went down, agents would keep sending data, which will be lost.

There is a mechanism to test connections: every 10 minutes agents send keep-alive messages to the manager, and the server responds with an ACK message. If an agent does not send a keep-alive in 30 minutes, the manager marks it as disconnected and produces an alert. On the other hand, if the manager does not answer 3 keep-alive messages in a row, the agent considers that the server is down and tries to reconnect; in the meanwhile it "locks" every component (File Integrity Monitoring, Log collecting, etc.) in order to prevent them from sending data that would be lost.

You may use a secondary manager and configure two remote servers, with a configuration such as this:

    <server-ip>10.0.0.1</server-ip>
    <server-ip>10.0.0.2</server-ip>

The agent will always try to connect first to the first defined server. In case it could not connect to it, it will try to do it with the next one. You can define as many servers as you want.

Best regards.

On Mon, Apr 3, 2017 at 6:47 PM, Martin wrote:
> Hello everyone,
>
> I was wondering, what happens if the "manager" bugs / shuts down ?
>
> It might sound stupid but what behavior will the agents have ? Will they make my server bug, consume too much cpu/ram or try to send messages all the time etc ?
>
> Is there a way to have a second manager as a backup or make redundancy ?
>
> Best regards !

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
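The timings in the reply above (keep-alive every 10 minutes, three unanswered keep-alives before the agent locks its components and reconnects, 30 silent minutes before the manager flags the agent) determine how long a failover takes. The simulation below is an added example, not OSSEC code: it models an agent walking its server list in order, as the reply describes, and shows why a backup manager only starts receiving the agent about 30 minutes after the primary dies. The class and function names, the `is_up` callback standing in for the network, and the outage scenarios are this example's own construction.

```python
"""Simulate the agent/manager keep-alive and failover behaviour described above.

Added example, not OSSEC code.  Timings are the ones stated in the reply;
the Agent class, the is_up callback and the scenarios are constructed here.
"""
NOTIFY_TIME = 600        # seconds between keep-alives (every 10 minutes)
MAX_MISSED = 3           # unanswered keep-alives before the agent reconnects
MANAGER_TIMEOUT = 1800   # manager marks the agent disconnected after this silence


class Agent:
    def __init__(self, servers, is_up):
        self.servers = list(servers)   # ordered as in ossec.conf, first preferred
        self.is_up = is_up             # is_up(ip, t) -> bool, the simulated network
        self.current = None
        self.missed = 0
        self.locked = True             # components stay locked until a manager ACKs
        self.events = []
        self.reconnect(0)

    def reconnect(self, t):
        """Walk the server list in order and take the first one that ACKs."""
        for ip in self.servers:
            if self.is_up(ip, t):
                self.current, self.missed, self.locked = ip, 0, False
                self.events.append((t, f"connected to {ip}"))
                return True
        self.current = None
        self.events.append((t, "unable to connect to any server"))
        return False

    def keepalive(self, t):
        """One keep-alive round; an unanswered one counts toward MAX_MISSED."""
        if self.current is None:
            self.reconnect(t)          # still searching for a server
        elif self.is_up(self.current, t):
            self.missed = 0            # ACK received
        else:
            self.missed += 1
            if self.missed >= MAX_MISSED:
                self.events.append((t, f"{self.current} missed {MAX_MISSED} keep-alives, "
                                       "locking components"))
                self.locked = True
                self.reconnect(t)


def manager_status(last_keepalive, now):
    """What the manager reports for an agent last heard at last_keepalive."""
    return "disconnected" if now - last_keepalive >= MANAGER_TIMEOUT else "active"


def simulate(servers, down_from, horizon=3600):
    """Run keep-alives up to `horizon` seconds.  `down_from` maps a manager ip
    to the second from which it stops answering (constructed outage)."""
    def is_up(ip, t):
        return not (ip in down_from and t >= down_from[ip])
    agent = Agent(servers, is_up)
    for t in range(NOTIFY_TIME, horizon + 1, NOTIFY_TIME):
        agent.keepalive(t)
    return agent


if __name__ == "__main__":
    # Primary dies right after the first keep-alive; backup stays up.
    a = simulate(["10.0.0.1", "10.0.0.2"], {"10.0.0.1": 600})
    for t, event in a.events:
        print(f"t={t // 60:3d} min  {event}")
```

With the primary down from minute 10, the third unanswered keep-alive falls at minute 30 and the agent connects to 10.0.0.2 at that point, which is the delay the later "30min?" reply in this thread refers to; with both managers down the agent stays locked and retries the list on every keep-alive.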
[ossec-list] Redundancy manager (backup)
Hello everyone,

I was wondering, what happens if the "manager" bugs / shuts down ?

It might sound stupid but what behavior will the agents have ? Will they make my server bug, consume too much cpu/ram or try to send messages all the time etc ?

Is there a way to have a second manager as a backup or make redundancy ?

Best regards !