ossec-remoted not listening IPv4

[samysberg]

-- OS: Ubuntu Server 18.04.01 (Linux 4.15.0-43-generic).
-- OSSEC version: 3.1.0-5732bionic (from atomic's ubuntu repo).
-- System context: this was tested and replicated on a plain semi-vanilla install on a VirtualBox VM. After OS installation I added a mate-desktop and the VirtualBox Guest Additions. Anyways, the results were the same I had on the remote VPS server (same distro/kernel, no desktop/GUI, no VirtualBox stuff, no kernel tainting of any kind).
-- Simplest path to replicate the problem:

1. install ossec server;
2. create some agent;
3. restart ossec server (and it wont listen on IPv4 even with ossec.conf properly set up).

-- Some tests I did after those three steps:

1. netstat:

root@vmtester:/root #   netstat -tulpan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      507/systemd-resolve 
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      592/cupsd           
tcp6       0      0 ::1:631                 :::*                    LISTEN      592/cupsd           
udp        0      0 127.0.0.53:53           0.0.0.0:*                           507/systemd-resolve 
udp        0      0 192.168.0.136:68        0.0.0.0:*                           497/systemd-network 
udp        0      0 0.0.0.0:631             0.0.0.0:*                           876/cups-browsed    
udp        0      0 0.0.0.0:33891           0.0.0.0:*                           591/avahi-daemon: r 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           591/avahi-daemon: r 
udp6       0      0 :::5353                 :::*                                591/avahi-daemon: r 
udp6       0      0 :::1514                 :::*                                8387/ossec-remoted  
udp6       0      0 :::59057                :::*                                591/avahi-daemon: r 

1.1) netstat after specifying an IPv4 address:
Sorry that I'm not pasting it (nor the next test results) here, but it was very odd: ossec-remoted was listening on udp 1514 , BUT, at a local IPv6 address number ending with the IPv4 address that I specified on ossec.conf. And nothing was listening on IPv4.
2) netcat on IPv4 UDP 1514 :
Result is that the agent stream was indeed being delivered at the IPv4 UDP 1514 on server machine. And ossec server couldn't get any info from the agent.
3) ossec server logs on debug level 2:
Not a thing about IPv4. But mentions IPv6 binding (not sure now, but I think it said it couldn't bind to IPv6).
-- Sorry for the missing ctrl+v's on the tests but I really had to post this issue today (better than tomnever). And thanks to the developer team for everything! 😃

[ddpbsd]

Mine says the same thing:

[ddp@rossak ~]$ sudo netstat -tulpan
udp6       0      0 192.168.18.204:1514     :::*                                1781/ossec-remoted

But it works on ipv4. I think your problem is elsewhere.

Try running the server in debug mode (/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart) and check the ossec.log for errors.

Check the agent's ossec.log to see if it's reporting any issues.
Use tcpdump on the server to make sure the packets from the agent are seen as arriving from the configured IP address (no NAT devices or anything in between).

[aquerubin]

Concur. I’d look at the actual IP address the agent stream is sourced from and compare to what the server is expecting. I suspect a mismatch but the log should be indicating this too. Tony

…

On Dec 24, 2018, at 01:09, Dan Parriott ***@***.***> wrote: Mine says the same thing: ***@***.*** ~]$ sudo netstat -tulpan udp6 0 0 192.168.18.204:1514 :::* 1781/ossec-remoted But it works on ipv4. I think your problem is elsewhere. Try running the server in debug mode (/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart) and check the ossec.log for errors. Check the agent's ossec.log to see if it's reporting any issues. Use tcpdump on the server to make sure the packets from the agent are seen as arriving from the configured IP address (no NAT devices or anything in between). — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[samysberg]

Hello folks...
So, this time I'll be able to properly paste some diagnostics as suggested.

--> First a description of this machine, as of before installing ossec-server: Ubuntu Server 18.04.01, kernel 4.15.0-43-generic, running in a local x86_64 VM (VirtualBox) on my laptop. Previously installed packages are: make, gcc, libtool, autoconf, automake, needrestart, whois, nmap, virtualbox guest agent, mate desktop.

Please note that as I'm using the atomic's repo for ubuntu, this is not about ossec most current version, but the version "3.1.0-5732bionic", as I stated on the first post.

--> Steps taken & diagnostics:

1 ) Netstat before installing ossec.

root@ossec-srv:~  #   netstat -tulpan # this is before installing ossec.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      512/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1263/sshd           
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      585/cupsd           
tcp        0    196 192.168.56.16:22        192.168.56.1:58936      ESTABLISHED 1372/sshd: elrondic 
tcp6       0      0 :::22                   :::*                    LISTEN      1263/sshd           
tcp6       0      0 ::1:631                 :::*                    LISTEN      585/cupsd           
udp        0      0 127.0.0.53:53           0.0.0.0:*                           512/systemd-resolve 
udp        0      0 192.168.0.134:68        0.0.0.0:*                           498/systemd-network 
udp        0      0 0.0.0.0:53677           0.0.0.0:*                           591/avahi-daemon: r 
udp        0      0 0.0.0.0:631             0.0.0.0:*                           828/cups-browsed    
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           591/avahi-daemon: r 
udp6       0      0 :::5353                 :::*                                591/avahi-daemon: r 
udp6       0      0 :::60741                :::*                                591/avahi-daemon: r 

2 ) Install ossec server.

root@ossec-srv:~  # wget -q -O - https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt  | sudo apt-key add -
root@ossec-srv:~  # source /etc/lsb-release
root@ossec-srv:~  # echo "deb https://updates.atomicorp.com/channels/atomic/ubuntu $DISTRIB_CODENAME main" >>  /etc/apt/sources.list.d/atomic.list
root@ossec-srv:~  # apt update
root@ossec-srv:~  # apt install ossec-hids-server

3 ) Create an agent key with manage_agents .

root@ossec-srv:~  #   /var/ossec/bin/manage_agents


****************************************
* OSSEC HIDS v3.1.0 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: a

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: agent1
   * The IP Address of the new agent: 192.168.56.1
   * An ID for the new agent[001]: 
Agent information:
   ID:001
   Name:agent1
   IP Address:192.168.56.1

Confirm adding it?(y/n): y
Agent added.


****************************************
* OSSEC HIDS v3.1.0 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting.

4 ) Restart ossec server and new netstat.

root@ossec-srv:~  #   /etc/init.d/ossec restart
ossec-monitord not running ..
ossec-logcollector not running ..
ossec-remoted not running ..
ossec-syscheckd not running ..
ossec-analysisd not running ..
ossec-maild not running ..
ossec-execd not running ..
OSSEC HIDS v3.1.0 Stopped
Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
root@ossec-srv:~  #   netstat -tulpan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      512/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1263/sshd           
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      585/cupsd           
tcp        0      0 192.168.56.16:22        192.168.56.1:58936      ESTABLISHED 1372/sshd: elrondic 
tcp6       0      0 :::22                   :::*                    LISTEN      1263/sshd           
tcp6       0      0 ::1:631                 :::*                    LISTEN      585/cupsd           
udp        0      0 127.0.0.53:53           0.0.0.0:*                           512/systemd-resolve 
udp        0      0 192.168.0.134:68        0.0.0.0:*                           498/systemd-network 
udp        0      0 0.0.0.0:53677           0.0.0.0:*                           591/avahi-daemon: r 
udp        0      0 0.0.0.0:631             0.0.0.0:*                           828/cups-browsed    
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           591/avahi-daemon: r 
udp6       0      0 :::5353                 :::*                                591/avahi-daemon: r 
udp6       0      0 :::60741                :::*                                591/avahi-daemon: r 
udp6       0      0 :::1514                 :::*                                3664/ossec-remoted 

5 ) Enable debug and restart ossec service.

root@ossec-srv:~ # /var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart

6 ) I'm not showing the ossec.log as of this step, since I'm gonna show how it was after step 7.

7 ) Change ossec.conf (just added my local ipv4 address on remoted section).

  <remote>
    <connection>secure</connection>
    <local_ip>192.168.56.16</local_ip>
  </remote>

8 ) Restart service on debug mode again.

root@ossec-srv:~/ossec-debug-feedback # /var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart

9 ) Netstat again.

root@ossec-srv:~/ossec-debug-feedback  #   netstat -tulpan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      512/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1263/sshd           
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      585/cupsd           
tcp        0    196 192.168.56.16:22        192.168.56.1:60958      ESTABLISHED 5367/sshd: elrondic 
tcp6       0      0 :::22                   :::*                    LISTEN      1263/sshd           
tcp6       0      0 ::1:631                 :::*                    LISTEN      585/cupsd           
udp        0      0 127.0.0.53:53           0.0.0.0:*                           512/systemd-resolve 
udp        0      0 192.168.0.134:68        0.0.0.0:*                           498/systemd-network 
udp        0      0 0.0.0.0:53677           0.0.0.0:*                           591/avahi-daemon: r 
udp        0      0 0.0.0.0:631             0.0.0.0:*                           828/cups-browsed    
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           591/avahi-daemon: r 
udp6       0      0 :::5353                 :::*                                591/avahi-daemon: r 
udp6       0      0 :::60741                :::*                                591/avahi-daemon: r 
udp6       0      0 192.168.56.16:1514      :::*                                5710/ossec-remoted  

10 ) ossec.log (starting from the shutdown caused by the restart command).

This step 10 is attached as a txt file.
ossec.log_debug-mode_after-ipv4-specified.txt

--> Comments:

I didn't test the stream from the agent this time because on that first test I did it (with netcat in the server, listening on udp ipv4 port 1415) and it was OK; also, the problem seems to be with the ossec server (remoted) ipv4 listening. But if you tell me that this netstat output I got is the expected behavior I could try some other tests with ossec agent.

[aquerubin]

You don’t need to do steps 7 and 8. How did you specify the server target when you installed the agent? If you used a host name, try using the IPv4 address of the server instead. That will confine the agent<->server connection to IPv4. Tony

…

On Dec 29, 2018, at 15:25, mr-cortex-dot-io ***@***.***> wrote: Hello folks... So, this time I'll be able to properly paste some diagnostics as suggested. --> First a description of this machine, as of before installing ossec-server: Ubuntu Server 18.04.01, kernel 4.15.0-43-generic, running in a local x86_64 VM (VirtualBox) on my laptop. Previously installed packages are: make, gcc, libtool, autoconf, automake, needrestart, whois, nmap, virtualbox guest agent, mate desktop. --> Steps taken & diagnostics: 1 ) Netstat before installing ossec. ***@***.***:~ # netstat -tulpan # this is before installing ossec. Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 512/systemd-resolve tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1263/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 585/cupsd tcp 0 196 192.168.56.16:22 192.168.56.1:58936 ESTABLISHED 1372/sshd: elrondic tcp6 0 0 :::22 :::* LISTEN 1263/sshd tcp6 0 0 ::1:631 :::* LISTEN 585/cupsd udp 0 0 127.0.0.53:53 0.0.0.0:* 512/systemd-resolve udp 0 0 192.168.0.134:68 0.0.0.0:* 498/systemd-network udp 0 0 0.0.0.0:53677 0.0.0.0:* 591/avahi-daemon: r udp 0 0 0.0.0.0:631 0.0.0.0:* 828/cups-browsed udp 0 0 0.0.0.0:5353 0.0.0.0:* 591/avahi-daemon: r udp6 0 0 :::5353 :::* 591/avahi-daemon: r udp6 0 0 :::60741 :::* 591/avahi-daemon: r 2 ) Install ossec server. ***@***.***:~ # wget -q -O - https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt | sudo apt-key add - ***@***.***:~ # source /etc/lsb-release ***@***.***:~ # echo "deb https://updates.atomicorp.com/channels/atomic/ubuntu $DISTRIB_CODENAME main" >> /etc/apt/sources.list.d/atomic.list ***@***.***:~ # apt update ***@***.***:~ # apt install ossec-hids-server 3 ) Create an agent key with manage_agents . ***@***.***:~ # /var/ossec/bin/manage_agents **************************************** * OSSEC HIDS v3.1.0 Agent manager. * * The following options are available: * **************************************** (A)dd an agent (A). (E)xtract key for an agent (E). (L)ist already added agents (L). (R)emove an agent (R). (Q)uit. Choose your action: A,E,L,R or Q: a - Adding a new agent (use '\q' to return to the main menu). Please provide the following: * A name for the new agent: agent1 * The IP Address of the new agent: 192.168.56.1 * An ID for the new agent[001]: Agent information: ID:001 Name:agent1 IP Address:192.168.56.1 Confirm adding it?(y/n): y Agent added. **************************************** * OSSEC HIDS v3.1.0 Agent manager. * * The following options are available: * **************************************** (A)dd an agent (A). (E)xtract key for an agent (E). (L)ist already added agents (L). (R)emove an agent (R). (Q)uit. Choose your action: A,E,L,R or Q: q ** You must restart OSSEC for your changes to take effect. manage_agents: Exiting. 4 ) Restart ossec server and new netstat. ***@***.***:~ # /etc/init.d/ossec restart ossec-monitord not running .. ossec-logcollector not running .. ossec-remoted not running .. ossec-syscheckd not running .. ossec-analysisd not running .. ossec-maild not running .. ossec-execd not running .. OSSEC HIDS v3.1.0 Stopped Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)... Started ossec-execd... Started ossec-analysisd... Started ossec-logcollector... Started ossec-remoted... Started ossec-syscheckd... Started ossec-monitord... Completed. ***@***.***:~ # netstat -tulpan Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 512/systemd-resolve tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1263/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 585/cupsd tcp 0 0 192.168.56.16:22 192.168.56.1:58936 ESTABLISHED 1372/sshd: elrondic tcp6 0 0 :::22 :::* LISTEN 1263/sshd tcp6 0 0 ::1:631 :::* LISTEN 585/cupsd udp 0 0 127.0.0.53:53 0.0.0.0:* 512/systemd-resolve udp 0 0 192.168.0.134:68 0.0.0.0:* 498/systemd-network udp 0 0 0.0.0.0:53677 0.0.0.0:* 591/avahi-daemon: r udp 0 0 0.0.0.0:631 0.0.0.0:* 828/cups-browsed udp 0 0 0.0.0.0:5353 0.0.0.0:* 591/avahi-daemon: r udp6 0 0 :::5353 :::* 591/avahi-daemon: r udp6 0 0 :::60741 :::* 591/avahi-daemon: r udp6 0 0 :::1514 :::* 3664/ossec-remoted 5 ) Enable debug and restart ossec service. ***@***.***:~ # /var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart 6 ) I'm not showing the ossec.log as of this step, since I'm gonna show how it was after step 7. 7 ) Change ossec.conf (just added my local ipv4 address on remoted section). <remote> <connection>secure</connection> <local_ip>192.168.56.16</local_ip> </remote> 8 ) Restart service on debug mode again. ***@***.***:~/ossec-debug-feedback # /var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart 9 ) Netstat again. ***@***.***:~/ossec-debug-feedback # netstat -tulpan Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 512/systemd-resolve tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1263/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 585/cupsd tcp 0 196 192.168.56.16:22 192.168.56.1:60958 ESTABLISHED 5367/sshd: elrondic tcp6 0 0 :::22 :::* LISTEN 1263/sshd tcp6 0 0 ::1:631 :::* LISTEN 585/cupsd udp 0 0 127.0.0.53:53 0.0.0.0:* 512/systemd-resolve udp 0 0 192.168.0.134:68 0.0.0.0:* 498/systemd-network udp 0 0 0.0.0.0:53677 0.0.0.0:* 591/avahi-daemon: r udp 0 0 0.0.0.0:631 0.0.0.0:* 828/cups-browsed udp 0 0 0.0.0.0:5353 0.0.0.0:* 591/avahi-daemon: r udp6 0 0 :::5353 :::* 591/avahi-daemon: r udp6 0 0 :::60741 :::* 591/avahi-daemon: r udp6 0 0 192.168.56.16:1514 :::* 5710/ossec-remoted 10 ) ossec.log (starting from the shutdown caused by the restart command). This step 10 is attached as a txt file. ossec.log_debug-mode_after-ipv4-specified.txt --> Comments: I didn't test the stream from the agent this time because on that first test I did it (with netcat in the server, listening on udp ipv4 port 1415) and it was OK; also, the problem seems to be with the ossec server (remoted) ipv4 listening. But if you tell me that this netstat output I got is the expected behavior I could try some other tests with ossec agent. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[samysberg]

Sorry, but I'm not sure of what you asked exactly... So I'm answering two things.

1. On that first test, the agent was configured to stream to the ipv4 of the server. And it was streaming correctly, or at least it was streaming something (which I detected with netcat on the server, receiving packets on ipv4, udp:1514).
2. Regarding the second test, the output AND my chosen options with the manage_agents are shown on step 3.

[m-terlinde]

I have exactly the same issue.

Is there any chance, that #1880 would fix it?

[jsmucr]

Disable IPv6 if you don't need it.

sysctl -a -N | grep -P 'net\.ipv6\.conf\..*\.disable_ipv6' | xargs -I{} sysctl -w '{}=1'
systemctl restart ossec-hids