If remoted is failing, it is likely you have another program running on 
that port that remoted is trying to bind to. For example, syslog is a 
common application on UNIX/BSD/Linux systems, and uses port 514. If you 
also attempt to use port 514 for remoted, you will get a conflict and 
remoted will exit. OSSEC uses 1514 for its default event data, so if you 
want to collect syslog data for analysis, port 1515 would be a good logical 
choice.

Another issue exists with remoted when you attempt to bind to port numbers 
less than 1024 -- anything less than 1024 is privileged (root only). 
Because OSSEC runs as user ossec, you cannot bind to ports lower than 1024 
on most *NIX systems unless the attachment occurs prior to the change to 
user ossec. This privileged port restriction is by design (for example, it 
prevents a non-root user from running a rogue SSH server to collect userids 
and passwords on port 22, or a user from running their own email server on 
port 25). Unless you write a lot of UNIX socket code or you have extensive 
UNIX admin experience, most people are unaware of the privileged port 
restriction issue. It would probably be useful to note this information in 
the documentation to alleviate confusion.

Best,

Dave Stoddard
Network Alarm Corporation
https://networkalarmcorp.com
301-850-0668 x101
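
The two failure modes described in the message above (port already in use, and privileged port denied to a non-root user) can be told apart by the errno the bind attempt returns. The following is an added example, not part of the original message or of OSSEC's code; the function names and port labels are this example's own.

```python
import errno
import os
import socket

# Ports named in the message above; the labels are this example's own.
PORTS = {514: "syslog", 1514: "OSSEC default event data",
         1515: "suggested syslog collection"}

def diagnose_bind(port, proto="udp", host="0.0.0.0"):
    """Attempt the same bind a daemon would make and classify the result.

    Returns "ok", "in_use" (EADDRINUSE: another program holds the port),
    "privileged" (EACCES: the port needs root) or "error:<ERRNO>".
    """
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "in_use"
            if e.errno == errno.EACCES:
                return "privileged"
            return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    return "ok"  # the socket closes on leaving the with-block, freeing the port

def explain(port, result):
    """Turn a diagnose_bind() result into an operator-facing hint."""
    if result == "in_use":
        return f"port {port}: already bound by another program; pick a different port"
    if result == "privileged":
        return (f"port {port}: bind denied for uid {os.geteuid()}; ports below 1024 "
                "must be bound before privileges are dropped")
    if result == "ok":
        return f"port {port}: free and bindable by uid {os.geteuid()}"
    return f"port {port}: unexpected failure ({result})"

if __name__ == "__main__":
    # Run this as the account the daemon runs as (user ossec in the message).
    for port, label in PORTS.items():
        print(f"[{label}] " + explain(port, diagnose_bind(port)))
```

Run it while the daemon is stopped; otherwise the daemon's own listener shows up as "in_use".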
