I'm very new to the OSSEC environment (installed yesterday), so I apologize if this has been previously addressed.

I noticed that OSSEC will bind to any local IP address. This makes for a much simpler install but is not so great from a security point of view, as it might be desired to run the server app on a dual-homed system.

Here is a fix for this, to listen on the inside interface for dual-homed systems.

This is better than 'denyip' and 'allowip'. I'd hate for someone to scan the world looking for vulnerable OSSEC agents or servers (not that there would ever be any ;-)

I noticed someone STARTED this, but never finished it:

/os_net/os_net.c:int OS_Bindportudp(unsigned int _port, char *_ip)
./remoted/remoted.c:        if((logr.sock = OS_Bindportudp(logr.port[position],NULL)) < 0)

You would need to patch /remoted/remoted.c (at least) to include logr.lip (local IP) and add it to the config files.

It does look like it is built in to os_net.c:

    if((_ip == NULL)||(_ip[0] == '\0'))
        server.sin_addr.s_addr = htonl(INADDR_ANY);
    else
        server.sin_addr.s_addr = inet_addr(_ip);

This small patch:

diff -bBru remoted.c.orig remoted.c

--- remoted/remoted.c.orig      Thu Jun  1 19:01:43 2006

+++ remoted/remoted.c   Wed Aug  2 16:55:53 2006

@@ -39,7 +39,7 @@

     /* Bind TCP */

     if(logr.proto[position] == TCP_PROTO)

     {

-        if((logr.sock = OS_Bindporttcp(logr.port[position],NULL)) < 0)

+        if((logr.sock = OS_Bindporttcp(logr.port[position],logr.lip)) < 0)

         {

             ErrorExit(BIND_ERROR, ARGV0, logr.port[position]);

         }
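Review bot: this branch passes logr.lip to OS_Bindporttcp, but the NULL/empty-string fallback to INADDR_ANY that the post quotes from os_net.c is shown for OS_Bindportudp; confirm OS_Bindporttcp carries the same `if((_ip == NULL)||(_ip[0] == '\0'))` check, otherwise a server with no <lip> configured hands inet_addr() an empty string and the bind fails. It would also help to log logr.lip alongside the port on the BIND_ERROR path, so a mistyped address shows up in the log rather than only a failed port.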

@@ -47,7 +47,7 @@

     else

     {

         /* Using UDP. Fast, unreliable.. perfect */

-        if((logr.sock = OS_Bindportudp(logr.port[position],NULL)) < 0)

+        if((logr.sock = OS_Bindportudp(logr.port[position],logr.lip)) < 0)

         {

             ErrorExit(BIND_ERROR, ARGV0, logr.port[position]);

         }
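Review bot: here the fallback is covered by the OS_Bindportudp snippet quoted earlier, so passing logr.lip is safe when it is NULL or "". What needs to agree across the patch is the type: this call wants a `char *` holding one dotted-quad address, while the remote-config.c hunks below allocate and index lip as a per-connection array (`logr->lip[pl] = 0`); pick one representation and use it in both places.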

Patch to add array function:

diff -bBru remote-config.h.orig remote-config.h

--- config/remote-config.h.orig        Thu Jun  1 19:01:43 2006

+++ config/remote-config.h     Wed Aug  2 17:37:42 2006

@@ -27,6 +27,7 @@

     int *proto;

     int *port;

     int *conn;

+    char *lip;

 

        char **allowips;

        char **denyips;
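Review bot: `char *lip;` declares a single string, but the remote-config.c hunks treat it as a per-connection array (`logr->lip[pl] = 0`, `realloc(logr->lip, sizeof(int)*(pl +2))`). Decide on one model: a single `char *lip` that is never indexed by pl (simplest, since one bind address applies to every listener), or `char **lip` parallel to `port`/`proto`/`conn` if each <connection> should bind its own address. Either way the field deserves a comment next to it, e.g. `char *lip; /* local IP to bind to, NULL = any */`.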

Patch to add parsing (please check my hack!):

diff -bBru config/remote-config.c.orig remote-config.c

--- config/remote-config.c.orig        Thu Jun  1 19:01:43 2006

+++ config/remote-config.c     Wed Aug  2 17:48:46 2006

@@ -35,6 +35,7 @@

     char *xml_remote_port = "port";

     char *xml_remote_proto = "protocol";

     char *xml_remote_connection = "connection";

+    char *xml_remote_lip = "lip";

 

     logr = (remoted *)d1;
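Review bot: the element name "lip" is cryptic next to "connection", "port" and "protocol"; a self-documenting name such as "local_ip" would read better in ossec.conf, and whichever name is kept needs an entry in the remote-section documentation so users know it takes a single IPv4 host address.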

 

@@ -69,6 +70,11 @@

         os_calloc(1, sizeof(int), logr->proto);

         logr->proto[0] = 0;

     }

+    if(!logr->lip)

+    {

+        os_calloc(1, sizeof(int), logr->lip);

+        logr->lip[0] = 0;

+    }

   

   

     /* Cleaning */
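Review bot: `os_calloc(1, sizeof(int), logr->lip)` allocates an int-sized buffer for a `char *` field and then writes `logr->lip[0] = 0` as a char, which is a type mismatch. If lip stays a single string this whole block can go: leave the pointer NULL and let the NULL check in OS_Bindportudp/OS_Bindporttcp select INADDR_ANY, which also removes the need for the reallocs later in the patch.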

@@ -79,12 +85,13 @@

     logr->port[pl] = 0;

     logr->conn[pl] = 0;

     logr->proto[pl] = 0;

-  

+    logr->lip[pl] = 0;

 

     /* Adding space for the last null connection/port */

     logr->port = realloc(logr->port, sizeof(int)*(pl +2));

     logr->conn = realloc(logr->conn, sizeof(int)*(pl +2));

     logr->proto = realloc(logr->proto, sizeof(int)*(pl +2));

+    logr->lip = realloc(logr->lip, sizeof(int)*(pl +2));

     if(!logr->port || !logr->conn || !logr->proto)

     {

         merror(MEM_ERROR, ARGV0);
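Review bot: the new `logr->lip = realloc(logr->lip, sizeof(int)*(pl +2))` is not covered by the `if(!logr->port || !logr->conn || !logr->proto)` check that follows, so a failed realloc of lip is never reported; add `|| !logr->lip` (assigning realloc's result straight back also leaks the old buffer on failure, but that pattern is pre-existing in this function). `sizeof(int)` for a char buffer and `logr->lip[pl] = 0` again treat lip as a per-connection array, which conflicts with the `char *lip` declaration in remote-config.h.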

@@ -93,6 +100,7 @@

     logr->port[pl +1] = 0;

     logr->conn[pl +1] = 0;

     logr->proto[pl +1] = 0;

+    logr->lip[pl +1] = 0;

   

     while(node[i])

     {
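Review bot: `logr->lip[pl +1] = 0` writes a char terminator into a buffer sized as `sizeof(int)*(pl +2)` bytes, so it stays in bounds only because sizeof(int) is at least sizeof(char). If lip becomes a plain string this line is unnecessary; if it becomes `char **lip` the slot should be set to NULL like the neighbouring `port`/`conn`/`proto` entries.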

@@ -189,6 +197,21 @@

                 return(OS_INVALID);

             }

         }

+        else if(strcmp(node[i]->element, xml_remote_lip) == 0)

+        {

+            if(!OS_IsValidIP(node[i]->content))

+            {

+                merror(INVALID_IP, ARGV0, node[i]->content);

+                return(OS_INVALID);

+            }

+            logr->lip = realloc(logr->lip,sizeof(char*)*1);

+            if(!logr->lip)

+            {

+              merror(MEM_ERROR,ARGV0);

+              return(OS_INVALID);

+            }

+            os_strdup(node[i]->content,logr->lip);

+        }

         else

         {

             merror(XML_INVELEM, ARGV0, node[i]->element);
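Review bot: `os_strdup(node[i]->content,logr->lip)` assigns a fresh copy to logr->lip, so the `realloc(logr->lip,sizeof(char*)*1)` and its error check just before it are overwritten and leaked, and a second <lip> element leaks the first copy. Replace the realloc block with `if(logr->lip) free(logr->lip);` ahead of the os_strdup. Also check what OS_IsValidIP accepts in this tree: if it also passes netmask/CIDR forms (which the allow/deny IP options need), a value such as 192.168.0.0/24 gets through here but inet_addr() cannot bind it, so a bind address should be validated as a single host address.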

And now edit ossec.conf, 'remote' section, and add the internal IP to listen on:

  <remote>
    <connection>secure</connection>
    <lip>192.168.0.1</lip>
  </remote>

BINGO (as long as I didn't introduce anything 'strange' into it):

before:

sockstat | grep 1514
ossecr   ossec-re 73225    6 udp4   *:1514        *:*

after:

sockstat | grep 1514
ossecr   ossec-re 75906    6 udp4   192.168.0.1:1514        *:*

I would also suggest adding this as an option when running install.sh


--

Jon Scheidell

Security Engineer

Secnap Network Security

(561) 999-5000 x:4110

www.secnap.com
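The bind logic quoted from os_net.c above (NULL or "" selects INADDR_ANY, anything else goes to inet_addr()) and the sockstat check at the end of the post can be exercised stand-alone. The following is an added example, not OSSEC code and not from the poster; the function names `is_host_ipv4`, `bind_udp_local` and `bound_address_matches` are my own. It validates the configured value as a single dotted-quad host address (rejecting netmask forms that inet_addr() cannot bind), binds a UDP socket with the same NULL/empty fallback, and reads back the address the kernel actually bound with getsockname(), which is the programmatic form of the `sockstat | grep 1514` check.

```c
/* Added example (not OSSEC code): bind a UDP socket to an optional local
 * address the way the quoted os_net.c logic does (NULL/"" => INADDR_ANY),
 * validate the configured value, and confirm what was bound. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Accept only a dotted-quad IPv4 host address. inet_pton() rejects
 * netmask/CIDR forms such as "192.168.0.0/24" and shorthand such as "1",
 * both of which a looser validator might pass but bind() cannot use. */
int is_host_ipv4(const char *s)
{
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* Bind a UDP socket to ip:port. ip == NULL or "" selects INADDR_ANY, the
 * fallback in the os_net.c snippet quoted in the post. Returns the fd or -1.
 * On success the address and port reported by getsockname() are written to
 * bound_ip/bound_port so the caller can verify the daemon is no longer
 * listening on every interface. */
int bind_udp_local(const char *ip, unsigned short port,
                   char *bound_ip, size_t bound_len, unsigned short *bound_port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int fd;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);

    if (ip == NULL || ip[0] == '\0') {
        sa.sin_addr.s_addr = htonl(INADDR_ANY);
    } else {
        if (!is_host_ipv4(ip))
            return -1;                 /* reject before creating a socket */
        if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
            return -1;
    }

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        close(fd);
        return -1;
    }
    /* Read back what the kernel bound: same information as sockstat shows. */
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    if (bound_ip != NULL)
        inet_ntop(AF_INET, &sa.sin_addr, bound_ip, (socklen_t)bound_len);
    if (bound_port != NULL)
        *bound_port = ntohs(sa.sin_port);
    return fd;
}

/* Bind to an ephemeral port (port 0, so no privileges are needed) and
 * report whether the bound address equals `expect`. Returns 1 or 0. */
int bound_address_matches(const char *ip, const char *expect)
{
    char got[INET_ADDRSTRLEN];
    unsigned short port = 0;
    int fd = bind_udp_local(ip, 0, got, sizeof(got), &port);
    if (fd < 0)
        return 0;
    close(fd);
    return strcmp(got, expect) == 0 && port != 0;
}

int main(void)
{
    char ip[INET_ADDRSTRLEN];
    unsigned short port;
    /* 127.0.0.1 stands in for the inside interface (constructed value). */
    int fd = bind_udp_local("127.0.0.1", 0, ip, sizeof(ip), &port);
    if (fd < 0) {
        perror("bind_udp_local");
        return 1;
    }
    printf("bound to %s:%u\n", ip, port);
    close(fd);
    return 0;
}
```

With a real deployment the port would be 1514 and the address the inside interface's; the getsockname() read-back is the check to keep, because a silent fallback to INADDR_ANY (for example from an empty or malformed <lip>) otherwise only shows up when someone runs sockstat or netstat by hand.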
