Hi Jonathan,
Very good idea and patch. I will commit that to the cvs repository (with just a
small change to make the config option "local_ip" instead of "lip").
Thanks for the contribution...
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/3/06, Jonathan Scheidell <[EMAIL PROTECTED]> wrote:
I'm very new to the OSSEC environment (installed yesterday) so I apologize
if this has been previously addressed.
I noticed that OSSEC will bind to any local IP address. This makes for a
much simpler install, but it is not so great from a security point of view, as it
might be desirable to run the server app on a dual-homed system.
Here is a fix for this, to listen on the inside interface for dual-homed systems.
This is better than 'denyip' and 'allowip'. I'd hate for someone to scan the
world looking for vulnerable OSSEC agents or servers (not that there would
ever be any ;-)
I noticed someone STARTED this, but never finished it.
/os_net/os_net.c:int OS_Bindportudp(unsigned int _port, char *_ip)
./remoted/remoted.c: if((logr.sock =
OS_Bindportudp(logr.port[position],NULL)) < 0)
You would need to patch /remoted/remoted.c (at least) to include logr.lip
(localip) and add it to the config files.
It does look like it is built into os_net.c:
if((_ip == NULL)||(_ip[0] == '\0'))
server.sin_addr.s_addr = htonl(INADDR_ANY);
else
server.sin_addr.s_addr = inet_addr(_ip);
this small patch:
diff -bBru remoted.c.orig remoted.c
--- remoted/remoted.c.orig Thu Jun 1 19:01:43 2006
+++ remoted/remoted.c Wed Aug 2 16:55:53 2006
@@ -39,7 +39,7 @@
/* Bind TCP */
if(logr.proto[position] == TCP_PROTO)
{
- if((logr.sock = OS_Bindporttcp(logr.port[position],NULL)) < 0)
+ if((logr.sock = OS_Bindporttcp(logr.port[position],logr.lip)) < 0)
{
ErrorExit(BIND_ERROR, ARGV0, logr.port[position]);
}
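Review bot: When the bind on the `+` line fails because `logr.lip` is not an address of this host, the `ErrorExit(BIND_ERROR, ARGV0, logr.port[position])` on the following line still reports only the port, so an operator cannot tell a busy port from a mistyped local address. If the BIND_ERROR format string can take another argument, pass `logr.lip` as well; otherwise log it with a preceding `merror`, guarding for `logr.lip` being NULL. The same applies to the UDP hunk that follows. The enclosing function starts and ends outside the hunk.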
@@ -47,7 +47,7 @@
else
{
/* Using UDP. Fast, unreliable.. perfect */
- if((logr.sock = OS_Bindportudp(logr.port[position],NULL)) < 0)
+ if((logr.sock = OS_Bindportudp(logr.port[position],logr.lip)) < 0)
{
ErrorExit(BIND_ERROR, ARGV0, logr.port[position]);
}
Patch to add the struct field:
diff -bBru remote-config.h.orig remote-config.h
--- config/remote-config.h.orig Thu Jun 1 19:01:43 2006
+++ config/remote-config.h Wed Aug 2 17:37:42 2006
@@ -27,6 +27,7 @@
int *proto;
int *port;
int *conn;
+ char *lip;
char **allowips;
char **denyips;
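Review bot: The new `lip` field carries no comment saying what it holds or what an unset value means, and unlike the neighbouring `proto`/`port`/`conn` arrays it is a single string rather than one entry per port. Given the check quoted from os_net.c earlier in the mail, where NULL or an empty string selects all interfaces, I would declare it as `char *lip; /* local address to bind to; NULL or "" means all interfaces */`. The struct begins outside the hunk.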
Patch to add the parsing (please check my hack!):
diff -bBru config/remote-config.c.orig remote-config.c
--- config/remote-config.c.orig Thu Jun 1 19:01:43 2006
+++ config/remote-config.c Wed Aug 2 17:48:46 2006
@@ -35,6 +35,7 @@
char *xml_remote_port = "port";
char *xml_remote_proto = "protocol";
char *xml_remote_connection = "connection";
+ char *xml_remote_lip = "lip";
logr = (remoted *)d1;
@@ -69,6 +70,11 @@
os_calloc(1, sizeof(int), logr->proto);
logr->proto[0] = 0;
}
+ if(!logr->lip)
+ {
+ os_calloc(1, sizeof(int), logr->lip);
+ logr->lip[0] = 0;
+ }
/* Cleaning */
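Review bot: `os_calloc(1, sizeof(int), logr->lip)` allocates `lip` as if it were a fourth per-port `int` array, but the header declares it `char *` and the `<lip>` handler later stores a single strdup'd string in it. The per-index writes in the following hunks (`logr->lip[pl] = 0`, the `realloc` to `sizeof(int)*(pl +2)`, and `logr->lip[pl +1] = 0`) then land in the middle of that string: if `pl` counts the ports parsed so far, as the surrounding code suggests, a second `<remote>` section cuts an already-parsed "192.168.0.1" down to "1". Since os_net.c already treats a NULL address as bind-all (per the snippet quoted earlier in the mail), the simplest fix is to drop this block and the three later lip lines and leave `lip` NULL until `<lip>` is parsed. The enclosing function starts and ends outside the hunk.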
@@ -79,12 +85,13 @@
logr->port[pl] = 0;
logr->conn[pl] = 0;
logr->proto[pl] = 0;
-
+ logr->lip[pl] = 0;
/* Adding space for the last null connection/port */
logr->port = realloc(logr->port, sizeof(int)*(pl +2));
logr->conn = realloc(logr->conn, sizeof(int)*(pl +2));
logr->proto = realloc(logr->proto, sizeof(int)*(pl +2));
+ logr->lip = realloc(logr->lip, sizeof(int)*(pl +2));
if(!logr->port || !logr->conn || !logr->proto)
{
merror(MEM_ERROR, ARGV0);
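Review bot: The new `realloc` of `logr->lip` is the only one of the four whose result is not checked: the `if(!logr->port || !logr->conn || !logr->proto)` two lines below does not include `logr->lip`, so a failed reallocation is followed in the next hunk by the `logr->lip[pl +1] = 0` write through a NULL pointer. If the array treatment of `lip` is kept, extend the check to `if(!logr->port || !logr->conn || !logr->proto || !logr->lip)`. Note also that resizing to `sizeof(int)*(pl +2)` bytes can shrink a string that an earlier `<lip>` element already stored in this pointer. The enclosing function starts and ends outside the hunk.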
@@ -93,6 +100,7 @@
logr->port[pl +1] = 0;
logr->conn[pl +1] = 0;
logr->proto[pl +1] = 0;
+ logr->lip[pl +1] = 0;
while(node[i])
{
@@ -189,6 +197,21 @@
return(OS_INVALID);
}
}
+ else if(strcmp(node[i]->element, xml_remote_lip) == 0)
+ {
+ if(!OS_IsValidIP(node[i]->content))
+ {
+ merror(INVALID_IP, ARGV0, node[i]->content);
+ return(OS_INVALID);
+ }
+ logr->lip =
realloc(logr->lip,sizeof(char*)*1);
+ if(!logr->lip)
+ {
+ merror(MEM_ERROR,ARGV0);
+ return(OS_INVALID);
+ }
+ os_strdup(node[i]->content,logr->lip);
+ }
else
{
merror(XML_INVELEM, ARGV0, node[i]->element);
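Review bot: The `realloc(logr->lip,sizeof(char*)*1)` is immediately superseded by `os_strdup(node[i]->content,logr->lip)`: assuming os_strdup assigns a freshly allocated copy to its second argument, the reallocated buffer and any address stored by an earlier `<remote>` section are leaked, and the NULL check in between guards a pointer that is then discarded. Replace the realloc and its check with a single `free(logr->lip);` before the `os_strdup` line. Separately, if `OS_IsValidIP` is the same validator used for the allow/deny lists it may accept forms beyond a single address, while os_net.c binds with `inet_addr`, so a value that passes validation here could still fail at bind time; worth confirming what it accepts. The enclosing function starts and ends outside the hunk.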
And now edit ossec.conf, 'remote' section, and add the internal IP to listen on:
<remote>
<connection>secure</connection>
<lip>192.168.0.1</lip>
</remote>
BINGO (as long as I didn't introduce anything 'strange' into it):
before:
sockstat | grep 1514
ossecr ossec-re 73225 6 udp4 *:1514 *:*
after:
sockstat | grep 1514
ossecr ossec-re 75906 6 udp4 192.168.0.1:1514 *:*
I would also suggest adding this as an option when running install.sh
--
Jon Scheidell
Security Engineer
Secnap Network Security
(561) 999-5000 x:4110
www.secnap.com