All,

I seem to be having the same agent-server communication problem as
Martin Gottlieb and David Vasil. Right now I have one agent associated
with a server. I have verified:

1) There are no firewall rules blocking access to UDP port 1514 on the
server
2) The client.keys files are exactly the same on both client and server
3) There is no traffic at all going to or from either the server or the
agent on UDP port 1514 according to tcpdump.
4) /data/ossec/queue/agent-info/ is empty on the server (my OSSEC is in
/data/ossec instead of /var/ossec)

Both systems are CentOS 4.3 running x86_64 SMP kernel. Both have two
NICs, each on a different network (but the same ones as the other
system). Both were installed using the install.sh script.

In addition, one of the servers in the same network copies (via scp) a
number of files to the OSSEC server on a regular basis. When that
happens, it opens and closes ssh sessions and logs that. OSSEC
interprets that as an attack and triggers the active response, dropping
all connections from that server. 

Finally, I'm having some difficulty using the white_list option to
prevent the above from occurring. I have the following in my ossec.conf
file:

    <white_list>192.168.42.0/24</white_list>
    <white_list>192.168.45.0/24</white_list>
    <white_list>192.168.47.0/24</white_list>

However, the server doing the scp copying still gets blocked. Adding the
specific IP address seemed to have done the trick, but as you can
imagine, that's hardly a suitable solution.

Any ideas on these would be greatly appreciated.

Hugh
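One quick way to check whether the white_list entries above actually cover the scp host is to evaluate its address against each entry as a CIDR network. The following is an added example, not part of Hugh's post and not OSSEC's own matching code: it assumes a simplified extraction of <white_list> elements from a constructed config fragment, and it assumes (as a labelled guess, not a statement about any OSSEC version) that a trailing-dot prefix form such as "192.168.42." means the whole /24.

```python
import ipaddress
import re

# Constructed sample fragment of an ossec.conf <global> section.
# It mirrors the three networks from the post plus localhost; it is not Hugh's file.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.42.0/24</white_list>
    <white_list>192.168.45.0/24</white_list>
    <white_list>192.168.47.0/24</white_list>
  </global>
</ossec_config>
"""

# Minimal extraction of <white_list>...</white_list> values; a real parser would use XML.
_WL_RE = re.compile(r"<white_list>\s*([^<\s]+)\s*</white_list>")


def entry_to_network(entry):
    """Turn one white_list value into an ip_network.

    Accepts a plain address ("127.0.0.1"), CIDR ("192.168.42.0/24") and,
    as an assumption about the prefix style, a trailing-dot form such as
    "192.168.42." meaning every address starting with those octets.
    """
    if entry.endswith("."):
        octets = entry.rstrip(".").split(".")
        bits = 8 * len(octets)
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{bits}", strict=False)
    # strict=False tolerates host bits set in a CIDR entry (e.g. 192.168.42.1/24).
    return ipaddress.ip_network(entry, strict=False)


def parse_white_list(conf_text):
    """Return the white_list entries as ip_network objects, in file order."""
    return [entry_to_network(e) for e in _WL_RE.findall(conf_text)]


def whitelisted(ip, nets):
    """Return the first network that contains ip, or None if no entry matches."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


if __name__ == "__main__":
    nets = parse_white_list(SAMPLE_CONF)
    # Constructed addresses: one inside a listed /24, one outside every entry.
    for host in ("192.168.42.17", "10.0.0.5"):
        match = whitelisted(host, nets)
        print(f"{host}: {'covered by ' + match if match else 'NOT whitelisted'}")
```

If the scp host's address reports "NOT whitelisted" here but you expected a match, the entry itself is wrong (typo, wrong network, host bits); if it reports a match and the host is still being blocked, the problem is on the OSSEC side (which section the entries live in, or how that version reads CIDR), not in the addresses.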
