On Mon, 20 Dec 2010 18:54:42 +0000 Jarred White <[email protected]> wrote:

> Hello. I'm trying to find a way to remotely deploy OSSEC to some of
> our remote sites and have it report back to us on server
> health/security. There is no direct connection to the remote
> network, so any reporting would need to happen over the Internet
> since VPN is out of the question.
>
> Naturally I'm not going to send ossec alerts unencrypted via the
> Internet. I've thought about writing some scripts that would keep
> an stunnel up and running in order to report back to us, but I'm
> wondering if there is a better way.

Are you mentioning the traffic between OSSEC nodes (the server and the agents), or between the OSSEC master and you (the one who will receive reports)?

My 2 cents may help: I set up local mail servers (using exim/dovecot-imap) to receive any alerts. The messages will be stored on the servers and won't be sent to any sources. Then I use an SSH tunnel from my local server to the OSSEC master to fetch all alerts to local disks.

Regards,

> I did see this on the list archives, dated 9/21/06:
>
> Ossec uses blowfish (192 bits) for the agent/server communication
> channel and md5+sha1 combined for the integrity verification.
>
> I reviewed a presentation put on by Daniel and while it mentions
> the use of pre-shared keys, I'm interested in understanding a
> little bit more about how the authentication/security mechanism
> works. My guess is that the UDP traffic could be sniffed, but I'm
> just not sure and with my limited understanding about how it works,
> am not anxious to send alerts via the Internet.
>
> Any thoughts?
>
> Thanks,
> Jarred

--
Anh Ky Huynh at UTC+7
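The fetch-over-SSH step the reply describes, as an added shell example that is not from this thread or from the OSSEC project; the master host name, the read-only account and the key path are assumptions, while the alert directory and the "** Alert" record header are OSSEC defaults.

```shell
#!/bin/sh
# Added example (not from this thread): pull OSSEC alerts from the master
# over SSH/rsync instead of shipping them unencrypted across the Internet.
# Assumptions: a read-only account "alertreader" with a dedicated key on the
# master, the hypothetical host ossec-master.example, and the OSSEC default
# alert directory.
set -eu

OSSEC_MASTER="${OSSEC_MASTER:-ossec-master.example}"   # hypothetical host
OSSEC_USER="${OSSEC_USER:-alertreader}"                # assumed account
SSH_KEY="${SSH_KEY:-$HOME/.ssh/ossec_fetch}"           # assumed key path
REMOTE_DIR="/var/ossec/logs/alerts/"                   # OSSEC default
LOCAL_DIR="${LOCAL_DIR:-$HOME/ossec-alerts}"

# SSH transport: strict host-key checking so an impersonated master on the
# Internet path is rejected; BatchMode so a cron job never hangs on a prompt.
ssh_transport() {
    printf 'ssh -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=20' "$SSH_KEY"
}

# Compose the rsync command. Alert logs are append-only, so rsync moves
# only the new tail of each file; -z compresses over the WAN link.
build_fetch_cmd() {
    printf 'rsync -az --timeout=60 -e "%s" %s@%s:%s %s/' \
        "$(ssh_transport)" "$OSSEC_USER" "$OSSEC_MASTER" "$REMOTE_DIR" "$LOCAL_DIR"
}

# Count "** Alert" record headers across all fetched alerts.log files
# (prints 0 when the directory is empty or missing).
count_alerts() {
    find "$1" -name 'alerts.log' -exec grep -ch '^\*\* Alert' {} + 2>/dev/null \
        | awk '{s+=$1} END {print s+0}'
}

# Run the fetch and report how many alert records arrived since last time.
fetch_alerts() {
    mkdir -p "$LOCAL_DIR"
    before=$(count_alerts "$LOCAL_DIR")
    eval "$(build_fetch_cmd)"
    after=$(count_alerts "$LOCAL_DIR")
    echo "new alert records: $((after - before))"
}

# Only contact the master when explicitly asked, e.g. from cron: ./fetch.sh run
if [ "${1:-}" = "run" ]; then
    fetch_alerts
fi
```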
