Hi,

-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT
-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT
The agent's IPs are different. Another question: should we remove the
tcp port 1514 rule? Could having both tcp 1514 and udp 1514 open at the same
time cause port 1514 to be unable to bind?

Also, by restoring the iptables with only the rules that OSSEC needs, will
that solve this issue "ossec-remoted(1206): ERROR: Unable to Bind port
'1514'" that we've found in the ossec.log?


Regards,


*James Oliver "J.O." Pormento*
*Software Engineer*
Email: james.porme...@pointwest.com.ph
Website: www.pointwest.com.ph
*Pointwest Innovations Corporation*

On Thu, Sep 10, 2015 at 12:23 PM, <d...@udel.edu> wrote:

> James Oliver Pormento <james.porme...@pointwest.com.ph> said:
> >
> >We tried to execute this "-A INPUT -m udp -p udp -s 10.20.30.40 --sport
> >1514 -j ACCEPT" and saved it on the OSSEC Server.
>
>     The --sport 1514 line goes on the agent, so it can receive the
> responses from the server.  UDP is connectionless, so there's no inherent
> state tracking.  The kernel knows how to do udp state for a few things, but
> ossec isn't really one of them.
>
> >Below is what our OSSEC server's iptables looks like:
> >
> >*filter
> >:INPUT ACCEPT [0:0]
> >:FORWARD ACCEPT [0:0]
> >:OUTPUT ACCEPT [0:0]
> >-A INPUT -s xxx.xxx.xx.xx/32 -p tcp -m tcp --dport 1514 -j ACCEPT
> >
> >*-A INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT-A
> >INPUT -s [OSSEC Agent's IP]/32 -p tcp -m tcp --dport 1514 -j ACCEPT*
>
>     This looks like two lines run together?  It's also using tcp instead of
> udp.  You should have one line here:
>
>     -A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT
>
> >-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >-A INPUT -p icmp -j ACCEPT
> >-A INPUT -i lo -j ACCEPT
> >-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> >-A INPUT -j REJECT --reject-with icmp-host-prohibited
> >
> >*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT-A
> >INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --dport 1514 -j ACCEPT*
>
>     This is after the REJECT line, so it has no effect.
>
> >-A INPUT -j DROP
> >-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
>
>     This is after both the REJECT line and the DROP line, so it has no
> effect.
>
> >*-A INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT-A
> >INPUT -s [OSSEC Agent's IP]/32 -p udp -m udp --sport 1514 -j ACCEPT*
>
>     This is after both the REJECT line and the DROP line, so it has no
> effect.
>
> >-A FORWARD -j REJECT --reject-with icmp-host-prohibited
> >-A OUTPUT -j ACCEPT
> >-A OUTPUT -j ACCEPT
> >COMMIT
>
>     I normally deal with this by editing a file with the rules I want, then
> using "/sbin/iptables-restore < filename" to load it into the kernel.
>
> >
> >
> >Regards,
> >
> >
> >*James Oliver "J.O." Pormento*
> >*Software Engineer*
> >Email: james.porme...@pointwest.com.ph
> >Website: www.pointwest.com.ph
> >*Pointwest Innovations Corporation*
> >
> >On Thu, Sep 10, 2015 at 8:54 AM, <d...@udel.edu> wrote:
> >
> >> James Oliver Pormento <james.porme...@pointwest.com.ph> said:
> >> >
> >> >HI,
> >> >
> >> >Thank you for the info.
> >> >This is what we've got upon trying "netstat -ulnp":
> >> >
> >> >Active Internet connections (only servers)
> >> >Proto Recv-Q Send-Q Local Address           Foreign Address   State   PID/Program name
> >> >udp        0      0 xxx.xx.xxx.xxx:1514     0.0.0.0:*                 8125/ossec-remoted
> >> >udp        0      0 0.0.0.0:514             0.0.0.0:*                 8126/ossec-remoted
> >> >
> >> >Does this mean that port 1514 is open but not binding? Or does this mean
> >> >something else? Please advise. Thank you.
> >>
> >>     That looks like the output from my server.
> >>
> >>     Are you sure you're allowing 1514/udp in iptables on both machines?
> >> Your /etc/sysconfig/iptables file should contain something like this on the
> >> agent.  Where 10.20.30.40 is your ossec server.  Note, it's using --sport
> >> for source port.  That's because the agents send udp packets from a random
> >> port to the server's port 1514.  Then the server responds from port 1514 to
> >> the agent's random port.
> >>
> >> -A INPUT -m udp -p udp -s 10.20.30.40 --sport 1514 -j ACCEPT
> >>
> >>     And something like this on the server:
> >>
> >> :OSSEC - [0:0]
> >> -A OSSEC -s 1.2.3.4 -j ACCEPT -m comment --comment "my first spiffy agent machine"
> >> -A OSSEC -s 1.2.3.5 -j ACCEPT -m comment --comment "my second spiffy agent machine"
> >> -A INPUT -m udp -p udp --dport 1514 -j OSSEC
> >>
> >>     You can use tcpdump on both machines to see if the packets are flowing.
> >>
> >> tcpdump port 1514
> >>
> >>     On the server, you can use agent_control -l to see the connected
> >> agents.
> >>
> >> >
> >> >
> >> >Regards,
> >> >
> >> >
> >> >*James Oliver "J.O." Pormento*
> >> >*Software Engineer*
> >> >Email: james.porme...@pointwest.com.ph
> >> >Website: www.pointwest.com.ph
> >> >*Pointwest Innovations Corporation*
> >> >
> >> >On Wed, Sep 9, 2015 at 11:37 PM, <d...@udel.edu> wrote:
> >> >
> >> >> James Oliver Pormento <james.porme...@pointwest.com.ph> said:
> >> >> >
> >> >> >We have installed OSSEC server v2.8.2 in CentOs. After installation, it
> >> >> >seems that port 1514 is not listening. We used the default port (1514)
> >> >> >during installation. We've tried to check using this command in
> >> >> >CentOs: *netstat -tlnp |grep 1514* and did not get anything. May we ask the
> >> >> >following questions:
> >> >>
> >> >>     The port is UDP, not TCP.  Try "netstat -ulnp".
> >> >>
> >> >> >
> >> >> >1. May we ask if there's another way to make sure that the port is
> >> >> >listening?
> >> >> >2. Do we need to add something in the configuration file or something?
> >> >> >
> >> >> >Please advise. Thank you.
> >> >> >
> >> >> >
> >> >> >Regards,
> >> >> >James Oliver B. Pormento
> >>
> >>                                                Cheers,
> >>                                                Doke
> >>
> >>
> >
>
>                                                Cheers,
>                                                Doke
>
>
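The two mistakes Doke points out in the server ruleset above (rules placed after an unconditional REJECT/DROP never match, and the 1514 rule written for tcp when agent traffic is udp) can be checked mechanically before running iptables-restore. The following linter is an added example, not code from this thread or from OSSEC; the ruleset it reads is constructed from the one quoted above with 192.0.2.10 as a placeholder agent address.

```python
"""Lint an iptables-save dump for rules that can never match (they follow an
unconditional terminating rule in the same chain) and for OSSEC port-1514
rules that use tcp although agents talk to ossec-remoted over udp."""
import shlex

# Constructed sample: the server ruleset from the thread, with the agent
# address replaced by the documentation address 192.0.2.10.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 1514 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""

# Built-in targets that end traversal of the chain. A jump to a user-defined
# chain (like Doke's OSSEC chain) is not terminating, so it is not listed.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
OSSEC_PORT = "1514"


def option(tokens, flag):
    """Return the value that follows FLAG in a tokenized rule, or None."""
    if flag in tokens and tokens.index(flag) + 1 < len(tokens):
        return tokens[tokens.index(flag) + 1]
    return None


def lint(text):
    """Return human-readable findings for an iptables-save dump, in rule order."""
    findings = []
    blocked = {}  # chain -> target of the unconditional terminating rule seen
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue  # table header, chain policies, COMMIT
        tokens = shlex.split(line)
        chain, target = tokens[1], option(tokens, "-j")
        if chain in blocked:
            findings.append(f"unreachable, follows unconditional {blocked[chain]}: {line}")
            continue
        if option(tokens, "--dport") == OSSEC_PORT and option(tokens, "-p") == "tcp":
            findings.append(f"wrong protocol, OSSEC agents use udp/{OSSEC_PORT}: {line}")
        # '-A CHAIN -j TARGET ...' with nothing between the chain and -j matches everything.
        if target in TERMINATING and tokens.index("-j") == 2:
            blocked[chain] = target
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
```

Feed it `iptables-save` output on the server (or the file you keep for `iptables-restore`); an empty result means every OSSEC rule sits above the REJECT/DROP lines and uses udp.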

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.