Thanks Santiago. I assume you are referring to the
"ssh_integrity_check_linux" script. I tried that, but it seems to break
agentless monitoring on hosts that use port 22 for ssh connections, or for
that matter, other non-standard ports. Is there any workaround for this?
To put the question another way: I have servers in different cloud
instances (Amazon, Azure, etc.); each server has a firewall in front of
it which NATs a different external port to internal port 22 for ssh
connectivity. Is there any way to have ossec use a different port number
for each ssh connection? How would that be done?
Example: Server 1 external port 123 NATs to -> port 22
Server 2 external port 456 NATs to -> port 22
"
"
On Monday, January 25, 2016 at 1:21:13 PM UTC-5, Santiago Bassett wrote:
>
> Afaik, you will need to modify the script.
>
> Try changing this line:
>
> spawn ssh $hostname
>
> By:
>
> spawn ssh -p 1234 $hostname
>
> Hope that helps
>
> On Mon, Jan 25, 2016 at 7:03 AM, Log <[email protected]> wrote:
>
>> Disclaimer: I'm working with ossec for the first time.
>>
>> Is it possible to set up agentless monitoring with non-standard SSH
>> ports?
>>
>>
>> For example this configuration works as the server I'm monitoring is in
>> the same LAN as the OSSEC server
>>
>> <agentless>
>> <type>ssh_integrity_check_linux</type>
>> <frequency>36</frequency>
>> <host>[email protected]</host>
>> <state>periodic</state>
>> <arguments>/bin /etc/ /sbin</arguments>
>> </agentless>
>>
>>
>> However using the syntax that I would normally use to connect to a Linux
>> machine from the command line does not work
>>
>> <agentless>
>> <type>ssh_integrity_check_linux</type>
>> <frequency>36</frequency>
>> <host>[email protected] -p 1234</host>
>> <state>periodic</state>
>> <arguments>/bin /etc/ /sbin</arguments>
>> </agentless>
>>
>>
>> I see this in the ossec log:
>>
>>
>> 2016/01/22 16:02:55 ossec-agentlessd: ERROR: ssh_integrity_check_linux:
>> [email protected] -p 1234: Password for '[email protected] -p 1234'
>> not found.
>>
>>
>> This is what the .passlist file entry looks like:
>>
>> [email protected]|NOPASS|-p|1234
>>
>>
>> (public IP address replaced with xxx.xxx.xxx.xxx)
>>
>> Is there a way to configure OSSEC to connect over a non-standard SSH
>> port? If so, how would it be done?
>>
>>
>> Thank you
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
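
An added example, not part of the original thread or of OSSEC's own files: one way to give each monitored host its own port without editing the `spawn ssh $hostname` line is a per-host OpenSSH client configuration for the account that runs the agentless scripts. The host names are placeholders and the file location assumes that account's home directory is /var/ossec; the ports are the ones from the Server 1 / Server 2 example in the question.

```sshconfig
# Assumed location: /var/ossec/.ssh/config
# (the ~/.ssh/config of the account that runs the agentless scripts).
#
# ssh matches Host patterns against the host part of its target, so a
# <host> value of "user@server1.example.com" in ossec.conf matches
# "Host server1.example.com" below. Host names here are placeholders.

# Server 1: firewall NATs external port 123 to internal port 22
Host server1.example.com
    Port 123

# Server 2: firewall NATs external port 456 to internal port 22
Host server2.example.com
    Port 456

# Any host not listed above keeps the default SSH port
Host *
    Port 22
```

OpenSSH refuses to use this file unless it is owned by that account and not writable by group or others (for example mode 600). Running `ssh -G user@server1.example.com` as that account prints the resolved settings, including the port, without opening a connection.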