Haven't tested it but I guess a quick and dirty solution would be to copy the script, renaming those like:

ssh_integrity_check_linux_22
ssh_integrity_check_linux_123
ssh_integrity_check_linux_456

And then have those triggered for the different agents depending on where their sshd service is (or the NAT port is).

On Thu, Jan 28, 2016 at 10:15 AM, Log <[email protected]> wrote:

> Thanks Santiago. I assume you are referring to the
> "ssh_integrity_check_linux" script. I tried that but it seems to break
> agentless monitoring on hosts that use port 22 for ssh connections, or for
> that matter, other non-standard ports. Is there any workaround for this?
>
> To put the question another way: I have servers in different cloud
> instances (Amazon, Azure, etc etc). Each server has a firewall in front of
> it which NATs a different external port to internal port 22 for ssh
> connectivity. Is there any way to have ossec use a different port number
> for each ssh connection? How would that be done?
>
> example: Server 1 external port 123 Nats to -> port 22
>          Server 2 external port 456 Nats to -> port 22
>          "
>          "
>
> On Monday, January 25, 2016 at 1:21:13 PM UTC-5, Santiago Bassett wrote:
>>
>> Afaik, you will need to modify the script.
>>
>> Try changing this line:
>>
>>     spawn ssh $hostname
>>
>> By:
>>
>>     spawn ssh -p 1234 $hostname
>>
>> Hope that helps
>>
>> On Mon, Jan 25, 2016 at 7:03 AM, Log <[email protected]> wrote:
>>
>>> Disclaimer: I'm working with ossec for the first time.
>>>
>>> Is it possible to set up agentless monitoring with non-standard SSH
>>> ports?
>>>
>>> For example, this configuration works as the server I'm monitoring is in
>>> the same LAN as the OSSEC server:
>>>
>>> <agentless>
>>>   <type>ssh_integrity_check_linux</type>
>>>   <frequency>36</frequency>
>>>   <host>[email protected]</host>
>>>   <state>periodic</state>
>>>   <arguments>/bin /etc/ /sbin</arguments>
>>> </agentless>
>>>
>>> However, using the syntax that I would normally use to connect to a Linux
>>> machine from the command line does not work:
>>>
>>> <agentless>
>>>   <type>ssh_integrity_check_linux</type>
>>>   <frequency>36</frequency>
>>>   <host>[email protected] -p 1234</host>
>>>   <state>periodic</state>
>>>   <arguments>/bin /etc/ /sbin</arguments>
>>> </agentless>
>>>
>>> I see this in the ossec log:
>>>
>>> 2016/01/22 16:02:55 ossec-agentlessd: ERROR: ssh_integrity_check_linux: [email protected] -p 1234: Password for '[email protected] -p 1234' not found.
>>>
>>> This is what the .passlist file entry looks like:
>>>
>>> [email protected]|NOPASS|-p|1234
>>>
>>> (public IP address replaced with xxx.xxx.xxx.xxx)
>>>
>>> Is there a way to configure OSSEC to connect over a non-standard SSH
>>> port? If so, how would it be done?
>>>
>>> Thank you
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
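
The per-port copies suggested in this thread can be generated rather than edited by hand. The following is an added example, not code from the thread or from the OSSEC project. It assumes the agentless script contains the literal line `spawn ssh $hostname` quoted above and that the directory holding the script is passed as the first argument; the function name `make_port_variants` is hypothetical.

```shell
#!/bin/sh
# Added example (not OSSEC project code): create one copy of the agentless
# script per SSH port, each patched to run "spawn ssh -p <port> $hostname".
# Assumptions: make_port_variants is a hypothetical name; the source script
# contains the literal text "spawn ssh $hostname" quoted in the thread.

# usage: make_port_variants <agentless_dir> <port> [<port> ...]
make_port_variants() {
    dir=$1; shift
    src="$dir/ssh_integrity_check_linux"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    # Stop if the line to patch is absent; otherwise every copy would
    # silently keep connecting to the default port.
    grep -q 'spawn ssh \$hostname' "$src" || {
        echo "no 'spawn ssh \$hostname' line in $src" >&2; return 1; }
    for port in "$@"; do
        # Accept only decimal ports 1-65535, so nothing but digits is
        # ever written into the expect script.
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "port out of range: $port" >&2; return 1; }
        dst="${src}_${port}"
        # cp -p carries over the mode and ownership of the original;
        # the redirect below then replaces only the contents.
        cp -p "$src" "$dst" || return 1
        sed "s/spawn ssh \\\$hostname/spawn ssh -p $port \$hostname/" \
            "$src" > "$dst" || return 1
    done
}
```

Following the reply's suggestion, each host's `<agentless>` block would then name the copy for its port in `<type>`, for example `ssh_integrity_check_linux_123`. The original script is left unmodified, so hosts reachable on the default port keep working.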
