These are the listening ports on the server:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40001           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40002           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40003           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40004           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:40009         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40011           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6380            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9391            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:28017         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::3128                 :::*                    LISTEN
tcp6       0      0 :::514                  :::*                    LISTEN
tcp6       0      0 :::40005                :::*                    LISTEN
tcp6       0      0 :::40006                :::*                    LISTEN
tcp6       0      0 :::5672                 :::*                    LISTEN
tcp6       0      0 :::6380                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN

Now 1515 is in listening state and is also allowed in iptables, but I am not able to telnet to it. Moreover, when I do manual agent key registration, it works perfectly. I even checked by doing some failed login attempts, and those login attempts were shown on the AV dashboard by HIDS after I did manual key registration, but when I run netstat, 1514 isn't shown as being in listening state. Now all these things contradict each other, and I myself don't know what's happening here. Neither 1515 nor 1514 can be telnetted, but failed login attempts on the system for which I did manual registration are being shown on the dashboard, and OSSEC uses 15154 for this purpose, but 1514 can't be telnetted and isn't in listening state, and when I run nmap none of these ports are open.

On Mon, Oct 3, 2016 at 10:58 PM, Dodain Dodo <[email protected]> wrote:
> The manual agent installation works perfectly and it even shows HIDS
> events/alarms for my host/PC.
>
> On Oct 3, 2016 10:51 PM, "Pedro Sanchez" <[email protected]> wrote:
>> Hi,
>>
>> I think this could be a connectivity issue. ossec-authd looks to be listening
>> correctly; did you try to add the agent manually and check for 1514
>> connectivity? I am not sure if both servers are able to communicate in a
>> different way; try to use tcpdump on the server side and telnet on the other.
>>
>> Server:
>>
>>> tcpdump -i eth0 port 1515 -vv
>>
>> Agent:
>>
>>> telnet server_ip 1515
>>
>> Try to add it manually; if that works, we can keep going with the ossec-authd
>> deployment.
>>
>> On Mon, Oct 3, 2016 at 5:57 PM, Dodain Dodo <[email protected]> wrote:
>>> Hi Pedro,
>>>
>>> Thanks for replying. Sorry, I forgot to mention a few details. Firstly, I am
>>> using AlienVault USM. Secondly, the OSSEC server is listening, so the server
>>> part is working; the problem I am getting is that the agent/client isn't able
>>> to connect to the server on port 1515, and I am not able to find out why my
>>> agent isn't able to communicate with the OSSEC server on port 1515. For that
>>> I even added port 1515 in iptables. Since the agent isn't able to communicate,
>>> tcpdump on the server shows 0 packets.
>>>
>>> tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      5504/ossec-authd
>>>
>>> On Mon, Oct 3, 2016 at 1:21 PM, Pedro Sanchez <[email protected]> wrote:
>>>> Hi Ali,
>>>>
>>>> Could you confirm that ossec-authd is running and listening on the sensor?
>>>> You could use
>>>>
>>>>> netstat -pna | grep 1515
>>>>
>>>> The expected output will be similar to:
>>>>
>>>>> tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      9684/ossec-authd
>>>>
>>>> It seems like you have some connectivity problems. Be sure that the agent
>>>> can actually access the 1515 port; you could use tcpdump at the OSSEC
>>>> Manager to listen for incoming packets to the 1515 port:
>>>>
>>>>> root@ubuntu5:/var/ossec/etc# tcpdump -i eth0 port 1515 -vv
>>>>> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>>> 01:20:11.033864 IP (tos 0x0, ttl 128, id 22397, offset 0, flags [DF], proto TCP (6), length 52)
>>>>>     192.168.1.30.57495 > 192.168.1.10.1515: Flags [S], cksum 0x4748 (correct), seq 2326532896, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>> 01:20:11.033931 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
>>>>>     192.168.1.10.1515 > 192.168.1.30.57495: Flags [S.], cksum 0x839f (incorrect -> 0x141f), seq 3245350808, ack 2326532897, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
>>>>> 01:20:11.034075 IP (tos 0x0, ttl 128, id 22398, offset 0, flags [DF], proto TCP (6), length 40)
>>>>>     192.168.1.30.57495 > 192.168.1.10.1515: Flags [.], cksum 0xbefc (correct), seq 1, ack 1, win 2053, length 0
>>>>> 01:20:11.035593 IP (tos 0x0, ttl 128, id 22399, offset 0, flags [DF], proto TCP (6), length 203)
>>>>>     192.168.1.30.57495 > 192.168.1.10.1515: Flags [P.], cksum 0xeedb (correct), seq 1:164, ack 1, win 2053, length 163
>>>>> 01:20:11.035668 IP (tos 0x0, ttl 64, id 37466, offset 0, flags [DF], proto TCP (6), length 40)
>>>>
>>>> Best regards,
>>>>
>>>> Pedro S.
>>>>
>>>> On Mon, Oct 3, 2016 at 10:03 AM, Ali Khan <[email protected]> wrote:
>>>>> Hi All,
>>>>>
>>>>> I am trying to use ossec agent-auth for automatic agent key registration
>>>>> with the OSSEC server.
>>>>>
>>>>> I did the following on the server:
>>>>>
>>>>> openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
>>>>> openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
>>>>> /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 &
>>>>>
>>>>> Add the following rule to /etc/ossim/firewall_include:
>>>>>
>>>>> -A INPUT -p tcp --dport 1515 -j ACCEPT
>>>>>
>>>>> Run ossim-reconfig and then again start
>>>>> /var/ossec/bin/ossec-authd -p 1515 -i >/dev/null 2>&1 &
>>>>> and the process starts.
>>>>>
>>>>> However, when I run ./agent-auth -m 192.168.10.246 -p 1515 on the agent I
>>>>> get the following error:
>>>>>
>>>>> 2016/10/03 12:34:58 ossec-authd: INFO: Started (pid: 9656).
>>>>> 2016/10/03 12:34:58 ossec-authd: Unable to connect to 192.168.10.246:1515
>>>>>
>>>>> Any kind of help would be appreciated.
>>>>>
>>>>> Looking forward to your reply.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
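One reason the thread's check for 1514 comes up empty is that ossec-remoted receives agent traffic over UDP/1514 by default, and UDP sockets carry no LISTEN state, so a `grep LISTEN` on netstat output (and a TCP telnet) will never show it, while ossec-authd on TCP/1515 does appear. The script below is an added example, not code from the thread or the OSSEC project: it parses netstat-style output (a constructed sample in `SAMPLE_NETSTAT`) with a protocol-aware check and sets it beside the LISTEN-only check the thread relies on; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project): check an OSSEC/USM
# manager's agent-facing sockets in netstat-style output. ossec-authd listens on
# TCP/1515, but ossec-remoted receives agent traffic on UDP/1514 by default, and
# UDP sockets have no LISTEN state, so "netstat -pna | grep LISTEN" hides them.

# Constructed sample (not real host data), in `netstat -pnaut` layout.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      5504/ossec-authd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           5490/ossec-remoted'

# port_state PROTO PORT  (netstat output on stdin) -> prints "open" or "closed".
# Matches on the protocol and the port of the Local Address column only, so a
# UDP socket with an empty State column is still reported.
port_state() {
  awk -v proto="$1" -v port="$2" '
    $1 == proto && $4 ~ (":" port "$") { found = 1 }
    END { print (found ? "open" : "closed") }'
}

# naive_listen_check PORT  (netstat output on stdin) -> "open" or "closed".
# Reproduces the LISTEN-filtered check used in the thread, for comparison.
naive_listen_check() {
  if grep LISTEN | grep -q ":$1 "; then echo open; else echo closed; fi
}

# check_manager_ports (netstat output on stdin): one verdict per expected socket.
check_manager_ports() {
  dump=$(cat)
  printf 'ossec-authd   tcp/1515: %s\n' "$(printf '%s\n' "$dump" | port_state tcp 1515)"
  printf 'ossec-remoted udp/1514: %s\n' "$(printf '%s\n' "$dump" | port_state udp 1514)"
  printf 'LISTEN-only check for 1514: %s (misleading for UDP)\n' \
    "$(printf '%s\n' "$dump" | naive_listen_check 1514)"
}

# Demo against the constructed sample; on a real manager run:
#   netstat -pnaut | check_manager_ports
printf '%s\n' "$SAMPLE_NETSTAT" | check_manager_ports
```

For the UDP side, a TCP tool such as telnet or a default nmap TCP scan cannot confirm reachability; a tcpdump filter on `udp port 1514` at the manager while the agent is running is the equivalent of the 1515 capture shown above.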
