Re: [ossec-list] Redundancy manager (backup)

2017-04-11 Thread Victor Fernandez
Hi Martin,

I'm glad to know that everything is OK.

Your firewall configuration for the manager is good, filtering by source IP
is fine.

However, the configuration for the agent should filter by source port,
because we do not know which port the agent communicates from.

I mean, the agent does not actually listen to port 1514, it communicates
with manager's port 1514 (it really creates an ephemeral port to establish
the communication). For example:

Agent (10.0.1.100:49152) → Manager (10.0.0.1:1514)


The communication protocol is UDP, which is not connection-oriented (unlike
TCP), but network routers often create a NAT mapping that makes it possible to
send a message in the reverse direction:

Manager (10.0.0.1:1514) → Agent (10.0.1.100:49152)


This is why the agent's firewall configuration should filter packets by
source port (1514) and not destination port (e.g. 49152) since this is an
ephemeral port. So I propose this configuration:

   - sudo iptables -D INPUT -j DROP
   - iptables -A INPUT -p UDP --sport 1514 -s 10.0.0.1 -j ACCEPT
   - iptables -A INPUT -p UDP --sport 1514 -s 10.0.0.2 -j ACCEPT
   - iptables -A OUTPUT -j ACCEPT
   - sudo iptables -A INPUT -j DROP

Best regards.

On Tue, Apr 11, 2017 at 5:11 PM, Martin  wrote:

> Hello,
>
> Thank you for your answers !
>
> This is finally working; what I had to do was to allow the traffic through
> 1514 with the following:
>
> *On the agent :*
>
>
>- sudo iptables -D INPUT -j DROP
>- iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.1 -j ACCEPT
>- iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.2 -j ACCEPT
>- iptables -A OUTPUT -j ACCEPT
>- sudo iptables -A INPUT -j DROP
>
> *On the manager :*
>
>
>- sudo iptables -D INPUT -j DROP
>- iptables -A INPUT -p UDP --dport 1514 -s IP_agent_1 -j ACCEPT
>- iptables -A INPUT -p UDP --dport 1514 -s IP_agent_2 -j ACCEPT
>- iptables -A INPUT -p UDP --dport 1514 -s IP_agent_3 -j ACCEPT
>- iptables -A OUTPUT -j ACCEPT
>- sudo iptables -A INPUT -j DROP
>
> I don't think that this is the right way to do it, but it works now..
>
> Best regards.
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
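To make the source-port argument above concrete, here is an added example (my code, not the poster's, and not part of OSSEC or iptables): a first-match model of the agent's INPUT chain, evaluated over constructed UDP packets that mirror the exchange in the message (manager 10.0.0.1:1514 answering the agent's ephemeral port 49152). The model is stateless, so it shows what each rule set does to the manager's reply on its own, without any connection tracking.

```python
"""First-match model of an iptables INPUT chain, run over the two agent-side
rule sets from the thread. Added example; packets below are constructed."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    target: str                     # -j ACCEPT / DROP
    proto: Optional[str] = None     # -p
    src_ip: Optional[str] = None    # -s
    sport: Optional[int] = None     # --sport
    dport: Optional[int] = None     # --dport

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src_ip is None or self.src_ip == p.src_ip)
                and (self.sport is None or self.sport == p.src_port)
                and (self.dport is None or self.dport == p.dst_port))


def parse_rule(line: str) -> Optional[Rule]:
    """Parse the iptables subset used in the thread. Only INPUT appends are
    modelled: '-D INPUT -j DROP' just removes the old catch-all and the OUTPUT
    rule does not affect inbound packets."""
    toks = shlex.split(line)
    if toks and toks[0] == "sudo":
        toks = toks[1:]
    if toks[:3] != ["iptables", "-A", "INPUT"]:
        return None
    fields: Dict[str, object] = {}
    for opt, val in zip(toks[3::2], toks[4::2]):
        if opt == "-p":
            fields["proto"] = val.lower()
        elif opt == "-s":
            fields["src_ip"] = val
        elif opt == "--sport":
            fields["sport"] = int(val)
        elif opt == "--dport":
            fields["dport"] = int(val)
        elif opt == "-j":
            fields["target"] = val
        else:
            raise ValueError(f"unsupported option {opt}")
    return Rule(**fields)  # type: ignore[arg-type]


def verdict(chain: List[Rule], p: Packet) -> str:
    """The first matching rule decides; nothing matching falls to the default policy (ACCEPT)."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return "ACCEPT"


# Agent-side rule sets as posted in the thread (destination-port vs. source-port match).
DPORT_RULES = [
    "iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.1 -j ACCEPT",
    "iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.2 -j ACCEPT",
    "iptables -A OUTPUT -j ACCEPT",
    "sudo iptables -A INPUT -j DROP",
]
SPORT_RULES = [
    "iptables -A INPUT -p UDP --sport 1514 -s 10.0.0.1 -j ACCEPT",
    "iptables -A INPUT -p UDP --sport 1514 -s 10.0.0.2 -j ACCEPT",
    "iptables -A OUTPUT -j ACCEPT",
    "sudo iptables -A INPUT -j DROP",
]

# Constructed inbound packets as seen by the agent: the managers answer from
# port 1514 to the agent's ephemeral port 49152; the third host is not a manager.
PRIMARY_REPLY = Packet("10.0.0.1", 1514, "10.0.1.100", 49152)
BACKUP_REPLY = Packet("10.0.0.2", 1514, "10.0.1.100", 49152)
UNLISTED_HOST = Packet("10.0.0.9", 1514, "10.0.1.100", 49152)


def agent_verdicts(rule_lines: List[str]) -> Dict[str, str]:
    """Verdict of the agent's INPUT chain for each constructed packet."""
    chain = [r for r in map(parse_rule, rule_lines) if r is not None]
    return {name: verdict(chain, pkt) for name, pkt in
            (("primary", PRIMARY_REPLY), ("backup", BACKUP_REPLY), ("unlisted", UNLISTED_HOST))}


if __name__ == "__main__":
    print("dport rules:", agent_verdicts(DPORT_RULES))
    print("sport rules:", agent_verdicts(SPORT_RULES))
```

With the destination-port rules every manager reply hits the trailing DROP, because the reply's destination port is 49152, not 1514; with the source-port rules the replies from both listed managers are accepted while a packet from an unlisted host is still dropped, which is the behaviour the message argues for.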


Re: [ossec-list] Redundancy manager (backup)

2017-04-11 Thread Martin
Hello,

Thank you for your answers ! 

This is finally working; what I had to do was to allow the traffic through 
1514 with the following:

*On the agent :*


   - sudo iptables -D INPUT -j DROP
   - iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.1 -j ACCEPT
   - iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.2 -j ACCEPT
   - iptables -A OUTPUT -j ACCEPT
   - sudo iptables -A INPUT -j DROP
   
*On the manager :*


   - sudo iptables -D INPUT -j DROP
   - iptables -A INPUT -p UDP --dport 1514 -s IP_agent_1 -j ACCEPT
   - iptables -A INPUT -p UDP --dport 1514 -s IP_agent_2 -j ACCEPT
   - iptables -A INPUT -p UDP --dport 1514 -s IP_agent_3 -j ACCEPT
   - iptables -A OUTPUT -j ACCEPT
   - sudo iptables -A INPUT -j DROP

I don't think that this is the right way to do it, but it works now.

Best regards.



Re: [ossec-list] Redundancy manager (backup)

2017-04-10 Thread Victor Fernandez
Hi Martin,

please give us a clue: do you see any issue in the logs?

For example, when the agent switches to the other server you should see logs
such as:

ossec-agentd: INFO: Closing connection to server (10.0.0.1:1514).
ossec-agentd: INFO: Trying to connect to server (10.0.0.2:1514).


If the agent gives up:

ossec-agentd: ERROR: Unable to connect to any server.


If there is an issue with the agent key, the manager log may print:

ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.0.X'.
  (or)
ossec-remoted(1408): ERROR: Invalid ID %s for the source ip: '10.0.0.X'.
  (or)
ossec-remoted(1213): WARN: Message from '10.0.0.X' not allowed.


On the other hand, if any of the peers (agent or manager) rejects a remote
ID (Rid):

ossec-remoted(1407): ERROR: Duplicated counter for '10.0.0.1'.


Only for testing purposes, you may use this configuration on the agent; it will
speed up the connection switching:

<client>
  <server-ip>10.0.0.1</server-ip>
  <server-ip>10.0.0.2</server-ip>
  <notify_time>5</notify_time>
  <time-reconnect>15</time-reconnect>
</client>


And you may also disable Rid verification by adding this line to the file
/var/ossec/etc/local_internal_options.conf (manager and agent):

remoted.verify_msg_id=0


Please look for any suspicious log, try to use these configurations and
write back to us.

Best regards.


On Mon, Apr 10, 2017 at 4:57 PM, Martin  wrote:

> Even after 1 hour my agents won't connect to the second manager.
>
> Here are the steps that I've done so far:
>
>- Having my two managers with the same ossec.conf, local_decoder,
>local_rules, client, client.keys
>- Opening the port 1514 on all the agents and the manager.
>- Specify the manager's ip on the agents
>
> <client>
>   <server-ip>10.0.0.1</server-ip>
>   <server-ip>10.0.0.2</server-ip>
> </client>
>
> Maybe it has to do with what Viktor said about Rids counter, I'm not sure.
>
> Best regards.
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.

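As an added example (my code, not the poster's and not part of OSSEC), here is a small classifier for the ossec-agentd and ossec-remoted messages listed above, run over a constructed log excerpt, so a failover attempt, an agent giving up, key problems and Rid conflicts can be counted per source instead of read by eye. The sample lines are constructed; the `%s` placeholder of message 1408 is filled with a made-up agent ID `001`.

```python
"""Classify the OSSEC log lines from the message above. Added example; the
SAMPLE_LOG excerpt is constructed, not captured from a real deployment."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# (category, pattern) pairs, tried in order; the message ids are the ones quoted in the thread.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("closing_connection", re.compile(r"ossec-agentd: INFO: Closing connection to server \(" + IP + r":\d+\)")),
    ("trying_server", re.compile(r"ossec-agentd: INFO: Trying to connect to server \(" + IP + r":\d+\)")),
    ("gave_up", re.compile(r"ossec-agentd: ERROR: Unable to connect to any server")),
    # 1403 / 1408 / 1213: the manager cannot authenticate or decode the agent's message (key problem)
    ("key_problem", re.compile(r"ossec-remoted\((?:1403|1408|1213)\): (?:ERROR|WARN): .*?'" + IP + r"'")),
    # 1407: a peer rejected a remote ID (Rid counter) as already seen
    ("rid_conflict", re.compile(r"ossec-remoted\(1407\): ERROR: Duplicated counter for '" + IP + r"'")),
]


def classify(line: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (category, source ip) for a known line, (None, None) otherwise."""
    for name, pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return name, match.groupdict().get("ip")
    return None, None


def summarize(log: str) -> Dict[str, object]:
    """Aggregate a log excerpt into counts per category plus the hosts involved."""
    counts: Counter = Counter()
    key_ips, rid_ips = set(), set()
    last_server: Optional[str] = None
    for line in log.splitlines():
        category, ip = classify(line)
        if category is None:
            continue
        counts[category] += 1
        if category == "key_problem":
            key_ips.add(ip)
        elif category == "rid_conflict":
            rid_ips.add(ip)
        elif category == "trying_server":
            last_server = ip
    return {
        "counts": dict(counts),
        "key_problem_sources": sorted(key_ips),
        "rid_conflict_sources": sorted(rid_ips),
        "last_server_tried": last_server,
        "gave_up": counts["gave_up"] > 0,
    }


# Constructed excerpt: timestamps and the agent IDs/IPs are made up for the example.
SAMPLE_LOG = """\
2017/04/10 16:40:01 ossec-agentd: INFO: Closing connection to server (10.0.0.1:1514).
2017/04/10 16:40:01 ossec-agentd: INFO: Trying to connect to server (10.0.0.2:1514).
2017/04/10 16:40:02 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.0.21'.
2017/04/10 16:40:02 ossec-remoted(1408): ERROR: Invalid ID 001 for the source ip: '10.0.0.22'.
2017/04/10 16:40:03 ossec-remoted(1213): WARN: Message from '10.0.0.21' not allowed.
2017/04/10 16:40:04 ossec-remoted(1407): ERROR: Duplicated counter for '10.0.0.1'.
2017/04/10 16:41:00 ossec-syscheckd: INFO: Starting syscheck scan.
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A repeated `key_problem` from one source usually means its entry in client.keys differs between the two managers, which is exactly the synchronization Victor asks for earlier in the thread; a `rid_conflict` on the manager's own IP after a switch points at the sender_counter file being out of step.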


Re: [ossec-list] Redundancy manager (backup)

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 11:32 AM, Martin  wrote:
> Hello Victor,
>
> I tried to run a second manager and I've the same file
> /var/ossec/etc/client.keys on it and on the first manager. I've copied the
> local_rules, ossec.conf, local_decoder as well.
>
> And I've specified on the agents to listen to it as you told me:
>
> <client>
>   <server-ip>10.0.0.1</server-ip>
>   <server-ip>10.0.0.2</server-ip>
> </client>
>
> My first manager (10.0.0.1 here) is shut down and none of the agents are
> listening on 10.0.0.2.
>
> What should I look into?
>

It takes a while (30min?) for the agents to switch over.

> Best regards.
>



Re: [ossec-list] Redundancy manager (backup)

2017-04-05 Thread Martin
Hello Victor,

I tried to run a second manager and I've the same file 
/var/ossec/etc/client.keys 
on it and on the first manager. I've copied the local_rules, ossec.conf, 
local_decoder as well.

And I've specified on the agents to listen to it as you told me:

<client>
  <server-ip>10.0.0.1</server-ip>
  <server-ip>10.0.0.2</server-ip>
</client>


My first manager (10.0.0.1 here) is shut down and none of the agents are 
listening on 10.0.0.2. 

What should I look into? 

Best regards.



Re: [ossec-list] Redundancy manager (backup)

2017-04-04 Thread Victor Fernandez
Sorry, I forgot to mention Chef; you can definitely use it to deploy your
agents.

If you are interested in it, take a look at:
https://github.com/sous-chefs/ossec.

Best regards.

On Tue, Apr 4, 2017 at 2:55 PM, Martin  wrote:

> Is it possible to deploy them (agents) easily via Chef?
>
> Thank you again for your answers!
>
> Best regards.
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.



Re: [ossec-list] Redundancy manager (backup)

2017-04-04 Thread Martin
Is it possible to deploy them (agents) easily via Chef? 

Thank you again for your answers!

Best regards.



Re: [ossec-list] Redundancy manager (backup)

2017-04-04 Thread Victor Fernandez
Hi Martin,

there are actually some options to deploy agents: you can use Puppet or
Ansible to make a large deployment. A very simple unattended installation
could be installing the agent with preloaded variables. You can find the file
etc/preloaded-vars.conf in the source code; fill it in (uncomment and set the
options) and launch install.sh. With a properly filled preloaded-vars.conf,
it will make an unattended installation.

The next step is adding the agent to the manager; you may use the Auth
system (ossec-authd server on the manager and agent-auth on the agents) to
register agents automatically.

There are some approaches to get a high availability system; the most
important task is to ensure that the file /var/ossec/etc/client.keys is always
synchronized between every manager in your system. If you have Rids
counters enabled (OSSEC has them enabled by default) you should do the
same with the file /var/ossec/queue/rids/sender_counter, which stores the
message counter (it does this to number each message and avoid some
security threats like replay attacks). There is no unique way to
achieve high availability; it depends on your system (how many managers you
have, whether they are parallel or there is a main manager and a backup
server, whether you will use shared storage, etc.).

Best regards.

On Tue, Apr 4, 2017 at 10:32 AM, Martin  wrote:

> I know it is possible with "Unattended Source Installation" but I'd still
> have to add these agents manually on the manager, or is there another way :)
> ?
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.



Re: [ossec-list] Redundancy manager (backup)

2017-04-04 Thread Martin
I know it is possible with "Unattended Source Installation" but I'd still 
have to add these agents manually on the manager, or is there another way :) 
?



Re: [ossec-list] Redundancy manager (backup)

2017-04-04 Thread Martin
Hi Victor,

Now that I know it is possible to have a second manager in case the first 
one stops running, I'm wondering: is there a proper way to copy the first 
manager to duplicate it? That way I won't have to configure the second 
manager as I did with the first one.

And I was also looking for whether there is a way to automatically deploy agents 
on servers and add them on the manager without having to use the script 
.install? Because, let's say I've 100 agents to deploy, it will take me a 
while doing it with the script ...


Thank you for your answer !

Best regards.



Re: [ossec-list] Redundancy manager (backup)

2017-04-03 Thread Victor Fernandez
Hi Martin,

when agents connect to the manager, the latter sends an ACK message to confirm
that the connection is established. From that moment on, agents send data
with no arrival confirmation. This means that, if the server went down,
agents would keep sending data that would be lost.

There is a mechanism to test connections: every 10 minutes agents send
keep-alive messages to the manager, and the server responds with an ACK
message. If an agent does not send a keep-alive in 30 minutes, the manager
marks it as disconnected and produces an alert.

On the other hand, if the manager does not answer 3 keep-alive messages in
a row, the agent considers that the server is down and tries to reconnect;
in the meantime it "locks" every component (File Integrity Monitoring, Log
collecting, etc.) in order to prevent them from sending data that would be
lost.

You may use a secondary manager and configure two remote servers, with a
configuration such as this:

<client>
  <server-ip>10.0.0.1</server-ip>
  <server-ip>10.0.0.2</server-ip>
</client>


The agent will always try to connect first to the first defined server. In
case it could not connect to it, it will try to do so with the next
one. You can define as many servers as you want.

Best regards.


On Mon, Apr 3, 2017 at 6:47 PM, Martin  wrote:

> Hello everyone,
>
> I was wondering, what happens if the "manager" bugs / shuts down?
>
> It might sound stupid, but what behavior will the agents have? Will they
> make my server bug, consume too much CPU/RAM or try to send messages all
> the time, etc.?
>
> Is there a way to have a second manager as a backup or make redundancy?
>
> Best regards!
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.

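The keep-alive and failover behaviour described in the message above, as an added simulation (my code, not OSSEC's and not the poster's): one keep-alive every 10 minutes, three unanswered keep-alives mean "server down", the agent then locks its components and walks the configured server list again from the first entry, and the manager flags an agent after 30 minutes of silence. The reachability model (which manager answers at which second) is constructed; with it, failover from a primary that dies just after a keep-alive takes three intervals, which is the half hour dan mentions earlier in the thread.

```python
"""Simulation of the OSSEC agent's keep-alive / failover logic as described in
the thread. Added example; the outage scenarios below are constructed."""
from typing import Callable, List, Optional, Tuple

KEEPALIVE_INTERVAL = 600   # seconds between agent keep-alives (10 minutes)
MAX_MISSED_ACKS = 3        # unanswered keep-alives before the agent declares the server down
MANAGER_TIMEOUT = 1800     # manager marks an agent disconnected after 30 minutes of silence

Reachable = Callable[[str, int], bool]   # (manager_ip, time_s) -> does that manager ACK?


class Agent:
    def __init__(self, servers: List[str], reachable: Reachable) -> None:
        self.servers = list(servers)
        self.reachable = reachable
        self.current: Optional[str] = None   # manager that last ACKed us
        self.missed = 0                      # consecutive keep-alives without an ACK
        self.locked = True                   # components send nothing until a manager ACKs
        self.events: List[Tuple[int, str]] = []

    def connect(self, t: int) -> bool:
        """Try the configured servers in order, always starting from the first one."""
        for ip in self.servers:
            if self.reachable(ip, t):        # connection ACK received
                self.current, self.missed, self.locked = ip, 0, False
                self.events.append((t, f"connected to {ip}"))
                return True
        self.current, self.locked = None, True
        self.events.append((t, "unable to connect to any server"))
        return False

    def keepalive(self, t: int) -> None:
        """One keep-alive round; called every KEEPALIVE_INTERVAL seconds."""
        if self.current is None:
            self.connect(t)                  # keep retrying while disconnected
            return
        if self.reachable(self.current, t):
            self.missed = 0                  # ACK received, connection healthy
            return
        self.missed += 1
        if self.missed >= MAX_MISSED_ACKS:
            self.events.append((t, f"{self.current} down, locking components"))
            self.connect(t)                  # failover: the list is walked from the top again


def simulate(servers: List[str], reachable: Reachable, horizon_s: int) -> Agent:
    """Run an agent from t=0 through horizon_s seconds of keep-alive rounds."""
    agent = Agent(servers, reachable)
    agent.connect(0)
    for t in range(KEEPALIVE_INTERVAL, horizon_s + 1, KEEPALIVE_INTERVAL):
        agent.keepalive(t)
    return agent


def manager_marks_disconnected(last_keepalive_s: int, now_s: int) -> bool:
    """Manager side: more than 30 minutes without a keep-alive flags the agent as disconnected."""
    return now_s - last_keepalive_s > MANAGER_TIMEOUT


def primary_outage_scenario() -> Agent:
    """Constructed: 10.0.0.1 stops answering at t=1000 s, 10.0.0.2 is always up."""
    return simulate(["10.0.0.1", "10.0.0.2"], lambda ip, t: ip == "10.0.0.2" or t < 1000, 3600)


def total_outage_scenario() -> Agent:
    """Constructed: both managers are down from t=1000 s on; the agent gives up and stays locked."""
    return simulate(["10.0.0.1", "10.0.0.2"], lambda ip, t: t < 1000, 3600)


if __name__ == "__main__":
    for t, text in primary_outage_scenario().events:
        print(f"t={t:5d}s  {text}")
```

In the primary-outage run the agent keeps 10.0.0.1 through the keep-alive at 600 s, misses the ACKs at 1200, 1800 and 2400 s, and only then locks and reconnects to 10.0.0.2; the data its components would have sent during those three intervals is what the locking protects. In the total-outage run it reports "unable to connect to any server" and retries at every later keep-alive, staying locked the whole time.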