Lab 6.2

mo79uk

Hi,

I've tried various things but I'm stumped on an aspect of this exercise.

When I try to setup the shared key on the client machine as per part 14 (/var/ossec/bin/agent-auth -m 172.16.215.129 -p 1515) I get the messages:

INFO: Connected to 172.16.215.129:1515
INFO: Using agent name as: secondary.example.com
INFO: Send request to manager. Waiting for reply.
INFO: Connection closed.

How would I resolve that?

mo79uk

/var/ossec/logs/ossec.log on the server reports

2019/02/18 11:22:23 ossec-authd: INFO: Started (pid: 9154).
2019/02/18 11:22:23 Accepting connections. Random password chosen for agent authentication: 7c60a713f0d91d8193998ef01d85c92c
2019/02/18 11:22:23 IPv6: :: on port 1515
2019/02/18 11:22:23 Request to allocate and bind sockets failed.
2019/02/18 11:22:23 ossec-authd: Unable to bind to port 1515
2019/02/18 11:22:30 ossec-authd: INFO: New connection from 172.16.215.130
2019/02/18 11:22:30 ossec-authd: ERROR: Invalid password provided by 172.16.215.130. Closing connection.

lee42x

Hi, A couple of little things: The client side looks ok so far, the server side doen't seem to be binding to port 1515. Make sure that SElinux is in permissive mode and the firewall is off.

mo79uk

SElinux is disabled on the VM image used by default and I've added tcp and udp ports 1515 to the firewalls of both VMs.

I tried getting both server and agent to read the password from a file (/var/ossec/etc/authd.pass) but it's still the same problem. Not getting a suitable answer from the OSSEC mailing list/Google.

lee42x

I ran through the lab this morning, the password generated by agent-auth only goes on the agent machine. The default location is same as you have but I specified it in the command line to be clear.
My command on the server machine:

/var/ossec/bin/ossec-authd -p1515 -d -d -d -f
You can see the password to use on the client machine.

My client command:
/var/ossec/bin/agent-auth -m 192.168.122.31 -p 1515 -A remote -P /var/ossec/etc/authd.pass

If you are running version 3.2 of OSSEC, it will automatically add the client making step 6.2.10 redundant and will cause a "duplicate IP error", no problem, use manage-agents to remove the entry you added in step 6.2.10

The lab will get an update to version 3.2.0 shortly.

Thank you for pointing out the issue.
keep me posted.
Lee

mo79uk

Yes, that worked! Many thanks. Although I did get the duplicate IP error and dealt with it, it seems that was necessary to go through because ossec wouldn't start on the agent without it having imported the server's key for the definition. I don't know if that's a bug or just something weird that happened to me.

lee42x

Great !
Yes, the agent must get a key from the server to start communicating.
There seems to be some updates to ossec that need to be incorporated into the lab, specifically to resolve the duplicate ip address issue.
Thank you for your input.