Welcome to the Linux Foundation Forum!

Lab 6.2

Posts: 42
edited February 2019 in LFS216 Class Forum

Hi,

I've tried various things but I'm stumped on an aspect of this exercise.

When I try to setup the shared key on the client machine as per part 14 (/var/ossec/bin/agent-auth -m 172.16.215.129 -p 1515) I get the messages:

INFO: Connected to 172.16.215.129:1515
INFO: Using agent name as: secondary.example.com
INFO: Send request to manager. Waiting for reply.
INFO: Connection closed.

How would I resolve that?

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Comments

  • Posts: 42

    /var/ossec/logs/ossec.log on the server reports

    2019/02/18 11:22:23 ossec-authd: INFO: Started (pid: 9154).
    2019/02/18 11:22:23 Accepting connections. Random password chosen for agent authentication: 7c60a713f0d91d8193998ef01d85c92c
    2019/02/18 11:22:23 IPv6: :: on port 1515
    2019/02/18 11:22:23 Request to allocate and bind sockets failed.
    2019/02/18 11:22:23 ossec-authd: Unable to bind to port 1515
    2019/02/18 11:22:30 ossec-authd: INFO: New connection from 172.16.215.130
    2019/02/18 11:22:30 ossec-authd: ERROR: Invalid password provided by 172.16.215.130. Closing connection.

  • Posts: 380

    Hi, A couple of little things: The client side looks ok so far, the server side doen't seem to be binding to port 1515. Make sure that SElinux is in permissive mode and the firewall is off.

  • Posts: 42

    SElinux is disabled on the VM image used by default and I've added tcp and udp ports 1515 to the firewalls of both VMs.

    I tried getting both server and agent to read the password from a file (/var/ossec/etc/authd.pass) but it's still the same problem. Not getting a suitable answer from the OSSEC mailing list/Google.

  • Posts: 380

    I ran through the lab this morning, the password generated by agent-auth only goes on the agent machine. The default location is same as you have but I specified it in the command line to be clear.
    My command on the server machine:

    /var/ossec/bin/ossec-authd -p1515 -d -d -d -f
    You can see the password to use on the client machine.

    My client command:
    /var/ossec/bin/agent-auth -m 192.168.122.31 -p 1515 -A remote -P /var/ossec/etc/authd.pass

    If you are running version 3.2 of OSSEC, it will automatically add the client making step 6.2.10 redundant and will cause a "duplicate IP error", no problem, use manage-agents to remove the entry you added in step 6.2.10

    The lab will get an update to version 3.2.0 shortly.

    Thank you for pointing out the issue.
    keep me posted.
    Lee

  • Posts: 42
    edited February 2019

    Yes, that worked! Many thanks. Although I did get the duplicate IP error and dealt with it, it seems that was necessary to go through because ossec wouldn't start on the agent without it having imported the server's key for the definition. I don't know if that's a bug or just something weird that happened to me.

  • Posts: 380

    Great !
    Yes, the agent must get a key from the server to start communicating.
    There seems to be some updates to ossec that need to be incorporated into the lab, specifically to resolve the duplicate ip address issue.
    Thank you for your input.

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Categories

Upcoming Training