Welcome to the Linux Foundation Forum!

Lab 6.2

mo79uk
mo79uk Posts: 42
edited February 2019 in LFS216 Class Forum

Hi,

I've tried various things but I'm stumped on an aspect of this exercise.

When I try to setup the shared key on the client machine as per part 14 (/var/ossec/bin/agent-auth -m 172.16.215.129 -p 1515) I get the messages:

INFO: Connected to 172.16.215.129:1515
INFO: Using agent name as: secondary.example.com
INFO: Send request to manager. Waiting for reply.
INFO: Connection closed.

How would I resolve that?

Comments

  • mo79uk
    mo79uk Posts: 42

    /var/ossec/logs/ossec.log on the server reports

    2019/02/18 11:22:23 ossec-authd: INFO: Started (pid: 9154).
    2019/02/18 11:22:23 Accepting connections. Random password chosen for agent authentication: 7c60a713f0d91d8193998ef01d85c92c
    2019/02/18 11:22:23 IPv6: :: on port 1515
    2019/02/18 11:22:23 Request to allocate and bind sockets failed.
    2019/02/18 11:22:23 ossec-authd: Unable to bind to port 1515
    2019/02/18 11:22:30 ossec-authd: INFO: New connection from 172.16.215.130
    2019/02/18 11:22:30 ossec-authd: ERROR: Invalid password provided by 172.16.215.130. Closing connection.

  • lee42x
    lee42x Posts: 380

    Hi, A couple of little things: The client side looks ok so far, the server side doen't seem to be binding to port 1515. Make sure that SElinux is in permissive mode and the firewall is off.

  • mo79uk
    mo79uk Posts: 42

    SElinux is disabled on the VM image used by default and I've added tcp and udp ports 1515 to the firewalls of both VMs.

    I tried getting both server and agent to read the password from a file (/var/ossec/etc/authd.pass) but it's still the same problem. Not getting a suitable answer from the OSSEC mailing list/Google.

  • lee42x
    lee42x Posts: 380

    I ran through the lab this morning, the password generated by agent-auth only goes on the agent machine. The default location is same as you have but I specified it in the command line to be clear.
    My command on the server machine:

    /var/ossec/bin/ossec-authd -p1515 -d -d -d -f
    You can see the password to use on the client machine.

    My client command:
    /var/ossec/bin/agent-auth -m 192.168.122.31 -p 1515 -A remote -P /var/ossec/etc/authd.pass

    If you are running version 3.2 of OSSEC, it will automatically add the client making step 6.2.10 redundant and will cause a "duplicate IP error", no problem, use manage-agents to remove the entry you added in step 6.2.10

    The lab will get an update to version 3.2.0 shortly.

    Thank you for pointing out the issue.
    keep me posted.
    Lee

  • mo79uk
    mo79uk Posts: 42
    edited February 2019

    Yes, that worked! Many thanks. Although I did get the duplicate IP error and dealt with it, it seems that was necessary to go through because ossec wouldn't start on the agent without it having imported the server's key for the definition. I don't know if that's a bug or just something weird that happened to me.

  • lee42x
    lee42x Posts: 380

    Great !
    Yes, the agent must get a key from the server to start communicating.
    There seems to be some updates to ossec that need to be incorporated into the lab, specifically to resolve the duplicate ip address issue.
    Thank you for your input.

Categories

Upcoming Training