Netstat output

I have installed OSSEC on one server and agents on several other servers running Red Hat. The problem is that some servers are able to communicate and send logs to the server, while others stay in the INACTIVE state even though I have imported the security key.

2013/02/23 15:34:34 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:38:30 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:38:30 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:38:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:43:05 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:43:05 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:43:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:47:58 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:47:58 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:48:19 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:53:09 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:53:09 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:53:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:58:38 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:58:38 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:58:59 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'

I consulted the security team and they said there is a firewall between the host and the agents. They enabled port 514 UDP on the server. But the agents still cannot communicate with the server.

Netstat output

[emerg@Monit ~]$ netstat -panu
(No info could be read for "-p": geteuid()=1344 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
udp        0      0 0.0.0.0:32769               0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:10000               0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:657                 0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:660                 0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:1514                0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               -                   
udp        0      0 10.1.1.109:123              0.0.0.0:*                               -                   
udp        0      0 192.168.109.1:123           0.0.0.0:*                               -                   
udp        0      0 127.0.0.1:123               0.0.0.0:*                               -                   
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               -                   
udp        0      0 :::32771                    :::*                                    -                   
udp        0      0 :::5353                     :::*                                    -                   
udp        0      0 fe80::21e:c9ff:fee0:123     :::*                                    -                   
udp        0      0 fe80::21e:c9ff:fee0:123     :::*                                    -                   
udp        0      0 ::1:123                     :::*                                    -                   
udp        0      0 :::123                      :::*  

Contents of ossec.conf from the OSSEC HIDS server

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <smtp_server>10.171.1.10</smtp_server>
    <email_from>[email protected]</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>

Firewall rules

 13M 3734M ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.9.1         multiport dports 123,514

Answer 1

If you assume the firewall is blocking the two, you can test the connection from the command line:

netcat -u servername 1514

Now, if you type some text, you should find a log message like the following on the OSSEC server side:

less /var/ossec/logs/ossec.log
2014/02/14 17:54:07 ossec-remoted(1403): ERROR: Incorrectly formated message from 'nn.nn.nn.nnn'.

As you can see, I use the OSSEC default port 1514 for communication. So, are you sure you are using port 514?

For step-by-step instructions on how to debug OSSEC connections, you can check my blog: How to debug OSSEC connections

Answer 2

I have seen questions related to OSSEC connectivity here and on other sites, but no proper answer.

Did you check the server log; does it show "Message from w.x.y.z not allowed"? This indicates (I think) an IP address mismatch. Messages from the agent are getting through, i.e. there is no firewall or NAT problem, but the server does not accept them.

The IP address mismatch seems to occur when a subnet is specified for the agent; it does not happen with a single IP address. When you create the agent key, suppose you specify the address 10.1.20.0/24 because the hosts rely on DHCP. You must add the <allowed-ips> tag to the ossec.conf file on the server:

<remote>
  <connection>secure</connection>
  <allowed-ips>10.1.20.0/24</allowed-ips>
</remote>

This tag is not created by default; adding it fixes the problem. You need to restart the OSSEC service with the following command:

/var/ossec/bin/ossec-control restart
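Answer 1 probes the UDP path with netcat and reads the server-side ossec.log; Answer 2 points at the "not allowed" line and the <allowed-ips> tag. The script below, added here as an example and not code from either answerer or from the OSSEC project, ties the two together: it classifies agent-side and server-side ossec.log lines into the failure modes discussed on this page and checks an agent's address against the <allowed-ips> entries with Python's ipaddress module. The regex for the "not allowed" line is an assumption built from Answer 2's paraphrase, and all sample log lines are constructed in the shape of the ones quoted above.

```python
import ipaddress
import re

# Regexes follow the shape of the ossec.log lines quoted on this page.
AGENT_NO_REPLY = re.compile(r"ossec-agentd\(\d+\): WARN: Waiting for server reply")
SERVER_BAD_FORMAT = re.compile(
    r"ossec-remoted\(\d+\): ERROR: Incorrectly formated message from '([^']+)'")
# Answer 2 only paraphrases this line; its exact wording is an assumption here.
SERVER_NOT_ALLOWED = re.compile(
    r"ossec-remoted(?:\(\d+\))?: WARN: Message from '?([0-9a-fA-F.:]+)'? not allowed")


def classify_line(line):
    """Return (category, source_ip) for a recognised failure line, else None."""
    if AGENT_NO_REPLY.search(line):
        return ("agent_no_reply", None)
    m = SERVER_BAD_FORMAT.search(line)
    if m:
        return ("server_bad_format", m.group(1))
    m = SERVER_NOT_ALLOWED.search(line)
    if m:
        return ("server_not_allowed", m.group(1))
    return None


def ip_allowed(agent_ip, allowed_ips):
    """True if agent_ip lies within any <allowed-ips> entry (single IP or CIDR)."""
    addr = ipaddress.ip_address(agent_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowed_ips)


def triage(agent_lines, server_lines, agent_ip, allowed_ips):
    """Combine agent-side and server-side evidence into one diagnosis string."""
    agent = [c for c in map(classify_line, agent_lines) if c]
    server = [c for c in map(classify_line, server_lines) if c]

    # Server saw the agent but rejected it: the <allowed-ips> case from Answer 2.
    if any(cat == "server_not_allowed" and ip == agent_ip for cat, ip in server):
        if ip_allowed(agent_ip, allowed_ips):
            return "rejected although <allowed-ips> matches: running config may be stale, restart OSSEC"
        return "agent IP outside <allowed-ips>: add its address or subnet and restart OSSEC"

    # Datagrams arrive but are not valid agent traffic (Answer 1's netcat probe produces this).
    if any(cat == "server_bad_format" for cat, _ in server):
        return "traffic reaches ossec-remoted but is not agent protocol: check the agent's key and port"

    # Agent keeps retrying and the server never logs anything from it.
    if any(cat == "agent_no_reply" for cat, _ in agent) and not server:
        return "no datagram reaches ossec-remoted: check the firewall for UDP/1514 and the server address"

    return "no recognised failure in the supplied log lines"


# Constructed sample input, modelled on the lines quoted in the question and Answer 2.
SAMPLE_AGENT_LOG = [
    "2013/02/23 15:38:30 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).",
    "2013/02/23 15:38:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.",
]
SAMPLE_SERVER_LOG = [
    "2013/02/23 15:38:52 ossec-remoted(1403): WARN: Message from '10.1.20.57' not allowed.",
]
SAMPLE_ALLOWED_IPS = []  # the tag is absent by default, as Answer 2 notes

if __name__ == "__main__":
    print(triage(SAMPLE_AGENT_LOG, SAMPLE_SERVER_LOG, "10.1.20.57", SAMPLE_ALLOWED_IPS))
```

Run it against the real files (`/var/ossec/logs/ossec.log` on both the agent and the server) by reading each into a list of lines and passing the agent's source address as seen by the server. The ordering of the checks matters: a server-side rejection is stronger evidence than agent-side retries, because it proves the datagrams are arriving and rules out the firewall.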

Answer 3

Go to the rids directory on the affected host and delete the ID of that host. For example, if the agent/client ID is 17, then:

rm -rf /var/ossec/queue/rids/17

Then restart the client:

service ossec-hids restart

Now check the status on the server; it will now be active.
