我已经在一台服务器上安装了 Ossec,并在 Redhat 上运行的其他一些服务器上安装了代理。问题是,一些服务器能够通信并将日志发送到服务器,而其他服务器则处于 INACTIVE 状态,即使我已经导入了安全密钥。
2013/02/23 15:34:34 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:38:30 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:38:30 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:38:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:43:05 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:43:05 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:43:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:47:58 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:47:58 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:48:19 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:53:09 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:53:09 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:53:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'.
2013/02/23 15:58:38 ossec-agentd: INFO: Trying to connect to server (192.168.109.1:1514).
2013/02/23 15:58:38 ossec-agentd: INFO: Using IPv4 for: 192.168.109.1 .
2013/02/23 15:58:59 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.109.1'
我咨询了安全团队,他们说主机和代理之间有防火墙。他们在服务器上启用了端口 514 UDP。但代理仍然无法与服务器通信
网络统计输出
[emerg@Monit ~]$ netstat -panu
(No info could be read for "-p": geteuid()=1344 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:32769 0.0.0.0:* -
udp 0 0 0.0.0.0:514 0.0.0.0:* -
udp 0 0 0.0.0.0:10000 0.0.0.0:* -
udp 0 0 0.0.0.0:657 0.0.0.0:* -
udp 0 0 0.0.0.0:660 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp 0 0 0.0.0.0:1514 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 0.0.0.0:631 0.0.0.0:* -
udp 0 0 10.1.1.109:123 0.0.0.0:* -
udp 0 0 192.168.109.1:123 0.0.0.0:* -
udp 0 0 127.0.0.1:123 0.0.0.0:* -
udp 0 0 0.0.0.0:123 0.0.0.0:* -
udp 0 0 :::32771 :::* -
udp 0 0 :::5353 :::* -
udp 0 0 fe80::21e:c9ff:fee0:123 :::* -
udp 0 0 fe80::21e:c9ff:fee0:123 :::* -
udp 0 0 ::1:123 :::* -
udp 0 0 :::123 :::*
来自 Ossec HIDS 服务器的 Ossec.conf 的内容
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>10.171.1.10</smtp_server>
<email_from>[email protected]</email_from>
</global>
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>apache_rules.xml</include>
"ossec.conf" 162L, 5585C
防火墙规则
13M 3734M ACCEPT udp -- * * 0.0.0.0/0 192.168.9.1 multiport dports 123,514
答案1
如果您假设防火墙阻止了两者,则可以在命令行上测试连接:
netcat -u servername 1514
现在,如果您输入一些文本,您应该在 OSSEC 服务器端找到如下日志消息:
less /var/ossec/logs/ossec.log
2014/02/14 17:54:07 ossec-remoted(1403): ERROR: Incorrectly formated message from 'nn.nn.nn.nnn'.
如您所见,我使用 OSSEC 默认端口 1514 进行通信。那么,您确定使用的是端口 514 吗?
有关如何调试 OSSEC 连接的分步说明,您可以查看我的博客,如何调试 OSSEC 连接。
答案2
我在这里和其他网站上看到了与 OSSEC 连接相关的问题,但没有合适的答案。
您是否检查了服务器日志,是否显示“不允许来自 wxyz 的消息”?这表明(我认为)IP 地址不匹配。来自代理的消息正在通过,即没有防火墙或 NAT 问题,但服务器不接受它们。
为代理指定子网时似乎会出现 IP 地址不匹配的情况;使用单个 IP 地址不会出现此问题。创建代理 exe 文件时,假设您指定地址 10.1.20.0/24,因为主机依赖于 DHCP。您必须在服务器上的 ossec.conf 文件中添加<allowed-ips>
标签:
<remote>
<connection>secure</connection>
<allowed-ips>10.1.20.0/24</allowed-ips>
</remote>
默认情况下不会创建此标签,添加此标签可以解决问题。您需要使用以下命令重新启动 OSSEC 服务:
/var/ossec/bin/ossec-control restart
答案3
进入受影响主机上的rids目录并删除该主机的ID。例如,如果代理/客户端 ID 为 17,则:
rm -rf /var/ossec/queue/rids/17
然后重启客户端:
service ossec-hids restart
现在检查服务器上的状态,它现在将处于活动状态。