ossec-authd fails to start when IPv6 is disabled on the OS (Linux)

[mostlyhacking]

Works fine with IPv6 enabled. When IPv6 is disabled completely, authd fails to start:

./ossec-authd -d -p 1515
ossec-authd: DEBUG: Starting ...
ossec-authd: INFO: Started (pid: 14459).
ossec-authd: DEBUG: Returning CTX for server.
getaddrinfo: Name or service not known
ossec-authd: Unable to bind to port 1515

Tested master branch on Ubuntu 14.04 and RHEL6. The 2.8.2 works fine.

[aquerubin]

On Tue, 9 Aug 2016, mostlyhacking wrote:

Works fine with IPv6 enabled. When IPv6 is disabled completely, authd
fails to start:

./ossec-authd -d -p 1515
ossec-authd: DEBUG: Starting ...
ossec-authd: INFO: Started (pid: 14459).
ossec-authd: DEBUG: Returning CTX for server.
getaddrinfo: Name or service not known
ossec-authd: Unable to bind to port 1515

Does getaddrinfo work at all when you disable IPv6? Are you using the
hostname of the server in ossec.conf or are you using it's IPv4
address? How are you disabling IPv6?

Antonio Querubin
e-mail: tony@lavanauts.org
xmpp: antonioquerubin@gmail.com

[mostlyhacking]

Everything else seems to work fine, including ossec itself.
It's a server install, so server address is not specified.
IPv6 can be disabled the following ways:
Ubuntu:
Create or edit the file /etc/sysctl.conf and add the following lines:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
Run the following command or reboot to apply the changes:
sysctl -p
https://benchmarks.cisecurity.org/tools2/linux/CIS_Ubuntu_14.04_LTS_Server_Benchmark_v1.0.0.pdf

RHEL6
Edit /etc/sysconfig/network, and add the following line:
NETWORKING_IPV6=no
IPV6INIT=no
Create the file /etc/modprobe.d/ipv6.conf and add the following lines:
options ipv6 disable=1
Perform the following command to turn ip6tables off:
/sbin/chkconfig ip6tables off
https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.1.0.pdf

[aquerubin]

On Tue, 9 Aug 2016, mostlyhacking wrote:

Everything else seems to work fine, including ossec itself.
It's a server install, so server address is not specified.
IPv6 can be disabled the following ways:

https://benchmarks.cisecurity.org/tools2/linux/CIS_Ubuntu_14.04_LTS_Server_Benchmark_v1.0.0.pdf

https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.1.0.pdf

If instead of disabling IPv6 completely (which may be breaking fundamental
functionality in getaddrinfo()), can you try following the instructions
only in sections 7.3.1-7.3.2 and 4.4.1.1-4.4.1.2 of the above docs?

Antonio Querubin
e-mail: tony@lavanauts.org
xmpp: antonioquerubin@gmail.com

[mostlyhacking]

Enabling IPv6 resulted in ossec-authd binding to the IPv6 inteface, which is not what I need. So, I disabled IPv6 support in OSSEC by changing line 52 to "hints.ai_family = AF_INET;". This not optimal, but seems to work so far.

[aquerubin]

Will using <local_ip></local_ip> in ossec.conf work for you instead of modifying the source?

Sent from my iPad

On Aug 11, 2016, at 04:42, mostlyhacking notifications@github.com wrote:

Enabling IPv6 resulted in ossec-authd binding to the IPv6 inteface, which is not what I need. So, I disabled IPv6 support in OSSEC by changing line 52 to "hints.ai_family = AF_INET;". This not optimal, but seems to work so far.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

[aquerubin]

Oh wait, that only applies to clients I think.

Sent from my iPad

On Aug 13, 2016, at 11:11, Antonio Querubin tony@lavanauts.org wrote:

Will using <local_ip></local_ip> in ossec.conf work for you instead of modifying the source?

Sent from my iPad

On Aug 11, 2016, at 04:42, mostlyhacking notifications@github.com wrote:

Enabling IPv6 resulted in ossec-authd binding to the IPv6 inteface, which is not what I need. So, I disabled IPv6 support in OSSEC by changing line 52 to "hints.ai_family = AF_INET;". This not optimal, but seems to work so far.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

[Wuk-jvi]

I have same problem on SLES12 SP1 OSSEC 2.9.0rc2, but with me both remoted and authd won't start if ipv6 is disabled. Everything else seems to work without problem.

ossec:/var/ossec/etc # /var/ossec/bin/ossec-remoted -V

OSSEC HIDS v2.9.0 - Trend Micro Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the Free Software Foundation. For more details, go to
http://www.ossec.net/main/license/

ossec:/var/ossec/etc # /var/ossec/bin/ossec-authd -V

OSSEC HIDS v2.9.0 - Trend Micro Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the Free Software Foundation. For more details, go to
http://www.ossec.net/main/license/

ossec:/var/ossec/etc #
ossec:/var/ossec/etc # sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
ossec:/var/ossec/etc #
ossec:/var/ossec/etc # /var/ossec/bin/ossec-remoted -d -f
2016/08/22 16:42:07 ossec-remoted: DEBUG: Starting ...
2016/08/22 16:42:07 ossec-remoted: INFO: Started (pid: 2619).
ossec:/var/ossec/etc # 2016/08/22 16:42:07 ossec-remoted: DEBUG: Forking remoted: '0'.
2016/08/22 16:42:07 getaddrinfo: Name or service not known
2016/08/22 16:42:07 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

ossec:/var/ossec/etc # /var/ossec/bin/ossec-authd -d
2016/08/22 16:42:19 ossec-authd: DEBUG: Starting ...
2016/08/22 16:42:19 ossec-authd: INFO: Started (pid: 2621).
2016/08/22 16:42:19 ossec-authd: DEBUG: Returning CTX for server.
2016/08/22 16:42:19 getaddrinfo: Name or service not known
2016/08/22 16:42:19 ossec-authd: Unable to bind to port 1515
ossec:/var/ossec/etc # sysctl -w net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.all.disable_ipv6 = 0

ossec:/var/ossec/etc # /var/ossec/bin/ossec-remoted -d -f
2016/08/22 16:42:43 ossec-remoted: DEBUG: Starting ...
2016/08/22 16:42:43 ossec-remoted: INFO: Started (pid: 2624).
ossec:/var/ossec/etc # 2016/08/22 16:42:43 ossec-remoted: DEBUG: Forking remoted: '0'.
2016/08/22 16:42:43 ossec-remoted: INFO: Started (pid: 2625).
2016/08/22 16:42:43 ossec-remoted: DEBUG: Running manager_init
2016/08/22 16:42:43 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '212992'.
2016/08/22 16:42:43 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
2016/08/22 16:42:43 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/08/22 16:42:43 ossec-remoted: DEBUG: OS_StartCounter.
2016/08/22 16:42:43 ossec-remoted: OS_StartCounter: keysize: 1
2016/08/22 16:42:43 ossec-remoted: INFO: No previous counter available for 'localhost'.
2016/08/22 16:42:43 ossec-remoted: INFO: Assigning counter for agent localhost: '0:0'.
2016/08/22 16:42:43 ossec-remoted: INFO: No previous sender counter.
2016/08/22 16:42:43 ossec-remoted: INFO: Assigning sender counter: 0:0
2016/08/22 16:42:43 ossec-remoted: DEBUG: OS_StartCounter completed.

ossec:/var/ossec/etc #
ossec:/var/ossec/etc # /var/ossec/bin/ossec-authd -d
2016/08/22 16:42:36 ossec-authd: DEBUG: Starting ...
2016/08/22 16:42:36 ossec-authd: INFO: Started (pid: 2623).
2016/08/22 16:42:36 ossec-authd: DEBUG: Returning CTX for server.
2016/08/22 16:42:36 ossec-authd: DEBUG: Going into listening mode.

[mattwwarren]

Has anyone found a workaround for this? Alternatively, I'll take a method to generate and distribute agent keys via ansible, which seems like a better way to manage this.

[mattwwarren]

Upon some further reading, I'm confused by the comment in the above linked line 52, which says, "Allow IPv4 and IPv6"

But that is clearly not the case

[root@(ossec)(cde-pilot)(us-west-2b) ~]# lsof -P | grep LISTEN
sshd      2402    root    3u     IPv4              10417       0t0        TCP *:22 (LISTEN)
sshd      2402    root    4u     IPv6              10422       0t0        TCP *:22 (LISTEN)
ossec-aut 2713    root    3u     IPv6              11688       0t0        TCP *:1515 (LISTEN)

Shouldn't the authd process also be listening on IPv4?

I am happy to open an additional bug to address that specific question but I suspect the causes are closely related.

[aquerubin]

On Wed, 8 Feb 2017, mattwwarren wrote: Upon some further reading, I'm confused by the comment in the above linked [line 52](https://github.com/ossec/ossec-hids/blob/master/src/os_net/os_net.c#L52), which says, "Allow IPv4 and IPv6" But that is clearly not the case `[root@(ossec)(cde-pilot)(us-west-2b) ~]# lsof -P | grep LISTEN sshd 2402 root 3u IPv4 10417 0t0 TCP *:22 (LISTEN) sshd 2402 root 4u IPv6 10422 0t0 TCP *:22 (LISTEN) ossec-aut 2713 root 3u IPv6 11688 0t0 TCP *:1515 (LISTEN)` Shouldn't the authd process also be listening on IPv4? I am happy to open an additional bug to address that specific question but I suspect the causes are closely related.

See RFC 3493, particularly sections 3.5-3.7, regarding use of a single socket and IPv4-mapped IPv6 addresses for backward compatibility with IPv4. On most OS, opening a single IPv6 socket is all that's needed to accept connections on both IPv4 or IPv6 addresses. However, not all OS comply with RFC 3493. Those that do not comply by default, eg. FreeBSD, usually provide some kind of knob that restores RFC compliance. In FreeBSD for example, setting ipv6_ipv4mapping="YES" in /etc/rc.conf restores RFC-3493 compliance. Regardless of whether an OS is enabled for IPv4-mapped addresses, an application can explicitly choose to create and bind to separate IPv4 and IPv6 sockets if the developer wishes to do things that way for whatever reasons. You can see this is the approach taken by sshd in your output dump above.

…

-- Antonio Querubin e-mail: tony@lavanauts.org xmpp: antonioquerubin@gmail.com

[dwendt]

@aquerubin
Can you just copy whatever flags opensshd uses for getaddrinfo (or rather, to bind separate ports), then? I didn't see this issue when I made a new one. I compiled without AI_V4MAPPED being defined, the alternative set of getaddrinfo flags were used, and everything worked fine.

#1145

[martydelaney3]

Is there any update on if this is planned to be reverted/patched?
We have ipv6 disabled in our environment for security compliance but would still really like to be able to utilize this method of registering agents.

[ddpbsd]

@martydelaney3 Did pull request #1259 not help with this at all?

[martydelaney3]

I'm running ossec-hids/ossec-hids-server version 2.9.2.
When testing authd I still receive the error 'getaddrinfo: Name or service not known'
If I then change the info in /etc/sysctl.conf, with
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
(from #1061)
it will then properly start authd.
Is pull request #1259 included within version 2.9.2?
If so it does not appear to have directly fixed the issue, or I have a configuration issue somewhere.
If it is not included in 2.9.2 then I'll just need to wait for it to be included in the next update.

[ddpbsd]

From a quick look at the source, I don't think it was included in 2.9.2. Testing it with master would be great.

[martydelaney3]

I'm attempting to test this but after installing from source, attempting to run ossec-authd gives me the error "ERROR: Not compiled. Missing OpenSSL support."
I'm running this from centOS 7.4 and have openssl-devel installed.

[ddpbsd]

I didn't have any issues using CentOS 7.3. Fresh VM, fresh checkout.

[root@jumpbox etc]# rpm -qa | grep openssl
openssl-libs-1.0.2k-8.el7.x86_64
openssl-devel-1.0.2k-8.el7.x86_64
openssl-1.0.2k-8.el7.x86_64

[martydelaney3]

After recreating vms and recompiling from scratch I am now able to start ossec-authd on the server installation.
I am however still experiencing an issue when I attempt to register an agent.
I have run 'ossec-authd -n' and then when pointing my client machine to the server with 'agent-auth -m server-ip' it errors out on the server with the message "ERROR: Invalid request for new agent from: 10.128.0.4"
Any tips on what could be occurring here?

[phamvuong]

Is there any progress on this bug ? As mentioned by martydelaney3, IPv6 is disabled for security issue, so I'm looking for new release or any workaround for this.

[ddpbsd]

@phamvuong Have you tried MASTER?

[phamvuong]

@ddpbsd thank you very much for your reply. I have tested on master and it works well now. However, my system does not allow to compile from source. Do you have any release plan for this bug ?

[atomicturtle]

I just backported this into the 2.9.3 branch, we're working up a release for this now

[packetfairy]

It's been a couple months since the last update on this issue. Can we please get an ETA on a fixed release? It seems like packages in the repo still exhibit this error.

[aquerubin]

I believe this was fixed in the latest release but the repos may not be up to date. Tony

…

On Feb 15, 2018, at 16:24, rob cascella ***@***.***> wrote: It's been a couple months since the last update on this issue. Can we please get an ETA on a fixed release? It seems like packages in the repo still exhibit this error. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[ddpbsd]

@packetfairy You're still seeing this issue with 2.9.3? Does it work with master?

[phamvuong]

As mentioned in this comment, the fix has been merged but not included in 2.9.3
freedomofpress/securedrop#2136 (comment)

[ddpbsd]

Thanks.

[smith3v]

Thank you for the fix in 2.9.3. It seems it doesn't work for some ossec components. I observe the following log records:

2018/04/04 16:57:52 getaddrinfo: Name or service not known
2018/04/04 16:57:52 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
...
2018/04/07 17:27:15 ossec-authd: INFO: Started (pid: 9065).
2018/04/07 17:27:15 getaddrinfo: Name or service not known
2018/04/07 17:27:15 ossec-authd: Unable to bind to port 1515

I'm using Ubuntu 14.04 LTS and OSSEC 2.9.3

# dpkg -l | grep ossec
ii  ossec-hids-server                2.9.3-3861trusty                           amd64        OSSEC Server - Host Based Intrusion Detection System

Anybody else observe the issue?