Help with OSSEC HIDS rules

Hello,

I keep getting the following email notification from the OSSEC server.
Code:
OSSEC HIDS Notification.
2015 Mar 24 21:10:29

Received From: trinity->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 24 21:10:27 trinity smtpd[1161]: smtp-out: Error on session 82cbe6af7d343823: Connection failed: No route to host



--END OF NOTIFICATION
This message occurs because I relay my email to Gmail. By default, the system tries to connect to the Google mail server via IPv6. As I don't have IPv6 set up on my machine, it then goes on to connect via IPv4 and the message gets sent successfully...

I have tried to disable IPv6 but without success...
/etc/rc.conf
Code:
ip6addrctl_enable="NO"
In order to stop receiving this email notification, I thought of adding the following rule to my rules/local_rules.xml
Code:
<rule id="ID" level="0">
  <if_sid>1002</if_sid>
  <program_name>^smtpd</program_name>
  <match>Connection failed: No route to host</match>
  <description>Ignore no route to host errors</description>
</rule>
The problem with the above is that it will permanently disable all "No route to host" errors, including IPv4....

My understanding is that I need to use the accumulator functionality to keep track of the information between log messages.
I looked at the syntax on the ossec-docs.readthedocs.org website here but I don't really understand it all...

This is the output of cat /var/log/maillog | grep smtpd:
Code:
Mar 24 22:00:06 webjail smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c05::6c:587 (wi-in-x6c.1e100.net) on session 82cbe6b6bc60037c...
Mar 24 22:00:06 webjail smtpd[1161]: smtp-out: Error on session 82cbe6b6bc60037c: Connection failed: No route to host
Mar 24 22:00:06 webjail smtpd[1161]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c05::6c (wi-in-x6c.1e100.net) for 800s
Mar 24 22:00:08 webjail smtpd[1161]: smtp-out: Connecting to tls://173.194.67.108:587 (wi-in-f108.1e100.net) on session 82cbe6b7b9412046...
Mar 24 22:00:08 webjail smtpd[1161]: smtp-out: Connected on session 82cbe6b7b9412046
Mar 24 22:00:08 webjail smtpd[1161]: smtp-out: Started TLS on session 82cbe6b7b9412046: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
Mar 24 22:00:09 webjail smtpd[1161]: smtp-out: Server certificate verification succeeded on session 82cbe6b7b9412046
Mar 24 22:00:10 webjail smtpd[1161]: relay: Ok for 6e3c8e546ed38fc1: session=82cbe6b7b9412046, from=<root@webjail.mycompagny.ltd>, to=<myemailaddress@gmail.com>, rcpt=<->, source=192.168.o.145, relay=173.194.67.108 (wi-in-f108.1e100.net), delay=4s, stat=250 2.0.0 OK 1427234410 g2sm4406727wib.1 - gsmtp
Mar 24 22:00:20 webjail smtpd[1161]: smtp-out: Closing session 82cbe6b7b9412046: 1 message sent.
Could anyone help me on this one please?
 
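What the poster is after is correlation across log lines, keyed on the smtpd session ID: the "No route to host" error should only be ignored when that same session's earlier "Connecting to" line shows an IPv6 literal. A single-line `<match>` cannot see the earlier line, which is why the level-0 rule above also hides genuine IPv4 failures. The following is an added example (not from the original post, not OSSEC code) that implements that correlation in Python over a constructed sample log: the first six lines are modelled on the maillog excerpt quoted in the thread, and the last three are invented to show an IPv4 failure and an error for a session that was never seen connecting, both of which must still produce an alert. The `Closing session` handling is an assumption about OpenSMTPD's log format taken from the posted excerpt.

```python
import re

# Constructed sample: lines 1-6 are modelled on the maillog excerpt quoted in
# the thread; lines 7-9 are invented to exercise the cases that must still
# alert (an IPv4 target, and a session with no preceding Connecting line).
SAMPLE_LOG = """\
Mar 24 22:00:06 webjail smtpd[1161]: smtp-out: Connecting to tls://IPv6:2a00:1450:400c:c05::6c:587 (wi-in-x6c.1e100.net) on session 82cbe6b6bc60037c...
Mar 24 22:00:06 webjail smtpd[1161]: smtp-out: Error on session 82cbe6b6bc60037c: Connection failed: No route to host
Mar 24 22:00:06 webjail smtpd[1161]: smtp-out: Disabling route [] <-> IPv6:2a00:1450:400c:c05::6c (wi-in-x6c.1e100.net) for 800s
Mar 24 22:00:08 webjail smtpd[1161]: smtp-out: Connecting to tls://173.194.67.108:587 (wi-in-f108.1e100.net) on session 82cbe6b7b9412046...
Mar 24 22:00:08 webjail smtpd[1161]: smtp-out: Connected on session 82cbe6b7b9412046
Mar 24 22:00:20 webjail smtpd[1161]: smtp-out: Closing session 82cbe6b7b9412046: 1 message sent.
Mar 24 22:01:00 webjail smtpd[1161]: smtp-out: Connecting to tls://192.0.2.25:587 (mx.example.invalid) on session 0000000000000001...
Mar 24 22:01:00 webjail smtpd[1161]: smtp-out: Error on session 0000000000000001: Connection failed: No route to host
Mar 24 22:01:05 webjail smtpd[1161]: smtp-out: Error on session ffffffffffffffff: Connection failed: No route to host
"""

# "Connecting to <scheme>://<host>:<port> (<name>) on session <id>..."
# The host part of an IPv6 target is logged as "IPv6:<address>".
CONNECT_RE = re.compile(
    r"smtp-out: Connecting to \w+://(?P<target>\S+?):\d+ .* on session (?P<sid>[0-9a-f]+)"
)
ERROR_RE = re.compile(
    r"smtp-out: Error on session (?P<sid>[0-9a-f]+): Connection failed: No route to host"
)
CLOSE_RE = re.compile(r"smtp-out: Closing session (?P<sid>[0-9a-f]+):")


def classify_failures(log_text):
    """Walk the log once, remembering the target of each smtp-out session.

    Returns a list of (session_id, decision, target) for every
    'No route to host' error. decision is 'suppress' when the session's
    own Connecting line shows an IPv6 literal (the benign IPv6-then-IPv4
    fallback described in the thread) and 'alert' otherwise.
    """
    targets = {}   # session id -> host the session tried to reach
    results = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            targets[m.group("sid")] = m.group("target")
            continue
        m = ERROR_RE.search(line)
        if m:
            sid = m.group("sid")
            target = targets.get(sid)
            if target is not None and target.startswith("IPv6:"):
                results.append((sid, "suppress", target))
            else:
                # IPv4 target, or a session we never saw connect: keep the
                # alert. A stateless match on the error text would hide both.
                results.append((sid, "alert", target))
            continue
        m = CLOSE_RE.search(line)
        if m:
            # Forget closed sessions so the table does not grow without bound.
            targets.pop(m.group("sid"), None)
    return results


if __name__ == "__main__":
    for sid, decision, target in classify_failures(SAMPLE_LOG):
        print(f"{decision:8s} session={sid} target={target}")
```

Run stand-alone it prints one line per error: the IPv6 session is suppressed, the constructed IPv4 failure and the orphan session are both reported. The same shape (keep a small table keyed on the session ID, decide at the error line) is what any pre-filter in front of the alerting pipeline needs, whatever tool ends up hosting it.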
To disable IPv6, try adding the following entries to /etc/rc.conf:

Code:
ip6addrctl_policy="ipv4_prefer" # Use IPv4 instead of IPv6
ipv6_activate_all_interfaces="NO" # Do not automatically add IPv6 addresses
You might have to reboot for the changes to take effect.
 
Hi youngunix,

I set the following in my rc.conf file and restarted the server
Code:
ip6addrctl_enable="NO"
ip6addrctl_policy="ipv4_prefer" # Use IPv4 instead of IPv6
ipv6_activate_all_interfaces="NO" # Do not automatically add IPv6 addresses

I still get the following email from OSSEC
Code:
OSSEC HIDS Notification.
2015 Mar 30 12:10:29

Received From: trinity->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 30 12:10:28 trinity smtpd[1168]: smtp-out: Error on session 4dd6bf71c563cea8: Connection failed: No route to host



--END OF NOTIFICATION

I have been told that I could disable IPv6 in the kernel but I am not sure if I should or not.
Any advice?
 
Yes, you can disable IPv6 through the kernel by adjusting its configuration file and rebuilding it. However, I would either leave it as a last resort or if you really know what you are doing.
In this situation, I think that IPv6 might not be the problem but let's find out if it is disabled or not. Run the following:

# ifconfig | egrep inet6
 
Thank you for your help youngunix
Here is the information..
ifconfig | egrep inet6
Code:
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet6 fe80::f24d:a2ff:fe00:5602%tun0 prefixlen 64 scopeid 0x9
 
Post the full output of ifconfig -a inet6. Every interface except lo0 should have the IFDISABLED flag set if IPv6 is properly disabled. If this is the case then there's a bug in the OSSEC software that makes it believe that IPv6 is enabled when it's not.
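The check kpa describes (every IPv6-capable interface other than lo0 should carry IFDISABLED in its nd6 options) is easy to get wrong by eye on a box with a lagg and several NICs. The following is an added example, not code from the thread, that parses `ifconfig -a inet6` output and lists the interfaces where IPv6 is still enabled. The sample text is constructed from the output the poster provides later in the thread; interfaces with no nd6 line at all (pflog0, pfsync0) are treated as not IPv6-capable rather than as enabled.

```python
import re

# Constructed sample, taken from the `ifconfig -a inet6` output posted later
# in this thread (bce2/bce3 omitted for brevity; they match bce0/bce1).
SAMPLE_IFCONFIG = """\
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
pfsync0: flags=0<> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::f24d:a2ff:fe00:5602%tun0 prefixlen 64 scopeid 0x9
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 1163
"""

# An interface block starts at column 0 with "<name>: flags=..."; the lines
# that belong to it are indented.
IFACE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.]+): flags=")
ND6_RE = re.compile(r"^\s+nd6 options=[0-9a-f]+<(?P<opts>[^>]*)>")
ADDR_RE = re.compile(r"^\s+inet6 (?P<addr>\S+)")


def parse_ifconfig_inet6(text):
    """Return {iface: {"ifdisabled": True/False/None, "addrs": [...]}}.

    ifdisabled is None when the interface printed no nd6 line at all,
    i.e. it is not an IPv6-capable interface.
    """
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            ifaces[current] = {"ifdisabled": None, "addrs": []}
            continue
        if current is None:
            continue
        m = ND6_RE.match(line)
        if m:
            opts = m.group("opts").split(",")
            ifaces[current]["ifdisabled"] = "IFDISABLED" in opts
            continue
        m = ADDR_RE.match(line)
        if m:
            ifaces[current]["addrs"].append(m.group("addr"))
    return ifaces


def ipv6_enabled_interfaces(text, ignore=("lo0",)):
    """Names of interfaces that have an nd6 line without IFDISABLED."""
    return sorted(
        name for name, info in parse_ifconfig_inet6(text).items()
        if name not in ignore and info["ifdisabled"] is False
    )


if __name__ == "__main__":
    import subprocess, sys
    # Parse live output when run on a FreeBSD host, the sample otherwise.
    try:
        text = subprocess.run(["ifconfig", "-a", "inet6"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_IFCONFIG
    enabled = ipv6_enabled_interfaces(text)
    print("IPv6 still enabled on:", ", ".join(enabled) or "nothing")
    sys.exit(1 if enabled else 0)
```

On the sample this reports only tun0, which is exactly the conclusion the thread reaches by hand; the non-zero exit makes it usable as a post-boot check that the rc.conf settings and any up/down scripts agree.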
 
That clearly indicates that IPv6 is not disabled, because that command should return nothing.
ifconfig -a inet6

If ifconfig works like it does in Linux (and I don't see why it wouldn't), that command will return an error.
 
No, that's not true on FreeBSD. With IPv6 disabled there are still link-local addresses on the interfaces and ifconfig inet6 will still return information about the IPv6 configuration on the interfaces. It's the IFDISABLED flag that determines if IPv6 is on or off on a particular interface.

Many commands in FreeBSD like ifconfig(8) have totally different origins and history compared to their Linux counterparts; you can't assume that they work the same in many cases.
 
Now that you mentioned that, I recall how annoying it is when working on one and switching to the other. However, some utilities do work the same on both.
As for the problem at hand, I think that IPv6 should be disabled with the options added to /etc/rc.conf and rebooting of course, but OSSEC might have some misconfiguration somewhere.
We'll wait on OP's response and see.
 
Hi youngunix
There is no bug in OSSEC, as it gets the info from the log files.
Maybe a bug with mail/opensmtpd.

ifconfig -a inet6
Code:
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bce2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bce3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
pfsync0: flags=0<> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::f24d:a2ff:fe00:5602%tun0 prefixlen 64 scopeid 0x9
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 1163

I use lagg0 as Failover Mode
/etc/rc.conf
Code:
### lagg Failover Mode
ifconfig_bce0="up"
ifconfig_bce1="up"
defaultrouter="192.168.1.1"
cloned_interfaces="lagg0"
# LACP
ifconfig_lagg0="inet 192.168.1.185 netmask 255.255.255.0 laggproto lacp laggport bce0 laggport bce1"

ip6addrctl_enable="NO"
ip6addrctl_policy="ipv4_prefer"  # Use IPv4 instead of IPv6
ipv6_activate_all_interfaces="NO"  # Do not automatically add IPv6 addresses

tun0 is my OpenVPN VPN tunnel

So from what kpa is saying, IPv6 is disabled on my system except for my tun0 interface.

How do I disable it without compiling a custom kernel?
Here is my openvpn.conf file
Code:
local 192.168.1.185
port 1194

#client-config-dir clients

script-security 2
setenv-safe wan lagg0
#setenv-safe wan bce0
up /usr/local/etc/openvpn/up.sh
down /usr/local/etc/openvpn/down.sh

proto udp
dev tun

ca ca.crt
cert trinity.crt
key trinity.key
dh dh1024.pem

#server 192.168.10.0 255.255.255.0
server 10.8.20.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"

keepalive 10 120
cipher BF-CBC
comp-lzo

max-clients 2

user nobody
group nobody

persist-key
persist-tun
status       openvpn-status.log
log-append   /var/log/openvpn.log
verb 6
mute 20

Thank you
 
I think you're using a /usr/local/etc/openvpn/up.sh script that enables IPv6 for the tun(4) interface. There's probably something like:
Code:
/sbin/ifconfig ${dev} inet6 -ifdisabled
Remove that line and IPv6 should then be disabled properly after restarting OpenVPN. Alternatively you can change the line to this so that IPv6 is for sure disabled regardless of the initial state:
Code:
/sbin/ifconfig ${dev} inet6 ifdisabled
You can turn off IPv6 for tun0 on the fly without restarting security/openvpn simply by:

ifconfig tun0 inet6 ifdisabled
 
Hi kpa

This is the content of my openvpn/up.sh
Code:
#!/bin/sh

ANCHOR="openvpn"

#/sbin/ifconfig ${dev} inet6 -ifdisabled

# Reload the pf anchor for the tunnel; ${dev}, ${OPENVPN_wan} and
# ${local_port_1} are set in the environment by OpenVPN.
/sbin/pfctl -a ${ANCHOR} -F rules
/sbin/pfctl -a ${ANCHOR} -F nat
/sbin/pfctl -a ${ANCHOR} -f - <<EOT
nat on ${OPENVPN_wan} inet from ${dev}:network to any -> (${OPENVPN_wan}:0) port 1024:65535
pass quick on ${dev} all
pass in quick on ${OPENVPN_wan} inet proto udp from any to (${OPENVPN_wan}) port ${local_port_1}
EOT

If I remember correctly, you gave me this code when I was setting up OpenVPN :)
 
Yes I remember now, I gave you the up/down scripts a while ago. You could change the commented out line to read:
Code:
/sbin/ifconfig ${dev} inet6 ifdisabled
Also check the down.sh script for a similar line, I can't remember what it did exactly right now.
 