Post ArzANUsYGoHALNaKfI by verita84@shit.poster.place
 (DIR) Post #Arz68J41W3a9XXS52W by phil@fed.bajsicki.com
       2025-03-12T16:49:28.808Z
       
       0 likes, 0 repeats
       
       I have a very strange issue with my VPS. I am setting up wazuh for my personal use, and while the software seems to run just great, I'm unable to connect agents to it.
       1. Wazuh does bind the ports (1514, 1515) properly. At least, netstat tells me so.
       2. I can tcpdump on these ports, and see activity on 1515 (agent registration port).
       3. The SYN packets never get a response from my VPS.
       It's like Wazuh is binding the ports, but isn't getting the packets or responding to them. I'm completely out of ideas. The Wazuh community Discord has been unhelpful, so far. I suspect ghosts. Any help? #wazuh #sysadmin #linux #selfhosted
       
 (DIR) Post #Arz68SiPdGElTPPxk8 by verita84@shit.poster.place
       2025-03-12T16:50:08Z
       
       0 likes, 0 repeats
       
       @phil ss -tlnp
       Make sure it's listening on the right interface
       
 (DIR) Post #Arz6Dx5Y8Ilb7crF0i by i@declin.eu
       2025-03-12T16:51:11.150847Z
       
       0 likes, 0 repeats
       
       @verita84 @phil and that there's no default firewalling getting in the way
       
 (DIR) Post #Arz6I7cmtyeYxQOQdc by verita84@shit.poster.place
       2025-03-12T16:51:54Z
       
       0 likes, 0 repeats
       
       @i @phil And selinux/app armor
       
 (DIR) Post #Arz6T8ROCwMWfrJTCC by phil@fed.bajsicki.com
       2025-03-12T16:52:17.860Z
       
       0 likes, 0 repeats
       
       @i@declin.eu @verita84@shit.poster.place Already done, as I mentioned, the SYN packets from the agents are hitting the VPS, it's just that there's no response. No issues that I can spot in ufw and iptables.
       
 (DIR) Post #Arz6TIhi37MIVN1e1Q by verita84@shit.poster.place
       2025-03-12T16:53:53Z
       
       0 likes, 0 repeats
       
       @phil @i Is selinux/app armor running?
       
 (DIR) Post #Arz6md0Enq0gxkuME4 by phil@fed.bajsicki.com
       2025-03-12T16:55:05.979Z
       
       0 likes, 0 repeats
       
       @verita84@shit.poster.place @i@declin.eu It's clear as far as I can tell. I already checked everything I could think of.
       
 (DIR) Post #Arz6meU3ITS9YVrgKu by i@declin.eu
       2025-03-12T16:57:26.601396Z
       
       0 likes, 0 repeats
       
       @phil @verita84 maybe there's some authentication configuration you're supposed to do and missed, no logging off the server/agents either?
       
 (DIR) Post #Arz6pvXcKlvLKM5tZo by verita84@shit.poster.place
       2025-03-12T16:57:59Z
       
       0 likes, 0 repeats
       
       @phil @i Are the ports listening on the public IP or 0.0.0.0? If it's on localhost or 127.0.0.1, that can be the problem
       
 (DIR) Post #Arz70T0wjkNy2Pq2S0 by phil@fed.bajsicki.com
       2025-03-12T16:59:07.583Z
       
       0 likes, 0 repeats
       
       @verita84@shit.poster.place @i@declin.eu Hm, that's a great point. I had assumed it's fine to localhost it, but I'll double-check.
       
 (DIR) Post #Arz70d8l5YZnRXZQ12 by verita84@shit.poster.place
       2025-03-12T16:59:55Z
       
       0 likes, 0 repeats
       
       @phil @i ss -tlnp
       
 (DIR) Post #Arz7xagTrcHuuYSSWG by phil@fed.bajsicki.com
       2025-03-12T17:04:06.077Z
       
       0 likes, 0 repeats
       
       @verita84@shit.poster.place @i@declin.eu Bound to 0.0.0.0:1515 and 1514... it should work, every other service I run, including the fedi instance I use, works... I'm baffled.
       
 (DIR) Post #Arz7xl4bEnWT8ForVA by verita84@shit.poster.place
       2025-03-12T17:10:37Z
       
       0 likes, 0 repeats
       
       @phil @i sudo apparmor_status
       
 (DIR) Post #Arz8DyVd3DITR7C8f2 by phil@fed.bajsicki.com
       2025-03-12T17:12:51.434Z
       
       0 likes, 0 repeats
       
       @verita84@shit.poster.place @i@declin.eu Don't see anything there related to Wazuh.
       
 (DIR) Post #Arz8E8LiSvJFxGdMbA by verita84@shit.poster.place
       2025-03-12T17:13:34Z
       
       0 likes, 0 repeats
       
       @phil @i It's running so... disable it to see if that's interfering
       
 (DIR) Post #Arz8i8ijeKtznHi0i8 by phil@fed.bajsicki.com
       2025-03-12T17:18:12.784Z
       
       0 likes, 0 repeats
       
       @verita84@shit.poster.place @i@declin.eu Nope, still same thing. All syn packets, all inbound, nothing outbound.
       
 (DIR) Post #Arz8iIvrgNLXStvdZ2 by verita84@shit.poster.place
       2025-03-12T17:19:01Z
       
       0 likes, 0 repeats
       
       @phil @i So you rebooted to properly disable apparmor?
       
 (DIR) Post #Arz8mgfdMlysFKQW1o by verita84@shit.poster.place
       2025-03-12T17:19:50Z
       
       0 likes, 0 repeats
       
       @phil @i Would be interesting to see if you can curl/telnet remotely to those ports
       
 (DIR) Post #Arz90RBJkbZIGJnqhU by phil@fed.bajsicki.com
       2025-03-12T17:21:29.398Z
       
       0 likes, 0 repeats
       
       @verita84@shit.poster.place @i@declin.eu I restarted the services, can't reboot as I'm reliant on this server being up lol. I guess a bit of downtime won't hurt, brb.
       
 (DIR) Post #Arz90bKtzpB1kwMe1o by verita84@shit.poster.place
       2025-03-12T17:22:20Z
       
       0 likes, 0 repeats
       
       @phil @i Make sure that app armor isn't running after reboot
       
 (DIR) Post #Arz9ZrbpU9bGMT61uC by phil@fed.bajsicki.com
       2025-03-12T17:25:53.858Z
       
       0 likes, 0 repeats
       
       @verita84@shit.poster.place @i@declin.eu Not running, no. Still the same behavior, SYN packets hitting, but never SYNACK.
       
 (DIR) Post #Arz9a210nNgYdSxHXs by verita84@shit.poster.place
       2025-03-12T17:28:42Z
       
       0 likes, 0 repeats
       
       @phil @i Looking like something wrong on the application side now
       Can you curl a web interface on the VPS for the app to see if it's really working?
       
 (DIR) Post #ArzANKbsRwzoUlhsHo by phil@fed.bajsicki.com
       2025-03-12T17:35:42.810Z
       
       0 likes, 0 repeats
       
       @verita84@shit.poster.place @i@declin.eu Well, the webui works through the API, and it works just fine. But trying to curl into it, I get "connection reset by peer", for some reason. I can still see the packets in tcpdump, but it resets. Very confused.
       
 (DIR) Post #ArzANUsYGoHALNaKfI by verita84@shit.poster.place
       2025-03-12T17:37:40Z
       
       0 likes, 0 repeats
       
       @phil @i Does the app have some kind of ip allow or blacklist ?
       
 (DIR) Post #ArzAm5j2vVnhZVrm4W by phil@fed.bajsicki.com
       2025-03-12T17:41:14.164Z
       
       0 likes, 0 repeats
       
       @verita84@shit.poster.place @i@declin.eu Not as far as I know. Even if it did, why would my home IP be blocked by default?
       
 (DIR) Post #ArzAmFdO5PDSIrIOdk by verita84@shit.poster.place
       2025-03-12T17:42:09Z
       
       0 likes, 0 repeats
       
       @phil @i Some apps do that for security, only this range of IPs can connect
       
 (DIR) Post #ArzCpfBtivGiLJBzaS by phil@fed.bajsicki.com
       2025-03-12T17:47:14.618Z
       
       0 likes, 0 repeats
       
       @verita84@shit.poster.place @i@declin.eu Nope, nothing referring to my IP, ISP, hostname, etc. etc. in the config files.
       
 (DIR) Post #ArzCpgL9S0GTuIWteK by phil@fed.bajsicki.com
       2025-03-12T17:57:36.205Z
       
       0 likes, 0 repeats
       
       @verita84@shit.poster.place @i@declin.eu Even stranger, running the wazuh-authd daemon in the foreground with debugging enabled, on port 1516, and then curling into it from localhost, I get this... It's like the packets are hitting the system, but not being routed to the actual application. I have zero clue.
       
 (DIR) Post #ArzCph98SAFOPJuoYi by i@declin.eu
       2025-03-12T18:05:09.965669Z
       
       0 likes, 0 repeats
       
       @phil @verita84 those ports aren't for http requests, so it's understandable why curl would say the port isn't connecting
       
 (DIR) Post #ArzD7Y80im6jeOu2zo by phil@fed.bajsicki.com
       2025-03-12T18:06:17.114Z
       
       0 likes, 0 repeats
       
       @i@declin.eu @verita84@shit.poster.place Sure, but the problem is, the wazuh-agent isn't connecting either.
       
 (DIR) Post #ArzD7ZCIkJ8MxzuzK4 by i@declin.eu
       2025-03-12T18:08:26.358084Z
       
       0 likes, 0 repeats
       
       @phil @verita84 try going through the https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/troubleshooting.html maybe
       
 (DIR) Post #ArzDrN9JsAE8vAMhxw by phil@fed.bajsicki.com
       2025-03-12T18:15:15.540Z
       
       0 likes, 0 repeats
       
       @i@declin.eu @verita84@shit.poster.place Already done. I've been on this for two days, I'm genuinely convinced it's ghosts.
       
 (DIR) Post #ArzDrOLPQhUYcx1sRs by i@declin.eu
       2025-03-12T18:16:43.275619Z
       
       0 likes, 0 repeats
       
       @phil @verita84 try the docker deployment method then, so the ghussy is contained
       
 (DIR) Post #ArzEEmcvJX4AbANL3g by vokainen099@cawfee.club
       2025-03-12T18:21:00.511419Z
       
       0 likes, 0 repeats
       
       @phil @i @verita84 Indeed, depending on your iptables/nftables ruleset, you can indeed do a lot of funky things with your firewall. You should check what your installed firewall (if any) or your filtering ruleset are doing
       
 (DIR) Post #ArzGVVNgt07jwXLs9I by verita84@shit.poster.place
       2025-03-12T18:46:22Z
       
       0 likes, 0 repeats
       
       @vokainen099 @i @phil Yeah, check ufw, nftables, iptables
       One of those may be the culprit
       
 (DIR) Post #ArzGjHqxykyQ2dcJLU by vokainen099@cawfee.club
       2025-03-12T18:48:57.143480Z
       
       0 likes, 0 repeats
       
       @verita84 @i @phil If you actually have a firewall installed, you need to find it and check what it is doing. If not, and your kernel-based IP filtering works through iptables/nftables (there should be a service enabled for those if that's the case), you'll need to find out what the ruleset is stating, and boy oh boy they have pesky syntax
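
The last few posts all come down to "read the ruleset", which is tedious by hand, so here is an added example, not from the thread, that answers one narrow question from `iptables -S` output: what does the INPUT chain do with a new connection to a given port? The ruleset is constructed for the example (and deliberately contains a DROP limited to one source range, the kind of rule that is easy to miss). Assumptions: `iptables -S` syntax, first-match semantics, and the chain policy as the fallback; the script only looks at `--dport` rules and ignores interface, source and conntrack matches except for showing the rule text, so it is a first pass, not a substitute for reading the matched rule.

```shell
#!/bin/sh
# Added example: first-match lookup of the INPUT chain for a TCP port, from
# `iptables -S` output. SAMPLE_RULES is constructed for this example.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1514 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 1515 -j DROP'

# input_verdict PORT [RULES]
# Prints the target of the first INPUT rule carrying "--dport PORT"
# (accept / drop / reject ...), or "policy-<chain policy>" if no rule matches.
input_verdict() {
    port=$1
    input=${2:-$SAMPLE_RULES}
    printf '%s\n' "$input" | awk -v p="$port" '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" && !done {
            hit = 0; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport" && $(i+1) == p) hit = 1
                if ($i == "-j") target = $(i+1)
            }
            if (hit) { done = 1; verdict = target }
        }
        END {
            if (done) print tolower(verdict)
            else print "policy-" tolower(policy)
        }'
}

# matching_rule PORT [RULES]
# Prints the full text of that first matching rule so any -s / -i / -m
# qualifier on it is visible, or a note that only the chain policy applies.
matching_rule() {
    port=$1
    input=${2:-$SAMPLE_RULES}
    printf '%s\n' "$input" | awk -v p="$port" '
        $1 == "-A" && $2 == "INPUT" {
            for (i = 3; i < NF; i++)
                if ($i == "--dport" && $(i+1) == p) { found = 1; print; exit }
        }
        END { if (!found) print "(no --dport rule; chain policy applies)" }'
}

# The ports from the thread: 1514 (agent traffic), 1515 (enrollment), 1516 (the
# poster's foreground authd test port).
for p in 1514 1515 1516; do
    printf 'port %s: %s\n    %s\n' "$p" "$(input_verdict "$p")" "$(matching_rule "$p")"
done
```

On the VPS itself: `input_verdict 1515 "$(sudo iptables -S)"`. Note that `policy-drop` with no rule for the port is just as silent as an explicit DROP, and that ufw installs its own chains (the `-A INPUT -j ufw-user-input` style jumps), so when ufw is in use the rule to read usually lives in `ufw-user-input` rather than directly in INPUT. Hosts that have moved to nftables need `nft list ruleset` instead; the syntax differs, but the question to ask of the output is the same.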