Ispconfig & Ossec

[akaiser]

Hi,

I've installed on my server OSSEC following the howto. When I create a site in IspConfig the directories are created with user www-data & group web(number) - also some have root - root.

The strange thing is that when I create a user with IspConfig for the site the folders are changed to wired users & groups, for example followings:

web3: web3_info - web3 (this seems to be correct)
web6: web5_internet - ossec
web7: ossec - web7
web8: ossecm - web8

web5 was a test site, I deleted it and after that: web6: web6_admin - ossec

These are the users created in ispconfig: web3_info, web6_admin, web7_webmail, web8_mailing (all these user have admin rights in IspConfig)

I've been playing around, for example at web7 I created a second user/email with the name web7_spam, when I gave this user administrator the folder changed to web7_spam - web7. But after changing web7_webmail to administrator: ossec - web7 (when no user is administrator www-data - web7)

The ossec group was created by OSSEC HIDS (http://www.howtoforge.com/intrusion_...ith_ossec_hids)

[vogelor]

i also installed OSSEC at my server -> same problem!

but don't know what do do

[till]

OSSEC has never been tested with ISPConfig, it seems that ossec is replacing some users and groups in /etc/passwd and /etc/group.

[vogelor]

Hi till!
for me, this is not a problem, because i only tested it after reading, there were some problems. this is only at my testing-server i format all 4-5 days after testing some things.

so only for your information (nothing more):

group:

Code:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:admin
fax:x:21:
voice:x:22:
cdrom:x:24:admin
floppy:x:25:admin
tape:x:26:
sudo:x:27:
audio:x:29:admin
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:admin
sasl:x:45:
plugdev:x:46:admin
staff:x:50:
games:x:60:
users:x:100:web14_tre,web14_ov,web14_test,web14_test2
nogroup:x:65534:
crontab:x:101:
Debian-exim:x:102:
admin:x:1000:
ssh:x:103:
bind:x:104:
mysql:x:105:
postfix:x:106:
postdrop:x:107:
admispconfig:x:1001:admispconfig
web8:x:10008:admispconfig
web9:x:10009:admispconfig
web14:x:10014:admispconfig,web14_km
ossec:x:10015:

passwd

Code:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
admin:x:1000:1000:Administrator,,,:/home/admin:/bin/bash
identd:x:100:65534::/var/run/identd:/bin/false
sshd:x:101:65534::/var/run/sshd:/bin/false
fetchmail:x:103:65534::/var/run/fetchmail:/bin/sh
bind:x:104:104::/var/cache/bind:/bin/false
mysql:x:105:105:MySQL Server,,,:/var/lib/mysql:/bin/false
postfix:x:106:106::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
web14_tre:x:10013:10014:tre:/var/www/web14/user/web14_tre/./:/bin/bash
web14_ov:x:10011:10014:Oliver Vogel:/var/www/web14/user/web14_ov/./:/bin/bash
web14_km:x:10012:10014:Klaus Meins:/var/www/web14/./:/bin/bash
web14_test:x:10014:10014:Test:/var/www/web14/user/web14_test/./:/bin/bash
ossec:x:10015:10015::/var/ossec:/sbin/nologin
ossecm:x:10016:10015::/var/ossec:/sbin/nologin
ossece:x:10017:10015::/var/ossec:/sbin/nologin
ossecr:x:10018:10015::/var/ossec:/sbin/nologin
web14_test2:x:10015:10014:test2:/var/www/web14/user/web14_test2/./:/bin/false

[till]

The passwd file explains the problem:

Quote:

ossec:x:10015:10015::/var/ossec:/sbin/nologin
ossecm:x:10016:10015::/var/ossec:/sbin/nologin
ossece:x:10017:10015::/var/ossec:/sbin/nologin
ossecr:x:10018:10015::/var/ossec:/sbin/nologin

OSSEC has installed its own users within the userid range of ISPConfig (UID > 10000, defined in the ISPConfig settings). If the ossec userid's where > 1000 and < 10000 there should be no problem or if ossec is installed before ISPConfig.

[vogelor]

Quote:

Originally Posted by till

The passwd file explains the problem:
OSSEC has installed its own users within the userid range of ISPConfig (UID > 10000, defined in the ISPConfig settings). If the ossec userid's where > 1000 and < 10000 there should be no problem or if ossec is installed before ISPConfig.

yes, you're right!
after chancing the id's to 2000,2001 and so on and after chancing the group-file to 2000 (and rebooting the system to be sure that there is no garbage back) i created a new user and everything seems to be o.k.

[akaiser]

I've also changed the users to 2xxxx and the ispconfig configuration and now all works perfect.

Thanks a lot!