Barnyard2 with MySQL over SSL issue
-
~~Barnyard2 has been working well for me but I want a secure connection to the mysql server. I set up my mysql server to use SSL, created a test user with the REQUIRE SSL option and it works great on everything except pfsense. I can connect to the remote mysql as the test user on my client machines, but when I try to connect to it from pfsense I get denied access with the following error:
ERROR 1045 (28000): Access denied for user 'testremote'@'pfSense.localdomain' (using password: YES)
I'm assuming this is from SSL since it works fine with remote users that aren't required to use SSL. Is there something I need to setup on pfsense to allow mysql client connections to use SSL?~~
UPDATE: So I got SSL working; it turns out I just needed to create a my.cnf file with the certificate information, but now I can't get barnyard2 to use it. I added the SSL information to the Barnyard2 output setting:
output database: log, mysql, user=test2 password=password dbname=snort host=192.168.1.17 sensor_name=OPT2 disable_signature_reference_table ssl_key=/usr/local/etc/snort/snort_40391_em3/client-key.pem ssl_ca=/usr/local/etc/snort/snort_40391_em3/ca.pem ssl_cert=/usr/local/etc/snort/snort_40391_em3/client-cert.pem ssl_ca_path=/usr/local/etc/snort/snort_40391_em3 ssl_cipher=DHE-RSA-AES256-SHA
I get the following error when starting barnyard:
Aug 11 20:24:43 pfsense.localdomain barnyard2[85206]: Initializing daemon mode
Aug 11 20:24:43 pfsense.localdomain barnyard2[85298]: Daemon initialized, signaled parent pid: 85206
Aug 11 20:24:43 pfsense.localdomain barnyard2[85206]: Daemon parent exiting
Aug 11 20:24:43 pfsense.localdomain barnyard2[85298]: PID path stat checked out ok, PID path set to /var/run
Aug 11 20:24:43 pfsense.localdomain barnyard2[85298]: Writing PID "85298" to file "/var/run/barnyard2_em340391.pid"
Aug 11 20:24:43 pfsense.localdomain barnyard2[85298]: database mysql_error: SSL connection error: Unable to get private key
Aug 11 20:24:43 pfsense.localdomain barnyard2[85298]: Barnyard2 exiting
Aug 11 20:24:43 pfsense.localdomain barnyard2[85298]: database: Closing connection to database "snort"
I can't figure out why barnyard2 can't get the private key. Does anyone know what the permissions need to be set on the key file or what I need to do to allow barnyard2 to use the key? The key works if I try connecting to mysql from the shell so I'm kind of baffled.
-
It is likely your changes to the barnyard configuration are not "sticking". Each time you stop and restart Barnyard2 via the GUI, the configuration file on pfSense is re-created using settings from within the GUI configuration. Exactly how are you entering the extra SSL key information? Are you using an advanced pass-through option?
Bill
-
Thanks for responding. I created a pass-through entry for mysql output. Since the GUI MySQL settings don't really make it possible to do this and a logging option must be enabled, I enabled logging via Syslog and then added the following entry to the barnyard2 pass-through options:
output database: log, mysql, user=test2 password=password dbname=snort host=192.168.1.17 sensor_name=OPT2 disable_signature_reference_table ssl_key=/etc/ssl/client-key.pem ssl_ca=/etc/ssl/ca.pem ssl_cert=/etc/ssl/client-cert.pem ssl_ca_path=/etc/ssl ssl_cipher=DHE-RSA-AES256-SHA
Every time I start barnyard2 it fails because of the following error: database mysql_error: SSL connection error: Unable to get private key
Since barnyard2 runs as root, I figured the private key should be owned by root. I can log in with the key manually in the pfsense shell, but it doesn't work with barnyard2. I thought maybe it had something to do with daemon so I tried changing the owner to daemon, which also didn't work. I just can't figure out how to get a secure MySQL connection to work over barnyard2. Any advice?
-
It's been a while since I've toyed with Barnyard2. It definitely sounds like a permissions or path thing to me, though. Remember the running Barnyard2 process will not have the same environment variables set as your shell account will have. So things that "just work" at a CLI prompt many times will not work when executed from within a script or a daemon.
Is your private key literally in /etc, or is it maybe actually in /usr/local/etc? The latter is where I think it should generally be on FreeBSD and pfSense. All of the Snort, Suricata and Barnyard2 stuff is in /usr/local/etc.
Bill
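Taking the "permissions or path" diagnosis above one step further, here is a small pre-flight script. It is an added example, not code from this thread, from pfSense or from Barnyard2. It reads the same "output database:" line that goes into the pass-through box, checks each ssl_key / ssl_cert / ssl_ca file the way the daemon's user would see it, and reports the usual reasons libmysqlclient's private-key load fails: a path that does not exist or is not readable, a file that is not a PEM private key, or a passphrase-protected key (a daemon has no terminal to type a passphrase into). When an /etc/... path does not resolve it also looks under /usr/local/etc, as suggested above. The PEM files it writes for the offline run are constructed placeholders with no real key material, and the live_check function, which asks the server which cipher it negotiated, assumes the mysql command-line client is installed on the pfSense box; the parser does not handle paths containing spaces.

```shell
#!/bin/sh
# Added example (not from the pfSense thread or Barnyard2): pre-flight the files named
# in a Barnyard2 "output database: log, mysql, ... ssl_key= ssl_cert= ssl_ca=" line.
# Run it as the user the daemon runs as, since that is whose permissions matter.

# pem_kind FILE: prints private-key | encrypted-private-key | certificate | unknown | missing
pem_kind() {
    f=$1
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo missing
        return 1
    fi
    first=$(head -n 1 "$f")
    case "$first" in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            echo encrypted-private-key ;;
        '-----BEGIN PRIVATE KEY-----'|'-----BEGIN '*' PRIVATE KEY-----')
            # Legacy "BEGIN RSA PRIVATE KEY" files signal encryption with a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
                echo encrypted-private-key
            else
                echo private-key
            fi ;;
        '-----BEGIN CERTIFICATE-----')
            echo certificate ;;
        *)
            echo unknown ;;
    esac
}

# check_output_line "output database: ...": one report line per ssl_key/ssl_cert/ssl_ca
# option; returns 0 only when every file is readable and of the expected PEM type.
check_output_line() {
    rc=0
    for tok in $1; do
        case "$tok" in
            ssl_key=*)           want=private-key ;;
            ssl_cert=*|ssl_ca=*) want=certificate ;;
            *)                   continue ;;
        esac
        opt=${tok%%=*}
        path=${tok#*=}
        got=$(pem_kind "$path")
        if [ "$got" = "$want" ]; then
            printf '%-8s OK    %s\n' "$opt" "$path"
        else
            printf '%-8s FAIL  %s: %s (expected %s)\n' "$opt" "$path" "$got" "$want"
            [ -e "$path" ] && ls -l "$path"   # owner and mode, for the permissions question
            # pfSense keeps the Snort/Barnyard2 tree under /usr/local/etc; point there
            # when an /etc/... path does not resolve.
            case "$path" in
                /etc/*) [ -r "/usr/local$path" ] && echo "         hint: /usr/local$path exists" ;;
            esac
            rc=1
        fi
    done
    return $rc
}

# live_check "output database: ...": connect with the same three files plus the line's
# host/user/password and show the negotiated cipher (empty value = no TLS). Needs the
# mysql client on the box; note the password is visible in the process list.
live_check() {
    for tok in $1; do
        case "$tok" in
            ssl_key=*)  key=${tok#*=} ;;   ssl_cert=*) cert=${tok#*=} ;;
            ssl_ca=*)   ca=${tok#*=} ;;    host=*)     host=${tok#*=} ;;
            user=*)     user=${tok#*=} ;;  password=*) pass=${tok#*=} ;;
        esac
    done
    mysql --host="$host" --user="$user" --password="$pass" \
          --ssl-ca="$ca" --ssl-cert="$cert" --ssl-key="$key" \
          -e "SHOW STATUS LIKE 'Ssl_cipher'"
}

# make_fixtures DIR: constructed sample files for an offline run. The base64 bodies are
# placeholders, not real key material; only the PEM headers matter to pem_kind.
make_fixtures() {
    d=$1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEvQIBADANBgkqhkiG9w0BAQEFAASC...constructed' \
        '-----END PRIVATE KEY-----' > "$d/client-key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiI...constructed' \
        '-----END CERTIFICATE-----' > "$d/client-cert.pem"
    cp "$d/client-cert.pem" "$d/ca.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' '' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$d/encrypted-key.pem"
}

# Offline demonstration on the constructed fixtures (no MySQL server needed).
D=$(mktemp -d)
make_fixtures "$D"
printf '%s\n' '--- all three files as expected:'
check_output_line "output database: log, mysql, user=test2 password=x dbname=snort host=192.168.1.17 ssl_key=$D/client-key.pem ssl_ca=$D/ca.pem ssl_cert=$D/client-cert.pem ssl_ca_path=$D"
printf '%s\n' '--- passphrase-protected key, and a CA path that does not exist:'
check_output_line "output database: log, mysql, ssl_key=$D/encrypted-key.pem ssl_ca=$D/missing.pem ssl_cert=$D/client-cert.pem" \
    || printf '%s\n' 'fix the FAIL lines before starting barnyard2'
rm -rf "$D"
```

On the pfSense box, paste the real pass-through line into check_output_line first and only call live_check once every file reports OK; if live_check then shows a non-empty Ssl_cipher while the daemon still logs "Unable to get private key", the remaining difference is the daemon's environment and working directory rather than the files themselves.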