weslambert/securityonion-grr

Windows Client Unable to connect to GRR Server

ID1010TERROR opened this issue · 3 comments

Background:

I've installed GRR Server on top of an existing SecurityOnion Beta3 system (this isn't a fresh install).
I did this using the new install script here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/GRR
For the Server this appears to work without any issues.

The Problem:

On my Windows client I am able to access GRR Server on https://Domain-I-Specified/ (after modifying Windows Hosts file). I am able to authenticate into the GRR Server and pull down the GRR Client.exe file.
(Notice that the HTTPS connection works)

Upon running the executable it does appear to install, and I can see the service is running; however, it does not connect to the GRR Server as specified by: https://grr-doc.readthedocs.io/en/v3.2.1/deploying-grr-clients/how-to-check-if-client-talks-back.html

After viewing the debug Log I see:
"Could not connect to GRR Servers ['http://IP:8080/'], directly or through these proxies: ['']"
(Notice that the HTTP connection Fails)

Additional Info:

I have verified that this was not an issue of the SecurityOnion firewall by disabling the ufw service on that system.

Related issue:

References:

Thanks,
Jay

Are there firewall rule(s) available for Docker to use as described here?

https://github.com/Security-Onion-Solutions/security-onion/wiki/GRR#firewall-rules
(recently updated)

You can check the DOCKER-USER iptables chain with:

sudo iptables -L DOCKER-USER

Thanks,
Wes

This issue was resolved

By applying the fix you suggested in the Google Groups discussion, the Windows Client can now communicate with the GRR Server.

  1. Re-enable ufw (if stopped)
    sudo service ufw start

  2. Stop and remove "so-grr" container.
    sudo docker stop so-grr && sudo docker rm so-grr

  3. Restart so-grr container, providing your external ip for EXTERNAL_HOSTNAME value:
    sudo docker run -d --name so-grr --restart unless-stopped -e EXTERNAL_HOSTNAME="YOUR_EXTERNAL_IP" --ulimit nofile=1048576:1048576 -p 0.0.0.0:8000:8000 -p 0.0.0.0:8080:8080 -v $HOME/grr/etc:/usr/share/grr-server/install_data/etc -v $HOME/grr/datastore:/usr/share/grr-server/lib/python2.7/site-packages/grr/var/grr-datastore grrdocker/grr:latest grr

  4. Add an iptables rule for the remote host
    ("REMOTE_HOST_IP" here should be the host on which the client is installed)
    sudo iptables -I DOCKER-USER ! -i docker0 -o docker0 -s REMOTE_HOST_IP -p tcp --dport 8080 -j ACCEPT

  5. Restart GRR client service

Reference:

Google Group Discussion


To answer your question, the DOCKER-USER iptables chain previously had the following entries:

ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
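The resolution above boils down to one question about the DOCKER-USER chain: does an ACCEPT for the client host sit ahead of the DROP that Security Onion's firewall places there? The following POSIX shell script is an added example, not code from the securityonion-grr project or from either poster. It answers that question from `iptables -S DOCKER-USER` output, builds the exact rule from step 4, and applies it idempotently. The client address 192.0.2.10 and the two sample chain listings are constructed for illustration; the "before" listing is one chain that would print exactly the three "anywhere anywhere" lines shown in the thread under plain `iptables -L`.

```shell
#!/bin/sh
# Added example, not code from the securityonion-grr project or the thread's
# authors: inspect the DOCKER-USER chain the way the resolution needs and
# insert its ACCEPT rule only when it is missing. The client IP 192.0.2.10
# and the sample chain output below are constructed for illustration.

# Return 0 if, in the `iptables -S DOCKER-USER` text given as $1, an ACCEPT
# for source $2 to tcp/$3 (or an unconditional ACCEPT) comes before the first
# DROP; return 1 otherwise. -S is used instead of -L because plain -L omits
# the -i/-o interface matches, so interface-qualified rules all print as
# "all -- anywhere anywhere" and cannot be told apart.
docker_user_allows() {
  host=$2 port=$3 verdict=1
  while IFS= read -r line; do
    case $line in
      "-A DOCKER-USER -j ACCEPT") verdict=0; break ;;
      "-A DOCKER-USER "*"-s $host/32 "*"--dport $port "*"-j ACCEPT") verdict=0; break ;;
      *"-j DROP"*) break ;;   # conservative: any DROP ends the search
    esac
  done <<EOF
$1
EOF
  return $verdict
}

# The rule from step 4 of the resolution as iptables arguments: allow the
# client host ($1) to reach tcp/$2 on the docker0 bridge when the packet
# arrives on a non-docker interface.
docker_user_rule() {
  printf 'DOCKER-USER ! -i docker0 -o docker0 -s %s -p tcp --dport %s -j ACCEPT' "$1" "$2"
}

# Insert the rule at position 1 of DOCKER-USER (ahead of the DROP) unless an
# identical rule already exists; iptables -C exits 0 when it does, so this is
# safe to rerun. Needs root and a live iptables; only runs when called.
ensure_docker_user_rule() {
  rule=$(docker_user_rule "$1" "$2")
  # shellcheck disable=SC2086 -- splitting $rule into arguments is intended
  if iptables -C $rule 2>/dev/null; then
    echo "rule already present: $rule"
  else
    iptables -I $rule
  fi
}

CLIENT=192.0.2.10   # assumed Windows client address (constructed)

# Constructed `iptables -S DOCKER-USER` output for one chain that prints as
# "ACCEPT / DROP / RETURN ... anywhere anywhere" under plain -L: the
# interface matches are what -L hides.
SAMPLE_BEFORE='-N DOCKER-USER
-A DOCKER-USER -i docker0 -j ACCEPT
-A DOCKER-USER -o docker0 -j DROP
-A DOCKER-USER -j RETURN'

# The same chain after step 4. iptables prints -s with a /32 and expands
# "-p tcp --dport" into "-p tcp -m tcp --dport".
SAMPLE_AFTER="-N DOCKER-USER
-A DOCKER-USER -s $CLIENT/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-USER -i docker0 -j ACCEPT
-A DOCKER-USER -o docker0 -j DROP
-A DOCKER-USER -j RETURN"

# Offline demonstration on the constructed listings.
if docker_user_allows "$SAMPLE_BEFORE" "$CLIENT" 8080; then
  echo "before fix: client traffic to tcp/8080 allowed"
else
  echo "before fix: client traffic to tcp/8080 dropped (client logs 'Could not connect')"
fi
if docker_user_allows "$SAMPLE_AFTER" "$CLIENT" 8080; then
  echo "after fix: client traffic to tcp/8080 allowed"
else
  echo "after fix: client traffic to tcp/8080 dropped"
fi
echo "to apply on the server: sudo iptables -I $(docker_user_rule "$CLIENT" 8080)"
```

Two practical notes. `iptables -I` with no position inserts at position 1, which is why the rule lands ahead of the DROP without further thought; re-running the bare command from step 4 stacks duplicates, which is what the `iptables -C` guard in `ensure_docker_user_rule` avoids. And the three identical-looking "anywhere anywhere" lines in the listing above are exactly what plain `iptables -L` shows for interface-qualified rules, so `sudo iptables -S DOCKER-USER` (or `-L -v -n`) is the command to use when checking whether the rule actually took effect.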