pvirani

08/26/2022, 5:13 PM
Hi team! What's the best way to tighten networking around my Fleet host? I have it all open on 0.0.0.0 and allowing all ports, which is of course not ideal, and I want to tighten it further but without breaking osquery <> fleet comms. What's the best way to do that?

Kathy Satterlee

08/26/2022, 6:42 PM
You shouldn't need to worry about what ports are open for incoming traffic since all communication with the server is initiated on the host side.

pvirani

08/26/2022, 9:54 PM
What if an attacker decides to initiate a comm on their host?
Are you suggesting just keeping 80 and 443 open on my Fleet server should do the trick and lock the rest down?

Jason

08/27/2022, 7:40 PM
We've used a WAF and allowed only the paths needed for the osquery and fleet desktop endpoints to the world.
Admin is restricted, and of course with a WAF you can block things like Tor nodes, known malicious IPs, etc.

Keith Swagler

09/13/2022, 1:28 PM

Jason

09/13/2022, 1:30 PM
FYI most of these URL paths are out of date, and orbit no longer uses gRPC. However the concept is valid.