Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
p
pvirani
08/26/2022, 5:13 PMHi team!
What's the best way to tighten networking around my Fleet host? I have it all open on 0.0.0.0 and allowing all ports which is ofcourse not ideal and I want to tighten it further but without breaking osquery <> fleet comms. What's the best way to do that?
k
Kathy Satterlee
08/26/2022, 6:42 PMYou shouldn't need to worry about what ports are open for incoming traffic since all communication with the server is initiated on the host side.
p
pvirani
08/26/2022, 9:54 PMwhat if an attacker decides to initite a comm on their host
are you suggesting just keeping 80 and 443 open on my Fleet server should do the trick and lock the rest down?
j
Jason
08/27/2022, 7:40 PMWe've used a WAF and allowed only the paths needed for the osquery and fleet desktop endpoints to the world
Admin is restricted and of course with a waf you can block things like Tor nodes, known malicious IPs, etc
k
Keith Swagler
09/13/2022, 1:28 PM@defensivedepth has a good blog post about this here https://defensivedepth.com/2020/04/02/kolide-fleet-breaking-out-the-osquery-api-web-ui/
j
Jason
09/13/2022, 1:30 PMFYI most of these URL paths are out of date, and orbit no longer uses gRPC. However the concept is valid.