Hi team!
What's the best way to tighten networking around my Fleet host? I have it all open on 0.0.0.0 and allowing all ports which is ofcourse not ideal and I want to tighten it further but without breaking osquery <> fleet comms. What's the best way to do that?
k
Kathy Satterlee
08/26/2022, 6:42 PM
You shouldn't need to worry about what ports are open for incoming traffic since all communication with the server is initiated on the host side.
p
pvirani
08/26/2022, 9:54 PM
what if an attacker decides to initite a comm on their host
are you suggesting just keeping 80 and 443 open on my Fleet server should do the trick and lock the rest down?
j
Jason
08/27/2022, 7:40 PM
We've used a WAF and allowed only the paths needed for the osquery and fleet desktop endpoints to the world
Admin is restricted and of course with a waf you can block things like Tor nodes, known malicious IPs, etc