Hi team! What's the best way to tighten networking...
# fleet
p
Hi team! What's the best way to tighten networking around my Fleet host? I have it all open on 0.0.0.0 and allowing all ports, which is of course not ideal, and I want to tighten it further but without breaking osquery <> fleet comms. What's the best way to do that?
k
You shouldn't need to worry about what ports are open for incoming traffic since all communication with the server is initiated on the host side.
p
what if an attacker decides to initiate a comm on their host
are you suggesting just keeping 80 and 443 open on my Fleet server should do the trick and lock the rest down?
j
We've used a WAF and allowed only the paths needed for the osquery and fleet desktop endpoints to the world
Admin is restricted and of course with a WAF you can block things like Tor nodes, known malicious IPs, etc
k
j
FYI most of these URL paths are out of date, and orbit no longer uses gRPC. However the concept is valid.