How to disable http options method in graylog

(Jolla) #1

Hi

I’m new to Graylog. I have set it up in Kubernetes and use an external IP to point to that service. The version is 2.5.1.

My colleague did a security scan, and he says I should disable the HTTP OPTIONS method.

I searched and found some configuration solutions for nginx and Apache httpd, but nginx/Apache are reverse proxies in front of Graylog; I’d prefer to do this in Graylog directly.

Is there some configuration in Graylog to disable the HTTP OPTIONS method?

[Update]: I found that Graylog uses Jersey; can we disable it from the Jersey side?

Thanks.

0 Likes

(Tess) #2

Seeing how the OPTIONS method is meant to be an integral part of APIs, I doubt that it’s a good idea to disable it. See here ->

http://zacstewart.com/2012/04/14/http-options-method.html

The more important questions would be:

  • Which environment are you exposing your Graylog GUI and your Graylog API to?
  • Have you applied ACLs through a firewall?
  • What kind of risk is associated with the environment that you’re exposing it to?

A Graylog host connected to an internal LAN, with firewall rules blocking access to the GUI, API and the associated Mongo and Elastic hosts sounds pretty good. And it’s a completely different case than a Graylog frontend exposed to the Internet. Why would anyone ever do that? :smiley:

So start asking both your buddy and yourself questions. What is the reason your colleague provides for you having to disable the OPTIONS method? Are you sure that you should even do this, or will it break Graylog? What is your risk profile? And so on…

2 Likes

(Ben van Staveren) #3

Disabling the OPTIONS method is suggested (sort of) in OWASP - but it’s more illustrated as an attack vector, or at least something that lets you see if TRACE/other methods are available.

Disabling it is, in my ISO 27001 lead auditor opinion, not necessary, because many apps using XHR will use an OPTIONS request to pre-flight anything. There’s no serious risk in allowing OPTIONS, especially not if you talk directly to Graylog, since it returns sane values.

*   Trying 10.8.9.1...
* Connected to 10.8.9.1 (10.8.9.1) port 9000 (#0)
> OPTIONS / HTTP/1.1
> Host: 10.8.9.1:9000
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Allow: HEAD,GET,OPTIONS
< X-Graylog-Node-ID: [redacted]
< Content-Type: text/plain
< Date: Thu, 07 Feb 2019 13:32:00 GMT
< Content-Length: 18
<
* Connection #0 to host 10.8.9.1 left intact

You tell me how that’s exploitable :wink: Or your buddy, for that matter…

2 Likes
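The point of the curl capture above is that the OPTIONS response is only worth worrying about for what its Allow header advertises. The script below is an added example, not code from the thread or from the Graylog project: it rebuilds the response from a curl -v transcript (a constructed copy of the capture above), parses the Allow header, and reports which methods fall outside an expected baseline and which are in the small set a scanner actually cares about (TRACE/TRACK/CONNECT). The baseline set, the risky set and the sample responses are assumptions chosen for illustration.

```python
"""Audit an HTTP OPTIONS response by what it advertises in Allow, so a
scanner finding can be judged against a policy instead of disabling OPTIONS.

Added example; the sample transcript and responses are constructed."""

# Methods this endpoint is expected to advertise (assumption for the example).
BASELINE_METHODS = frozenset({"HEAD", "GET", "OPTIONS"})
# Methods whose presence in Allow a scanner usually flags (assumption).
RISKY_METHODS = frozenset({"TRACE", "TRACK", "CONNECT"})

# Constructed copy of the curl -v transcript posted in the thread.
CURL_CAPTURE = """\
*   Trying 10.8.9.1...
* Connected to 10.8.9.1 (10.8.9.1) port 9000 (#0)
> OPTIONS / HTTP/1.1
> Host: 10.8.9.1:9000
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Allow: HEAD,GET,OPTIONS
< X-Graylog-Node-ID: [redacted]
< Content-Type: text/plain
< Date: Thu, 07 Feb 2019 13:32:00 GMT
< Content-Length: 18
<
* Connection #0 to host 10.8.9.1 left intact
"""


def response_from_curl_verbose(verbose_output):
    """Rebuild the raw server response from curl -v output: keep only the
    lines curl prefixes with '<' (server -> client) and drop that prefix."""
    lines = []
    for line in verbose_output.splitlines():
        if line.startswith("<"):
            lines.append(line[1:].lstrip(" "))
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(raw_response):
    """Split a raw HTTP/1.1 response into (name, value) pairs, names lower-cased.
    Only the status line and header block are read; a header may repeat, so
    every occurrence is returned. Malformed lines are skipped, not fatal."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.append((name.strip().lower(), value.strip()))
    return headers


def advertised_methods(raw_response):
    """Return the methods listed in Allow, upper-cased, de-duplicated, in
    order. Multiple Allow headers are merged, as the comma-list syntax permits."""
    methods = []
    for name, value in parse_headers(raw_response):
        if name != "allow":
            continue
        for token in value.split(","):
            token = token.strip().upper()
            if token and token not in methods:
                methods.append(token)
    return methods


def audit_methods(raw_response, baseline=BASELINE_METHODS, risky=RISKY_METHODS):
    """Compare the advertised methods with the expected baseline and the risky
    set. A missing Allow header is reported rather than treated as 'clean'."""
    methods = advertised_methods(raw_response)
    found = set(methods)
    return {
        "has_allow_header": any(n == "allow" for n, _ in parse_headers(raw_response)),
        "methods": methods,
        "unexpected": found - baseline,
        "risky": found & risky,
    }


if __name__ == "__main__":
    report = audit_methods(response_from_curl_verbose(CURL_CAPTURE))
    print(report)
```

Run against the captured transcript the report shows only HEAD, GET and OPTIONS, nothing unexpected and nothing risky, which is the basis for the "tell me how that's exploitable" remark above. The same function applied to a response advertising TRACE would flag it, which is the finding that would actually justify a change.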

(Tess) #4

Ooohh la-dee-dah, let me get you the fancy pants! :wink:

Good analysis on your part, thanks.

1 Like

(Ben van Staveren) #5

Yes please. I do like me some fancy pants!

0 Likes

(system) closed #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

0 Likes