Securing inputs

Hello

No, it does not. I have 200 nodes on one INPUT using TCP/TLS with the same configuration as shown above.

Security Considerations

  1. SELinux will be enforcing security policies
  2. IPtables/Firewalld will provide firewall functionality
  3. Inputs using TCP/TLS will be configured for added security
  4. SSL certificates will be used and HTTP will redirect to HTTPS
  5. FTP is not allowed, and all file transfers must be encrypted during transport (SSL / SSH file transfer)
  6. SFTP users chrooted (jailed) to their own directory.
  7. SSH key based authentication (disable root access via SSH)
  8. Using Active Directory
  9. Create GPOs for authentication failure/access.

Example_IPtables
[root@graylog server]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
           tcp  --  anywhere             anywhere             tcp dpt:9922 state NEW recent: SET name: SSH side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:9922 state NEW recent: UPDATE seconds: 300 hit_count: 4 TTL-Match name: SSH side: source mask: 255.255.255.255
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9922 state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:zabbix-agent state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:zabbix-trapper state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51430 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51412 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51420 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51466 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51440 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51411 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:27017 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:27018 state NEW,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:smtp state ESTABLISHED
LOGINPUT   all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:cslistener state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:51430 state NEW,ESTABLISHED
ACCEPT     tcp  --  graylog.domain.com  anywhere             tcp dpts:vrace:sec-t4net-srv
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:cslistener
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:50440
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:50440 state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:iop state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:iop state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:wbem-rmi state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:iop state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:51415 state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:lxi-evntsvc state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:lxi-evntsvc state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:51420 state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:ipfix state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:lxi-evntsvc state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:lxi-evntsvc state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:51415 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:lxi-evntsvc state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:ipfix state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:hbci state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:xmltec-xmlmail state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9833 state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:9922 state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:zabbix-agent state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:zabbix-trapper state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:51430 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:51412 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:51420 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:51466 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:51440 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:51411 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:27017 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:27018 state ESTABLISHED
LOGOUTPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:cslistener state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ldap state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ldap state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     all  --  10.200.6.111         anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:50440 state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:iop state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:wbem-rmi state NEW,ESTABLISHED

Chain LOGINPUT (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 4/min burst 5 LOG level warning prefix "DROP INPUT: "

Chain LOGOUTPUT (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 4/min burst 5 LOG level warning prefix "DROP OUTPUT: "
[root@graylog server]#

As shown earlier, even if someone has the IP address or the port number, they can send messages to this address and port, BUT it will not go through. They would need the certificates created on your Graylog server to get access, hence TCP/TLS, SSL.

Hope that helps
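
One way to review a listing like the one in the post, as an added example that is not part of the original post: the script reads `iptables -L` text and reports catch-all ACCEPT rules, the rules that follow them, and duplicate rules. The function names and the sample listing are constructed for illustration; plain `iptables -L` omits the interface columns, so a reported catch-all may be scoped to one interface such as loopback.

```shell
#!/usr/bin/env bash
# Added example: audit `iptables -L` text for catch-all ACCEPTs and duplicates.
# audit_listing and sample_listing are hypothetical names, not Graylog tooling.

audit_listing() {
  awk '
    /^Chain / { chain = $2; n = 0; catchall = 0; next }
    # Rule lines carry "--" in the opt column; a rule without a target
    # (no -j) has one field fewer, so "--" moves from $3 to $2.
    $3 != "--" && $2 != "--" { next }
    {
      n++                                   # matches iptables -L --line-numbers
      key = $0; gsub(/[ \t]+/, " ", key); sub(/^ /, "", key)   # normalise spacing
      if ((chain, key) in seen)
        printf "DUPLICATE %s rule %d repeats rule %d\n", chain, n, seen[chain, key]
      else
        seen[chain, key] = n
      if (catchall)
        after[chain]++                      # rule sits behind a catch-all ACCEPT
      if ($1 == "ACCEPT" && $2 == "all" && $4 == "anywhere" && $5 == "anywhere" && NF == 5) {
        printf "CATCHALL %s rule %d accepts all traffic (check interface with iptables -S)\n", chain, n
        catchall = 1
      }
    }
    END { for (c in after) printf "AFTER_CATCHALL %s %d rule(s) follow a catch-all ACCEPT\n", c, after[c] }
  '
}

sample_listing() {   # constructed sample in the layout of `iptables -L`
  cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
           tcp  --  anywhere             anywhere             tcp dpt:9922 state NEW recent: SET name: SSH side: source mask: 255.255.255.255
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51430 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain state NEW,ESTABLISHED
EOF
}

sample_listing | audit_listing
```

On a live host, pipe `iptables -L` into `audit_listing`, then confirm any CATCHALL finding with `iptables -S` or `iptables -L -v`, which show the interface match.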