Ports 9200 and 8080 are exposed through the firewall allowing access to Elastic Search

Article ID: 385859

Products

Security Analytics

Issue/Introduction

The firewall is allowing access to all open ports on the Security Analytics server.  This is due to a misconfiguration in the security firewall settings.

Cause

The last ACCEPT rule is missing the RELATED,ESTABLISHED state.  This may have been done during a firewall change in the UI.

Resolution

Update the firewall ACCEPT rule with RELATED,ESTABLISHED.  This can be fixed in the releases after 8.2.8 in the UI.  Previous releases will require CLI access (as root) with the following commands.

Results of iptables -L before the change (line 12)

ACCEPT   all  --  anywhere        anywhere

Results of iptables -L after the change (line 12)

ACCEPT   all  --  anywhere        anywhere       state RELATED,ESTABLISHED

-------------------------------------------

To correct the configuration, login as root at the command line interface and run:

# make a backup of the firewall rules in case there is a mistake after the change
iptables-save > /home/apache/tmp/iptables

# write the firewall rules to /etc/sysconfig/iptables from memory before any changes are made.  This will provide a known beginning point.
iptables-save > /etc/sysconfig/iptables

# edit /etc/sysconfig/iptables by adding "RELATED,ESTABLISHED" to the Accept Any rule
sed -i --follow-symlinks 's/^-A INPUT -j ACCEPT$/-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT/' '/etc/sysconfig/iptables'

# test the change, no output is expected
iptables-restore --test < /etc/sysconfig/iptables

# load the rules in memory from the changed file
iptables-restore < /etc/sysconfig/iptables

# Verify the change: list the rules and confirm that the 12th line now shows RELATED,ESTABLISHED
iptables -L

For example,

[root@hostname ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       icmp --  anywhere             anywhere             icmp timestamp-request
DROP       icmp --  anywhere             anywhere             icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8843
ACCEPT     udp  --  anywhere             anywhere             udp spt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
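The following shell functions are an added check and are not part of this article or the product: they count bare accept-all INPUT rules in an iptables-save dump, apply the same substitution the resolution uses to a copy of the file, and walk the INPUT chain for a new TCP connection to a given port the way iptables would (simplified to the -p, --dport and --state matches), which shows why port 9200 is reachable before the fix and dropped after it. The dump is a constructed, trimmed sample, not a real server's rule set.

```shell
#!/bin/sh
# Constructed sample of an iptables-save dump with the misconfigured rule:
# the bare "-A INPUT -j ACCEPT" just before the trailing DROP.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 14 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j DROP
COMMIT'

# count_bare_accepts FILE: number of INPUT rules that accept everything with
# no match at all (the rule that defeats the trailing DROP). 0 means clean.
count_bare_accepts() {
    grep -c '^-A INPUT -j ACCEPT$' "$1" || true
}

# fix_rules IN OUT: write a corrected copy of IN to OUT using the same sed
# substitution as the resolution, then report bare accepts left in OUT.
fix_rules() {
    sed 's/^-A INPUT -j ACCEPT$/-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT/' "$1" > "$2"
    count_bare_accepts "$2"
}

# decide_new_tcp FILE PORT: target of the first INPUT rule matching a NEW TCP
# packet to PORT (chain policy if none matches). Simplified evaluator that
# understands only the -p, --dport and --state matches used in the dump.
decide_new_tcp() {
    awk -v port="$2" '
    /^:INPUT/ { policy = $2 }
    /^-A INPUT/ {
        proto = ""; dport = ""; state = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "--state") state = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (proto != "" && proto != "tcp") next       # not a TCP rule
        if (dport != "" && dport != port) next        # other port
        if (state != "" && state !~ /NEW/) next       # needs existing flow
        print target; found = 1; exit
    }
    END { if (!found) print policy }' "$1"
}
```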