Cb Response 5.x, 6.x
Cb Response Server is accepting all traffic or is allowing access to the solr admin console
The Cb Response cbcheck utility assumes the default RHEL/CentOS 6 iptables configuration, in which the INPUT and FORWARD chains end with a default deny rule. If your environment uses a custom iptables configuration, those default deny rules may be missing, so any port that is not explicitly blocked (including 8080, the Solr admin console) is reachable from the network.
Note: Refer to this guide for more information on the cbcheck utility: Incorrect Iptables Rules Prevent Cluster From Communicating Correctly
Add default deny rules at the end of the INPUT and FORWARD chains in the iptables rules file located at /etc/sysconfig/iptables (after all ACCEPT rules and immediately before the COMMIT line), so that they are evaluated last:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Warning: Make sure an ACCEPT rule for SSH appears above the default deny rules before you apply them, or you will lock yourself out of the server:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Warning: Opening port 8080 (the Solr admin console) to the network with an entry like this is NOT recommended:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
Use this guide instead: How to Use the Solr Web Interface Securely via SSH tunneling
Note: For general information on iptables rules, check here: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-basic-iptables-firewall-on-centos-6
Here is an example /etc/sysconfig/iptables file from a standalone server:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:256]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Note: Cluster environments have additional iptables rules for each minion. For more information, see Appendix E Ports and Protocols of the 5.2 User Guide: Carbon Black Response v5.2 - User Guide (On-Prem)
After any change, restart iptables so the rules file is reloaded:
service iptables restart
Then confirm that the active rules match the file by running this command:
service iptables status
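The following script is an added example and is not part of this article or of the cbcheck utility. It audits a saved rules file in the /etc/sysconfig/iptables format shown above for the three conditions the article describes: a default deny at the end of the INPUT and FORWARD chains, an SSH ACCEPT rule that sits above the INPUT default deny, and no ACCEPT for tcp/8080. The two sample files it checks are constructed for the example (the first is the standalone-server file from this article, the second is a deliberately misconfigured custom file), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Carbon Black code: audit an iptables rules file for the
# default-deny, SSH-ordering and port-8080 conditions described in the article.
# Constructed sample files are written to a temporary directory so this runs
# offline; on a real server point iptables_audit at /etc/sysconfig/iptables.

# chain_deny_pos CHAIN  (rules on stdin)
# Prints the rule index of CHAIN's unconditional REJECT/DROP, 0 if there is
# none, or -1 when the chain's default policy is already DROP.
chain_deny_pos() {
    awk -v chain="$1" '
        index($0, ":" chain " DROP") == 1 { policy = 1 }
        index($0, "-A " chain " -j REJECT") == 1 || index($0, "-A " chain " -j DROP") == 1 { pos = NR }
        END { print policy ? -1 : pos + 0 }'
}

# accept_pos CHAIN PORT  (rules on stdin)
# Prints the index of the first "-p tcp ... --dport PORT -j ACCEPT" rule in
# CHAIN, or 0 if no such rule exists.
accept_pos() {
    awk -v chain="$1" -v port="$2" '
        index($0, "-A " chain " ") == 1 && / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i + 1) == port && !pos) pos = NR
        }
        END { print pos + 0 }'
}

# iptables_audit FILE
# Prints one FAIL line per finding and returns 1 if any; returns 0 otherwise.
iptables_audit() {
    file="$1"
    rc=0
    # Keep only the *filter table, minus comments and blank lines.
    rules=$(awk '/^\*filter/ { f = 1 } f && !/^#/ && NF { print } /^COMMIT/ { f = 0 }' "$file")

    # 1. Each chain must end in an unconditional deny (or have a DROP policy).
    for chain in INPUT FORWARD; do
        pos=$(printf '%s\n' "$rules" | chain_deny_pos "$chain")
        if [ "$pos" -eq 0 ]; then
            echo "FAIL: $chain chain has no default deny rule"
            rc=1
        fi
    done

    # 2. SSH must be accepted, and accepted before the INPUT default deny.
    in_deny=$(printf '%s\n' "$rules" | chain_deny_pos INPUT)
    ssh=$(printf '%s\n' "$rules" | accept_pos INPUT 22)
    if [ "$ssh" -eq 0 ]; then
        echo "FAIL: no ACCEPT for tcp/22 in INPUT; a default deny would lock out SSH"
        rc=1
    elif [ "$in_deny" -gt 0 ] && [ "$ssh" -gt "$in_deny" ]; then
        echo "FAIL: tcp/22 ACCEPT comes after the INPUT default deny and never matches"
        rc=1
    fi

    # 3. The Solr admin console (tcp/8080) must not be opened to the network.
    solr=$(printf '%s\n' "$rules" | accept_pos INPUT 8080)
    if [ "$solr" -gt 0 ]; then
        echo "FAIL: INPUT accepts tcp/8080 (Solr admin console); use an SSH tunnel instead"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

AUDIT_DIR=$(mktemp -d)
GOOD_RULES="$AUDIT_DIR/good"
BAD_RULES="$AUDIT_DIR/bad"

# Constructed sample: the standalone-server file from the article.
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:256]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Constructed sample of a custom file with every problem the article warns
# about: no FORWARD deny, 8080 open, and the SSH rule placed below the deny.
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

for f in "$GOOD_RULES" "$BAD_RULES"; do
    iptables_audit "$f" || true
done
```

The audit reads the saved file, not the running ruleset, so run it before `service iptables restart` to catch a lockout or an exposed 8080 while you can still edit the file; after the restart, compare against what the kernel actually loaded with `iptables -L -n --line-numbers`. Cluster minion rules from Appendix E are additional ACCEPT lines and do not change what the script checks.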
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.