logo

Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Cb Response Server Is Accepting Traffic On All Ports

Cb Response Server Is Accepting Traffic On All Ports

Version

Cb Response 5.x, 6.x

Issue

Cb Response Server is accepting all traffic or is allowing access to the solr admin console

Cause

The Cb Response cbcheck utility relies on default Redhat/Centos 6 iptables configuration. If your environment has a custom iptables configuration, default deny rules may not be in place.

Note: Refer to this guide for more information on the cbcheck utility: Incorrect Iptables Rules Prevent Cluster From Communicating Correctly

Solution

Add Default deny rules to the bottom of the iptables rules file located at /etc/sysconfig/iptables:

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Warning: Make sure you have SSH access permitted before adding default deny rules:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Warning: Permitting port 8080 traffic like this entry is NOT recommended:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
Use this guide instead: How to Use the Solr Web Interface Securely via SSH tunneling
Note: For general information on iptables rules, check here: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-basic-iptables-firewall-on-centos-6

Here is an example /etc/sysconfig/iptables file from a standalone server:

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [2:256]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

Note: Cluster environments have additional rules in iptables for each minion. For more information check out Appendix E Ports and Protocols of the 5.2 User Guide: Carbon Black Response v5.2 - User Guide (On-Prem)

Following any changes restart iptables:

service iptables restart

Then make sure the rules have been applied correctly by running this command:

service iptables status

Labels (1)
Labels:
Was this article helpful? Yes No
No ratings
Article Information
Author:
cmichaels
Creation Date:
‎02-21-2017
Views:
1378
Contributors
logo