Re: [graylog2] Graylog 2 beta API port listening issue in the website

2016-04-21 Thread Eric Tang
Dear Jochen,

Thank you for your answer.


Dear Dennis,

It's not really a big matter, as the APIs require authentication. Though we
don't use the API from the public network, so it's good to hide it and
prevent any DDoS, just in case :P.
Thank you.

Eric

On Thu, Apr 21, 2016 at 7:05 PM, Dennis Oelkers  wrote:

> Hey Eric,
>
> regarding point 3: what are your exact security concerns about exposing
> the REST API?
>
> Kind regards,
> D.
>
> --
> Tel.: +49 (0)40 609 452 077
> Fax.: +49 (0)40 609 452 078
>
> TORCH GmbH - A Graylog company
> Steckelhörn 11
> 20457 Hamburg
> Germany
>
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
> Geschäftsführer: Lennart Koopmann (CEO)
>
> > On 21.04.2016, at 09:03, er...@muneris.io wrote:
> >
> > Dear Graylog community support / users,
> >
> > I have been using Graylog since 1.2 and it's working great.
> >
> > Just discovered a change to a health check in Graylog's web interface that
> might cause problems.
> > It's known and normal that Graylog's web service detects the server
> node(s)' health via the API through TCP 12900.
> >
> > However I noticed an issue in Graylog 2.
> > When I am trying out Graylog 2 (Alpha and Beta), the web UI
> automatically calls TCP 12900 (the API port) on the client side using the
> public address.
> > That is, from the browser's developer mode, I can see a URL call to
> http://:12900/system/cluster/node. This
> causes the following issues:
> >
> > 1) With the default configuration, such a check listens on the private IP
> of the server. So when deploying Graylog to the internet, the check
> fails. (Unless we access the website through a VPN IP or update
> rest_transport_uri in /opt/graylog/conf/graylog.conf)
> > 2) The health check should probably be done in the background on the server
> (i.e. like Graylog 1.2, 1.3... the checking will not be exposed to the client
> side / browser)
> > 3) We need to expose TCP 12900 of the web service to the public; a security
> concern arises as the API port would be facing the public internet as well.
> >
> > Thank you.
> > Eric
> >
> > --
> > You received this message because you are subscribed to the Google
> Groups "Graylog Users" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to graylog2+unsubscr...@googlegroups.com.
> > To view this discussion on the web visit
> https://groups.google.com/d/msgid/graylog2/a43a9ea9-2b6b-4d6a-8b91-1304b84dd008%40googlegroups.com
> .
> > For more options, visit https://groups.google.com/d/optout.
>
>



Re: [graylog2] Graylog 2 beta API port listening issue in the website

2016-04-21 Thread Dennis Oelkers
Hey Eric,

regarding point 3: what are your exact security concerns about exposing the 
REST API?

Kind regards,
D.

--
Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog company
Steckelhörn 11
20457 Hamburg
Germany

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)

> On 21.04.2016, at 09:03, er...@muneris.io wrote:
> 
> Dear Graylog community support / users,
> 
> I have been using Graylog since 1.2 and it's working great.
> 
> Just discovered a change to a health check in Graylog's web interface that 
> might cause problems.
> It's known and normal that Graylog's web service detects the server 
> node(s)' health via the API through TCP 12900.
> 
> However I noticed an issue in Graylog 2.
> When I am trying out Graylog 2 (Alpha and Beta), the web UI automatically 
> calls TCP 12900 (the API port) on the client side using the public address.
> That is, from the browser's developer mode, I can see a URL call to 
> http://:12900/system/cluster/node. This causes 
> the following issues:
> 
> 1) With the default configuration, such a check listens on the private IP of 
> the server. So when deploying Graylog to the internet, the check fails. 
> (Unless we access the website through a VPN IP or update rest_transport_uri in 
> /opt/graylog/conf/graylog.conf)
> 2) The health check should probably be done in the background on the server 
> (i.e. like Graylog 1.2, 1.3... the checking will not be exposed to the client 
> side / browser)
> 3) We need to expose TCP 12900 of the web service to the public; a security 
> concern arises as the API port would be facing the public internet as well.
> 
> Thank you.
> Eric
> 
