
Add section about using authbind

Open joschi opened this issue 9 years ago • 7 comments

People regularly struggle with the concept of privileged ports and how to allow Graylog to bind to these (e. g. port 514 for syslog).

  • https://en.wikipedia.org/wiki/Authbind
  • https://debian-administration.org/article/386/Running_network_services_as_a_non-root_user.
  • https://github.com/Graylog2/fpm-recipes/blob/2.0/recipes/graylog-server/files/environment#L10-L12

joschi avatar Oct 20 '16 10:10 joschi

Using setcap could be an alternative, although it's not as nice because you have to allow all Java programs to bind to privileged ports.

https://blogs.oracle.com/sduloutr/entry/binding_a_server_to_privileged

bernd avatar Oct 20 '16 10:10 bernd

I did read the technical explanation and it does not sound credible; if this was a Java issue with binding to lower ports, how does it bind to 514 then?

OK, after some tinkering I discovered that the OVA which ships with 2.1.0+62db7e0, codename Smuttynose, uses authbind to make it work on 514, so that's how they get it going. Hence I only had to add UDP 162 to the authbind-by-port config, and that allowed me to run the SNMP plug-in as a native port 162 listener. Remember to use "!" when specifying a UDP port for authbind-by-port:

touch '/etc/authbind/byport/!162'
chmod 500 '/etc/authbind/byport/!162'
chown graylog '/etc/authbind/byport/!162'

Remember to surround the path with '' because of the ! used in front of the numeric port for UDP. If you do NOT use ! then the port will be TCP and the SNMP plug-in won't work, since SNMP is UDP to begin with. Hope that helps others to get their plug-in going for native SNMP.

ubuntu@graylog:/etc/authbind/byport$ ls -la
total 8
drwxr-xr-x 2 root    root    4096 Oct 26 15:33 .
drwxr-xr-x 5 root    root    4096 Oct 26 07:22 ..
-r-x------ 1 graylog graylog    0 Oct 26 15:19 !162
-r-xr-x--- 1 graylog graylog    0 Sep 21 13:35 !514
ubuntu@graylog:/etc/authbind/byport$

bubba198 avatar Oct 26 '16 21:10 bubba198
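The byport procedure from the comment above, written up as an added shell example (not from this issue or the Graylog project). It assumes the directory defaults to /etc/authbind/byport and the service user to "graylog"; both are parameters so the functions can be tried in a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the issue or the Graylog project): create authbind
# "byport" entries for privileged ports. Assumptions: the directory defaults to
# /etc/authbind/byport and the service user to "graylog"; both are parameters
# so the functions can be exercised in a scratch directory without root.

# authbind_entry PORT PROTO -> byport file name: "514" for TCP, "!162" for UDP
authbind_entry() {
    case "${2:-tcp}" in
        tcp) printf '%s\n' "$1" ;;
        udp) printf '!%s\n' "$1" ;;      # authbind marks UDP entries with a leading "!"
        *)   echo "unknown protocol: $2" >&2; return 1 ;;
    esac
}

# authbind_allow PORT PROTO [USER] [DIR] -> creates the entry and prints its path.
# authbind grants the bind when the calling user may *execute* the file, so the
# file is owned by the service user with mode 500 (owner read+execute only).
authbind_allow() {
    port=$1; proto=$2; user=${3:-graylog}; dir=${4:-/etc/authbind/byport}
    { [ "$port" -ge 1 ] && [ "$port" -le 1023 ]; } 2>/dev/null \
        || { echo "port $port is not a privileged port (1-1023)" >&2; return 1; }
    name=$(authbind_entry "$port" "$proto") || return 1
    path="$dir/$name"
    mkdir -p "$dir" || return 1
    : > "$path" || return 1            # same as touch; an empty file is enough
    chown "$user" "$path" || return 1
    chmod 500 "$path" || return 1
    printf '%s\n' "$path"
}

# authbind_check PORT PROTO [DIR] -> 0 if the current user may bind that port
authbind_check() {
    name=$(authbind_entry "$1" "$2") || return 1
    [ -x "${3:-/etc/authbind/byport}/$name" ]
}

# On the OVA from the comment above this would be: authbind_allow 162 udp graylog
```

Run authbind_check as the service user (for example via su or sudo -u) to confirm the grant, since authbind evaluates execute permission for the user that actually binds the socket.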

@bubba198 Please don't hijack this issue. Privileged ports are not a "Java issue" but simply a restriction of the network stack of the operating system.

You can read up on privileged ports at https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html

joschi avatar Oct 27 '16 07:10 joschi

Another good explanation: https://www.reddit.com/r/graylog/comments/5qcjw0/using_authbind_to_run_graylog/

joschi avatar Jan 27 '17 08:01 joschi

Or just add a port forward:

# both rules need --permanent: --reload discards runtime-only changes
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=9000 --permanent
firewall-cmd --reload

This seems a lot more straightforward than having to install and configure authbind.

miztroh-zz avatar Feb 14 '18 15:02 miztroh-zz

@miztroh Yes, just as the FAQ already mentions: http://docs.graylog.org/en/2.4/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024

joschi avatar Feb 14 '18 16:02 joschi

@joschi Bingo.

miztroh-zz avatar Feb 14 '18 16:02 miztroh-zz