# MozDef - Global Access Configuration

## 🌐 Making MozDef Globally Accessible

**Date:** $(date)

**Status:** Configured for global access

---

## ✅ Configuration Changes

### 1. Docker Compose Port Binding
Updated `docker/compose/docker-compose.yml` to explicitly bind all ports to `0.0.0.0`. Note that `0.0.0.0` means every interface on the host, including any public-facing one, so from this point on the host firewall and cloud security groups described below are the only controls between the Kibana dashboard, the Loginput API and the REST API and whoever can reach the host:

```yaml
nginx:
  ports:
    - "0.0.0.0:80:80"      # Meteor Web Interface
    - "0.0.0.0:8080:8080"   # Loginput API
    - "0.0.0.0:8081:8081"   # REST API (now exposed)
    - "0.0.0.0:9090:9090"   # Kibana Dashboard
```

**Changes:**
- ✅ All ports now explicitly bound to `0.0.0.0` (all interfaces)
- ✅ REST API port 8081 now exposed (was commented out)
- ✅ Services accessible from external networks
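
As an added check (this script is not part of MozDef or of the configuration above; the compose fragment it reads is a constructed sample modelled on the `nginx` service), the following POSIX shell script reports the host-side bind address of every published port in a compose file, so that an all-interfaces binding is seen at review time rather than discovered afterwards with `ss`. It also covers the case the compose syntax makes easy to miss: a mapping written without an address is published on all interfaces too.

```shell
#!/bin/sh
# Added example, not MozDef project code: audit the host bind address of every
# port a docker-compose file publishes. Docker publishes on all interfaces
# (0.0.0.0) both when the address is written out and when it is omitted, so
# "9200:9200" is just as exposed as "0.0.0.0:9200:9200".
set -eu

# audit_compose_ports <compose-file>
# Prints one line per mapping: "<host-port> <bind-address> <verdict>".
# Limitation (deliberate, to stay in POSIX awk): IPv6 bind addresses such as
# "[::1]:80:80" and the long-form "target:/published:" syntax are skipped.
audit_compose_ports() {
    awk '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }           # blank lines, comments
        /^[[:space:]]*ports:[[:space:]]*$/ {                   # start of a ports list
            inports = 1; indent = match($0, /[^ ]/); next
        }
        inports && match($0, /[^ ]/) <= indent { inports = 0 } # back out at the next key
        inports && /^[[:space:]]*-[[:space:]]*"?[0-9.]+(:[0-9]+)*"?/ {
            sub(/^[[:space:]]*-[[:space:]]*/, "")              # drop the list dash
            sub(/[[:space:]]*#.*$/, "")                        # drop trailing comment
            gsub(/"/, "")                                      # drop quotes
            sub(/\/(tcp|udp)$/, "")                            # drop protocol suffix
            n = split($0, p, ":")
            if (n == 3)      { bind = p[1];      host = p[2] }
            else if (n == 2) { bind = "0.0.0.0"; host = p[1] }        # address omitted
            else             { bind = "0.0.0.0"; host = "ephemeral" } # bare container port
            if (bind == "0.0.0.0")    verdict = "ALL-INTERFACES"
            else if (bind ~ /^127\./) verdict = "LOOPBACK-ONLY"
            else                      verdict = "SPECIFIC-ADDRESS"
            print host, bind, verdict
        }' "$1"
}

# count_all_interface_ports <compose-file>: how many mappings face every interface.
count_all_interface_ports() {
    audit_compose_ports "$1" | grep -c 'ALL-INTERFACES$' || true
}

# Constructed sample compose fragment: the nginx ports from this document, with
# Kibana moved to loopback and one mapping written without an address.
SAMPLE_COMPOSE="$(mktemp)"
trap 'rm -f "$SAMPLE_COMPOSE"' EXIT
cat > "$SAMPLE_COMPOSE" <<'EOF'
services:
  nginx:
    image: nginx
    ports:
      - "0.0.0.0:80:80"       # Meteor Web Interface
      - "0.0.0.0:8080:8080"   # Loginput API
      - "0.0.0.0:8081:8081"   # REST API
      - "127.0.0.1:9090:9090" # Kibana, reachable only through a local proxy or SSH tunnel
      - "9200:9200"           # no address given: still published on all interfaces
  kibana:
    image: kibana
EOF

audit_compose_ports "$SAMPLE_COMPOSE"
echo "all-interface bindings: $(count_all_interface_ports "$SAMPLE_COMPOSE")"
```

Run against the real file with `audit_compose_ports docker/compose/docker-compose.yml`; on the sample it prints four `ALL-INTERFACES` lines and one `LOOPBACK-ONLY` line for Kibana. The loopback variant is the shape to use for any service that only administrators need, fronted by a reverse proxy or an SSH tunnel instead of a public port.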

---

## 🔗 Accessible Endpoints

### Server Information
- **External IP:** $(hostname -I | awk '{print $1}')
- **Hostname:** $(hostname)

### Web Interfaces
- **Meteor Web UI:** http://$(hostname -I | awk '{print $1}')
- **Kibana Dashboard:** http://$(hostname -I | awk '{print $1}'):9090

### API Endpoints
- **Loginput API:** http://$(hostname -I | awk '{print $1}'):8080
  - Status: `GET http://$(hostname -I | awk '{print $1}'):8080/status`
  - Events: `POST http://$(hostname -I | awk '{print $1}'):8080/events`

- **REST API:** http://$(hostname -I | awk '{print $1}'):8081
  - Status: `GET http://$(hostname -I | awk '{print $1}'):8081/status`
  - Various endpoints: `/api/*`

---

## 🔥 Firewall Configuration

### UFW (Uncomplicated Firewall)
If using UFW, ensure the ports are open (UFW rules persist across reboots):

```bash
sudo ufw allow 80/tcp
sudo ufw allow 8080/tcp
sudo ufw allow 8081/tcp
sudo ufw allow 9090/tcp
sudo ufw reload
```

### iptables
If using iptables directly (run as root; unlike UFW, plain iptables rules are lost on reboot unless saved with `iptables-save` or your distribution's persistence package):

```bash
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8081 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j ACCEPT
```

### Cloud Provider Security Groups
If using AWS, GCP, Azure, or other cloud providers:
- Ensure security groups allow inbound traffic on ports 80, 8080, 8081, 9090
- Configure rules for HTTP/HTTPS traffic

---

## ✅ Verification Steps

### 1. Check Port Bindings
```bash
docker-compose -f docker/compose/docker-compose.yml -p mozdef ps
```

Should show:
```
mozdef-nginx-1: 0.0.0.0:80->80/tcp, 0.0.0.0:8080->8080/tcp, 0.0.0.0:8081->8081/tcp, 0.0.0.0:9090->9090/tcp
```

### 2. Check Listening Ports
```bash
netstat -tuln | grep -E ":(80|8080|8081|9090)"
# or
ss -tuln | grep -E ":(80|8080|8081|9090)"
```

Should show ports listening on `0.0.0.0` (all interfaces).

### 3. Test Local Access
```bash
EXTERNAL_IP=$(hostname -I | awk '{print $1}')
curl -I http://$EXTERNAL_IP
curl -I http://$EXTERNAL_IP:8080/status
curl -I http://$EXTERNAL_IP:8081/status
curl -I http://$EXTERNAL_IP:9090/app/kibana
```

### 4. Test External Access
From another machine or browser:
- Open: `http://YOUR_SERVER_IP`
- Should see MozDef login page

---

## 🔒 Security Considerations

### 1. HTTPS/SSL (Recommended)
For production, configure SSL/TLS:
- Use Let's Encrypt for free SSL certificates
- Configure Nginx with SSL
- Redirect HTTP to HTTPS

### 2. Authentication
- MozDef has built-in authentication
- Ensure strong passwords
- Consider 2FA if available

### 3. Firewall Rules
- Only open necessary ports
- Consider restricting access by IP if possible
- Use fail2ban for additional protection
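
The iptables snippet in the Firewall Configuration section accepts the four ports from anywhere. As an added example (not MozDef project code, and assuming the standard `conntrack`, `limit` and `LOG` iptables match/target modules), the script below generates the restricted variant those three bullet points describe: the ports are admitted only from an allowlist of source networks, everything else to those ports is logged at a limited rate and dropped, and each allowlist entry is validated so a typo cannot become a malformed rule. The rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not MozDef project code: generate an iptables rule set that
# admits the MozDef ports only from an allowlist of source networks and drops
# (with rate-limited logging) every other connection attempt to those ports.
# Rules are printed rather than applied so the ordering is reviewable:
# established traffic and loopback first, allowlisted sources, then log-and-drop.
set -eu

MOZDEF_PORTS="80 8080 8081 9090"

# valid_cidr <cidr>: accept only dotted-quad IPv4 with an optional /prefix.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|"") return 1 ;;
    esac
    ip="${1%%/*}"; prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32                  # no /prefix given: single host
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    IFS=. ; set -- $ip ; unset IFS                     # split the address into octets
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# allowlisted_rules <ports> <cidr...>: print the rule set, one command per line.
allowlisted_rules() {
    ports="$1"; shift
    [ "$#" -gt 0 ] || { echo "allowlisted_rules: at least one source CIDR is required" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "allowlisted_rules: bad CIDR '$cidr'" >&2; return 1; }
    done
    # Replies to connections the host itself opened, and local traffic, first.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    for port in $ports; do
        for cidr in "$@"; do
            echo "iptables -A INPUT -p tcp -s $cidr --dport $port -j ACCEPT"
        done
        # The LOG line is what a defender greps the kernel log for later to see
        # which sources outside the allowlist are probing the SIEM.
        echo "iptables -A INPUT -p tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix \"mozdef-blocked:$port \""
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# count_accept_rules <ports> <cidr...>: number of ACCEPT rules the set installs.
count_accept_rules() {
    allowlisted_rules "$@" | grep -c -- '-j ACCEPT$' || true
}

# Constructed allowlist: two documentation ranges standing in for an office
# network and a VPN pool (placeholders, not real networks).
allowlisted_rules "$MOZDEF_PORTS" 203.0.113.0/24 198.51.100.0/24
```

Review the output, then apply it on the host (for example by piping it into `sh` as root) and save it so it survives a reboot. For two allowlisted networks the set contains ten `ACCEPT` rules (two baseline rules plus one per network per port) and a log-and-drop pair for each of the four ports; the `mozdef-blocked:<port>` prefix makes the dropped attempts easy to pull out of the kernel log when reviewing who is reaching for the exposed services.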

### 4. Network Security
- Use VPN for administrative access
- Consider reverse proxy with authentication
- Monitor access logs

---

## 🚀 Quick Start Commands

### Restart Services After Configuration
```bash
cd /root/MozDef
docker-compose -f docker/compose/docker-compose.yml -p mozdef restart nginx
```

### Check Service Status
```bash
docker-compose -f docker/compose/docker-compose.yml -p mozdef ps
```

### View Logs
```bash
docker-compose -f docker/compose/docker-compose.yml -p mozdef logs -f nginx
```

### Test Event Submission
```bash
curl -X POST http://YOUR_SERVER_IP:8080/events \
  -H "Content-Type: application/json" \
  -d '{
    "timestamp": "'$(date -u +"%Y-%m-%dT%H:%M:%S+00:00")'",
    "utctimestamp": "'$(date -u +"%Y-%m-%dT%H:%M:%S+00:00")'",
    "hostname": "test.example.com",
    "processname": "test.py",
    "processid": 1234,
    "severity": "INFO",
    "summary": "Test event",
    "category": "test",
    "source": "test",
    "tags": ["test"],
    "details": {}
  }'
```
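
The curl command above interpolates values straight into a JSON literal, which works for a fixed test string but breaks (or lets a quote in a log line inject extra fields) once the summary comes from real data. As an added example, not MozDef project code, the functions below build the same event payload with the summary and other string fields escaped, stamp the time in UTC as the page's example does, and post it with a timeout and a failure on non-2xx responses. The `/events` path and field names come from the example above; the severity value is passed through as given.

```shell
#!/bin/sh
# Added example, not MozDef project code: build the Loginput event payload
# from a shell function with proper JSON escaping, then submit it.
set -eu

# json_escape <string>: escape backslash, double quote and newline for use
# inside a JSON string literal. Backslashes are handled first so the escapes
# added for quotes are not themselves doubled.
json_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        | awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }'
}

# mozdef_event <summary> <category> [severity] [source]: print one event as JSON.
# Field names follow the curl example above; processid is this shell's PID and
# processname the script name.
mozdef_event() {
    summary="$1"; category="$2"; severity="${3:-INFO}"; source="${4:-test}"
    now="$(date -u +"%Y-%m-%dT%H:%M:%S+00:00")"
    host="$(hostname 2>/dev/null || uname -n)"
    printf '{"timestamp": "%s", "utctimestamp": "%s", "hostname": "%s", "processname": "%s", "processid": %d, "severity": "%s", "summary": "%s", "category": "%s", "source": "%s", "tags": ["%s"], "details": {}}\n' \
        "$now" "$now" "$(json_escape "$host")" "$(json_escape "$(basename "$0")")" "$$" \
        "$(json_escape "$severity")" "$(json_escape "$summary")" \
        "$(json_escape "$category")" "$(json_escape "$source")" "$(json_escape "$category")"
}

# submit_event <loginput-base-url> <json>: POST with a short timeout and a
# non-zero exit on any non-2xx reply, so an unreachable or misconfigured
# endpoint is an error rather than a silently lost event. Not invoked below;
# call it as: submit_event "http://YOUR_SERVER_IP:8080" "$(mozdef_event ...)"
submit_event() {
    curl --silent --show-error --fail --max-time 10 \
        -X POST "$1/events" -H "Content-Type: application/json" --data "$2"
}

# Usage: a summary carrying the characters that break naive interpolation.
mozdef_event 'login failed for user "alice" from 203.0.113.7 (path C:\temp)' authentication
```

The printed event is valid JSON even though the summary contains quotes and a backslash; the same string pasted into the curl example above would have produced a parse error on the server or, with a crafted summary, additional top-level fields.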

---

## πŸ“ Troubleshooting

### Issue: Cannot access from external network

**Check 1: Port Binding**
```bash
docker inspect mozdef-nginx-1 | grep -A 10 "Ports"
```
Should show `0.0.0.0` bindings.

**Check 2: Firewall**
```bash
sudo ufw status
# or
sudo iptables -L -n | grep -E "(80|8080|8081|9090)"
```

**Check 3: Cloud Security Groups**
- Verify security group rules allow inbound traffic
- Check network ACLs

**Check 4: Service Status**
```bash
docker-compose -f docker/compose/docker-compose.yml -p mozdef ps
```
All services should be "Up" and "healthy".

### Issue: Port already in use

If the port is already in use:
```bash
# Find process using port
sudo lsof -i :80
# or
sudo netstat -tulpn | grep :80

# Stop conflicting service or change MozDef port
```

### Issue: Connection timeout

1. Check if service is running:
   ```bash
   docker-compose -f docker/compose/docker-compose.yml -p mozdef ps
   ```

2. Check service logs:
   ```bash
   docker-compose -f docker/compose/docker-compose.yml -p mozdef logs nginx
   ```

3. Verify network connectivity:
   ```bash
   ping YOUR_SERVER_IP
   telnet YOUR_SERVER_IP 80
   ```

---

## ✅ Success Criteria

- [x] All ports bound to `0.0.0.0`
- [x] REST API port 8081 exposed
- [x] Firewall rules configured
- [x] Services accessible from external network
- [x] All endpoints responding

---

## 🎯 Next Steps

1. **Test External Access:**
   - Open browser: `http://YOUR_SERVER_IP`
   - Verify MozDef login page appears

2. **Configure SSL (Optional but Recommended):**
   - Set up Let's Encrypt certificate
   - Configure HTTPS in Nginx

3. **Monitor Access:**
   - Check access logs
   - Monitor for unauthorized access attempts

4. **Document Access:**
   - Document URLs for team
   - Set up bookmarks
   - Configure monitoring

---

**Status:** ✅ Configured for global access

**Last Updated:** $(date)