graylog-labs / graylog-plugin-snmp

Graylog plugin to receive SNMP traps

Bind input on port 162 UDP #15

Closed thomasegis closed 7 years ago

thomasegis commented 7 years ago

Hello,

I am trying to run the SNMP plugin but I have a problem starting an input on the standard default SNMP trap receive port (162). The input refuses to start. In the server log I have the following exception (/var/log/graylog/server/current): 2016-10-03_10:00:42.66344 Caused by: java.net.SocketException: Operation not permitted

It looks like a classical low port binding problem for non-root user. However, this looks weird because Graylog is starting Syslog TCP and UDP inputs on port 514 without any problem.

My system : Graylog virtual appliance (graylog-2.1.1-1), RAM 32GB, 8 vCPU

I tried to add a special permission to java (see details here: http://serverfault.com/questions/112795/how-to-run-a-server-on-port-80-as-a-normal-user-on-linux/660121#660121): sudo /sbin/setcap 'cap_net_bind_service+ep' /opt/graylog/embedded/jre/bin/java

After that, the server does not start at all. The following error is logged (/var/log/graylog/server/current):

2016-10-03_09:59:23.69982 It looks like you are trying to access MongoDB over HTTP on the native driver port.
2016-10-03_09:59:23.70439 /opt/graylog/embedded/jre/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

So I reverted the permission with the command: sudo /sbin/setcap 'cap_net_bind_service-ep' /opt/graylog/embedded/jre/bin/java

Is there a way to allow that SNMP input to start on port 162?

thomasegis commented 7 years ago

I found a workaround reading issue #12 (see https://debian-administration.org/article/386/Running_network_services_as_a_non-root_user). One way to fix this is to bind the input to a non-privileged port (such as 1620) and to redirect packets from UDP 162 to that port. This does the job, but it would be more elegant to find a way to allow binding port 162.

Using iptables, this could be done by (tested on the Virtual Graylog appliance 2.1.1-1):

sudo touch /etc/network/if-up.d/firewall
sudo chmod a+x /etc/network/if-up.d/firewall

Edit the new file:

sudo nano /etc/network/if-up.d/firewall

and insert these lines:

#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Flush any existing firewall rules we might have
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Perform the rewriting magic: redirect incoming SNMP traps on UDP 162
# to the non-privileged port the Graylog SNMP input is bound to (1620).
iptables -t nat -A PREROUTING -p udp --dport 162 -j REDIRECT --to 1620

Restart the network (or reboot).

joschi commented 7 years ago

@thomasegis You also could have used authbind to allow the Graylog Java process to bind to privileged ports: https://github.com/Graylog2/fpm-recipes/blob/2.0/recipes/graylog-server/files/environment#L10-L12
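As an added diagnostic for the bind failure and the setcap/authbind discussion above (my own script, not from the issue or the Graylog project), this Python snippet reports whether the current process holds CAP_NET_BIND_SERVICE and whether a UDP bind on a given port succeeds, so you can confirm a capability or authbind change took effect before resorting to firewall redirects. It reads /proc/self/status, so it is Linux-specific; the function names are my own.

```python
import errno
import socket
CAP_NET_BIND_SERVICE = 10  # capability number from <linux/capability.h>

def is_privileged_port(port: int) -> bool:
    """Ports below 1024 need root or CAP_NET_BIND_SERVICE on Linux."""
    return 0 < port < 1024

def has_cap_net_bind_service(cap_eff: int) -> bool:
    """Decode the CapEff bitmask printed in /proc/<pid>/status."""
    return bool((cap_eff >> CAP_NET_BIND_SERVICE) & 1)

def read_cap_eff(status_path: str = "/proc/self/status") -> int:
    """Effective capability set of this process; 0 if unreadable (non-Linux)."""
    try:
        with open(status_path) as fh:
            for line in fh:
                if line.startswith("CapEff:"):
                    return int(line.split()[1], 16)
    except OSError:
        pass
    return 0

def try_bind_udp(port: int, host: str = "127.0.0.1") -> tuple:
    """Try a UDP bind; return (bound port, None) or (None, errno name).
    An unprivileged bind on 162 yields EPERM, the 'Operation not permitted'
    seen in the Graylog server log."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return sock.getsockname()[1], None
    except OSError as exc:
        return None, errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()

def diagnose(port: int) -> dict:
    """Collect the facts needed to explain a failed bind on `port`."""
    bound, err = try_bind_udp(port)
    return {
        "port": port,
        "privileged": is_privileged_port(port),
        "cap_net_bind_service": has_cap_net_bind_service(read_cap_eff()),
        "bound": bound is not None,
        "error": err,
    }

if __name__ == "__main__":
    for p in (162, 1620):  # the default trap port and the workaround port
        print(diagnose(p))
```

Run it as the same user the Graylog server runs as; a result with privileged=True, cap_net_bind_service=False and error='EPERM' is exactly the situation the issue describes.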