Skip to Content.
Sympa Menu

perfsonar-user - [perfsonar-user] Re: [perf-node-users] Securing perfSONAR-PS installations

Subject: perfSONAR User Q&A and Other Discussion

List archive

[perfsonar-user] Re: [perf-node-users] Securing perfSONAR-PS installations


Chronological Thread 
  • From: Brian Tierney <>
  • To: perf-node-users <>, perfsonar-ps-users <>, perfsonar-user <>
  • Cc: Roderick Mooi <>
  • Subject: [perfsonar-user] Re: [perf-node-users] Securing perfSONAR-PS installations
  • Date: Thu, 27 Jun 2013 13:11:55 -0700
  • Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none


I'm wondering if anyone has tested a host IDS such as OSSec or rkhunter on a
perfSONAR node, to see if there is any performance impact.

This might be a good thing to add to perfSONAR nodes.


On Jun 27, 2013, at 6:32 AM, Jason Zurawski
<>
wrote:

> Hey Roderick;
>
> As an FYI the LHCOPN document was produced by external parties, but the
> suggestions are sound depending on the policy set forth by the operating
> institution. Note the date is about 2 years ago, so some of the items they
> are working around could have been addressed in subsequent releases.
>
> Earlier this year we published some information on ways to allow the
> toolkit to work better with firewalls:
>
> http://psps.perfsonar.net/toolkit/firewalls.html
>
> Coupled with this, the latest release has a stub iptables file that can be
> used to implement host based filtering if that is so desired.
>
> One thing that I think we discussed (not sure if it was implemented) was
> putting in some SSH protections like these:
> http://codeghar.wordpress.com/2010/04/25/secure-your-ssh/. Many people
> already implement the throttling suggestions, and that meets the checkbox
> for security on that service in many cases. It may also make sense to
> disallow root logins, or empty passwords (once the machine is setup).
> Those are a little harder for us to do by default, but certainly could work
> well.
>
> As a part of a broader campus/network security plan, its always a good idea
> to consider the use of systems that watch for strange behavior (tripwire,
> bro), and lots of sites do this already.
>
> Trying to integrate federated login techniques to the performance node has
> been shown to work, I know some locations have installed the kerberos from
> the CentoOS repos, and configured it as they would any other system.
>
> Lastly, if sites are using a non-pemanent install (like a live CD), they
> often can get away with calling this an 'appliance', and thus a reboot can
> be used to clean out the system in the event that something bad does happen.
>
> In general, our stance remains that to get accurate measurements of the
> network, the performance node should be free of infrastructure that will
> limit performance. There is value in seeing 'what the users see' however,
> so users have to have their connectivity dragged through devices that limit
> performance, the performance node should do so as well.
>
> Hope this helps;
>
> -jason
>
> On Jun 27, 2013, at 7:53 AM, Roderick Mooi wrote:
>
>> Hi everyone,
>>
>> What advice/recommendations are available for securing perfSONAR servers
>> and/or the toolkit itself?
>>
>> I've previously used this guide:
>> https://twiki.cern.ch/twiki/pub/LHCOPN/PerfsonarPS/perfSONAR-PS_Security_Guidelines.pdf
>>
>>
>> Are there any updates or other resources or recommendations particularly
>> for v3.3?
>>
>> Thanks very much!
>>
>> Regards,
>>
>> Roderick
>>
>>
>> --
>> This message is subject to the CSIR's copyright terms and conditions,
>> e-mail legal notice, and implemented Open Document Format (ODF) standard.
>> The full disclaimer details can be found at
>> http://www.csir.co.za/disclaimer.html.
>>
>> This message has been scanned for viruses and dangerous content by
>> MailScanner,
>> and is believed to be clean.
>>
>> Please consider the environment before printing this email.




Archive powered by MHonArc 2.6.16.

Top of Page