perfsonar-user - Re: [perfsonar-user] memcached and firewall rules

Subject: perfSONAR User Q&A and Other Discussion


Re: [perfsonar-user] memcached and firewall rules


  • From: Hervey Allen <>
  • To: Andrew Lake <>,
  • Subject: Re: [perfsonar-user] memcached and firewall rules
  • Date: Fri, 9 Feb 2018 10:42:36 -0800
  • Organization: Network Startup Resource Center

On 2/9/18 6:18 AM, Andrew Lake wrote:
> Hi,
>
> The only things that needs access to memcached comes from localhost. The
> esmond archiving plugin in pscheduler uses it as a cache between
> archiving processes to speed-up some requests. You can safely block it.
>
> For a list of the ports that need to be open
> see http://docs.perfsonar.net/manage_security.html. If you would like a
> default set of firewall rules installed for you run ‘yum install
> perfsonar-toolkit-security’ on your testpoint which will setup rules on
> the host that only allow the listed ports through.
>
> Hope that helps,
> Andy
>

I thought I'd give a quick update.

I had installed the perfSONAR Testpoint bundle but had not done:

# yum install perfsonar-toolkit-security

nor

/usr/lib/perfsonar/scripts/configure_firewall install

Before doing either here is what listening services looked like:

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
tcp6 0 0 [::]:owamp-control [::]:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:4823 [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*

After doing both and restarting firewalld:

# systemctl restart firewalld

I'm still seeing:

tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
tcp6 0 0 [::]:owamp-control [::]:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:4823 [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*

Or, more specifically:

tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*

For the moment my fix is to edit:

/etc/sysconfig/memcached

And change the default configuration of:

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""

to:

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1"

After doing:

# systemctl restart memcached

I now see:

tcp 0 0 localhost:memcache 0.0.0.0:* LISTEN
tcp6 0 0 ip6-localhost:memcache [::]:* LISTEN
udp 0 0 localhost:memcache 0.0.0.0:*
udp6 0 0 ip6-localhost:memcache [::]:*

Double-checking by using telnet to port 11211 from both the localhost
and a remote host verified that I could no longer make any external
connections to memcache.

Cheers,
- Hervey

>
>
> On February 8, 2018 at 4:54:03 PM, Hervey Allen wrote:
>
>> Hi All - Our IT Security group contacted us to say that the memcached
>> process was open on our perfSONAR Testpoint bundle instance we had
>> installed.
>>
>> It is...
>>
>> Question - I have the perfSONAR default firewall rules in place. This is
>> running on a CentOS 7 box. What specifically needs to talk to this
>> service? Is this a service that is installed with Postgres? That's what
>> I think is happening.
>>
>> Does Esmond need access to memcache from an archive host? Anything else?
>> Based on the release notes for 4.0rc3:
>>
>> "Added memcached support to esmond archiver for tracking metadata
>> objects already created in order to increase archiver performance"
>>
>> I think this is the case.
>>
>> I'm trying to figure out a proper strategy for recommending what to do
>> with the open memcached service.
>>
>> I believe adding a firewall rule to only allow access to memcached on
>> the perfSONAR Testpoint Bundle node and from wherever we have Esmond is
>> what makes sense?
>>
>> Comments or recommendations are most welcome.
>>
>> Thank you!
>>
>> - Hervey
>>
>>
>>
>> Network Startup Resource Center
>> https://nsrc.org/


--
Hervey Allen Assistant Director, Network Startup Resource Center

http://nsrc.org/ : http://facebook.com/nsrc.org
GPG Fingerprint: AC08 31CB E453 6C65 2AB3 4EDB CEEB 5A74 C6E5 624F
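A small audit script, added here as an example and not taken from the thread or from perfSONAR, that does the check Hervey did by eye: it reads a netstat-style listing and flags any memcached socket not bound to loopback. It assumes the `netstat -tul` / `netstat -tuln` column layout quoted above (Local Address is the 4th field); `ss` output has a different layout and is not handled.

```shell
#!/bin/sh
# Added example, not code from the thread or from perfSONAR: audit a
# netstat-style socket listing for memcached sockets bound to anything
# other than loopback. Assumes the netstat -tul/-tuln column layout
# (Local Address is the 4th field); ss output is not handled.

# Reads listing lines on stdin. Prints each memcached socket reachable
# from off-host and returns 1 if any were found, 0 otherwise.
check_memcached_exposure() {
    exposed=0
    while read -r proto _recvq _sendq local _rest; do
        case "$local" in
            *:memcache|*:11211) ;;      # memcached, by service name or port
            *) continue ;;              # header line or some other service
        esac
        case "$local" in
            127.*:*|localhost:*|'::1:'*|ip6-localhost:*) ;;   # loopback only
            *)  printf 'EXPOSED %s %s\n' "$proto" "$local"
                exposed=1 ;;            # 0.0.0.0, [::] or a real interface
        esac
    done
    return "$exposed"
}

# Constructed sample: the "before" listing from the thread (not live output).
SAMPLE_BEFORE='tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*'

# Constructed sample: the listing after OPTIONS="-l 127.0.0.1,::1".
SAMPLE_AFTER='tcp 0 0 localhost:memcache 0.0.0.0:* LISTEN
tcp6 0 0 ip6-localhost:memcache [::]:* LISTEN
udp 0 0 localhost:memcache 0.0.0.0:*'

# Count exposed memcached sockets in a listing passed as $1.
count_exposed() {
    printf '%s\n' "$1" | check_memcached_exposure | wc -l | tr -d ' '
}

# Audit the running host (needs net-tools); exit status 1 means exposed.
audit_live() {
    netstat -tuln 2>/dev/null | check_memcached_exposure
}

if [ "${1:-}" = "demo" ]; then
    printf 'before: %s exposed, after: %s exposed\n' \
        "$(count_exposed "$SAMPLE_BEFORE")" "$(count_exposed "$SAMPLE_AFTER")"
fi
```

Run it with `demo` to see the before/after counts from the samples, or call `audit_live` from a cron job and alert on a non-zero exit.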


