
perfsonar-user - Re: [perfsonar-user] memcached and firewall rules

Re: [perfsonar-user] memcached and firewall rules


  • From: Andrew Lake <>
  • To: Hervey Allen <>,
  • Subject: Re: [perfsonar-user] memcached and firewall rules
  • Date: Fri, 9 Feb 2018 11:06:29 -0800

Hi,

Updating the firewall is not going to change where any service listens, but if anything tries to connect, the firewall will not allow it through. Using netstat locally (which I am guessing is the output you shared) is not going to tell you anything about what the firewall allows through. Running something like "firewall-cmd --list-all" will show you your firewall rules.

Thanks,
Andy



On February 9, 2018 at 1:42:42 PM, Hervey Allen () wrote:

On 2/9/18 6:18 AM, Andrew Lake wrote:
> Hi,
>
> The only thing that needs access to memcached comes from localhost. The
> esmond archiving plugin in pscheduler uses it as a cache between
> archiving processes to speed-up some requests. You can safely block it.
>
> For a list of the ports that need to be open
> see http://docs.perfsonar.net/manage_security.html. If you would like a
> default set of firewall rules installed for you run ‘yum install
> perfsonar-toolkit-security’ on your testpoint which will set up rules on
> the host that only allow the listed ports through.
>
> Hope that helps,
> Andy
>

I thought I'd give a quick update.

I had installed the perfSONAR Testpoint bundle but had not done:

# yum install perfsonar-toolkit-security

nor

/usr/lib/perfsonar/scripts/configure_firewall install

Before doing either here is what listening services looked like:

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
tcp6 0 0 [::]:owamp-control [::]:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:4823 [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*

After doing both and restarting firewalld:

# systemctl restart firewalld

I'm still seeing:

tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
tcp6 0 0 [::]:owamp-control [::]:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:4823 [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*

Or, more specifically:

tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*

For the moment my fix is to edit:

/etc/sysconfig/memcached

And change the default configuration of:

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""

to:

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1"

After doing:

# systemctl restart memcached

I now see:

tcp 0 0 localhost:memcache 0.0.0.0:* LISTEN
tcp6 0 0 ip6-localhost:memcache [::]:* LISTEN
udp 0 0 localhost:memcache 0.0.0.0:*
udp6 0 0 ip6-localhost:memcache [::]:*

Double-checking by using telnet to port 11211 from both the localhost
and a remote host verified that I could no longer make any external
connections to memcache.

Cheers,
- Hervey

>
>
> On February 8, 2018 at 4:54:03 PM, Hervey Allen (
> <mailto:>) wrote:
>
>> Hi All - Our IT Security group contacted us to say that the memcached
>> process was open on our perfSONAR Testpoint bundle instance we had
>> installed.
>>
>> It is...
>>
>> Question - I have the perfSONAR default firewall rules in place. This is
>> running on a CentOS 7 box. What specifically needs to talk to this
>> service? Is this a service that is installed with Postgres? That's what
>> I think is happening.
>>
>> Does Esmond need access to memcache from an archive host? Anything else?
>> Based on the release notes for 4.0rc3:
>>
>> "Added memcached support to esmond archiver for tracking metadata
>> objects already created in order to increase archiver performance"
>>
>> I think this is the case.
>>
>> I'm trying to figure out proper strategy for recommending what to do
>> with the open memcached service.
>>
>> I believe adding a firewall rule to only allow access to memcached on
>> the perfSONAR Testpoint Bundle node and from wherever we have Esmond is
>> what makes sense?
>>
>> Comments or recommendations are most welcome.
>>
>> Thank you!
>>
>> - Hervey
>>
>>
>>
>> Network Startup Resource Center
>> https://nsrc.org/


--
Hervey Allen Assistant Director, Network Startup Resource Center
http://nsrc.org/ : http://facebook.com/nsrc.org
GPG Fingerprint: AC08 31CB E453 6C65 2AB3 4EDB CEEB 5A74 C6E5 624F
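
The distinction Andy draws above, between what netstat shows (where a service listens) and what firewalld permits (whether a remote peer can reach it), can be checked mechanically rather than by telnetting from a second host. The script below is an added example, not code from the perfSONAR project or from either poster: it parses netstat -lntu style output and firewall-cmd --list-all output and labels each listener "local-only", "blocked" (listening on 0.0.0.0/[::] but not permitted by the zone, which is what Hervey saw after installing the rules) or "exposed". The netstat sample reproduces the lines posted in the thread. Everything else is assumed for illustration: the NETSTAT_SERVICE_PORTS map behind the service names netstat printed, the two-entry FIREWALLD_SERVICE_PORTS table, and the FIREWALL_PUBLIC zone text, which is invented and is not the ruleset perfsonar-toolkit-security installs.

```python
"""Added example (not perfSONAR code): decide which listening sockets a
remote peer can actually reach by combining `netstat -lntu` output with
`firewall-cmd --list-all` output. Sample inputs below are constructed."""
import re
from typing import Dict, List, Tuple

# Assumed port numbers behind the names netstat printed (from /etc/services);
# `netstat -lntun` / `ss -lntun` prints numbers and makes this map unnecessary.
NETSTAT_SERVICE_PORTS = {"memcache": 11211, "ssh": 22, "postgres": 5432, "owamp-control": 861}
# Assumed subset of firewalld's service definitions (/usr/lib/firewalld/services).
FIREWALLD_SERVICE_PORTS = {"ssh": {("tcp", 22)}, "dhcpv6-client": {("udp", 546)}}
LOOPBACK = {"127.0.0.1", "::1", "localhost", "ip6-localhost"}

def parse_netstat(text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, host, port) for each socket line; headers are skipped."""
    out = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        host, _, port = cols[3].rpartition(":")   # "[::]:4823" -> "[::]", "4823"
        num = int(port) if port.isdigit() else NETSTAT_SERVICE_PORTS.get(port)
        if num is None:
            raise ValueError(f"unknown service name {port!r}; rerun netstat with -n")
        out.append((cols[0].rstrip("6"), host.strip("[]"), num))
    return out

class FirewalldZone:
    """Inbound permissions parsed from `firewall-cmd --list-all` text."""
    def __init__(self, text: str):
        # "FirewallD is not running" (or no output) means nothing is filtered.
        self.permit_all = not text.strip() or "not running" in text
        self.allowed = set()        # (proto, port) from the services: line
        self.ranges = []            # (proto, lo, hi) from the ports: line
        for line in text.splitlines():
            key, _, value = line.strip().partition(":")
            if key == "services":
                for svc in value.split():
                    self.allowed |= FIREWALLD_SERVICE_PORTS.get(svc, set())
            elif key == "ports":
                for spec in value.split():       # "861/tcp" or "8760-9960/udp"
                    m = re.fullmatch(r"(\d+)(?:-(\d+))?/(tcp|udp)", spec)
                    if not m:
                        raise ValueError(f"unrecognised port spec {spec!r}")
                    self.ranges.append((m[3], int(m[1]), int(m[2] or m[1])))

    def permits(self, proto: str, port: int) -> bool:
        return self.permit_all or (proto, port) in self.allowed or any(
            p == proto and lo <= port <= hi for p, lo, hi in self.ranges)

def audit(netstat_text: str, firewall_text: str) -> Dict[Tuple[str, str, int], str]:
    """Map (proto, host, port) -> "local-only", "blocked" or "exposed".
    "blocked" is the thread's case: netstat still shows LISTEN on 0.0.0.0/[::],
    but firewalld drops remote connection attempts."""
    zone = FirewalldZone(firewall_text)
    return {(proto, host, port): "local-only" if host in LOOPBACK
            else "exposed" if zone.permits(proto, port) else "blocked"
            for proto, host, port in parse_netstat(netstat_text)}

def exposed_ports(netstat_text: str, firewall_text: str) -> set:
    """Ports a remote scanner should find open, as "port/proto" strings."""
    return {f"{port}/{proto}" for (proto, _, port), v
            in audit(netstat_text, firewall_text).items() if v == "exposed"}

# Constructed sample: the netstat lines posted in the thread, before the fix.
NETSTAT_BEFORE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
tcp6 0 0 [::]:owamp-control [::]:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:4823 [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*
"""
# After OPTIONS="-l 127.0.0.1,::1" and a memcached restart.
NETSTAT_AFTER = """\
tcp 0 0 localhost:memcache 0.0.0.0:* LISTEN
tcp6 0 0 ip6-localhost:memcache [::]:* LISTEN
udp 0 0 localhost:memcache 0.0.0.0:*
udp6 0 0 ip6-localhost:memcache [::]:*
"""
# Constructed `firewall-cmd --list-all` output: an invented zone, not the
# ruleset that perfsonar-toolkit-security installs.
FIREWALL_PUBLIC = """\
public (active)
  interfaces: eth0
  services: ssh dhcpv6-client
  ports: 861/tcp 4823/tcp 8760-9960/udp
"""

if __name__ == "__main__":
    for (proto, host, port), verdict in sorted(audit(NETSTAT_BEFORE, FIREWALL_PUBLIC).items()):
        print(f"{proto:<5}{host:>14}:{port:<6} {verdict}")
    print("reachable from outside:", sorted(exposed_ports(NETSTAT_BEFORE, FIREWALL_PUBLIC)))
```

On a real host, feed it `netstat -lntun` (numeric, so the service-name map is not needed) and `firewall-cmd --list-all` for the zone the public interface sits in. Note that a wildcard listener firewalld blocks still counts as attack surface for anything on the box itself and for any future rule change, which is why binding memcached to loopback with `-l 127.0.0.1,::1`, as done in the thread, is the stronger fix; the firewall rule is defence in depth on top of it.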


