perfSONAR User Q&A and Other Discussion

["Hans Kuhn" <>]

Hi Andrew,

I agree that the correct solution security-wise is to bind memcached to 
localhost.

It appears the upstream package maintainer’s default for memcached is 
currently being used, and that perfsonar would need to modify 
/etc/sysconfig/memcached after installation to bind memcached to 
localhost.

Is there a way to submit a feature request to make this the default for 
the perfsonar-testpoint bundle?

thanks, Hans

On 9 Feb 2018, at 11:06, Andrew Lake wrote:

> Hi,
>
> Updating the firewall is not going to change where any services 
> listens,
> but if anything tries to connect, the firewall will not allow it 
> through.
> Using netstat locally (which I am guessing is the output you shared) 
> is not
> going to tell you anything about what the firewall allows through. 
> Running
> something like "firewall-cmd --list-all” will show you your firewall 
> rules.
>
> Thanks,
> Andy
>
>
>
> On February 9, 2018 at 1:42:42 PM, Hervey Allen () 
> wrote:
>
> On 2/9/18 6:18 AM, Andrew Lake wrote:
> > Hi,
> >
> > The only things that needs access to memcached comes from localhost. 
> > The
> > esmond archiving plugin in pscheduler uses it as a cache between
> > archiving processes to speed-up some requests. You can safely block 
> > it.
> >
> > For a list of the ports that need to be open
> > see http://docs.perfsonar.net/manage_security.html. If you would like 
> > a
> > default set of firewall rules installed for you run ‘yum install
> > perfsonar-toolkit-security’ on your testpoint which will setup 
> > rules on
> > the host that only allow the listed ports through.
> >
> > Hope that helps,
> > Andy
>
> I thought I'd give a quick update.
>
> I had installed the perfSONAR Testpoint bundle but had not done:
>
> # yum install perfsonar-toolkit-security
>
> nor
>
> /usr/lib/perfsonar/scripts/configure_firewall install
>
> Before doing either here is what listening services looked like:
>
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
> tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
> tcp6 0 0 [::]:owamp-control [::]:* LISTEN
> tcp6 0 0 [::]:memcache [::]:* LISTEN
> tcp6 0 0 [::]:ssh [::]:* LISTEN
> tcp6 0 0 [::]:4823 [::]:* LISTEN
> udp 0 0 0.0.0.0:memcache 0.0.0.0:*
> udp6 0 0 [::]:memcache [::]:*
>
> After doing both and restarting firewalld:
>
> # systemctl restart firewalld
>
> I'm still seeing:
>
> tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
> tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
> tcp6 0 0 [::]:owamp-control [::]:* LISTEN
> tcp6 0 0 [::]:memcache [::]:* LISTEN
> tcp6 0 0 [::]:ssh [::]:* LISTEN
> tcp6 0 0 [::]:4823 [::]:* LISTEN
> udp 0 0 0.0.0.0:memcache 0.0.0.0:*
> udp6 0 0 [::]:memcache [::]:*
>
> Or, more specifically:
>
> tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
> tcp6 0 0 [::]:memcache [::]:* LISTEN
> udp 0 0 0.0.0.0:memcache 0.0.0.0:*
> udp6 0 0 [::]:memcache [::]:*
>
> For the moment my fix is to edit:
>
> /etc/sysconfig/memcached
>
> And change the default configuration of:
>
> PORT="11211"
> USER="memcached"
> MAXCONN="1024"
> CACHESIZE="64"
> OPTIONS=""
>
> to:
>
> PORT="11211"
> USER="memcached"
> MAXCONN="1024"
> CACHESIZE="64"
> OPTIONS="-l 127.0.0.1,::1"
>
> After doing:
>
> # systemctl restart memcached
>
> I now see:
>
> tcp 0 0 localhost:memcache 0.0.0.0:* LISTEN
> tcp6 0 0 ip6-localhost:memcache [::]:* LISTEN
> udp 0 0 localhost:memcache 0.0.0.0:*
> udp6 0 0 ip6-localhost:memcache [::]:*
>
> double-checking by using telnet to port 11211 from both the localhost
> and a remote host verified that I could not longer make any external
> connections to memcache.
>
> Cheers,
> - Hervey
>
> > On February 8, 2018 at 4:54:03 PM, Hervey Allen 
> > (
> > <mailto:>)
> >  wrote:
> >
> > > Hi All - Our IT Security group contacted us to say that the 
> > > memcached
> > > process was open on our perfSONAR Testpoint bundle instance we had
> > > installed.
> > >
> > > It is...
> > >
> > > Question - I have the perfSONAR default firewall rules in place. 
> > > This is
> > > running on a CentOS 7 box. What specifically needs to talk to this
> > > service? Is this a service that is installed with Postgres? That's 
> > > what
> > > I think is happening.
> > >
> > > Does Esmond need access to memcache from an archive host? Anything 
> > > else?
> > > Based on the release notes for 4.0rc3:
> > >
> > > "Added memcached support to esmond archiver for tracking metadata
> > > objects already created in order to increase archiver performance"
> > >
> > > I think this is the case.
> > >
> > > I'm trying to figure out proper strategy for recommending what to do
> > > with the open memcached service.
> > >
> > > I believe adding a firewall rule to only allow access to memcached 
> > > on
> > > the perfSONAR Testpoint Bundle node and from wherever we have Esmond 
> > > is
> > > what makes sense?
> > >
> > > Comments or recommendations are most welcome.
> > >
> > > Thank you!
> > >
> > > - Hervey
> > >
> > >
> > >
> > > Network Startup Resource Center
> > > https://nsrc.org/
>
>
> --
> Hervey Allen Assistant Director, Network Startup Resource Center
>
>  http://nsrc.org/ : http://facebook.com/nsrc.org
> GPG Fingerprint: AC08 31CB E453 6C65 2AB3 4EDB CEEB 5A74 C6E5 624F