perfsonar-user - Re: [perfsonar-user] memcached and firewall rules

Subject: perfSONAR User Q&A and Other Discussion

Re: [perfsonar-user] memcached and firewall rules


  • From: "Hans Kuhn" <>
  • To: "Andrew Lake" <>
  • Cc: "Hervey Allen" <>,
  • Subject: Re: [perfsonar-user] memcached and firewall rules
  • Date: Fri, 09 Feb 2018 11:40:56 -0800

Hi Andrew,

I agree that the correct solution security-wise is to bind memcached to localhost.

It appears the upstream package maintainer’s default for memcached is currently being used, and that perfsonar would need to modify /etc/sysconfig/memcached after installation to bind memcached to localhost.

Is there a way to submit a feature request to make this the default for the perfsonar-testpoint bundle?

thanks, Hans

On 9 Feb 2018, at 11:06, Andrew Lake wrote:

Hi,

Updating the firewall is not going to change where any service listens,
but if anything tries to connect, the firewall will not allow it through.
Using netstat locally (which I am guessing is the output you shared) is not
going to tell you anything about what the firewall allows through. Running
something like "firewall-cmd --list-all" will show you your firewall rules.

Thanks,
Andy



On February 9, 2018 at 1:42:42 PM, Hervey Allen () wrote:

On 2/9/18 6:18 AM, Andrew Lake wrote:
Hi,

The only things that need access to memcached come from localhost. The
esmond archiving plugin in pscheduler uses it as a cache between
archiving processes to speed up some requests. You can safely block it.

For a list of the ports that need to be open
see http://docs.perfsonar.net/manage_security.html. If you would like a
default set of firewall rules installed for you, run 'yum install
perfsonar-toolkit-security' on your testpoint, which will set up rules on
the host that only allow the listed ports through.

Hope that helps,
Andy


I thought I'd give a quick update.

I had installed the perfSONAR Testpoint bundle but had not done:

# yum install perfsonar-toolkit-security

nor

/usr/lib/perfsonar/scripts/configure_firewall install

Before doing either here is what listening services looked like:

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
tcp6 0 0 [::]:owamp-control [::]:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:4823 [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*

After doing both and restarting firewalld:

# systemctl restart firewalld

I'm still seeing:

tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
tcp6 0 0 [::]:owamp-control [::]:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:4823 [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*

Or, more specifically:

tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*

For the moment my fix is to edit:

/etc/sysconfig/memcached

And change the default configuration of:

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""

to:

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1"

After doing:

# systemctl restart memcached

I now see:

tcp 0 0 localhost:memcache 0.0.0.0:* LISTEN
tcp6 0 0 ip6-localhost:memcache [::]:* LISTEN
udp 0 0 localhost:memcache 0.0.0.0:*
udp6 0 0 ip6-localhost:memcache [::]:*

Double-checking by using telnet to port 11211 from both the localhost
and a remote host verified that I could no longer make any external
connections to memcache.

Cheers,
- Hervey



On February 8, 2018 at 4:54:03 PM, Hervey Allen () wrote:

Hi All - Our IT Security group contacted us to say that the memcached
process was open on our perfSONAR Testpoint bundle instance we had
installed.

It is...

Question - I have the perfSONAR default firewall rules in place. This is
running on a CentOS 7 box. What specifically needs to talk to this
service? Is this a service that is installed with Postgres? That's what
I think is happening.

Does Esmond need access to memcache from an archive host? Anything else?
Based on the release notes for 4.0rc3:

"Added memcached support to esmond archiver for tracking metadata
objects already created in order to increase archiver performance"

I think this is the case.

I'm trying to figure out a proper strategy for recommending what to do
with the open memcached service.

I believe adding a firewall rule to only allow access to memcached on
the perfSONAR Testpoint Bundle node and from wherever we have Esmond is
what makes sense?

Comments or recommendations are most welcome.

Thank you!

- Hervey



Network Startup Resource Center
https://nsrc.org/


--
Hervey Allen Assistant Director, Network Startup Resource Center

http://nsrc.org/ : http://facebook.com/nsrc.org
GPG Fingerprint: AC08 31CB E453 6C65 2AB3 4EDB CEEB 5A74 C6E5 624F
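An added example (not code from the thread or from the perfSONAR project) that scripts the two checks Hervey performed by hand: scanning a "netstat -tul" listing for sockets bound to wildcard addresses, and confirming that OPTIONS in /etc/sysconfig/memcached restricts memcached to loopback with "-l 127.0.0.1,::1". The BEFORE and AFTER listings are constructed to match the output quoted above; on a live host pipe real netstat output and the real sysconfig file into the same functions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a "netstat -tul" listing for
# sockets bound to wildcard addresses, the check Hervey did by eye, and verify
# that the memcached sysconfig restricts the daemon to loopback.

# Constructed sample listings matching the thread's before/after netstat output.
BEFORE='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
tcp6 0 0 [::]:owamp-control [::]:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*'
AFTER='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:memcache 0.0.0.0:* LISTEN
tcp6 0 0 ip6-localhost:memcache [::]:* LISTEN
udp 0 0 localhost:memcache 0.0.0.0:*
udp6 0 0 ip6-localhost:memcache [::]:*'

# Print "proto local-address" for each socket bound to 0.0.0.0, [::], ::: or *.
# Field 4 is "Local Address" in netstat -tul / -tuln output; the header is skipped.
wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 ~ /^(0\.0\.0\.0|\[::\]|::|\*):/ { print $1, $4 }'
}

# Number of wildcard-bound sockets for a service name or port (e.g. memcache or 11211).
exposed_count() {
    wildcard_listeners "$1" | grep -c ":$2\$" || true
}

# Exit 0 if the OPTIONS line of a sysconfig body binds memcached with "-l" to
# loopback addresses only (127.0.0.1 and/or ::1), 1 otherwise. Only the
# "-l <list>" form with a space is recognised; "-l127.0.0.1" is not handled.
options_loopback_only() {
    printf '%s\n' "$1" | awk -F'"' '
        /^OPTIONS=/ { n = split($2, a, " "); for (i = 1; i < n; i++) if (a[i] == "-l") list = a[i+1] }
        END {
            if (list == "") exit 1
            m = split(list, addr, ",")
            for (j = 1; j <= m; j++) if (addr[j] != "127.0.0.1" && addr[j] != "::1") exit 1
        }'
}

# Usage: summarise memcache exposure before and after the change.
printf 'memcache wildcard sockets before: %s after: %s\n' \
    "$(exposed_count "$BEFORE" memcache)" "$(exposed_count "$AFTER" memcache)"
options_loopback_only 'OPTIONS="-l 127.0.0.1,::1"' && echo 'OPTIONS binds loopback only'
```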


