perfsonar-user - Re: [perfsonar-user] memcached and firewall rules
Subject: perfSONAR User Q&A and Other Discussion
List archive
- From: Hervey Allen <>
- To: Hans Kuhn <>, Andrew Lake <>
- Cc:
- Subject: Re: [perfsonar-user] memcached and firewall rules
- Date: Fri, 9 Feb 2018 14:29:15 -0800
- Ironport-phdr: 9a23:lO3EJBC77QT8ZnLeqH2IUyQJP3N1i/DPJgcQr6AfoPdwSPX8pcbcNUDSrc9gkEXOFd2Cra4c0qyO6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fcbglUmTaxe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Qiqp4bt1RxD0iScHLz85/3/Risxsl6JQvRatqwViz4LIfI2ZMfxzdb7fc9wHX2pMRttfWTJPAo28aIsBDOQPMuhXoIb/u1QAogCzBRW1BO711jNEmnH70K883u88EQ/GxgsgH9cWvXrWstr1LrkSXv61zaLV0TjDa/dW1in76IPVdR0hoe+DXahuccXPyUgiDAXFjk6KqYP5JT+V0f4Ns2eC4udmSOmhhWknqwRrrTiuwMchko/JhpkPyl/Y7yl5x5w1JdKgRE5jf9GkCpVQtzqdN4twWMwiWXtkuCAkxb0aoZK7cjIFx4g5yBHEbPyHdIuI7gj/W+aWJDd1gm9udrGnhxuq70Sty/HwW8ux3VtJoSdJjsXAu3UT2xHQ6cWLVv5w80ik1DuK1A3f9vxLIU4xmKffNpEt3qQ/moINvUnCAiP7mkD7gayZe0k45uSl7vrrbqn7qpOAMoJ4lATzP6Yul8GwH+g1NwoDUmyV9Oug0bDu/lH2TKtFg/AzkKTWrJDXKtkdq6WkGQFayJwj5Ay6Dzq+0NQXg30HLFVddRKClYfpOlXOLOr+DfekmVSjjC1nx/fcPr3uGpnNL37Dn6n9fbtl9UJRyRY/wNJa6p9XBbwNPO7/V0rvuNHbDRI1Lwm5zuniBdh41Y4SRX+AAqGcPa7WrFCE+vggL/GJZIAPuTb9L/Yl5+TpjX88gVIdfbem3YEJaH+mHvVrOEOZYWH2gtgdC2sKuRA+TOPyhF2YTTFTf2qyX7475jwjEIKpE53DRo62gLyG2ie0BIdWanlbClCXD3jobZ6JW/MNaCKJPs9hiSIIWaKgS48nyRGhqhX6y7x5IerI5CEUr4zs28Vo576bqRZn1TVyFIy+zmGLBzV0l2UTbzktxqs5plZynBPL+K50mfFHXfha5P4BBg48OY/0wvc8Dd3uDFHvZNCMHXarWMurEHkYStY8xZdaY0tnBdizphbYxSHsBKUawe/YTKco+77RiiCib/12zGzLgex41wEr
- Organization: Network Startup Resource Center
On 2/9/18 11:40 AM, Hans Kuhn wrote:
> Hi Andrew,
>
> I agree that the correct solution security-wise is to bind memcached to
> localhost.
>
> It appears the upstream package maintainer’s default for memcached is
> currently being used, and that perfsonar would need to modify
> /etc/sysconfig/memcached after installation to bind memcached to localhost.
>
> Is there a way to submit a feature request to make this the default for
> the perfsonar-testpoint bundle?
>
> thanks, Hans
>
I was thinking of submitting this too the developer list and see what
people say.
I use netstat -ltu to see the open port.
- Hervey
> On 9 Feb 2018, at 11:06, Andrew Lake wrote:
>
>> Hi,
>>
>> Updating the firewall is not going to change where any services listens,
>> but if anything tries to connect, the firewall will not allow it through.
>> Using netstat locally (which I am guessing is the output you shared)
>> is not
>> going to tell you anything about what the firewall allows through.
>> Running
>> something like "firewall-cmd --list-all” will show you your firewall
>> rules.
>>
>> Thanks,
>> Andy
>>
>>
>>
>> On February 9, 2018 at 1:42:42 PM, Hervey Allen
>> ()
>> wrote:
>>
>> On 2/9/18 6:18 AM, Andrew Lake wrote:
>>> Hi,
>>>
>>> The only things that needs access to memcached comes from localhost. The
>>> esmond archiving plugin in pscheduler uses it as a cache between
>>> archiving processes to speed-up some requests. You can safely block it.
>>>
>>> For a list of the ports that need to be open
>>> see http://docs.perfsonar.net/manage_security.html. If you would like a
>>> default set of firewall rules installed for you run ‘yum install
>>> perfsonar-toolkit-security’ on your testpoint which will setup rules on
>>> the host that only allow the listed ports through.
>>>
>>> Hope that helps,
>>> Andy
>>>
>>
>> I thought I'd give a quick update.
>>
>> I had installed the perfSONAR Testpoint bundle but had not done:
>>
>> # yum install perfsonar-toolkit-security
>>
>> nor
>>
>> /usr/lib/perfsonar/scripts/configure_firewall install
>>
>> Before doing either here is what listening services looked like:
>>
>> Proto Recv-Q Send-Q Local Address Foreign Address State
>> tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
>> tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
>> tcp6 0 0 [::]:owamp-control [::]:* LISTEN
>> tcp6 0 0 [::]:memcache [::]:* LISTEN
>> tcp6 0 0 [::]:ssh [::]:* LISTEN
>> tcp6 0 0 [::]:4823 [::]:* LISTEN
>> udp 0 0 0.0.0.0:memcache 0.0.0.0:*
>> udp6 0 0 [::]:memcache [::]:*
>>
>> After doing both and restarting firewalld:
>>
>> # systemctl restart firewalld
>>
>> I'm still seeing:
>>
>> tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
>> tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
>> tcp6 0 0 [::]:owamp-control [::]:* LISTEN
>> tcp6 0 0 [::]:memcache [::]:* LISTEN
>> tcp6 0 0 [::]:ssh [::]:* LISTEN
>> tcp6 0 0 [::]:4823 [::]:* LISTEN
>> udp 0 0 0.0.0.0:memcache 0.0.0.0:*
>> udp6 0 0 [::]:memcache [::]:*
>>
>> Or, more specifically:
>>
>> tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
>> tcp6 0 0 [::]:memcache [::]:* LISTEN
>> udp 0 0 0.0.0.0:memcache 0.0.0.0:*
>> udp6 0 0 [::]:memcache [::]:*
>>
>> For the moment my fix is to edit:
>>
>> /etc/sysconfig/memcached
>>
>> And change the default configuration of:
>>
>> PORT="11211"
>> USER="memcached"
>> MAXCONN="1024"
>> CACHESIZE="64"
>> OPTIONS=""
>>
>> to:
>>
>> PORT="11211"
>> USER="memcached"
>> MAXCONN="1024"
>> CACHESIZE="64"
>> OPTIONS="-l 127.0.0.1,::1"
>>
>> After doing:
>>
>> # systemctl restart memcached
>>
>> I now see:
>>
>> tcp 0 0 localhost:memcache 0.0.0.0:* LISTEN
>> tcp6 0 0 ip6-localhost:memcache [::]:* LISTEN
>> udp 0 0 localhost:memcache 0.0.0.0:*
>> udp6 0 0 ip6-localhost:memcache [::]:*
>>
>> double-checking by using telnet to port 11211 from both the localhost
>> and a remote host verified that I could not longer make any external
>> connections to memcache.
>>
>> Cheers,
>> - Hervey
>>
>>>
>>>
>>> On February 8, 2018 at 4:54:03 PM, Hervey Allen
>>> (
>>> <mailto:>)
>>> wrote:
>>>
>>>> Hi All - Our IT Security group contacted us to say that the memcached
>>>> process was open on our perfSONAR Testpoint bundle instance we had
>>>> installed.
>>>>
>>>> It is...
>>>>
>>>> Question - I have the perfSONAR default firewall rules in place.
>>>> This is
>>>> running on a CentOS 7 box. What specifically needs to talk to this
>>>> service? Is this a service that is installed with Postgres? That's what
>>>> I think is happening.
>>>>
>>>> Does Esmond need access to memcache from an archive host? Anything
>>>> else?
>>>> Based on the release notes for 4.0rc3:
>>>>
>>>> "Added memcached support to esmond archiver for tracking metadata
>>>> objects already created in order to increase archiver performance"
>>>>
>>>> I think this is the case.
>>>>
>>>> I'm trying to figure out proper strategy for recommending what to do
>>>> with the open memcached service.
>>>>
>>>> I believe adding a firewall rule to only allow access to memcached on
>>>> the perfSONAR Testpoint Bundle node and from wherever we have Esmond is
>>>> what makes sense?
>>>>
>>>> Comments or recommendations are most welcome.
>>>>
>>>> Thank you!
>>>>
>>>> - Hervey
>>>>
>>>>
>>>>
>>>> Network Startup Resource Center
>>>> https://nsrc.org/
>>
>>
>> --
>> Hervey Allen Assistant Director, Network Startup Resource Center
>>
>> http://nsrc.org/ : http://facebook.com/nsrc.org
>> GPG Fingerprint: AC08 31CB E453 6C65 2AB3 4EDB CEEB 5A74 C6E5 624F
--
Hervey Allen Assistant Director, Network Startup Resource Center
http://nsrc.org/ : http://facebook.com/nsrc.org
GPG Fingerprint: AC08 31CB E453 6C65 2AB3 4EDB CEEB 5A74 C6E5 624F
- [perfsonar-user] memcached and firewall rules, Hervey Allen, 02/08/2018
- Re: [perfsonar-user] memcached and firewall rules, Andrew Lake, 02/09/2018
- Re: [perfsonar-user] memcached and firewall rules, Hervey Allen, 02/09/2018
- Re: [perfsonar-user] memcached and firewall rules, Stephen Fromm, 02/09/2018
- Re: [perfsonar-user] memcached and firewall rules, Hervey Allen, 02/09/2018
- Re: [perfsonar-user] memcached and firewall rules, Andrew Lake, 02/09/2018
- Re: [perfsonar-user] memcached and firewall rules, Hans Kuhn, 02/09/2018
- Re: [perfsonar-user] memcached and firewall rules, Hervey Allen, 02/09/2018
- Re: [perfsonar-user] memcached and firewall rules, Andrew Lake, 02/12/2018
- Re: [perfsonar-user] memcached and firewall rules, Hervey Allen, 02/12/2018
- Re: [perfsonar-user] memcached and firewall rules, Andrew Lake, 02/12/2018
- Re: [perfsonar-user] memcached and firewall rules, Hervey Allen, 02/09/2018
- Re: [perfsonar-user] memcached and firewall rules, Hans Kuhn, 02/09/2018
- Re: [perfsonar-user] memcached and firewall rules, Andrew Lake, 02/09/2018
- Re: [perfsonar-user] memcached and firewall rules, Andrew Lake, 02/09/2018
Archive powered by MHonArc 2.6.19.