
perfsonar-user - Re: [perfsonar-user] memcached and firewall rules

Subject: perfSONAR User Q&A and Other Discussion

List archive

Re: [perfsonar-user] memcached and firewall rules


  • From: Hervey Allen <>
  • To: Hans Kuhn <>, Andrew Lake <>
  • Cc:
  • Subject: Re: [perfsonar-user] memcached and firewall rules
  • Date: Fri, 9 Feb 2018 14:29:15 -0800
  • Organization: Network Startup Resource Center

On 2/9/18 11:40 AM, Hans Kuhn wrote:
> Hi Andrew,
>
> I agree that the correct solution security-wise is to bind memcached to
> localhost.
>
> It appears the upstream package maintainer’s default for memcached is
> currently being used, and that perfsonar would need to modify
> /etc/sysconfig/memcached after installation to bind memcached to localhost.
>
> Is there a way to submit a feature request to make this the default for
> the perfsonar-testpoint bundle?
>
> thanks, Hans
>

I was thinking of submitting this to the developer list too and seeing what
people say.

I use netstat -ltu to see the open port.

- Hervey

> On 9 Feb 2018, at 11:06, Andrew Lake wrote:
>
>> Hi,
>>
>> Updating the firewall is not going to change where any service listens,
>> but if anything tries to connect, the firewall will not allow it through.
>> Using netstat locally (which I am guessing is the output you shared) is not
>> going to tell you anything about what the firewall allows through. Running
>> something like "firewall-cmd --list-all" will show you your firewall rules.
>>
>> Thanks,
>> Andy
>>
>>
>>
>> On February 9, 2018 at 1:42:42 PM, Hervey Allen () wrote:
>>
>> On 2/9/18 6:18 AM, Andrew Lake wrote:
>>> Hi,
>>>
>>> The only things that need access to memcached come from localhost. The
>>> esmond archiving plugin in pscheduler uses it as a cache between
>>> archiving processes to speed up some requests. You can safely block it.
>>>
>>> For a list of the ports that need to be open
>>> see http://docs.perfsonar.net/manage_security.html. If you would like a
>>> default set of firewall rules installed for you run ‘yum install
>>> perfsonar-toolkit-security’ on your testpoint which will setup rules on
>>> the host that only allow the listed ports through.
>>>
>>> Hope that helps,
>>> Andy
>>>
>>
>> I thought I'd give a quick update.
>>
>> I had installed the perfSONAR Testpoint bundle but had not done:
>>
>> # yum install perfsonar-toolkit-security
>>
>> nor
>>
>> /usr/lib/perfsonar/scripts/configure_firewall install
>>
>> Before doing either here is what listening services looked like:
>>
>> Proto Recv-Q Send-Q Local Address            Foreign Address   State
>> tcp        0      0 0.0.0.0:memcache         0.0.0.0:*         LISTEN
>> tcp        0      0 0.0.0.0:ssh              0.0.0.0:*         LISTEN
>> tcp        0      0 localhost:postgres       0.0.0.0:*         LISTEN
>> tcp6       0      0 [::]:owamp-control       [::]:*            LISTEN
>> tcp6       0      0 [::]:memcache            [::]:*            LISTEN
>> tcp6       0      0 [::]:ssh                 [::]:*            LISTEN
>> tcp6       0      0 [::]:4823                [::]:*            LISTEN
>> udp        0      0 0.0.0.0:memcache         0.0.0.0:*
>> udp6       0      0 [::]:memcache            [::]:*
>>
>> After doing both and restarting firewalld:
>>
>> # systemctl restart firewalld
>>
>> I'm still seeing:
>>
>> tcp        0      0 0.0.0.0:memcache         0.0.0.0:*         LISTEN
>> tcp        0      0 0.0.0.0:ssh              0.0.0.0:*         LISTEN
>> tcp        0      0 localhost:postgres       0.0.0.0:*         LISTEN
>> tcp6       0      0 [::]:owamp-control       [::]:*            LISTEN
>> tcp6       0      0 [::]:memcache            [::]:*            LISTEN
>> tcp6       0      0 [::]:ssh                 [::]:*            LISTEN
>> tcp6       0      0 [::]:4823                [::]:*            LISTEN
>> udp        0      0 0.0.0.0:memcache         0.0.0.0:*
>> udp6       0      0 [::]:memcache            [::]:*
>>
>> Or, more specifically:
>>
>> tcp        0      0 0.0.0.0:memcache         0.0.0.0:*         LISTEN
>> tcp6       0      0 [::]:memcache            [::]:*            LISTEN
>> udp        0      0 0.0.0.0:memcache         0.0.0.0:*
>> udp6       0      0 [::]:memcache            [::]:*
>>
>> For the moment my fix is to edit:
>>
>> /etc/sysconfig/memcached
>>
>> And change the default configuration of:
>>
>> PORT="11211"
>> USER="memcached"
>> MAXCONN="1024"
>> CACHESIZE="64"
>> OPTIONS=""
>>
>> to:
>>
>> PORT="11211"
>> USER="memcached"
>> MAXCONN="1024"
>> CACHESIZE="64"
>> OPTIONS="-l 127.0.0.1,::1"
>>
>> After doing:
>>
>> # systemctl restart memcached
>>
>> I now see:
>>
>> tcp        0      0 localhost:memcache       0.0.0.0:*         LISTEN
>> tcp6       0      0 ip6-localhost:memcache   [::]:*            LISTEN
>> udp        0      0 localhost:memcache       0.0.0.0:*
>> udp6       0      0 ip6-localhost:memcache   [::]:*
>>
>> Double-checking by using telnet to port 11211 from both the localhost
>> and a remote host verified that I could no longer make any external
>> connections to memcache.
>>
>> Cheers,
>> - Hervey
>>
>>>
>>>
>>> On February 8, 2018 at 4:54:03 PM, Hervey Allen () wrote:
>>>
>>>> Hi All - Our IT Security group contacted us to say that the memcached
>>>> process was open on our perfSONAR Testpoint bundle instance we had
>>>> installed.
>>>>
>>>> It is...
>>>>
>>>> Question - I have the perfSONAR default firewall rules in place. This is
>>>> running on a CentOS 7 box. What specifically needs to talk to this
>>>> service? Is this a service that is installed with Postgres? That's what
>>>> I think is happening.
>>>>
>>>> Does Esmond need access to memcache from an archive host? Anything
>>>> else?
>>>> Based on the release notes for 4.0rc3:
>>>>
>>>> "Added memcached support to esmond archiver for tracking metadata
>>>> objects already created in order to increase archiver performance"
>>>>
>>>> I think this is the case.
>>>>
>>>> I'm trying to figure out proper strategy for recommending what to do
>>>> with the open memcached service.
>>>>
>>>> I believe adding a firewall rule to only allow access to memcached on
>>>> the perfSONAR Testpoint Bundle node and from wherever we have Esmond is
>>>> what makes sense?
>>>>
>>>> Comments or recommendations are most welcome.
>>>>
>>>> Thank you!
>>>>
>>>> - Hervey
>>>>
>>>>
>>>>
>>>> Network Startup Resource Center
>>>> https://nsrc.org/
>>
>>


--
Hervey Allen Assistant Director, Network Startup Resource Center

http://nsrc.org/ : http://facebook.com/nsrc.org
GPG Fingerprint: AC08 31CB E453 6C65 2AB3 4EDB CEEB 5A74 C6E5 624F



Archive powered by MHonArc 2.6.19.
