
perfsonar-user - Re: [perfsonar-user] memcached and firewall rules

Subject: perfSONAR User Q&A and Other Discussion


Re: [perfsonar-user] memcached and firewall rules


  • From: Hervey Allen <>
  • To: Andrew Lake <>, Hans Kuhn <>
  • Cc:
  • Subject: Re: [perfsonar-user] memcached and firewall rules
  • Date: Mon, 12 Feb 2018 09:52:27 -0800
  • Organization: Network Startup Resource Center

On 2/12/18 6:21 AM, Andrew Lake wrote:
> Hi,
>
> I created an issue here: https://github.com/perfsonar/project/issues/1193
>

Thanks Andy.

> I understood the original email to say that it was expected this is
> already happening, which it is not. I agree it would be more complete to
> have it listen on localhost only and not solely rely on the firewall to
> block the port.
>

Yes, I agree. To note, in /etc/sysconfig/memcached, if you add:

OPTIONS="-l 127.0.0.1,::1"

at the bottom of the file this will bind the daemon to localhost for
both ipv4 and ipv6. But, if you don't want the daemon to listen at all
on v6, then you just do:

OPTIONS="-l 127.0.0.1"

I actually could not find a v4 and v6 example, so guessed at the syntax.

- Hervey

> Thanks,
> Andy
>
>
>
> On February 9, 2018 at 5:29:20 PM, Hervey Allen wrote:
>
>> On 2/9/18 11:40 AM, Hans Kuhn wrote:
>> > Hi Andrew,
>> >
>> > I agree that the correct solution security-wise is to bind memcached to
>> > localhost.
>> >
>> > It appears the upstream package maintainer’s default for memcached is
>> > currently being used, and that perfsonar would need to modify
>> > /etc/sysconfig/memcached after installation to bind memcached to
>> > localhost.
>> >
>> > Is there a way to submit a feature request to make this the default for
>> > the perfsonar-testpoint bundle?
>> >
>> > thanks, Hans
>> >
>>
>> I was thinking of submitting this to the developer list and see what
>> people say.
>>
>> I use netstat -ltu to see the open port.
>>
>> - Hervey
>>
>> > On 9 Feb 2018, at 11:06, Andrew Lake wrote:
>> >
>> >> Hi,
>> >>
>> >> Updating the firewall is not going to change where any service listens,
>> >> but if anything tries to connect, the firewall will not allow it through.
>> >> Using netstat locally (which I am guessing is the output you shared) is not
>> >> going to tell you anything about what the firewall allows through. Running
>> >> something like "firewall-cmd --list-all" will show you your firewall rules.
>> >>
>> >> Thanks,
>> >> Andy
>> >>
>> >>
>> >>
>> >> On February 9, 2018 at 1:42:42 PM, Hervey Allen wrote:
>> >>
>> >> On 2/9/18 6:18 AM, Andrew Lake wrote:
>> >>> Hi,
>> >>>
>> >>> The only thing that needs access to memcached comes from localhost. The
>> >>> esmond archiving plugin in pscheduler uses it as a cache between
>> >>> archiving processes to speed up some requests. You can safely block it.
>> >>>
>> >>> For a list of the ports that need to be open
>> >>> see http://docs.perfsonar.net/manage_security.html. If you would like a
>> >>> default set of firewall rules installed for you, run 'yum install
>> >>> perfsonar-toolkit-security' on your testpoint, which will set up rules on
>> >>> the host that only allow the listed ports through.
>> >>>
>> >>> Hope that helps,
>> >>> Andy
>> >>>
>> >>
>> >> I thought I'd give a quick update.
>> >>
>> >> I had installed the perfSONAR Testpoint bundle but had not done:
>> >>
>> >> # yum install perfsonar-toolkit-security
>> >>
>> >> nor
>> >>
>> >> /usr/lib/perfsonar/scripts/configure_firewall install
>> >>
>> >> Before doing either here is what listening services looked like:
>> >>
>> >> Proto Recv-Q Send-Q Local Address Foreign Address State
>> >> tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
>> >> tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
>> >> tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
>> >> tcp6 0 0 [::]:owamp-control [::]:* LISTEN
>> >> tcp6 0 0 [::]:memcache [::]:* LISTEN
>> >> tcp6 0 0 [::]:ssh [::]:* LISTEN
>> >> tcp6 0 0 [::]:4823 [::]:* LISTEN
>> >> udp 0 0 0.0.0.0:memcache 0.0.0.0:*
>> >> udp6 0 0 [::]:memcache [::]:*
>> >>
>> >> After doing both and restarting firewalld:
>> >>
>> >> # systemctl restart firewalld
>> >>
>> >> I'm still seeing:
>> >>
>> >> tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
>> >> tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
>> >> tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
>> >> tcp6 0 0 [::]:owamp-control [::]:* LISTEN
>> >> tcp6 0 0 [::]:memcache [::]:* LISTEN
>> >> tcp6 0 0 [::]:ssh [::]:* LISTEN
>> >> tcp6 0 0 [::]:4823 [::]:* LISTEN
>> >> udp 0 0 0.0.0.0:memcache 0.0.0.0:*
>> >> udp6 0 0 [::]:memcache [::]:*
>> >>
>> >> Or, more specifically:
>> >>
>> >> tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
>> >> tcp6 0 0 [::]:memcache [::]:* LISTEN
>> >> udp 0 0 0.0.0.0:memcache 0.0.0.0:*
>> >> udp6 0 0 [::]:memcache [::]:*
>> >>
>> >> For the moment my fix is to edit:
>> >>
>> >> /etc/sysconfig/memcached
>> >>
>> >> And change the default configuration of:
>> >>
>> >> PORT="11211"
>> >> USER="memcached"
>> >> MAXCONN="1024"
>> >> CACHESIZE="64"
>> >> OPTIONS=""
>> >>
>> >> to:
>> >>
>> >> PORT="11211"
>> >> USER="memcached"
>> >> MAXCONN="1024"
>> >> CACHESIZE="64"
>> >> OPTIONS="-l 127.0.0.1,::1"
>> >>
>> >> After doing:
>> >>
>> >> # systemctl restart memcached
>> >>
>> >> I now see:
>> >>
>> >> tcp 0 0 localhost:memcache 0.0.0.0:* LISTEN
>> >> tcp6 0 0 ip6-localhost:memcache [::]:* LISTEN
>> >> udp 0 0 localhost:memcache 0.0.0.0:*
>> >> udp6 0 0 ip6-localhost:memcache [::]:*
>> >>
>> >> Double-checking by using telnet to port 11211 from both the localhost
>> >> and a remote host verified that I could no longer make any external
>> >> connections to memcache.
>> >>
>> >> Cheers,
>> >> - Hervey
>> >>
>> >>>
>> >>>
>> >>> On February 8, 2018 at 4:54:03 PM, Hervey Allen wrote:
>> >>>
>> >>>> Hi All - Our IT Security group contacted us to say that the memcached
>> >>>> process was open on our perfSONAR Testpoint bundle instance we had
>> >>>> installed.
>> >>>>
>> >>>> It is...
>> >>>>
>> >>>> Question - I have the perfSONAR default firewall rules in place. This is
>> >>>> running on a CentOS 7 box. What specifically needs to talk to this
>> >>>> service? Is this a service that is installed with Postgres? That's what
>> >>>> I think is happening.
>> >>>>
>> >>>> Does Esmond need access to memcache from an archive host? Anything else?
>> >>>> Based on the release notes for 4.0rc3:
>> >>>>
>> >>>> "Added memcached support to esmond archiver for tracking metadata
>> >>>> objects already created in order to increase archiver performance"
>> >>>>
>> >>>> I think this is the case.
>> >>>>
>> >>>> I'm trying to figure out proper strategy for recommending what to do
>> >>>> with the open memcached service.
>> >>>>
>> >>>> I believe adding a firewall rule to only allow access to memcached on
>> >>>> the perfSONAR Testpoint Bundle node and from wherever we have Esmond is
>> >>>> what makes sense?
>> >>>>
>> >>>> Comments or recommendations are most welcome.
>> >>>>
>> >>>> Thank you!
>> >>>>
>> >>>> - Hervey
>> >>>>
>> >>>>
>> >>>>
>> >>>> Network Startup Resource Center
>> >>>> https://nsrc.org/
>> >>
>> >>


--
Hervey Allen Assistant Director, Network Startup Resource Center

http://nsrc.org/ : http://facebook.com/nsrc.org
GPG Fingerprint: AC08 31CB E453 6C65 2AB3 4EDB CEEB 5A74 C6E5 624F
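As an added example (not code from this thread's authors or from the perfSONAR project), the following bash script automates the two checks the thread converges on: it parses a netstat -ltu style listing for memcache sockets (tcp or udp) bound to anything other than loopback, and it rewrites the OPTIONS= line of /etc/sysconfig/memcached to the "-l 127.0.0.1,::1" form that the thread found to work on CentOS 7 (or "-l 127.0.0.1" for IPv4 only), keeping any other flags already in OPTIONS. The sample listings are constructed to mirror the before and after output quoted above; the function names and the --live flag are the example's own. It checks only the bind side of the problem; the firewall side is still "firewall-cmd --list-all", as Andy says.

```shell
#!/usr/bin/env bash
# Added example: not from the perfSONAR project or the thread's authors.
# Detects memcached bound to a wildcard address and rewrites
# /etc/sysconfig/memcached so it binds to loopback only.
set -u

# Constructed sample listings (netstat -ltu style, as in the thread). "Before"
# mirrors the wildcard binds that were reported; "after" mirrors the
# loopback-only result after the OPTIONS change.
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:memcache 0.0.0.0:* LISTEN
tcp 0 0 localhost:postgres 0.0.0.0:* LISTEN
tcp6 0 0 [::]:memcache [::]:* LISTEN
udp 0 0 0.0.0.0:memcache 0.0.0.0:*
udp6 0 0 [::]:memcache [::]:*'

SAMPLE_AFTER='tcp 0 0 localhost:memcache 0.0.0.0:* LISTEN
tcp6 0 0 ip6-localhost:memcache [::]:* LISTEN
udp 0 0 localhost:memcache 0.0.0.0:*
udp6 0 0 ip6-localhost:memcache [::]:*'

# exposed_memcache: read a netstat listing on stdin and print every memcache
# socket (tcp or udp, named or numeric port 11211) whose local address is not
# loopback. Exit status 1 if any such socket exists, 0 otherwise.
exposed_memcache() {
  awk '
    $4 ~ /:(memcache|11211)$/ {
      addr = $4
      sub(/:[^:]*$/, "", addr)             # drop the ":port" suffix
      if (addr != "127.0.0.1" && addr != "localhost" &&
          addr != "[::1]" && addr != "ip6-localhost") {
        print $1, $4
        found = 1
      }
    }
    END { exit (found ? 1 : 0) }'
}

# harden_sysconfig FILE [BIND]: rewrite the OPTIONS= line in FILE (normally
# /etc/sysconfig/memcached) so memcached starts with "-l BIND". Other flags
# already in OPTIONS are kept, an existing -l is replaced, and a missing
# OPTIONS line is appended. BIND defaults to 127.0.0.1,::1 (both loopbacks).
harden_sysconfig() {
  file=$1
  bind=${2:-127.0.0.1,::1}
  tmp="$file.tmp.$$"
  awk -v bind="$bind" '
    /^OPTIONS=/ {
      val = $0
      sub(/^OPTIONS=/, "", val)
      gsub(/"/, "", val)                   # strip the quotes
      gsub(/-l +[^ ]+/, "", val)           # drop any previous -l <addr>
      sub(/^ +/, "", val); sub(/ +$/, "", val)
      printf "OPTIONS=\"%s%s-l %s\"\n", val, (val == "" ? "" : " "), bind
      seen = 1
      next
    }
    { print }
    END { if (!seen) printf "OPTIONS=\"-l %s\"\n", bind }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# --live: check the running host, fix the config, restart memcached, re-check.
if [ "${1:-}" = "--live" ]; then
  netstat -ltun | exposed_memcache && echo "memcached is loopback-only" && exit 0
  echo "memcached listens on a non-loopback address; rewriting /etc/sysconfig/memcached"
  harden_sysconfig /etc/sysconfig/memcached
  systemctl restart memcached
  netstat -ltun | exposed_memcache && echo "memcached is now loopback-only"
fi
```

Without --live the script only defines the functions, so it can be sourced and pointed at a saved listing (`exposed_memcache < listing.txt`) or at a copy of the sysconfig file before touching the real one. The awk rewrite deliberately preserves flags other than -l, since overwriting the whole OPTIONS string is how a previously added setting silently disappears.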


