AccessGrid.org

Security

Methods for improving the security of your Access Grid node.

Recent versions of Fedora, including Fedora 12, enable the iptables service by default. The iptables service loads the kernel's packet-filtering (netfilter) rules at boot; in practice it is the host firewall.

Firewalls are great for improving security, but a rule set that was not written with the Access Grid in mind will also block the traffic the Access Grid software needs and stop it from operating correctly.

You should therefore either configure the firewall for the Access Grid or, as a last resort, disable the iptables service. With the instructions provided below, configuring the firewall is relatively easy, and it leaves the host protected; disabling the service leaves every listening service exposed to the network.

If for whatever reason you don't want to run iptables, the command service iptables stop stops the service (it also flushes the rules, so the host immediately accepts all traffic). Running chkconfig iptables off as well prevents the service from starting at the next boot. Fedora 12 also enables ip6tables, which filters IPv6 separately; the same two commands apply to it.

System Services

One way to increase security is to shut down services that are not required. chkconfig controls which services start at boot in each runlevel; service <servicename> stop stops a running service immediately. Do both for a service you no longer want: stopping it alone leaves it enabled for the next boot, and disabling it alone leaves it running until the next boot.

  • As super user, you can use the command chkconfig --list to see which services are configured to start at boot in each runlevel.
  • To stop a service starting at boot, use chkconfig <servicename> off. An example of a servicename is gpm (the console mouse server).
  • To make a service start at boot, use chkconfig <servicename> on. This adds the service to its default runlevels.
  • The following lists the services that are enabled after a default install of Fedora 12 (the grep keeps only services that are on in at least one runlevel):
    # chkconfig --list | grep :on
    NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    abrtd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
    acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    bluetooth 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
    crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
    mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    microcode_ctl 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    portreserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
    rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off

Generally speaking, particularly for an Access Grid setup, the default running services are fine and don't pose much of a threat. Still, a service that is not running cannot be attacked, so turn off what the node does not use.

You could shut down the SSH daemon, but that would prevent legitimate external access to the system, i.e. remote administration. A better option is to keep sshd running and limit the port 22 rule in the firewall section below to the source networks your administrators use.

Other services that may not be required include cups (printing) and bluetooth; in their default state they are believed to be a very low security risk, but if the node has no printer or Bluetooth hardware there is no reason to leave them on. The same test applies to rpcbind and sendmail, which the Nmap scan in the next section shows listening on ports 111 and 25.
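The check described above can be scripted. The following is an added example, not code from the AccessGrid.org page or from the Access Grid project: it parses chkconfig --list output (the Fedora 12 listing above is embedded as the sample) and prints the services enabled in a given runlevel that are not on an allowlist, together with the commands that would turn them off. The allowlist is an assumption chosen for illustration, not an official Access Grid list; adjust it to what your node actually needs.

```shell
#!/bin/sh
# Added example (not from the AccessGrid.org page): audit which services are
# set to start in a runlevel and flag those not on an allowlist of services an
# Access Grid node needs. The allowlist is a hypothetical one for illustration.

# Sample input: the "chkconfig --list | grep :on" output shown on this page.
SAMPLE_CHKCONFIG='NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off
abrtd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
bluetooth 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
microcode_ctl 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portreserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off'

# Hypothetical allowlist: services assumed necessary on an Access Grid node.
ALLOWED="NetworkManager acpid auditd crond haldaemon ip6tables iptables irqbalance lvm2-monitor messagebus microcode_ctl ntpd rsyslog sshd udev-post"

# enabled_in_runlevel RUNLEVEL  (chkconfig --list output on stdin)
# Prints the services whose entry for RUNLEVEL is "on", one per line.
enabled_in_runlevel() {
    awk -v rl="$1" '{
        for (i = 2; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[1] == rl && kv[2] == "on") print $1
        }
    }'
}

# Reads service names on stdin; prints those not in $ALLOWED.
not_allowed() {
    while read -r svc; do
        [ -z "$svc" ] && continue
        case " $ALLOWED " in
            *" $svc "*) ;;
            *) printf '%s\n' "$svc" ;;
        esac
    done
}

# audit_runlevel RUNLEVEL -> sorted list of candidate services to turn off
audit_runlevel() {
    printf '%s\n' "$SAMPLE_CHKCONFIG" | enabled_in_runlevel "$1" | not_allowed | sort
}

# disable_commands RUNLEVEL -> the commands an admin would review, then run
# as root (printed here, never executed).
disable_commands() {
    audit_runlevel "$1" | while read -r svc; do
        printf 'chkconfig %s off; service %s stop\n' "$svc" "$svc"
    done
}

disable_commands 5
```

On a real node, replace the embedded sample with the output of chkconfig --list and review the printed commands before running them; runlevel 5 is the graphical default on Fedora, runlevel 3 the text console.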

NMAP

Nmap is "a network exploration tool and security / port scanner" (quoting its man page). It lets you scan your local machine to see which ports are currently open, which is a direct check of what the services above actually expose.

You may have to install it first. With root permissions, issue the command yum install nmap.

Once installed, issue the command nmap localhost:

# nmap localhost
 
Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-11 12:33 EST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

As you can see, only a limited number of ports are open on a default Fedora 12 install. Note that scanning localhost tests the loopback address (127.0.0.1), so the list also includes services that are bound to loopback only and cannot be reached from other hosts; the default Fedora sendmail configuration, for example, listens on 127.0.0.1 only. To see the network-facing picture, check the bind address of each listener with netstat -tlnp (as root), or run nmap against the machine's real IP address from another host.
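The loopback caveat above can be checked mechanically. The following is an added example, not code from the AccessGrid.org page or from the Access Grid project: it parses the nmap localhost output shown above, parses netstat -tln output to find which TCP listeners are bound to a wildcard address, and labels each open port as reachable from the network or loopback-only. The netstat output is constructed for the example; it assumes sshd and rpcbind bound to all interfaces and sendmail and cups bound to 127.0.0.1, which is how Fedora configures them by default.

```shell
#!/bin/sh
# Added example (not from the AccessGrid.org page): cross-check the ports Nmap
# reports open on localhost against the bind address of each listener, so
# loopback-only services can be told apart from network-reachable ones.

# The "nmap localhost" output shown on this page.
SAMPLE_NMAP='Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-11 12:33 EST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds'

# Constructed "netstat -tln" output (an assumption for illustration): sshd and
# rpcbind on all interfaces, sendmail and cups on 127.0.0.1 only.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN'

# Reads Nmap output on stdin; prints "PORT PROTO" for every open port.
nmap_open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        split($1, p, "/"); print p[1], p[2]
    }'
}

# Reads "netstat -tln" output on stdin; prints the TCP ports bound to a
# wildcard address (0.0.0.0 or ::), i.e. the ones other hosts can reach.
wildcard_listen_ports() {
    awk '$1 ~ /^tcp6?$/ && $NF == "LISTEN" {
        if (match($4, /[0-9]+$/)) {
            port = substr($4, RSTART, RLENGTH)
            host = substr($4, 1, RSTART - 2)   # drop the ":port" suffix
            if (host == "0.0.0.0" || host == "::") print port
        }
    }' | sort -un
}

# Labels each Nmap-open TCP port "external" or "loopback-only".
classify_exposure() {
    wild=" $(printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listen_ports | tr '\n' ' ') "
    printf '%s\n' "$SAMPLE_NMAP" | nmap_open_ports | while read -r port proto; do
        case "$wild" in
            *" $port "*) printf '%s/%s external\n' "$port" "$proto" ;;
            *)           printf '%s/%s loopback-only\n' "$port" "$proto" ;;
        esac
    done
}

classify_exposure
```

On a real machine, replace the two samples with the output of nmap localhost and netstat -tln. Anything labelled external that the Access Grid does not need (rpcbind here, on a node without NFS) is a candidate for chkconfig off; anything loopback-only is not reachable from the network whatever the firewall does. UDP listeners need netstat -uln and have no LISTEN column, so extend the awk pattern if you add them.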

Setting up a personal Firewall

Using a personal (host) firewall protects your machine from external attacks by rejecting everything except the traffic you have explicitly allowed.

  • The configuration proposed here is not as strict as some would like, but you can modify, add or remove rules as you see fit.
  • The rules suggested are:
    • Accept all traffic from localhost (required for local tools such as rat)
    • Accept all multicast traffic (224.0.0.0/4)
    • Accept all port 22 traffic (SSH)
    • Accept all port 631 traffic (IPP)
    • Accept all port 5353 traffic (Multicast DNS)
    • Accept icmp traffic (ping)
    • Accept traffic to ports 5900-5920 (required for VenueVNCServer)
    • Accept traffic to ports 10000, 10002 and 10004 (required for Multicast Beacon)
    • Accept traffic to port 11000 (required for NodeService Manager)
    • Accept udp traffic to ports 50000-52000 (the default bridge port range, which allows unicast connections to unicast bridges; the rule below opens this range, so adjust both if your bridges are configured with a different one)
  • If running a VenueServer, you will need the following additional ports available:
    • Accept traffic to ports 8000, 8002 and 8006 (required for VenueServer)
    • Accept traffic to ports 5222-5223 (required if running a Jabber server; no rule for these is given in the additional-rules section below, so add one in the same form as the VenueServer rules)
  • If running a Unicast Bridge, you will need the following additional ports available:
    • Accept traffic to ports 20000 and 20200 (required for BridgeServer)

The following steps set up a firewall with basic rules for an operational Access Grid node. Additional rules (given at the end of this page) are needed if the system also runs a VenueServer and/or Unicast Bridge.

  • Execute the following commands in order as root (you should be able to bulk copy and paste them). First:

    service iptables stop

This flushes all current rules (and, until the new rules are in place, leaves the host accepting all traffic). Then issue:

# loopback, needed by local tools such as rat
iptables -A INPUT -i lo -j ACCEPT
# all multicast arriving on the network interface (change eth0 if yours differs)
iptables -A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
# SSH
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# IPP (printing)
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
# multicast DNS
iptables -A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
# VenueVNCServer (as given on this page; standard VNC uses TCP, so add a tcp rule for the same range if clients cannot connect)
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 5900:5920 -j ACCEPT
# Multicast Beacon
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 10000 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 10002 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 10004 -j ACCEPT
# NodeService Manager
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 11000 -j ACCEPT
# unicast bridge port range
iptables -A INPUT -p udp -m udp --dport 50000:52000 -j ACCEPT
# replies to connections already accepted above
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ping
iptables -A INPUT -p icmp -j ACCEPT
# this host does not route, so reject forwarded traffic
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# everything not matched above is rejected; this must remain the last INPUT rule
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

  • If you issue the command service iptables status you should get the following output (the final REJECT rule, number 15, is what turns the ACCEPT chain policy into a default deny):

# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source     destination
1    ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0  224.0.0.0/4
3    ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0     state NEW tcp dpt:22
4    ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0     state NEW udp dpt:631
5    ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0     state NEW tcp dpt:631
6    ACCEPT     udp  --  0.0.0.0/0  224.0.0.251   udp dpt:5353
7    ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0     state NEW udp dpts:5900:5920
8    ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0     state NEW udp dpt:10000
9    ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0     state NEW udp dpt:10002
10   ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0     state NEW udp dpt:10004
11   ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0     state NEW udp dpt:11000
12   ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0     udp dpts:50000:52000
13   ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0     state RELATED,ESTABLISHED
14   ACCEPT     icmp --  0.0.0.0/0  0.0.0.0/0
15   REJECT     all  --  0.0.0.0/0  0.0.0.0/0     reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source     destination
1    REJECT     all  --  0.0.0.0/0  0.0.0.0/0     reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source     destination

  • Then issue the command service iptables save, which writes the rules to /etc/sysconfig/iptables so the service reloads them at boot. Make sure the service is enabled with chkconfig iptables on; otherwise the saved rules are not loaded at the next restart.
  • Your firewall is now up, running and saved.

  • To add a rule, insert it with -I rather than append it with -A, so that it lands above the final REJECT rule: iptables -I INPUT -p tcp -m tcp --dport 6666:7777 -j ACCEPT accepts all TCP traffic to any port in the range 6666-7777. A rule appended with -A would sit after the REJECT and never match.
  • To remove a rule, delete it by number: iptables -D INPUT 14 deletes rule number 14, which in the listing above is the icmp ACCEPT rule, so the host would no longer answer pings. Rule numbers shift after each deletion, so check them with iptables -L INPUT -n --line-numbers before deleting another.

Additional rules for VenueServer and Unicast Bridge

  • Execute the following commands to add rules if running a VenueServer (-I inserts them at the top of the chain, above the REJECT rule):

iptables -I INPUT -m state --state NEW -m udp -p udp --dport 8000 -j ACCEPT
iptables -I INPUT -m state --state NEW -m udp -p udp --dport 8002 -j ACCEPT
iptables -I INPUT -m state --state NEW -m udp -p udp --dport 8006 -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 8002 -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 8006 -j ACCEPT

  • Execute the following commands to add rules if running a Unicast Bridge (again inserted with -I so they sit above the REJECT rule):

iptables -I INPUT -m state --state NEW -m udp -p udp --dport 20000 -j ACCEPT
iptables -I INPUT -m state --state NEW -m udp -p udp --dport 20200 -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 20000 -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 20200 -j ACCEPT

  • To save any newly added rules, issue the command service iptables save.
  • Your firewall now has the new rules added and saved.
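The rule list, the setup steps and the VenueServer and Unicast Bridge additions above can be generated from one place instead of typed rule by rule. The following is an added example, not code from the AccessGrid.org page or from the Access Grid project: it writes the whole rule set in the format service iptables save produces (the /etc/sysconfig/iptables format that iptables-restore reads), opening the same destination ports as the rules above, with optional venueserver and bridge roles. Two choices differ from the page's command sequence and are assumptions of this example: the RELATED,ESTABLISHED rule is placed first so most packets are accepted without walking the chain, and the final REJECT is always emitted last so added rules can never end up below it. The interface name is a parameter; eth0 below is only an example value.

```shell
#!/bin/sh
# Added example (not from the AccessGrid.org page): generate the Access Grid
# host firewall as an iptables-restore file. Usage:
#   gen_rules IFACE [venueserver] [bridge]

# Destination ports from the rule list on this page.
TCP_PORTS="22 631"
UDP_PORTS="631 5900:5920 10000 10002 10004 11000"
BRIDGE_RANGE="50000:52000"
VENUESERVER_PORTS="8000 8002 8006"
BRIDGESERVER_PORTS="20000 20200"

emit() { printf '%s\n' "$*"; }

# rule_new PROTO PORT -> accept new connections to PORT over PROTO
rule_new() {
    emit "-A INPUT -p $1 -m state --state NEW -m $1 --dport $2 -j ACCEPT"
}

gen_rules() {
    [ $# -ge 1 ] || { emit "usage: gen_rules IFACE [venueserver] [bridge]" >&2; return 1; }
    iface="$1"; shift
    emit "*filter"
    emit ":INPUT ACCEPT [0:0]"
    emit ":FORWARD ACCEPT [0:0]"
    emit ":OUTPUT ACCEPT [0:0]"
    # Replies to connections already accepted: first, so they match cheaply.
    emit "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Loopback (local tools such as rat), multicast, multicast DNS and ping.
    emit "-A INPUT -i lo -j ACCEPT"
    emit "-A INPUT -i $iface -d 224.0.0.0/4 -j ACCEPT"
    emit "-A INPUT -p udp -m udp -d 224.0.0.251/32 --dport 5353 -j ACCEPT"
    emit "-A INPUT -p icmp -j ACCEPT"
    # Base node ports and the unicast bridge client range.
    for p in $TCP_PORTS; do rule_new tcp "$p"; done
    for p in $UDP_PORTS; do rule_new udp "$p"; done
    emit "-A INPUT -p udp -m udp --dport $BRIDGE_RANGE -j ACCEPT"
    # Optional server roles; each port is opened for both tcp and udp, as on
    # this page.
    for role in "$@"; do
        case "$role" in
            venueserver)
                for p in $VENUESERVER_PORTS; do rule_new tcp "$p"; rule_new udp "$p"; done ;;
            bridge)
                for p in $BRIDGESERVER_PORTS; do rule_new tcp "$p"; rule_new udp "$p"; done ;;
            *)
                emit "unknown role: $role" >&2; return 1 ;;
        esac
    done
    # Default deny: always the last INPUT rule, whatever roles were added.
    emit "-A INPUT -j REJECT --reject-with icmp-host-prohibited"
    emit "-A FORWARD -j REJECT --reject-with icmp-host-prohibited"
    emit "COMMIT"
}

# install_rules IFACE [roles...] -> write the file and reload (run as root).
install_rules() {
    gen_rules "$@" > /etc/sysconfig/iptables && service iptables restart
}

gen_rules eth0 venueserver
```

Running gen_rules eth0 venueserver bridge prints the complete rule set; install_rules writes it to /etc/sysconfig/iptables and restarts the service, after which service iptables status should list the same rules with the REJECT last, and chkconfig iptables on keeps them across reboots. Because the file is regenerated from the port lists, changing a port means editing one variable rather than hunting for rule numbers with -D.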

 
