Firewalls and Security Software

The perfSONAR Toolkit utilizes a number of tools that help protect the system against attacks. These include:

  • A default set of iptables and ip6tables (for CentOS6) or firewalld (for CentOS7) rules that only allow connections to ports required by perfSONAR tools.

  • Inclusion of the fail2ban intrusion detection system (IDS) to log suspicious activity such as brute-force SSH attacks.

None of these solutions will protect your host from every kind of attack, so best common practices and good sense should be used when administering your host. In addition to tools like those above, it's important to update your host with the latest packages and to watch the mailing lists for important security announcements.

Default Firewall Rules and perfSONAR port requirements

The perfSONAR Toolkit uses iptables and ip6tables to implement IPv4 and IPv6 firewall rules respectively. The default iptables configurations are in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. For firewalld settings on CentOS7, also see /usr/lib/firewalld/services and /etc/perfsonar/toolkit/perfsonar_firewalld_settings.conf.

The current perfSONAR release opens the following ports by default (the ports a Tool uses when a test is requested; see also Test and Tool Reference):

perfSONAR Tools Ports

Tool              TCP ports     UDP ports
owamp (control)   861
owamp (test)                    8760-9960
twamp (control)   862
twamp (test)                    18760-19960
pscheduler        443
traceroute                      33434-33634
simplestream      5890-5900
nuttcp            5000, 5101
iperf3            5201
iperf2            5001
ntp                             123

Depending on the operating system version and on any additional software installed on your perfSONAR host (e.g. NDT, BWCTL), the following ports may also be opened in the firewall:

Note

Some tools are deprecated in the latest perfSONAR version, but their ports are still left open for those wishing to run them.

perfSONAR Tools Ports

Tool              TCP ports     UDP ports
bwctl (control)   4823
bwctl (peer)      6001-6200     6001-6200
bwctl (test)      5001-5900     5001-5900
ndt (control)     7123
ndt (test)        3001-3003
ndt (flash)       843
DHCPv6                          546, 547

Some ports are also used to access the perfSONAR Toolkit management interfaces:

perfSONAR Toolkit Ports

Tool                   TCP ports
management interface   80, 443
esmond                 80, 443
Lookup Service         8090

Note

ICMP also needs to be allowed through the firewall.

Adding Your Own Firewall Rules

For operating systems using iptables, the rules added by the perfSONAR Toolkit are contained within a special perfSONAR chain of iptables (and ip6tables). You may add rules to the other chains, such as the INPUT chain, just as you would any other firewall rule. It is NOT recommended that you change the perfSONAR chain, as any changes you make could be overwritten by a software update.

Operating systems using firewalld (e.g. CentOS 7) organize rules into "zones", which makes it harder to distinguish perfSONAR rules from custom rules. If you add a standard service to the zone, it will be overwritten the next time perfsonar-toolkit-security is upgraded. We recommend using firewalld rich rules for adding custom rules.

For more information see:

Fail2ban Intrusion Detection System

By default the perfSONAR Toolkit installs and configures the fail2ban Intrusion Detection System (IDS). This software logs suspicious activity, such as a rapid succession of failed SSH login attempts in /var/log/secure. By default it does not act to mitigate any attempts, only logs them (though the default iptables rules do throttle SSH). If you would like to change this default behavior to send email or block unwanted intrusions, see the configuration file /etc/fail2ban/jail.conf and the fail2ban manual for details.
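To make concrete what fail2ban is watching for, here is an added example (not part of the perfSONAR Toolkit or of fail2ban) that performs a reduced version of the same check by hand: it counts the "Failed password" lines sshd writes to /var/log/secure per source address and reports any source at or above a threshold. Unlike fail2ban it ignores the time window, so it is a one-shot audit rather than a replacement. The `failed_ssh_sources` name and the log lines in `SAMPLE_SECURE` are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the perfSONAR project or fail2ban: count failed SSH
# logins per source address in /var/log/secure-style log lines and report the
# sources that exceed a threshold, the same signal fail2ban's sshd jail keys on.

# Constructed sample in the syslog format sshd uses on CentOS: one address
# hammering root and invalid users, one legitimate admin with a single typo.
SAMPLE_SECURE='Mar  3 10:01:02 ps-host sshd[2101]: Failed password for root from 198.51.100.7 port 50122 ssh2
Mar  3 10:01:04 ps-host sshd[2101]: Failed password for root from 198.51.100.7 port 50122 ssh2
Mar  3 10:01:05 ps-host sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 50130 ssh2
Mar  3 10:01:07 ps-host sshd[2106]: Failed password for invalid user test from 198.51.100.7 port 50131 ssh2
Mar  3 10:01:09 ps-host sshd[2108]: Failed password for root from 198.51.100.7 port 50133 ssh2
Mar  3 10:02:00 ps-host sshd[2110]: Accepted publickey for psadmin from 192.0.2.10 port 40022 ssh2
Mar  3 10:05:13 ps-host sshd[2115]: Failed password for psadmin from 192.0.2.10 port 40030 ssh2
Mar  3 10:05:20 ps-host sshd[2115]: Accepted password for psadmin from 192.0.2.10 port 40030 ssh2'

# failed_ssh_sources [threshold]: read log lines on stdin and print "count ip"
# for every source with at least <threshold> failed logins (default 5),
# highest count first. Both "for root from X" and "for invalid user Y from X"
# forms are handled by taking the field that follows "from".
failed_ssh_sources() {
    awk -v threshold="${1:-5}" '
        / sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i < NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold) print fails[ip], ip
        }
    ' | sort -rn
}

# On a live host: failed_ssh_sources < /var/log/secure
printf '%s\n' "$SAMPLE_SECURE" | failed_ssh_sources
```

With the default threshold the sample yields only `5 198.51.100.7`; the administrator's single failure from 192.0.2.10 stays below it. Comparing this output with what fail2ban writes to its own log is a quick way to confirm the jail is actually reading /var/log/secure before you switch it from logging to banning.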

Limiting tests to Research and Education Networks Only

ESnet provides a file containing all R&E subnets, which is updated nightly. Instructions on how to download this file and configure pScheduler to use it are described on the page Limiting Tests to R&E Networks Only.

Managing Login Access

perfSONAR nodes are meant to be used, both by local users and the public at large, to perform a variety of network tests. This open access policy is at odds with measures that mitigate the risk of exposing functionality to those who would cause harm. The following is a possible approach to managing access to the host:

  • SSHD can be turned off completely if remote access to the machine via the terminal is not needed (e.g. in cases where console access is available either directly or indirectly).

  • If SSHD is turned on, consider using a jump host setup wherein access to the perfSONAR node can only be accomplished through a single trusted host (or set of hosts). This type of restriction can be implemented in iptables.
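The jump-host restriction above, written so that it follows the earlier guidance on adding your own firewall rules: on iptables systems the rules go into the INPUT chain rather than the perfSONAR chain, and on firewalld systems they are rich rules rather than zone services, so neither is overwritten when perfsonar-toolkit-security is updated. This is an added example, not part of the perfSONAR Toolkit; the `run`, `is_ipv4_cidr` and `ssh_jump_host_rules` names are its own, the rich-rule syntax follows firewalld.richlanguage(5), and 192.0.2.10 is a documentation address standing in for a real jump host. It prints the commands by default and only executes them when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not part of the perfSONAR Toolkit: generate (and optionally
# apply) rules that allow SSH only from one jump host. iptables rules are placed
# in INPUT and firewalld rules are rich rules, so the perfSONAR-managed chain
# and zone services are left alone. Dry-run by default; APPLY=1 runs the commands.

# run: execute the command when APPLY=1, otherwise print it shell-quoted.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; return; fi
    line=""
    for arg in "$@"; do
        case $arg in *[!A-Za-z0-9_./:=-]*) arg="'$arg'" ;; esac
        line="$line$arg "
    done
    printf '%s\n' "${line% }"
}

# is_ipv4_cidr: true for a.b.c.d or a.b.c.d/nn with octets 0-255 and prefix 0-32,
# so a typo cannot turn into a rule that matches nothing or everything.
is_ipv4_cidr() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# ssh_jump_host_rules <iptables|firewalld> <jump-host-ipv4[/prefix]>
ssh_jump_host_rules() {
    backend=$1 jump=$2
    if ! is_ipv4_cidr "$jump"; then
        echo "ssh_jump_host_rules: '$jump' is not an IPv4 address or CIDR" >&2
        return 2
    fi
    case $backend in
    iptables)
        # Inserted at position 1 so they are evaluated before anything else in
        # INPUT, including the jump into the perfSONAR chain. The DROP goes in
        # first and the ACCEPT is then inserted above it.
        run iptables -I INPUT 1 -p tcp --dport 22 -j DROP
        run iptables -I INPUT 1 -p tcp --dport 22 -s "$jump" -j ACCEPT
        # The jump host is IPv4-only, so SSH over IPv6 is dropped outright.
        run ip6tables -I INPUT 1 -p tcp --dport 22 -j DROP
        ;;
    firewalld)
        # Rich rules with a drop action are evaluated before the zone's services,
        # so the ssh service the toolkit keeps in the zone does not re-open it.
        run firewall-cmd --permanent --add-rich-rule \
            "rule family=\"ipv4\" source NOT address=\"$jump\" service name=\"ssh\" drop"
        run firewall-cmd --permanent --add-rich-rule \
            "rule family=\"ipv6\" service name=\"ssh\" drop"
        run firewall-cmd --reload
        ;;
    *)
        echo "ssh_jump_host_rules: backend must be iptables or firewalld" >&2
        return 2
        ;;
    esac
}

# 192.0.2.10 is a documentation address standing in for the real jump host.
ssh_jump_host_rules iptables 192.0.2.10
ssh_jump_host_rules firewalld 192.0.2.10
```

Review the printed commands from a session on the jump host itself before setting `APPLY=1`, since applying them from any other address ends that session. For iptables the rules are also only in the running ruleset; persist them with the distribution's save mechanism (the files under /etc/sysconfig named earlier) or they are gone after a reboot.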

Managing Archive Whitelist for Graphs

The perfSONAR graphs have the ability to reach out to external measurement archives. If you would like to limit the hosts that the graphs can reach, you can edit the file /usr/lib/perfsonar/graphs/etc/graphs.json. The url_whitelist parameter can be uncommented (remove the #) and the names of the hosts you want to allow can be added to the list. Any address not in the list will result in an error. This change affects both the line graphs and the traceroute viewer.