The perfSONAR Toolkit utilizes a number of tools that help protect against attacks on the system. These tools include:
- A default set of iptables and ip6tables (or firewalld for CentOS7) rules that only allow connections to ports required by perfSONAR tools.
- Inclusion of the fail2ban intrusion detection system (IDS) to log suspicious activity such as brute-force SSH attacks.
None of these solutions will protect your host from all kinds of attacks, so best common practices and good sense should be used when administering your host. In addition to the tools above, it's important to update your host with the latest packages and to watch the mailing lists for important security announcements.
The perfSONAR Toolkit uses iptables and ip6tables to implement IPv4 and IPv6 firewall rules respectively. The default configuration for each is in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. On CentOS 7, also see /usr/lib/firewalld/services and /etc/perfsonar/toolkit/perfsonar_firewalld_settings.conf for the firewalld rules.
perfSONAR uses the following ports:
perfSONAR Tools Ports

Tool | TCP ports | UDP Ports |
---|---|---|
owamp | 861 | 8760-9960 |
pscheduler | 443 | |
iperf3 | 5201 | |
iperf2 | 5001 | |
nuttcp | 5000, 5101 | |
traceroute | 33434-33634 | |
simplestream | 5890-5900 | |
ntp | 123 | |
bwctl | | 5001-5900, 6001-6200 |
Notes:
perfSONAR Toolkit Ports

Tool | TCP ports |
---|---|
management interface | 80, 443 |
esmond | 80, 443 |
Lookup Service | 8090 |
The rules added by the perfSONAR Toolkit are contained within a special perfSONAR chain of iptables (and ip6tables). You may add rules to the other chains, such as the INPUT chain, just as you would any other firewall rule. It is NOT recommended that you change the perfSONAR chain, as any changes you make could be overwritten by a software update.
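Because the toolkit owns the perfSONAR chain and local additions belong in INPUT, a periodic audit of what the firewall actually accepts is a useful sanity check. The following is an added example (not part of the perfSONAR documentation or code) that parses rules in iptables-save format, such as the contents of /etc/sysconfig/iptables, and reports any accepted destination port that is not covered by the tables above; the sample rules are constructed, and the SSH exception on port 22 is an assumption.

```python
import re

# Constructed sample in iptables-save format; not taken from a real toolkit host.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:perfSONAR - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j perfSONAR
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A perfSONAR -p tcp -m tcp --dport 861 -j ACCEPT
-A perfSONAR -p udp -m udp --dport 8760:9960 -j ACCEPT
-A perfSONAR -p tcp -m multiport --dports 443,5201,5001,5000,5101 -j ACCEPT
-A perfSONAR -p tcp -m tcp --dport 8090 -j ACCEPT
COMMIT
"""

# Port ranges transcribed from the two tables above, keyed by protocol.
# SSH on TCP 22 is an assumed administrative exception, not from the tables.
EXPECTED = {
    "tcp": [(861, 861), (443, 443), (5201, 5201), (5001, 5001), (5000, 5000),
            (5101, 5101), (33434, 33634), (5890, 5900), (123, 123),
            (80, 80), (8090, 8090), (22, 22)],
    "udp": [(8760, 9960), (5001, 5900), (6001, 6200)],
}

# Matches "-A <chain> ... -p tcp|udp ... --dport(s) <spec> ... -j ACCEPT".
RULE_RE = re.compile(r"^-A (\S+) .*?-p (tcp|udp) .*?--dports? (\S+) .*?-j ACCEPT")

def parse_accepts(rules_text):
    """Yield (chain, proto, lo, hi) for every ACCEPT rule that opens a dport."""
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        chain, proto, ports = m.groups()
        for item in ports.split(","):          # multiport lists and N:M ranges
            lo, _, hi = item.partition(":")
            yield chain, proto, int(lo), int(hi or lo)

def audit(rules_text):
    """Return opened (chain, proto, lo, hi) entries not covered by EXPECTED."""
    findings = []
    for chain, proto, lo, hi in parse_accepts(rules_text):
        covered = any(elo <= lo and hi <= ehi for elo, ehi in EXPECTED[proto])
        if not covered:
            findings.append((chain, proto, lo, hi))
    return findings

if __name__ == "__main__":
    for chain, proto, lo, hi in audit(SAMPLE_RULES):
        print(f"unexpected open port: chain={chain} {proto} {lo}-{hi}")
```

A finding in the perfSONAR chain rather than INPUT would indicate a local edit to the toolkit-managed chain, which a later update may silently undo.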
For more information see:
By default the perfSONAR Toolkit installs and configures the fail2ban Intrusion Detection System (IDS). This software will log suspicious activity, such as a rapid succession of failed SSH login attempts, in /var/log/secure. By default it will not act to mitigate any attempts, only log them (though the default iptables rules do SSH throttling). If you would like to change this default behavior to send email or block unwanted intrusions, see the configuration file /etc/fail2ban/jail.conf and the fail2ban manual for details.
ESnet provides a file containing all R&E subnets, which is updated nightly. Instructions on how to download this file and configure pScheduler and bwctl to use it are described on the page Limiting Tests to R&E Networks Only.
perfSONAR nodes are meant to be used, both by local users and the public at large, to perform a variety of network tests. This open access policy is at odds with mitigating the risk of exposing functionality to those who would cause harm. The following is a possible approach for managing access to the host:
The NTAC Performance Working Group has published a document related to deploying perfSONAR while still justifying cybersecurity policy. This document can be found here: