Hi Sergio,
Is there a complete and ACTUAL list of PUBLIC lcg services (server:port) available?
Here we do filter all network connections with a centralized firewall, so
such information would help me stop guessing about them.
Regards,
Dan
Sergio Fantinel wrote:
> Kostas,
> thanks for pointing out the potential vulnerability, but your suggestion
> to turn off the fmon collector is a little bit drastic!
> I suggest instead a less invasive solution to isolate the connection
> only from inside a site with iptables.
> One can close access as below, where 193.206.185.0/255.255.255.0 needs
> to be substituted by your network and netmask.
>
> iptables -A INPUT -p tcp -s 193.206.185.0/255.255.255.0 --dport 12409 -j ACCEPT
> iptables -A INPUT -p tcp --dport 12409 -j REJECT
> iptables -A INPUT -p udp -s 193.206.185.0/255.255.255.0 --dport 12409 -j ACCEPT
> iptables -A INPUT -p udp --dport 12409 -j REJECT
>
> the same thing if you want to block access to the query soap port 12411
>
> I think it is possible to fine tune the rules so only services (CE,
> SE, RB, BDII) inside a site can connect!
>
> Regards,
> Sergio
>
> Kostas Georgiou wrote:
>
>> On Tue, Jun 07, 2005 at 12:36:02PM +0200, Sergio Fantinel wrote:
>>
>>
>>> Kostas Georgiou wrote:
>>>
>>>
>>>> Is there any reason why it needs to run as root though? Is there any
>>>> client authentication or does it allow everyone in the world to write
>>>> to it?
>>>
>>>
>>> It is better to route these questions to German. About the auth I
>>> think LeMON (ex. fmon) trusts the LAN and leaves it to the site
>>> administration to block access by firewalls and/or iptables host
>>> config. But German I think can correct/add more info on this.
>>
>>
>>
>> Thanks for the reply. We'll disable it here at Imperial (and I advise
>> every other admin to do the same) until the software is fixed and proper
>> authentication (hint SSL or GSI) is added. Since it's only collecting
>> information it doesn't have to run as root either.
>>
>> Cheers,
>> Kostas
>>
>> PS> SSL is now around a decade old, there is no excuse for software not
>> to have authentication in 2005.
>>
>
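The iptables rules Sergio posted work because netfilter evaluates a chain top to bottom and the first match wins: the site-subnet ACCEPT must be appended before the catch-all REJECT, or the collector becomes unreachable even from inside the site. The script below is an added example, not code from the thread or from LeMON; it generates the same rule pattern for both ports mentioned in the thread (12409 and 12411) from a "network/netmask" string, and includes a small first-match evaluator plus an ordering check so the rule set can be sanity-tested before it is applied. The sample source addresses and the `site_rules`, `verdict` and `misordered_ports` names are assumptions made for this example.

```python
"""Generate and sanity-check site-only iptables rules for the LeMON/fmon ports.

Added example; not part of the mailing-list thread or of LeMON itself.
"""
import ipaddress
from typing import List, Optional, Tuple

# Ports named in the thread: 12409 (collector) and 12411 (query SOAP port).
LEMON_PORTS = (12409, 12411)

Rule = Tuple[str, Optional[ipaddress.IPv4Network], int, str]  # proto, src, dport, target


def site_rules(site_net: str, ports=LEMON_PORTS) -> List[str]:
    """Return iptables commands that ACCEPT site_net and REJECT everyone else.

    site_net may be written as network/netmask ("193.206.185.0/255.255.255.0")
    or CIDR ("193.206.185.0/24"). strict=True rejects a host address such as
    193.206.185.5/24, which is the usual copy-paste mistake with these rules.
    """
    net = ipaddress.ip_network(site_net, strict=True)
    rules = []
    for port in ports:
        for proto in ("tcp", "udp"):
            # ACCEPT first, REJECT second: order is what makes the pair work.
            rules.append(
                f"iptables -A INPUT -p {proto} -s {net.with_netmask} --dport {port} -j ACCEPT"
            )
            rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j REJECT")
    return rules


def parse_rule(cmd: str) -> Rule:
    """Pull proto, optional source network, dport and target out of one command."""
    toks = cmd.split()
    proto = toks[toks.index("-p") + 1]
    src = ipaddress.ip_network(toks[toks.index("-s") + 1]) if "-s" in toks else None
    dport = int(toks[toks.index("--dport") + 1])
    target = toks[toks.index("-j") + 1]
    return proto, src, dport, target


def verdict(rules: List[str], src_ip: str, proto: str, dport: int, policy: str = "ACCEPT") -> str:
    """Model the INPUT chain: first matching rule wins, else the chain policy applies.

    policy defaults to ACCEPT, the common default for an INPUT chain that relies
    on explicit REJECT rules like the ones in the thread.
    """
    ip = ipaddress.ip_address(src_ip)
    for cmd in rules:
        r_proto, r_src, r_port, target = parse_rule(cmd)
        if r_proto != proto or r_port != dport:
            continue
        if r_src is not None and ip not in r_src:
            continue
        return target
    return policy


def misordered_ports(rules: List[str]) -> List[Tuple[str, int]]:
    """Report (proto, port) pairs where a catch-all REJECT precedes the site ACCEPT.

    Such a pair silently locks the site's own hosts out of the collector.
    """
    seen_reject = set()
    bad = []
    for cmd in rules:
        proto, src, dport, target = parse_rule(cmd)
        key = (proto, dport)
        if target == "REJECT" and src is None:
            seen_reject.add(key)
        elif target == "ACCEPT" and key in seen_reject:
            bad.append(key)
    return bad


if __name__ == "__main__":
    rules = site_rules("193.206.185.0/255.255.255.0")
    print("\n".join(rules))
    # Constructed sample sources: one inside the site, one outside.
    print(verdict(rules, "193.206.185.17", "tcp", 12409))  # ACCEPT
    print(verdict(rules, "198.51.100.9", "tcp", 12409))    # REJECT
    print(misordered_ports(rules))                          # []
```

Running the generated lines on the host applies the policy Sergio described; the evaluator is only a model of first-match semantics, so `misordered_ports` is the check worth keeping in any script that assembles these rules, since a reversed pair produces no error from iptables itself.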