I'm trying to make a portforwarding for different ports for communications, but it seems they are lost on reboot.
I'm using a script to make them, and it uses the following syntax:
upnpc -a 192.168.1.95 22 22 TCP
...
Since my system is made to actually stress the gateway to reboot, I need to have these ports open after a reboot. I could do it in the software (running the script if connection lost), but I don't want to do that unless it is absolutely necessary.
Do you have some idea of how to make a portforwarding with UPnP such that the forwarding is persisted after a reboot?
Port mappings are specifically not required to be persistent between gateway reboots, clients are supposed to keep an eye on the mappings and re-map when needed. WANIPConnection spec v2 also does not even allow indefinite mappings: another reason to keep the client running as long as you need the mapping to exist.
Related
Ubuntu 20.04: what are the security risks without firewall?
Installed Ubuntu 20.04, but forgot to enable the firewall using ufw.
SSH port 22: use keys (2048 bit) for login, no password.
Setting UsePAM=true, any risk?
Any other services that may have security holes without firewall, and hackers can break into the server?
Case for firewall
Yes you should enable the firewall. It's an important security layer.
Software has bugs. The firewall layer prevents some bugs or mistakes from causing harm.
Security is layered for the same reason airplanes have redundant systems. Even single engine airplanes are designed to glide when they lose thrust.
SSH and Services You Know About
While proper SSH configuration is another topic, it illustrates a reason firewalls are needed. Your config is on the right track, but without reading the entire man-page you're still unsure if it's secure.
If you're unsure about SSH, a firewall can limit access from source IPs that you define adding another layer.
SSH is but one of a handful of services you're running that might be accessible over the public internet. Sometimes services become open to the public unintentionally.
Third Party Software
One type of bug is a software update or install that inadvertently opens a service and exposes that service to the public internet.
I frequently see application installs that open a private service bound to 0.0.0.0 when it should be bound to 127.0.0.1. If you don't know the difference, you aren't alone. Binding to 0.0.0.0 (or *) means open to the public internet.
This isn't just a user-workstation problem. Package managers are susceptible to this too. NPM, Python PIP, and Apt all can run executables on your system.
Checking for Open Services
Run sudo netstat -n to show active internet connections.
For example, here's output:
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 31 0 192.168.1.17.53624 3.xxx.96.61.443 CLOSE_WAIT
tcp4 0 0 192.168.1.17.53622 162.xxx.35.136.443 ESTABLISHED
udp4 0 0 *.3722 *.*
[...]
I do not know what udp port 3722 is but my system will accept traffic from ANYWHERE to that port.
Closing
The firewall is a layer that lives lower in the network stack than applications and thus provides a layer to guard against configuration and application problems.
Enabling the firewall will prevent you accidentally exposing something you didn’t know was open - telnet, ftp, databases, Jupyter to name a few.
Regarding ssh with disabled password and ssh keys, it’s a good way to enable shell access but be aware that if there is no password on the ssh key, and the private key is stolen, then the thief will have access.
Also, remember ssh only encrypts transport. If you trust everyone who has or can obtain root access, that’s not a big deal, but if someone dishonest connects as root on the same host, then they can still spy on connections. Just something to be aware of.
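A small audit of the listing above, as an added example (not part of the answer): it parses BSD-style netstat output and flags every listening socket bound to the wildcard address rather than loopback. The sample lines are constructed; real input would come from running `netstat -an` yourself.

```python
"""Flag sockets that accept traffic from any address (added example).

Parses BSD-style ``netstat -n`` / ``netstat -an`` output like the
listing in the answer above and reports which listening sockets are
bound to the wildcard address ('*' / 0.0.0.0 / ::) instead of loopback.
The lines below are constructed for the example.
"""
import re

SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 31 0 192.168.1.17.53624 3.0.96.61.443 CLOSE_WAIT
tcp4 0 0 127.0.0.1.5432 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
udp4 0 0 *.3722 *.*
udp4 0 0 127.0.0.1.53 *.*
"""

WILDCARDS = {"*", "0.0.0.0", "::"}

def split_addr(addr):
    """'192.168.1.17.53624' -> ('192.168.1.17', '53624'); '*.22' -> ('*', '22')."""
    host, _, port = addr.rpartition(".")
    return host, port

def audit_sockets(text):
    """Return one dict per socket that is waiting for inbound traffic."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not re.match(r"^(tcp|udp)[46]?$", f[0]):
            continue  # banner, header, or non-socket line
        proto, local, foreign = f[0], f[3], f[4]
        state = f[5] if len(f) > 5 else ""
        # TCP listeners carry LISTEN; a UDP socket with '*.*' as its
        # foreign address accepts datagrams from anyone.
        listening = state == "LISTEN" if proto.startswith("tcp") else foreign == "*.*"
        if not listening:
            continue
        host, port = split_addr(local)
        found.append({"proto": proto, "host": host, "port": port,
                      "exposed": host in WILDCARDS})
    return found

if __name__ == "__main__":
    for s in audit_sockets(SAMPLE):
        tag = "EXPOSED" if s["exposed"] else "local  "
        print(f"{tag} {s['proto']} {s['host']}:{s['port']}")
```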
I do not trust anything, so I want to write my own firewall. I'm not satisfied with the application firewalls in Linux and Windows, and the distro firewalls are not adequate for my purposes. I'm frustrated with distro firewalls; most of them, like pfSense, OPNsense and ipfire, just seem to give the illusion of a firewall, but all they do is packet filtering. I'm unable to block everything and only allow a few websites with it. I have created a rule to block DNS requests, applied that rule and rebooted the firewall distro, but it doesn't seem to have any effect. I either have to block everything or allow everything, both of which are undesirable. The sc*mbags seem to have deliberately made the interface unintuitive to sell service; they claim their firewalls are free but made the interface obtuse, so that they can steal money by selling service.
I'm thinking of writing my own firewall. One part of this will be an application which will run on the client system and the other would be a standalone distro; both will run together to allow better management. The application on the client will create a special packet signed with the hash of the application, OS, etc., and the intermediary firewall distro will check this hash and allow rules and policies to be created based on this hash. Does the TCP/IP protocol allow this?
I have searched the net for resources about the network API on Linux, and there are three resources about writing my own firewall: two are questions here and one is netfilter. I don't know anything about the TCP/IP protocol, so I don't know if I can use the packets made by TCP/IP to achieve this or I have to creatively find a way to create a special packet.
Problem: I am developing a graphical front end for a distributed CPU/GPU simulator. As this simulator utilizes MPI, it requires a hostfile detailing the hostnames for all computers being used on the network so that it knows what machines to distribute across. As the end users for my application are not computer scientists (and may not even be very computer literate), I can't expect them to know/find the hostnames of every computer on their network/cluster. I would like to programmatically perform this hostname discovery so that, upon application start-up, the user can see the available machines, and from those, pick the hosts they want to run on. If possible, I would like this solution to be cross platform but as the simulator currently contains some linux dependencies I can deal with a Linux only solution.
What I have tried so far: I tried utilizing the nmap package to discover hosts on a network with commands like nmap -sP <ip address range> using the ip address range for that local network. However, it only dumps the IP addresses for the hosts (not the host names) and I'm not sure how to translate these IP addresses into ssh hostnames (as MPI uses ssh for host discovery). Additionally, I used a similar approach with ping supplying the broadcast address and it returned nearly identical results.
I apologize for the broad nature of this question and the lack of code shown but I am not very experienced with network probing / programming and I am really not even sure where to start. I tried googling this but I was unable to find a suitable option (possibly because my lack of experience caused me to use improper terminology triggering improper results) My background is primarily in graphics and user interface programming, so this is a little beyond my comfort zone.
SSH doesn't care if it is given hostnames or IP addresses to connect to (not sure if this applies when there are host-specific configurations). Most MPI implementations don't care either, e.g. in Open MPI connection URIs addresses are all numeric, so a hostfile with IPs would be fine. HTTP servers on the other hand care because of the virtual hosting thing where many different sites resolve to the same IP address but the server is supplied the actual hostname via the Host HTTP header.
Unsolicited advice: finding hosts by ping is fine, but it doesn't guarantee that you have found machines, where SSH is running. You would better scan for systems with port 22 open that accept TCP connections:
$ nmap -oX - -sT -p22 <ip range>
-oX produces XML output that can be easily parsed. -oG is also a nice format for automated parsing of the scan results. Also having SSH running doesn't necessarily mean that the user would be able to log into the system - for example it could be a network router or another remotely manageable device. One also has to take care of only showing machines where the user can log on without having to supply a password, e.g. with RSA/DSA public keys, otherwise starting an MPI job would be a really tedious task. You can test each host found with something like:
$ ssh -2 -o "PreferredAuthentications=gssapi-with-mic,hostbased,publickey" \
<host> hostname
This command basically excludes all interactive authentication methods. If the connection succeeds, it will output the hostname of the remote machine. Otherwise you'd get a permission denied error and a non-zero exit code from the SSH client.
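The two steps of the answer above combined into one script, as an added example (not code from the answer): it parses `nmap -oG` grepable output for hosts with 22/open, probes each with the same non-interactive ssh invocation (plus `BatchMode=yes`, so a missing key fails instead of prompting), and emits a hostfile. The scan text is constructed; real input would come from `nmap -oG - -sT -p22 <ip range>`.

```python
"""Build an MPI hostfile from an SSH port scan (added example).

Parses ``nmap -oG`` output for hosts with 22/open, then verifies each
with a non-interactive ssh probe that prints the remote hostname.
The scan text below is a constructed sample.
"""
import re
import subprocess

SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.1.10 (node01.lan)\tStatus: Up
Host: 192.168.1.10 (node01.lan)\tPorts: 22/open/tcp//ssh///
Host: 192.168.1.11 ()\tPorts: 22/closed/tcp//ssh///
Host: 192.168.1.12 (router.lan)\tPorts: 22/filtered/tcp//ssh///
Host: 192.168.1.13 ()\tPorts: 22/open/tcp//ssh///
# Nmap done (constructed sample)
"""

# Grepable format: "Host: <ip> (<reverse name>)<TAB>Ports: 22/open/tcp//ssh///, ..."
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*)$")

def ssh_hosts(grepable):
    """Return [(ip, reverse_name)] for every host reporting port 22 open."""
    hosts = []
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports = m.groups()
        for entry in ports.split(", "):
            port, state = entry.split("/")[:2]
            if port == "22" and state == "open":
                hosts.append((ip, name))
    return hosts

def probe_argv(host):
    """ssh argv that never prompts: key/GSSAPI/hostbased auth only."""
    return ["ssh", "-o", "BatchMode=yes",
            "-o", "PreferredAuthentications=gssapi-with-mic,hostbased,publickey",
            host, "hostname"]

def probe(host, timeout=10):
    """Remote hostname if passwordless login works, else None."""
    r = subprocess.run(probe_argv(host), capture_output=True, text=True, timeout=timeout)
    return r.stdout.strip() if r.returncode == 0 else None

def hostfile(grepable, check=probe):
    """Hostfile text (one usable host per line) for mpirun --hostfile."""
    return "".join(f"{ip}\n" for ip, _ in ssh_hosts(grepable) if check(ip))

if __name__ == "__main__":
    print(hostfile(SAMPLE_SCAN), end="")
```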
I am trying to setup NFS mounts between two machines on the same local network, however it seems I need to be more specific in my firewall (FIREHOL) setup as the client side cannot mount the exports.
Did look at netstat to determine the ports that open up, but they seem to be non-static/changing.
I know it is firewall related as disabling/stopping my Firehol causes the problem to disappear.
Any specific areas I should investigate?
Well, first of all, you need to make sure that portmap is also enabled in your Firehol configuration.
I am not super sure about the low-level workings of NFS's ports, but it does not use the same ports every time.
You could do something like the following to enable the NFS ports, as well as portmap. (Check rpcinfo -p)
This would enable the rpc queries (to determine the ports, for the firewall to know, AFTER NFS was started (or restarted)).
I also suggest the use of 'src' to restrict the client IPs you are serving to, if you don't already have it :)
Lastly, remember to restart the firewall/firehol AFTER nfs restarts, so rpc queries are happy with the ports for the nfs service.
Example (where 192.168.152.176 is your client machine):
server portmap accept src 192.168.152.176
server nfs accept src 192.168.152.176
I have a new tomcat application server running on tomcat 6, java 6 (openjdk), centos 6.2. The server is a virtual machine running under qemu-kvm on a centos 6.2 host. Both host and guest are 64-bit.
I have a case where a connection is opened, (from a connection pool) then a "long computation" occurs for about 4 hours, during which the connection is not used. Finally, a "commit" is issued, and the server gives a "connection reset" exception, specifically:
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:185)
at oracle.net.ns.Packet.receive(Packet.java:282)
at oracle.net.ns.DataPacket.receive(DataPacket.java:103)
at oracle.net.ns.NetInputStream.getNextPacket(NetInputStream.java:230)
at oracle.net.ns.NetInputStream.read(NetInputStream.java:175)
at oracle.net.ns.NetInputStream.read(NetInputStream.java:100)
at oracle.net.ns.NetInputStream.read(NetInputStream.java:85)
at oracle.jdbc.driver.T4CSocketInputStreamWrapper.readNextPacket(T4CSocketInputStreamWrapper.java:122)
at oracle.jdbc.driver.T4CSocketInputStreamWrapper.read(T4CSocketInputStreamWrapper.java:78)
at oracle.jdbc.driver.T4CMAREngine.unmarshalUB1(T4CMAREngine.java:1179)
at oracle.jdbc.driver.T4CMAREngine.unmarshalSB1(T4CMAREngine.java:1155)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:279)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:186)
at oracle.jdbc.driver.T4C7Ocommoncall.doOCOMMIT(T4C7Ocommoncall.java:75)
at oracle.jdbc.driver.T4CConnection.doCommit(T4CConnection.java:558)
The database server and the client are on the same subnet, except the server is a real physical host, and obviously the app-server is a guest running inside a physical machine on the same subnet.
The host used "bridged" networking.
This may not be a software problem at all but rather a linux os configuration (iptables?) issue, but I really don't know.
I have run into this a couple of times. Almost always caused by a network timeout (load balancer or firewall). But you have clearly mentioned that your servers are on the same subnet, so not really sure what is going on. Since you suspect iptables, can you turn it off, run the test and see if it works (too easy huh :)
Regardless, assuming you are connecting to an Oracle db, the following tweak helps
http://raibledesigns.com/rd/entry/tomcat_oracle_connectivity_problems
If you use a different db (say mysql) the setting might be different but the logic is the same. Set up a keepalive value to prevent the connection from being idle for too long. This way the firewall/load balancer/iptables software will not terminate it.
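What that keepalive does at the transport level, as an added example (not code from the answer or the linked article): it enables TCP keepalive on a socket with probe timers shorter than the intermediate device's idle timeout, so a connection that sits unused for hours keeps its flow state alive and is reset early, not four hours later, if the path has died. The per-socket timer options (`TCP_KEEPIDLE`, `TCP_KEEPINTVL`, `TCP_KEEPCNT`) are assumed to be the Linux ones; on other platforms only the kernel-wide defaults apply.

```python
"""Keep an idle TCP connection alive across a firewall idle timeout (added example).

A stateful firewall or load balancer that forgets a silent flow resets
it on the next packet, which is what the commit after a long idle
period ran into above. Keepalive probes sent more often than the
device's idle timeout keep the flow state fresh; if the path is gone,
the socket errors out after idle + interval * count seconds instead of
failing hours later at commit time.
"""
import socket

# Assumed Linux option names; absent on platforms without per-socket timers.
_TIMER_OPTS = ("TCP_KEEPIDLE", "TCP_KEEPINTVL", "TCP_KEEPCNT")

def enable_keepalive(sock, idle=600, interval=60, count=5):
    """Turn on keepalive: first probe after `idle`s of silence, then every
    `interval`s, giving up after `count` unanswered probes.

    Choose `idle` below the firewall's idle timeout (e.g. 600s for a
    15-minute timeout). Returns the values read back from the socket.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name, value in zip(_TIMER_OPTS, (idle, interval, count)):
        opt = getattr(socket, name, None)
        if opt is None:
            continue  # platform without per-socket keepalive timers
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied

def demo_keepalive(idle=600, interval=60, count=5):
    """Apply the settings to a fresh socket and return what the kernel reports."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return enable_keepalive(s, idle, interval, count)
    finally:
        s.close()

if __name__ == "__main__":
    # A pooled client would call enable_keepalive() right after connect().
    print(demo_keepalive())
```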
As you can see in this post in Oracle Forums, this can have more than one problem / solution.
Check if your JDBC driver version is correct
Check your ORACLE_HOME environment variable
Try adding the argument -Djava.security.egd=file:///dev/urandom
Does your logic use a singleton to get the connection? This is mentioned in the post too.
Hope this helps you.
#user is referring to a good workaround, by configuring "SQLNET.EXPIRE_TIME=10" in sqlnet.ora.
However, this workaround is only applicable if your application is using thick OCI (jdbc:oci), not thin (jdbc:thin) driver.
Linux has a software firewall, i.e. iptables, which can drop idle network connections, so even if you are in the same subnet, you have the iptables software firewall. This is activated by default in all modern Linux distributions, and it is up to the Linux administrator to disable it.
By default, Linux iptables does not drop idle TCP/IP connections (jdbc belongs to the TCP/IP protocol), so the Linux administrator must have configured iptables to do so. Following is a detailed explanation for any reader who is interested in knowing more:
http://www.digitage.co.uk/digitage/software/linux-security/cutter
Business users, the security team, or architects often suggest that network/OS admins abort idle connections using the firewall, as well as the router. This is always a "recommendation" in the anti-hacking community, but it is not properly discussed, and it causes application instability. Eventually, you should discuss with the team to find a balance.