Re: [Xen-users] (securing dom0 - firewall rules. was: ) Re: Live Migration Config
There needs to be either some documentation about how to secure your xen host, or the default configuration needs to be changed to be far "less permissive" :-) and documentation added about how to relax the security. Even being able to bind xferd to a specific IP address (e.g. 10.0.0.1) would be a start (not "secure", but I'd rather have to deal with "only" the clients of a big co-lo (or, if you're lucky, your own lan) instead of the whole internet)...

Here's a start... This isn't rock solid, but it is a million times better than being wide open. It blocks the xen (http and event) and xfrd ports, and the console ports for doms numbered 1 to 99. Increase 9699 if you cycle through a lot of domUs. It is Linux/bash specific, and assumes you have iptables enabled on the dom0. I have also used the REJECT target, but you could use DENY if REJECT wasn't enabled in your kernel compile. And of course, all of this might be obsolete for xen 3.

#!/bin/bash
FW=/sbin/iptables

# accept any traffic that comes in the loopback interface
# this should cover ALL legit traffic to 127.0.0.1
$FW -A INPUT -i lo --jump ACCEPT

# hhm, this should deny remaining traffic to 127.0.0.1
# that should block traffic where outside systems have routed
# 127.0.0.1 to us.
$FW -A INPUT -p TCP -d 127.0.0.1 --jump REJECT

# add explicit rules here to allow access (these must come before
# the blocking rules below, since iptables matches in order)
# $FW -A INPUT -p TCP -s OPENIP --dport OPENPORT --jump ACCEPT

# block everything else: xend http (8000), xend event (8001), xfrd (8002)
for port in 8000 8001 8002 ; do
    $FW -A INPUT -p TCP --dport $port --jump REJECT
done

# console ports: console-port-base (9600) + domain id, so 9600..9699
# covers doms 0 to 99 (-le so that 9699 itself is blocked too)
console=9600
while [ $console -le 9699 ] ; do
    $FW -A INPUT -p TCP --dport $console --jump REJECT
    let console=$console+1
done

On my 2.0.7 boxes it looks like the xen http interface is on ports 8000 and maybe 8001 (but those are bound to 127.0.0.1) and xfrd is on 8002 - the first two seem to be specified in /etc/xen/xend-config.sxp (hhmm, 8002 seems to be in xfrd.h, used by a compiled C program xfrd; it can be specified as a command line option though...)
# Port xend should use for the HTTP interface.
(xend-port 8000)
# Port xend should use for the event interface.
(xend-event-port 8001)

and for consoles the following seem relevant:

(console-port-base 9600)
(console-address 'localhost')

however, my port 8000 and 8001 daemons are _also_ bound to localhost...

[root@xen2 /etc/xen]# netstat -atn | grep LIST
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8001          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8002            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9605          0.0.0.0:*               LISTEN

(9605 being a console port)

[root@xen2 /etc/xen]# xm list
Name              Id  Mem(MB)  CPU  State  Time(s)   Console
Domain-0           0      123    0  r----  21371.7
audio              5      255    1  -b---  199561.7  9605

Anyhow, the above seems like a pretty lousy start, but if it inspires someone to improve on it, then great!

Note: I suggested earlier that disabling xfrd was probably just a change to the startup scripts. That doesn't seem to be correct. It appears to be started from the main xend python script... and that only seems to take stop/start/restart options. (I'm not python literate.)

-Tom

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
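An added example, not part of Tom's post or of the Xen project: a POSIX sh script that covers the two things the post does by hand. First it audits a `netstat -atn` listing for Xen services (xend 8000/8001, xfrd 8002, consoles 9600-9699) that are bound to something other than loopback, which is the check Tom did by eye on xen2. Second it generates a dom0 rule set that starts from a default-deny INPUT policy, allows loopback, established traffic and ssh, allows xfrd only from a management network, and rejects the Xen ports from everywhere else using a single port range instead of a 100-iteration loop. The management network 10.0.0.0/24, the ssh allowance and the sample netstat listing are constructed assumptions; the rules are printed rather than applied, so you can review them and then pipe them to `sh` as root.

```shell
#!/bin/sh
# Added example (not from the original post): audit Xen listeners and
# generate dom0 iptables rules for the ports the post names.

FW=${FW:-/sbin/iptables}
MGMT_NET=${MGMT_NET:-10.0.0.0/24}   # assumption: admin hosts and migration peers live here
CONSOLE_BASE=9600                   # console-port-base from xend-config.sxp
CONSOLE_MAX=9699                    # raise this if domain ids cycle past 99

# Constructed sample of `netstat -atn` output, modelled on the post's xen2 box
# plus an sshd line; only 8002 (xfrd) is exposed on all interfaces.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8001          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8002            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9605          0.0.0.0:*               LISTEN'

# Read netstat -atn output on stdin and print addr:port for every LISTEN
# socket on a Xen port that is not bound to loopback (IPv4 entries only).
xen_exposed_listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":")
        if (n != 2) next                      # skip IPv6 entries
        addr = a[1]; port = a[2] + 0
        xen = (port >= 8000 && port <= 8002) || (port >= 9600 && port <= 9699)
        if (xen && addr != "127.0.0.1") print addr ":" port
    }'
}

# Print the rule set, one iptables command per line. Apply from the physical
# console (not over ssh): the policy flips to DROP before the ssh allow exists.
xen_dom0_rules() {
    echo "$FW -P INPUT DROP"                                   # default deny
    echo "$FW -F INPUT"
    echo "$FW -A INPUT -i lo -j ACCEPT"                        # all loopback traffic
    echo "$FW -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP"         # spoofed loopback from the wire
    echo "$FW -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$FW -A INPUT -p tcp -s $MGMT_NET --dport 22 -j ACCEPT"
    # xfrd only from the management network, so live migration still works
    echo "$FW -A INPUT -p tcp -s $MGMT_NET --dport 8002 -j ACCEPT"
    # explicit REJECT for the Xen daemons so clients get a refusal, not a timeout
    for port in 8000 8001 8002; do
        echo "$FW -A INPUT -p tcp --dport $port -j REJECT"
    done
    # console ports as one range: base + domain id, 9600..9699 covers doms 0-99
    echo "$FW -A INPUT -p tcp --dport $CONSOLE_BASE:$CONSOLE_MAX -j REJECT"
}

# Stand-alone run: audit the constructed listing, then print the rule set.
printf '%s\n' "$SAMPLE_NETSTAT" | xen_exposed_listeners
xen_dom0_rules
```

On a real dom0 replace the constructed listing with `netstat -atn | xen_exposed_listeners`; any line it prints is a daemon reachable from beyond the host. The generated rules keep the post's REJECT behaviour for the Xen ports but sit on top of a DROP policy, so a new daemon that appears later is closed by default rather than open.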