WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] (securing dom0 - firewall rules. was: ) Re: Live Migrati

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] (securing dom0 - firewall rules. was: ) Re: Live Migration Config
From: Tom Brown <tbrown@xxxxxxxxxxxxx>
Date: Sun, 30 Oct 2005 10:05:23 -0800 (PST)
Delivery-date: Sun, 30 Oct 2005 18:03:24 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <43643730.50407@xxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
There needs to be either some documentation about how to secure your xen
host, or the default configuration needs to be changed to be far "less
permissive" :-) and documentation added about how to relax the security.

Even being able to bind xferd to a specific IP address (e.g. 10.0.0.1)
would be a start (not "secure" but I'd rather have to deal with "only" the
clients of a big co-lo (or if you're lucky, your own lan) instead of the
whole internet)...

Here's a start... This isn't rock solid, but it is a million times better
than being wide open. It blocks the xen (http and event) and xfrd ports,
the console ports for doms numbered 1 to 99. Increase 9699 if you cycle
through a lot of domUs. It is Linux/bash specific, and assumes you have
iptables enabled on the dom0. I have also used the REJECT target, but you
could use DENY if REJECT wasn't enabled in your kernel compile.

And of course, all of this might be obsolete for xen 3

   #!/bin/bash

   FW=/sbin/iptables
   # accept any traffic that comes in the loopback interface
   # this should cover ALL legit traffic to 127.0.0.1
   $FW -A INPUT -i lo --jump ACCEPT

   # hhm, this should deny remaining traffic to 127.0.0.1
   # that should block traffic where outside systems have routed
   # 127.0.0.1 to us.
   $FW -A INPUT -p TCP -d 127.0.0.1 --jump REJECT

   # add explicit rules here to allow access
   # $FW -A INPUT -p TCP -s OPENIP --dport OPENPORT --jump REJECT

   #block everything else
   for port in 8000 8001 8002 ; do
      $FW -A INPUT -p TCP --dport $port --jump REJECT
   done

   console=9600
   while [ $console -lt 9699 ] ; do
      $FW -A INPUT -p TCP --dport $console --jump REJECT
      let console=$console+1
   done


On my 2.0.7 boxes it looks like the xen http interface is on ports
8000 and maybe 8001 (but those are bound to 127.0.0.1) and xfrd is on 8002
- the first two seem to be specified in /etc/xen/xend-config.sxp (hhmm,
8002 seems to be in xfrd.h, used by a compiled C program xfrd, it can be
specified as a command line option though...)

   # Port xend should use for the HTTP interface.
   (xend-port         8000)
   # Port xend should use for the event interface.
   (xend-event-port   8001)

and for consoles the following seem relevent:

   (console-port-base 9600)
   (console-address   'localhost')

however, my port 8000 and 8001 daemons are _also_ bound to
localhost...

   [root@xen2 /etc/xen]# netstat -atn | grep LIST
   tcp        0      0 127.0.0.1:8000              0.0.0.0:* LISTEN
   tcp        0      0 127.0.0.1:8001              0.0.0.0:* LISTEN
   tcp        0      0 0.0.0.0:8002                0.0.0.0:* LISTEN
   tcp        0      0 127.0.0.1:9605              0.0.0.0:* LISTEN

(9605 being a console port)

   [root@xen2 /etc/xen]# xm list
   Name              Id  Mem(MB)  CPU  State  Time(s)  Console
   Domain-0           0      123    0  r----  21371.7
   audio              5      255    1  -b---  199561.7    9605

Anyhow, the above seems like a pretty lousy start, but if it
inspires someone to improve on it, then great!

Note: I suggested earlier that disabling xfrd was probably just a change
to the startup scripts. That doesn't seem to be correct. It appears to be
started from the main xend python script... and that only seems to take
stop/start/restart options. (I'm not python literate.)

-Tom



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

<Prev in Thread] Current Thread [Next in Thread>