| |
|
 |
|
 |
|
|
|
| |
|
|
xen-users
Re: [Xen-users] (securing dom0 - firewall rules. was: ) Re: Live Migrati
There needs to be either some documentation about how to secure your xen
host, or the default configuration needs to be changed to be far "less
permissive" :-) and documentation added about how to relax the security.
Even being able to bind xferd to a specific IP address (e.g. 10.0.0.1)
would be a start (not "secure" but I'd rather have to deal with "only" the
clients of a big co-lo (or if you're lucky, your own lan) instead of the
whole internet)...
Here's a start... This isn't rock solid, but it is a million times better
than being wide open. It blocks the xen (http and event) and xfrd ports,
the console ports for doms numbered 1 to 99. Increase 9699 if you cycle
through a lot of domUs. It is Linux/bash specific, and assumes you have
iptables enabled on the dom0. I have also used the REJECT target, but you
could use DENY if REJECT wasn't enabled in your kernel compile.
And of course, all of this might be obsolete for xen 3
#!/bin/bash
FW=/sbin/iptables
# accept any traffic that comes in the loopback interface
# this should cover ALL legit traffic to 127.0.0.1
$FW -A INPUT -i lo --jump ACCEPT
# hhm, this should deny remaining traffic to 127.0.0.1
# that should block traffic where outside systems have routed
# 127.0.0.1 to us.
$FW -A INPUT -p TCP -d 127.0.0.1 --jump REJECT
# add explicit rules here to allow access
# $FW -A INPUT -p TCP -s OPENIP --dport OPENPORT --jump REJECT
#block everything else
for port in 8000 8001 8002 ; do
$FW -A INPUT -p TCP --dport $port --jump REJECT
done
console=9600
while [ $console -lt 9699 ] ; do
$FW -A INPUT -p TCP --dport $console --jump REJECT
let console=$console+1
done
On my 2.0.7 boxes it looks like the xen http interface is on ports
8000 and maybe 8001 (but those are bound to 127.0.0.1) and xfrd is on 8002
- the first two seem to be specified in /etc/xen/xend-config.sxp (hhmm,
8002 seems to be in xfrd.h, used by a compiled C program xfrd, it can be
specified as a command line option though...)
# Port xend should use for the HTTP interface.
(xend-port 8000)
# Port xend should use for the event interface.
(xend-event-port 8001)
and for consoles the following seem relevent:
(console-port-base 9600)
(console-address 'localhost')
however, my port 8000 and 8001 daemons are _also_ bound to
localhost...
[root@xen2 /etc/xen]# netstat -atn | grep LIST
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8001 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8002 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9605 0.0.0.0:* LISTEN
(9605 being a console port)
[root@xen2 /etc/xen]# xm list
Name Id Mem(MB) CPU State Time(s) Console
Domain-0 0 123 0 r---- 21371.7
audio 5 255 1 -b--- 199561.7 9605
Anyhow, the above seems like a pretty lousy start, but if it
inspires someone to improve on it, then great!
Note: I suggested earlier that disabling xfrd was probably just a change
to the startup scripts. That doesn't seem to be correct. It appears to be
started from the main xend python script... and that only seems to take
stop/start/restart options. (I'm not python literate.)
-Tom
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
|
|
| |
|
Home