Re: Controlling memcached access with ufw

2011-08-24 Thread Simon Males
On Thu, Aug 25, 2011 at 2:04 AM, Clint Byrum  wrote:
> Excerpts from Simon Males's message of Wed Aug 24 06:53:29 -0700 2011:
>> (read: 'Securing' memcached)
>>
>> I hope to cluster memcached. The network is untrusted and I must
>> restrict the allowed clients. So this is my first attempt at
>> firewalling.
>>
>> I've switched the ufw's DEFAULT_INPUT_POLICY to ACCEPT as there is no
>> current firewall. Next I added two clients which have explicit access
>> to port 11212 followed by a catch all DENY to 11212.
>>
>> # ufw status verbose
>> Status: active
>> Logging: on (low)
>> Default: allow (incoming), allow (outgoing)
>> New profiles: skip
>>
>> To                         Action      From
>> --                         ------      ----
>> 11212                      ALLOW IN    192.168.1.102
>> 11212                      ALLOW IN    192.168.1.103
>> 11212                      DENY IN     Anywhere
>> 11212                      DENY IN     Anywhere (v6)
>>
>> Does this sound like a decent attempt at locking down memcached?
>>
>> Additionally with the above rules, could I create an application
>> profile? Ideally there will be multiple memcached servers, and I would
>> like to version control the profile.
>>
>
> This should indeed limit access to memcached to those two IPs. You
> don't say whether it's UDP or TCP ports (memcached uses either).

I did notice that memcached uses either, and I thought that by not
specifying a protocol it would filter both?

> If it's really untrusted, you might also look at using memcached's built
> in SASL support to require the clients to authenticate.
>
> http://code.google.com/p/memcached/wiki/SASLHowto

I'm aware of SASL; it's just that it's not compiled in by default. Custom
compiling is a last resort (I don't know how to manage/maintain it).

> An even simpler way to go is to just setup a VPN so that you are not
> subject to the dangers of an untrusted network. Even with SASL and
> firewalling, somebody can man-in-the-middle those "trusted" IPs and use
> your memcached all they want.

I was originally going to post a question about Ubuntu to Ubuntu VPNs.
Though setting up a few firewall rules with ufw seems simpler.

Additionally I'm not a networking guy, and setting up new IPs and the
like is a little daunting to me. Same goes again: I don't know how to
manage that.

A VPN is the ultimate solution, so I'm happy to be pointed in the
direction of server to server VPNs.

Cheers.

-- 
Simon Males

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
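Two points from the thread above can be shown concretely: whether an
unqualified port rule covers both transports, and how to keep the rule set
under version control as a ufw application profile. The script below is an
added example, not code from the thread or from the ufw project. It uses the
port from the post (11212); the profile directory and client addresses are
parameters so it can be exercised without ufw installed. When no protocol is
given, ufw installs matching iptables rules for both TCP and UDP, so the
profile simply spells out what "11212" already does. Two caveats the thread
does not state: with DEFAULT_INPUT_POLICY=ACCEPT the explicit DENY is the only
thing protecting the port and every other listener on the host stays reachable,
and since ufw evaluates rules in order the allows must be added before the
catch-all deny, as in the post's rule set.

```shell
#!/bin/sh
# Added example (not from the list thread): a version-controllable ufw
# application profile for memcached on the port used in the post (11212),
# plus the allow/deny rules that reference it. Directory and client
# addresses are parameters so the functions can be exercised without ufw.
set -eu

# Write the profile to $1/memcached (default: /etc/ufw/applications.d,
# the directory ufw reads profiles from). Listing both protocols makes
# explicit what an unqualified "11212" rule already does: ufw installs
# TCP and UDP rules when no proto is given. Prints the path written.
write_memcached_profile() {
    dir="${1:-/etc/ufw/applications.d}"
    cat > "$dir/memcached" <<'EOF'
[memcached]
title=memcached
description=Distributed memory object caching system (cluster port)
ports=11212/tcp|11212/udp
EOF
    printf '%s\n' "$dir/memcached"
}

# Emit the ufw commands for an allow-list of client IPs followed by the
# catch-all deny, one per line. "ufw app update" re-applies any existing
# rules that reference the profile, so re-running this after a
# version-controlled change to the profile keeps the firewall in sync.
# ufw evaluates rules in order, so the allows must precede the deny.
memcached_ufw_rules() {
    echo "ufw app update memcached"
    for client in "$@"; do
        echo "ufw allow from $client to any app memcached"
    done
    echo "ufw deny from any to any app memcached"
}

# Usage (as root, on each memcached host; client IPs are the post's):
#   write_memcached_profile && memcached_ufw_rules 192.168.1.102 192.168.1.103 | sh
```

Checking the profile into revision control and deploying it to each node is
the part that scales to several memcached servers; the rule commands stay the
same on every host and only the client list changes.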


Re: ServerGuide reviewers needed

2011-08-24 Thread Paul Graydon

On 8/24/2011 6:57 AM, Clint Byrum wrote:
> Excerpts from Ahmed Kamal's message of Wed Aug 24 06:07:06 -0700 2011:
>> Thanks again for everyone who volunteered .. can't wait to see those
>> merge proposals :)
>
> This brings up one question for me. I don't know that I'll have much time
> to scour the documentation, but I do allocate 4 hours of every month to
> patch piloting in Ubuntu. Will these merge proposals show up somewhere
> that I can sponsor?

https://code.launchpad.net/~ubuntu-core-doc/serverguide/oneiric



My merge request from Monday was processed nice and quickly (but
admittedly wasn't the biggest of changes). Looks like we have a nice big
one from Stefan awaiting review for the networking section.


Paul



Re: ServerGuide reviewers needed

2011-08-24 Thread Clint Byrum
Excerpts from Ahmed Kamal's message of Wed Aug 24 06:07:06 -0700 2011:
> Thanks again for everyone who volunteered .. can't wait to see those 
> merge proposals :)

This brings up one question for me. I don't know that I'll have much time
to scour the documentation, but I do allocate 4 hours of every month to
patch piloting in Ubuntu. Will these merge proposals show up somewhere
that I can sponsor?



Re: Controlling memcached access with ufw

2011-08-24 Thread Clint Byrum
Excerpts from Simon Males's message of Wed Aug 24 06:53:29 -0700 2011:
> (read: 'Securing' memcached)
> 
> I hope to cluster memcached. The network is untrusted and I must
> restrict the allowed clients. So this is my first attempt at
> firewalling.
> 
> I've switched the ufw's DEFAULT_INPUT_POLICY to ACCEPT as there is no
> current firewall. Next I added two clients which have explicit access
> to port 11212 followed by a catch all DENY to 11212.
> 
> # ufw status verbose
> Status: active
> Logging: on (low)
> Default: allow (incoming), allow (outgoing)
> New profiles: skip
> 
> To                         Action      From
> --                         ------      ----
> 11212                      ALLOW IN    192.168.1.102
> 11212                      ALLOW IN    192.168.1.103
> 11212                      DENY IN     Anywhere
> 11212                      DENY IN     Anywhere (v6)
> 
> Does this sound like a decent attempt at locking down memcached?
> 
> Additionally with the above rules, could I create an application
> profile? Ideally there will be multiple memcached servers, and I would
> like to version control the profile.
> 

This should indeed limit access to memcached to those two IPs. You
don't say whether it's UDP or TCP ports (memcached uses either).

If it's really untrusted, you might also look at using memcached's built
in SASL support to require the clients to authenticate.

http://code.google.com/p/memcached/wiki/SASLHowto

An even simpler way to go is to just setup a VPN so that you are not
subject to the dangers of an untrusted network. Even with SASL and
firewalling, somebody can man-in-the-middle those "trusted" IPs and use
your memcached all they want.



Controlling memcached access with ufw

2011-08-24 Thread Simon Males
(read: 'Securing' memcached)

I hope to cluster memcached. The network is untrusted and I must
restrict the allowed clients. So this is my first attempt at
firewalling.

I've switched the ufw's DEFAULT_INPUT_POLICY to ACCEPT as there is no
current firewall. Next I added two clients which have explicit access
to port 11212 followed by a catch all DENY to 11212.

# ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
11212                      ALLOW IN    192.168.1.102
11212                      ALLOW IN    192.168.1.103
11212                      DENY IN     Anywhere
11212                      DENY IN     Anywhere (v6)

Does this sound like a decent attempt at locking down memcached?

Additionally with the above rules, could I create an application
profile? Ideally there will be multiple memcached servers, and I would
like to version control the profile.

-- 
Simon Males



Re: ServerGuide reviewers needed

2011-08-24 Thread Ahmed Kamal

On 08/22/2011 09:09 PM, Scott Kitterman wrote:
> On Monday, August 22, 2011 02:51:31 PM Paul wrote:
>> On 08/22/2011 04:00 AM, Scott Kitterman wrote:
>>> On Monday, August 22, 2011 08:21:35 AM Ahmed Kamal wrote:
>>>> On 08/21/2011 09:31 PM, Paul Graydon wrote:
>>>>> On 08/17/2011 06:33 AM, Ahmed Kamal wrote:
>>>>>> Hi folks,
>>>>>>
>>>>>> As you know, Adam, the maintainer of the serverguide, has stepped down.
>>>>>> I'm trying to assemble a team of server oriented folks who are
>>>>>> interested in reviewing the Ubuntu server guide (making sure all the
>>>>>> info inside is fresh and accurate). This is only part of it; the team
>>>>>> would also work on creating a fresh chapter on UbuntuCloud
>>>>>> (openstack+orchestra+Ensemble).
>>>>>>
>>>>>> If you are interested, please raise your hand
>>>>>>
>>>>>> Cheers
>>>>>
>>>>> Hi Ahmed,
>>>>>
>>>>> Is there a general idea of what level we ought to be aiming the
>>>>> documentation at?  There is a bunch of things that could be added to
>>>>> the MySQL section, for example, without turning it into a full on
>>>>> MySQL Guide (unless that's what we're aiming at?).  Currently it's
>>>>> focussed along the lines of 'this is how you install it, start it and
>>>>> a couple of minor tweaks'.  It could be filled out with a brief
>>>>> discussion of the different storage engines provided by the packages,
>>>>> their strengths and weaknesses etc.  The approach seems to vary
>>>>> between different sections of the documentation, and even within the
>>>>> same chapter.  It would seem in general that the database section is
>>>>> woefully lacking in detail compared to other chapters.
>>>>>
>>>>> Paul
>>>>
>>>> Hi everyone,
>>>>
>>>> So I got two questions that I'd like to answer publicly
>>>>
>>>> 1- What is our deadline
>>>> 2- What is the depth needed for the review
>>>>
>>>> My answer is
>>>>
>>>> 1- I'm no docs expert, but I checked and the Oneiric "documentation string
>>>> freeze" is Sep 15th. Allowing for 10 days for merge proposal
>>>> discussions, we would have only *two weeks* starting today (22Aug-5Sep)
>>>> to get all the content you would like to review in a "ready to merge"
>>>> state from your perspective. As you can see this is not a lot of time,
>>>> so your prompt help is needed
>>>
>>> Documentation string freeze is for documentation shipped in the archive.
>>> A few release cycles ago we removed the ubuntu-serverguide package and
>>> the guide is provided via help.ubuntu.com now, so we should have more
>>> time.  That doesn't mean people shouldn't start working now, but it's
>>> not yet critical.
>>
>> So I should be okay for making some major changes to the chapter?  If
>> we're focussed on the short term there are just a few small changes to make
>> that I could do in about 5 minutes at lunchtime and commit.  I should be
>> able to get the MySQL section sorted in greater detail within about a
>> week, maybe two at the outside.  Postgresql will take me longer as I'm
>> unfamiliar with it, but it's been something I've been meaning to learn
>> (however if someone else wants to run with it, let me know.)
>
> I think the first priority should still be to verify the current content is
> correct for 11.10/Oneiric and to address bugs that people have filed.  We do
> have time for more than that however.
>
> It's difficult to find a correct balance between "Here's how to do it in a good,
> reliable way that works on Ubuntu, but it's only suitable for very narrow use
> cases" and "Oops, just replicated the upstream documentation and confused new
> people."
>
> I think some thoughts on different storage engines, why one might pick different
> ones, and how to get each going on Ubuntu would be useful with pointers to
> upstream documentation on the details of each.
>
> I always like it when someone comes into #ubuntu-server and asks for help,
> "I've been trying to X based on random internet HOWTO Y and it doesn't work", I
> point them at the server guide and say "Do it this way and let me know if you
> have problems" and they either don't come back or come back to say "That
> worked, thanks".  If you're into MySQL, you probably have a better idea of
> what X is than I do and you should just go tackle it.
>
> Scott K

Thanks Scott, well put

And just to re-iterate, now that we're not bound by the doc string
freeze, we do have a little more time (a little over 6 weeks) till
Oneiric is released. So kindly use the time to review/update the docs,
and to add any missing important information (to me that would be second
priority however). Use your best judgment whether or not a piece of info
should go to the serverguide

Thanks again for everyone who volunteered .. can't wait to see those
merge proposals :)

