Network Ports

TCP Ports which CloudShark uses

CloudShark’s listening ports are TCP 80 and 443. If you wish to restrict access to CloudShark to certain IP address ranges, the system runs a standard Linux kernel and iptables can be used to filter the traffic.

CloudShark provides HTTP and HTTPS access by default. The HTTPS certificate is self-signed, since there is no way to ship a signed certificate in the default distribution. This allows users to connect over an encrypted channel, but without the benefit of identity verification. You can replace the self-signed certificate with your own on the HTTPS page.

During the installation of CloudShark, a firewall entry is added dynamically to allow HTTP/HTTPS access to the CloudShark IP address, and a specific entry is added to allow access on the localhost interface so that a service called memcached is available for use.

Memcached

Memcached can be configured to accept connections on only the loopback interface. If your firewall already has a default policy of deny, this setting should have no additional effect. Security-conscious administrators may wish to lock this service down at the program level as well. After installing CloudShark, edit the memcached configuration file, /etc/sysconfig/memcached, and change the OPTIONS line so that memcached listens only on the loopback interface. CloudShark does not use memcached over UDP, so UDP can be disabled as well:

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l localhost -U 0"

After editing this file, run this command to restart memcached for the change to take effect:

service memcached restart

Updated March 3rd, 2018

This memcached configuration was updated to disable memcached over UDP. Leaving UDP enabled could allow memcached to be used in a DDoS attack, as described in this post.

SQL Server

The SQL server installed with CloudShark listens for connections on all interfaces by default. Administrators may wish to lock this down so that it only accepts connections over a local socket, by adding the line skip-networking to the [mysqld] section of the /etc/my.cnf configuration file:

[mysqld]
datadir=/var/lib/mysql
skip-networking
socket=/var/lib/mysql/mysql.sock

After making changes to this file, restart the SQL server as root by running service mysqld restart on CentOS 6 or systemctl restart mariadb on CentOS 7 to make the changes take effect.
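To verify that both edits described above (the memcached OPTIONS line and skip-networking under [mysqld]) actually took, here is an added audit script; it is not part of CloudShark and the sample files it writes are constructed to match the snippets on this page. Each check takes the path of the file to inspect, so it also works on copies of the real /etc/sysconfig/memcached and /etc/my.cnf.

```shell
#!/bin/sh
# Added audit helper, not part of CloudShark: checks the two file-level
# hardening steps described on this page.

# memcached_locked_down FILE
# Succeeds only if every -l address in OPTIONS is loopback and -U 0 is set.
memcached_locked_down() {
    opts=$(sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1")
    set -- $opts                       # walk the option words
    laddrs=""
    while [ $# -gt 0 ]; do
        w=$1; shift
        case "$w" in
            -l)  [ $# -gt 0 ] || return 1; laddrs="$laddrs,$1" ;;  # next word
            -l*) laddrs="$laddrs,${w#-l}" ;;                        # -l127.0.0.1
        esac
    done
    [ -n "$laddrs" ] || return 1       # no -l at all means all interfaces
    for a in $(printf '%s' "$laddrs" | tr ',' ' '); do
        case "$a" in
            localhost|127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done
    # -U 0 (or -U0) disables the UDP listener memcached otherwise opens on 11211.
    printf '%s\n' "$opts" | grep -Eq '(^|[[:space:]])-U[[:space:]]*0([[:space:]]|$)'
}

# mysqld_skip_networking FILE
# Succeeds only if skip-networking is inside the [mysqld] section, not merely
# somewhere in the file (an entry under [client] would not disable TCP).
mysqld_skip_networking() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        insec && /^[[:space:]]*skip[-_]networking[[:space:]]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample files matching the snippets on this page.
d=$(mktemp -d)
printf 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="64"\nOPTIONS="-l localhost -U 0"\n' > "$d/memcached"
printf '[mysqld]\ndatadir=/var/lib/mysql\nskip-networking\nsocket=/var/lib/mysql/mysql.sock\n' > "$d/my.cnf"
if memcached_locked_down "$d/memcached"; then echo "memcached: loopback only, UDP off"; else echo "memcached: NOT locked down"; fi
if mysqld_skip_networking "$d/my.cnf"; then echo "mysqld: skip-networking set"; else echo "mysqld: still accepts TCP connections"; fi
rm -rf "$d"
```

Run it after the restarts in the sections above; a failing check means the service will come back listening on the network.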