TCP Ports which CloudShark uses
CloudShark’s listening ports are TCP 80 and 443. If you wish to restrict access to CloudShark to certain IP address ranges, the system is a standard Linux kernel with iptables filtering.
CloudShark provides HTTP and HTTPS access by default. The HTTPS certificate is self-signed, since there is no way to ship a signed certificate in the default distribution. This allows users to connect over an encrypted channel, but without the benefit of identity verification. You can replace the self-signed certificate with your own on the HTTPS page.
During the installation of CloudShark, a firewall entry is added dynamically to allow HTTP/HTTPS access to the CloudShark IP address, and a specific entry is added to allow access on the localhost interface so that a service called memcached is available for use.
Memcached can be configured to accept connections on only the loopback interface. If your firewall already has a default policy of deny, this setting should not have any additional effect. Security-conscious administrators may wish to lock this service down at the program level as well. After installing CloudShark, edit /etc/sysconfig/memcached and change the OPTIONS line so that memcached listens only on the loopback interface. CloudShark also does not use memcached over UDP, so this can be disabled as well:
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l localhost -U 0"
After editing this file, run this command to restart memcached for the change to take effect:
service memcached restart
Updated March 3rd, 2018
This memcached configuration was updated to disable memcached over UDP. Allowing this could lead to memcached being used in a DDoS attack as described in this post.
The SQL server that is installed with CloudShark by default listens for connections on all interfaces. Administrators may wish to lock this down to allow connections only over a local socket by adding the line skip-networking to the [mysqld] section of the /etc/my.cnf configuration file:
[mysqld]
datadir=/var/lib/mysql
skip-networking
socket=/var/lib/mysql/mysql.sock
After making changes to this file, restart the SQL server as root by running service mysqld restart on CentOS 6 or systemctl restart mariadb on CentOS 7 to make the changes take effect.
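An added audit script (not CloudShark's own tooling) that checks both hardening settings from this page, the memcached section and the SQL server section: it parses constructed /etc/sysconfig/memcached and /etc/my.cnf contents for a loopback-only -l address and -U 0 in OPTIONS, and for skip-networking in [mysqld]. It takes file contents as strings, so it can be pointed at the real files with open().read().

```python
import shlex
from configparser import ConfigParser

# Constructed sample file contents, modelled on the snippets above.
DEFAULT_MEMCACHED = 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="64"\nOPTIONS=""\n'
HARDENED_MEMCACHED = DEFAULT_MEMCACHED.replace('OPTIONS=""', 'OPTIONS="-l localhost -U 0"')
DEFAULT_MY_CNF = "[mysqld]\ndatadir=/var/lib/mysql\nsocket=/var/lib/mysql/mysql.sock\n"
HARDENED_MY_CNF = DEFAULT_MY_CNF.replace("datadir=", "skip-networking\ndatadir=")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def _flag_values(tokens, flag):
    """Return the argument following each occurrence of a short flag such as -l."""
    return [tokens[i + 1] for i, t in enumerate(tokens) if t == flag and i + 1 < len(tokens)]


def audit_memcached(sysconfig_text):
    """Check /etc/sysconfig/memcached: bound to loopback only and UDP disabled."""
    values = {}
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, raw = line.partition("=")
            values[key.strip()] = shlex.split(raw)[0] if raw.strip() else ""
    opts = shlex.split(values.get("OPTIONS", ""))
    findings = []
    # -l <addr>[,<addr>...] sets the bind address; with no -l memcached binds to all interfaces
    addrs = [a for v in _flag_values(opts, "-l") for a in v.split(",")]
    if not addrs:
        findings.append("memcached: no -l option, listens on all interfaces")
    findings += [f"memcached: bound to non-loopback address {a}" for a in addrs if a not in LOOPBACK]
    # -U 0 turns the UDP listener off; any other value (or no -U) leaves it reachable
    if _flag_values(opts, "-U")[-1:] != ["0"]:
        findings.append("memcached: UDP not disabled (add -U 0)")
    return findings


def audit_mysql(my_cnf_text):
    """Check /etc/my.cnf: skip-networking present in the [mysqld] section."""
    cp = ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(my_cnf_text)
    if not cp.has_section("mysqld"):
        return ["mysql: no [mysqld] section found"]
    if "skip-networking" in cp["mysqld"] or "skip_networking" in cp["mysqld"]:
        return []
    return ["mysql: skip-networking not set, TCP listener exposed"]


if __name__ == "__main__":
    print(audit_memcached(DEFAULT_MEMCACHED) + audit_mysql(DEFAULT_MY_CNF))
```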