
Thread: Wishlist: add (iptables?) firewall for security reasons!

  1. #1

    Wishlist: add (iptables?) firewall for security reasons!

    Hi,

    I currently manage two DSS servers located at a data center. They both have one network card connected directly to the internet for remote configuration.

    I do not have any problem with the DSS having a lot of ports open towards our storage network, but having over 2000 open ports to the internet gives me quite a headache.
    For example: I use the FTP service, but I don't need it to be seen over the internet. (nmap said it's a ProFTPD, which has had quite some security issues over the last few years.)

    I use SMB, but I don't think everyone who scans the hosts should see what the name of my workgroup is.

    And so on.

    I only need port 443 (http-SSL) to be open to the outside world for configuration.
    I would be happy if I could filter the 4097 other ports currently being seen as "open" to a nessus scan.

    As I do not have a hardware firewall in front of the internet-facing NICs of the DSS boxes, I was wondering why there is no possibility to set up a simple iptables firewall on the servers, as they are running Linux anyway.
    Unfortunately there is no way to SSH into the DSS servers (so that I could set it up myself), so I hereby add this to my wishlist :-)

    Here you can find a nessus scan result of one of the boxes:
    http://streikt.net/dss.html

    It says it is possible to connect as "guest" to SMB.
    I tried it, and this is true. OK, you cannot connect to any of the shared folders, as I set them to be only readable by authenticated users, but you can see their names... that's not nice.
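The host-level policy this post asks for, written out as an added example (not Open-E code; DSS offers no shell to run it on, so it illustrates what the appliance would need to apply). It assumes the internet-facing NIC is eth1 and that the admin connects from one known source network; only tcp/443 is accepted there, and the storage-side NIC is left untouched.

```shell
#!/bin/sh
# Added example, not part of the original post or of Open-E DSS.
# Assumptions (constructed): WAN_IF is the NIC facing the internet; the storage
# network reaches the box on a different NIC. ADMIN_NET is a placeholder from
# the RFC 5737 documentation range, to be replaced by the real admin source.
WAN_IF="${WAN_IF:-eth1}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Emit an iptables-restore ruleset instead of running many iptables commands,
# so the whole policy can be reviewed first and is applied atomically.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections the box itself opened are always fine.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Storage/LAN side is not filtered: iSCSI, NFS and SMB keep working there.
-A INPUT ! -i ${WAN_IF} -j ACCEPT
# Internet side: only the HTTPS admin GUI, and only from the admin network.
-A INPUT -i ${WAN_IF} -p tcp -s ${ADMIN_NET} --dport 443 --syn -j ACCEPT
# Keep ICMP echo so reachability checks from outside still work (optional).
-A INPUT -i ${WAN_IF} -p icmp --icmp-type echo-request -j ACCEPT
# Everything else on the WAN NIC (FTP, SMB, NFS/portmap, the RAID card's
# web servers on 6666/6667, ...) is logged at a low rate and dropped.
-A INPUT -i ${WAN_IF} -m limit --limit 5/min -j LOG --log-prefix "DSS-WAN-DROP: "
-A INPUT -i ${WAN_IF} -j DROP
COMMIT
EOF
}

# Number of ACCEPT rules bound to the WAN NIC: a reviewer can confirm that the
# exposure is exactly the two services intended and nothing else.
wan_accept_count() {
    build_rules | grep -c -- "^-A INPUT -i ${WAN_IF} .*-j ACCEPT"
}

# Apply the policy (root required). iptables-restore -t is a syntax dry run.
apply_rules() {
    build_rules | iptables-restore -t && build_rules | iptables-restore
}
```

Run build_rules to review the policy, then apply_rules as root; the LOG line makes the dropped WAN traffic visible in the kernel log for later review.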

  2. #2


    The Nessus scan also says:

    Here is the export list of host1.censored.com :
    /Xen 192.168.1.230
    /backupcider 192.168.1.235
    /backupcider 192.168.1.230

    This is "really" nothing that should be seen by the outside world!

  3. #3


    My next scan was even worse:

    http://streikt.net/dss1.html

  4. #4


    Thanks for the scan, engineers will look into this. What version are you running?
    All the best,

    Todd Maxwell


    Follow the red "E"
    Facebook | Twitter | YouTube

  5. #5


    Hi To-M

    Great, I really hope this will be added to the roadmap with priority.

    My DSS servers are running:
    Version: 5.0.DB49000000.3278

  6. #6


    I just went through the second report I posted step by step and I noticed that Nessus reported the ports 6666 and 6667 to be webservers. These ports are usually used by IRC.

    On port 6666 the webserver of the areca raid card is listening (although the card has its own onboard NIC so this is not needed by everyone).
    On port 6667 you can configure some settings (without authentication (!)) such as e-mail alerts, SNMP traps and some general stuff (nothing that could harm the system, but it could be great for information gathering by people wanting to check your business - maybe some competitor is interested in how much storage you have?).

    And I do not see any switch to turn this off in the Open-E GUI?! I would, because as I said, the Areca controllers I use have their own NIC for management.

    Now I am thinking about disabling the NIC to the internet (I could re-enable it on the console when I need it using IPMI, right?).

    Regards
    Laxity

  7. #7


    I just checked. Unfortunately I cannot disable the NIC; the software says it would first have to disable iSCSI failover. I don't get why, as this NIC is not used for iSCSI failover, but well.

    Looks like I will have to do some NATing or finally pay for a hardware firewall.

  8. #8


    Check if the NIC has the AUX enabled for it.
    All the best,

    Todd Maxwell


  9. #9


    Engineers can make a small update to disable the SMB, we place the no guest access as an option. You may need to place a firewall for the other ports.
    All the best,

    Todd Maxwell


  10. #10


    Quote Originally Posted by To-M
    Engineers can make a small update to disable the SMB, we place the no guest access as an option. You may need to place a firewall for the other ports.
    Hi Todd,

    I think this is a good start.
    FYI: I had failover disabled completely when I wanted to disable the NIC, it still said it would disable failover?

    And yes, I will rent a "shared" firewall which the guys at the datacenter offer.

    Thanks (as always) for your nice support!

    Philipp
