about OpenSim GRID security.

about OpenSim GRID security.

Luisillo Contepomi
We are now in the 0.8 version. I think the time to talk about
security has come.

These days we can read about a DDoS on Aviworlds:
http://www.hypergridbusiness.com/2014/05/aviworlds-shuts-down-again-after-attack/

Does anyone know what kind of attack it was? Over what ports or services? Was
it really a DDoS?

I think it would be very interesting for all of us to open a serious
debate on the safety of our regions. We must start to talk about
OpenSimulator security.

Regards
Luisillo
_______________________________________________
Opensim-users mailing list
[hidden email]
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-users

Re: about OpenSim GRID security.

R.Gunther
DDoS has nothing to do with ports or services. DDoS is very hard to defend against.
You just get so much traffic that the server / services get overloaded
and stop working correctly.
The only way to defend against DoS, as far as I know, is blocking IPs (ranges),
with the risk that you block customers too.


Re: about OpenSim GRID security.

Klaus-E. Klingner
In reply to this post by Luisillo Contepomi
Just about this topic I wrote a blog two years ago:

http://blog.silverday.de/2012/04/for-the-world-is-hollow-and-the-grid-is-open-thoughts-about-opensim-security/

Regards,

Klaus


Re: about OpenSim GRID security.

Luisillo Contepomi
In reply to this post by R.Gunther
Thank you R.Gunther,
I know what a DDoS is. Normally they are done against a service, and so against
its port (email, web, ftp, sshd...). Sometimes against more than one
service, and so against more than one port.

A little script to help detect failed logins or brute force against
your Robust, sending an alert email.
------------------------------------------------
#!/bin/bash

# Text that marks a failed login in the Robust log
string="Login failed for"

# Follow the log from its current end; -F keeps following across log rotation
tail -n 0 -F /home/opensim/robust.log | \
while IFS= read -r LINE
do
    # Quote the pattern so its three words stay one fixed-string pattern (-F)
    if printf '%s\n' "$LINE" | grep -qF -- "$string"
    then
        # One alert mail per matching log line
        echo "$string found in robust.log on $HOSTNAME" | mail -s "Alguien intenta acceder a $(hostname)" [hidden email]
    fi
done

----------------------------------------------
It must be running in a screen or with nohup:

nohup ./scriptnombre.sh 0<&- &>/dev/null &

Regards,
Luisillo
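
A threshold-based variant of the log watcher in the post above, added here as an example and not part of the original post: it raises one alert per account per minute once failures reach a limit, instead of mailing on every failed login. The log line layout, the sample lines, `ALERT_TO` and the function names are assumptions made for this example.

```bash
#!/bin/bash
# Added example. Assumed log line layout (not taken from the thread):
#   YYYY-MM-DD HH:MM:SS,mmm <anything> Login failed for <account>, reason: <text>

# Reads log lines on stdin. Prints "<minute>|<account>|<limit>" the first time an
# account reaches <limit> failures inside one clock minute (default limit: 3).
# Fixed one-minute buckets: a burst that straddles a minute boundary is split.
detect_bruteforce() {
    awk -v limit="${1:-3}" -v marker="Login failed for " '
        {
            pos = index($0, marker)
            if (pos == 0) next                        # not a failed login
            minute  = substr($0, 1, 16)               # "YYYY-MM-DD HH:MM"
            account = substr($0, pos + length(marker))
            sub(/,.*/, "", account)                   # drop ", reason: ..." suffix
            # The account name is attacker-supplied: replace anything unusual
            # (including the "|" delimiter) before it reaches a mail body.
            gsub(/[^A-Za-z0-9 ._@-]/, "?", account)
            key = minute "|" account
            if (++seen[key] == limit) {               # fires once per key
                print key "|" limit
                fflush()                              # do not hold alerts in a buffer
            }
        }'
}

# Live use: follow the log and send one mail per alert.
# ALERT_TO is a placeholder variable for the recipient address.
# (mawk buffers piped input; use gawk or "mawk -W interactive" for live tailing.)
watch_log() {
    tail -n 0 -F "${1:-/home/opensim/robust.log}" | detect_bruteforce "${2:-3}" |
    while IFS='|' read -r minute account count; do
        printf '%s failed logins for "%s" during %s on %s\n' \
            "$count" "$account" "$minute" "$(hostname)" |
            mail -s "Failed logins on $(hostname)" "$ALERT_TO"
    done
}

# Constructed sample lines (not real Robust output).
sample_log() {
cat <<'EOF'
2014-05-31 11:28:01,100 INFO [LOGIN] Login failed for Test User, reason: bad password
2014-05-31 11:28:09,412 INFO [LOGIN] Login failed for Test User, reason: bad password
2014-05-31 11:28:15,007 INFO [LOGIN] Login succeeded for Other Person
2014-05-31 11:28:31,950 INFO [LOGIN] Login failed for Test User, reason: bad password
2014-05-31 11:28:40,000 INFO [LOGIN] Login failed for Test User, reason: bad password
2014-05-31 11:29:02,300 INFO [LOGIN] Login failed for Some One, reason: bad password
EOF
}

# Offline demonstration on the constructed sample.
sample_log | detect_bruteforce 3
```
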








Re: about OpenSim GRID security.

Luisillo Contepomi
In reply to this post by Klaus-E. Klingner
Thank you Klaus for the link,

"For a blacklist to work we need something like a trusted Grid-list, a
white list of grids that can be trusted to do at least basic user
checks. I am aware that this would in a way close the currently open
hg philosophy, but it is in my opinion the only way."

It is an option. Something like an "Opensim Trusted Users database" sharing
trusted user information, but... maybe it will generate problems with
privacy rights, or maybe not if the user is notified about this before
registration.






Re: about OpenSim GRID security.

M.E. Verhagen
I think it is very hard to do something against so called attacks. 

A griever would simply register at a trusted grid and do its evil. 
So I do not think a trusted grid would bring anything perhaps some violation of privacy rights.

The only way to do something about it is to stop those grievers c.q. hackers somehow.


Re: about OpenSim GRID security.

Trinity
So far the one griefer everyone talks about just uses public rez privs. The key to defeating him is to stop leaving your land wide open with public rez turned on. The fact people do isn't the fault of OpenSim but is a case of operator error. If you wish to leave your security wide open like that you need to be prepared to take what comes with it. It's like taking the front door off your house and expecting no one to just walk in and make themselves feel at home. You might not mind the good people that come in, but for every few good ones there's gonna be a bad one.


Trinity



Re: about OpenSim GRID security.

M.E. Verhagen
Leaving scripting on for everyone is also an interesting opening for grievers or hackers.
Actually, having chat enabled can be an opportunity for those &^#$%#



Re: about OpenSim GRID security.

Luisillo Contepomi
In reply to this post by Trinity
(I am happy to see you trinity! )

Luisillo


Re: about OpenSim GRID security.

Luisillo Contepomi
In reply to this post by M.E. Verhagen
Yes, my mistake

This topic must be in a grid administrator list.
Excuse me for opening a too technical topic in a user list.
Regards,
Luisillo


Re: about OpenSim GRID security.

Shaun T. Erickson
Oh, is there some Opensim-admins mailing list that I've never heard of?
If there is, or something like it, I'd like to get on it.

-ste

On 5/31/14, 2:17 PM, Luisillo Contepomi wrote:
> Yes, my mistake
>
> This topic must be in a grid  administrator list.
> Excuseme for open a too technical topic in a user-list.
> Regards,
>


Re: about OpenSim GRID security.

Luisillo Contepomi
I don't know whether this list exists or not, but I think it would be very interesting.
OpenSimulator is declared "Alpha" by its developers, but I think that
the project has enough maturity to start thinking seriously about
security.
Regards,
Luisillo


Re: about OpenSim GRID security.

Shaun T. Erickson
A good firewall config will handle much of it.

-ste

On 6/1/14, 6:29 AM, Luisillo Contepomi wrote:
> I dont know if exist or not this list but I think it would be very interesting.
> OpenSimulator is a "Alpha" declarated by developers but  I think that
> the project has enough maturity to start thinking seriously about
> security.
>


Re: about OpenSim GRID security.

David Saunders-2
Grid security?

Well, there is a lack of it. I have been working on a way to prevent grids/simulators from connecting to our network. It's built around allowing sims to authenticate with a configuration server that will open the door for them to connect to the grid services. But I have not found a list of ports that need to be open for clients to use, and I have been testing a list of simulator ports to split the services: the client to a public set of ports and the simulator to a set of private ports that can be opened when they connect.

This would be easy if we did not allow trusted remote simulators to connect.

When I last asked about security, I was told: you keep the ports a secret and only give them out to people you trust.

A locked door is more sure than an unlocked door behind a bush.

David.



Re: about OpenSim GRID security.

Diva Canto
Not sure if this will make it to 0.8, but I recently added HTTP authentication to all robust-bound connectors of internal grid services. HTTP authentication is not hard security, but it makes it much harder for unauthorized accesses to the grid services. (I, too, run a grid with simulators in different data centers.)


Re: about OpenSim GRID security.

Dahlia Trimble
If you run a grid across multiple data centers and you don't want to expose the services externally you could have the regions access the services via a VPN. I believe LL does this with SL, or they did at one time when they first started using multiple data centers.



Re: about OpenSim GRID security.

Shaun T. Erickson
You could just as easily do it over an ssh tunnel, too.

-ste

On 6/3/14, 12:31 AM, Dahlia Trimble wrote:
> If you run a grid across multiple data centers and you don't want to
> expose the services externally you could have the regions access the
> services via a VPN. I believe LL does this with SL, or they did at one
> time when they first started using multiple data centers.


Re: about OpenSim GRID security.

Serendipity Seraph-2
In reply to this post by David Saunders-2

On 06/02/2014 04:16 PM, David Saunders wrote:

> GRid Security?
>
> Well there is a lacking of  it. I been working on a ways to prevent
> grids/Simulators to connect to our network.  Its built around allowing
> sims to authenticate with a configuration server that will open the
> door for them to connect to the grid services.  But I not found a list
> of ports that need to open for clients to use,  and been testing a
> list simulator ports to splite the services from the client to a
> public set of ports and the simulator a set of private port that can
> be open when they connect.

Why not do it at the server side with a whitelist?  If the requester is
not on the list then they get no service.  
>
>  This would be easy if we did not allow trusted remote simulators to
> connect.

What would be the point of grid services if trusted sims could not
connect?
>
> When I asked about security lasst I was given you keep the ports a
> secret and only give them out to people you trust.  

You could have one server process/virtual machine that listens on the
ports, does the whitelist and forwards legitimate requests to the actual
services.   Really this isn't an opensim question but a general securing
services question.   There are many different ways to do it including
firewall, VPN, whitelist, load balancer, gating service and so on.

- s


Re: about OpenSim GRID security.

James Stallings II
Just a note on proper use of the word 'griever' vs the word 'griefer'. A 'griever' is someone who is in a state of grief; as in grieving for a loved one lost to the ravages of time or the brutality of an accident. A 'griefer' is someone who sows grief. In this context, 'griever' is misused, and 'griefer' is the right and proper term.



Re: about OpenSim GRID security.

Shaun T. Erickson
You are both correct and a grammar nazi. :)

-ste

On 6/5/14, 3:45 PM, James Stallings II wrote:
> Just a note on proper use of the word 'griever' vs the word 'griefer'.
> A 'griever' is someone who is in a state of grief; as in grieving for
> a loved one lost to the ravages of time or the brutality of an
> accident. A 'griefer' is someone who sows grief. In this context,
> 'griever' is misused, and 'griefer' is the right and proper term.
