Tech Info 068: Server security / Sharing HELIOS volumes over the Internet

HELIOS Tech Info #068

Mon, 21 Jul 2003

HELIOS products include many different services, which are easy to access on an Intranet. Using the HELIOS services on the Internet as well as on the Intranet requires additional security considerations: for example, you do not want somebody launching OPI layout image creation by issuing commands on the “opisrv” telnet port, not all volumes should be available to Internet users, and unauthorized Internet users should not be able to print to your server printer queues. Making the main server accessible from the Internet carries a major risk: given the variety of services running on the server, it is possible that attackers still find a service they can use to break into your system. If you need a 100% guarantee that your system is secure, you will probably have to run a local Intranet only, with no gateway services to or from the Internet.

Following are the HELIOS TCP/IP ports used by the different product modules:

Port        Protoc. Where   Function
110         TCP     Server  EtherShare POP 3 E-Mail server
137         UDP     Server  Name Binding WINS
138         UDP     Server  PCShare Browsing
139         TCP     Server  PCShare SMB/CIFS
427         UDP     Server  HELIOS Base SLP server
445         TCP     Server  PCShare SMB/CIFS
515         TCP     Server  BSD Remote LPR
548         TCP     Server  AFP Server
2000        UDP     Server  PCShare native DOS/Win 3.x
2001        TCP     Server  EtherShare Mail server
2001        UDP     Server  PCShare native DOS/Win 3.x
2002        TCP     Server  ImageServer event listener port
2003        TCP     Server  PCShare telnet service port
2004        TCP     Server  EtherShare Admin
2005        TCP     Client  Create PDF Server
2006        TCP     Server  Reserved for future HELIOS Admin
2007        TCP     Server  EtherShare print spooler (papsrv)
2011-2014   TCP     Client  Printing PCShare native DOS printsrv
2021-2023   TCP     Client  Printing PCShare native DOS printsrv
2222        UDP     Server  EtherShare RPC
2223        UDP     Server  PCShare RPC

In addition, UNIX itself runs many services (NFS, telnet, ftp, rlogin, etc.). A simple way to verify which services are active is the command “netstat -a | grep -i listen”. This article focuses only on the options for the HELIOS services. One way to offer some services on the Internet is to use two network adapters, one for the Intranet and a second for the Internet, e.g.:

Interface Address        Network
le0       172.16.0.1     Intranet network
le1       193.141.98.37  Internet network
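The following is an added example, not part of this Tech Info: a small shell script that cross-checks “netstat -an” output against the HELIOS port table above and lists the HELIOS services bound to a wildcard address, i.e. reachable via the Internet interface as well as the Intranet interface. The netstat sample is constructed for the example (Linux-style columns, protocol in the first field and local address in the fourth, are assumed); the service names are abbreviations of the table entries.

```shell
#!/bin/sh
# Added example, not part of the HELIOS Tech Info: cross-check "netstat -an"
# output against the HELIOS port table and report HELIOS services that listen
# on a wildcard address (*, 0.0.0.0 or ::). Such a socket answers on the
# Internet interface too, not only on the Intranet address.

# HELIOS port table from the Tech Info, as "port proto service".
HELIOS_PORTS='110 tcp EtherShare-POP3
137 udp NameBinding-WINS
138 udp PCShare-Browsing
139 tcp PCShare-SMB
427 udp HELIOS-SLP
445 tcp PCShare-SMB
515 tcp Remote-LPR
548 tcp AFP-Server
2000 udp PCShare-DOS
2001 tcp EtherShare-Mail
2001 udp PCShare-DOS
2002 tcp ImageServer-events
2003 tcp PCShare-telnet
2004 tcp EtherShare-Admin
2007 tcp papsrv
2222 udp EtherShare-RPC
2223 udp PCShare-RPC'

# Constructed Linux-style "netstat -an" sample (assumption: protocol in
# field 1, local address in field 4). Two HELIOS sockets are bound to the
# Intranet address 172.16.0.1, the others to the wildcard address.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:548             0.0.0.0:*               LISTEN
tcp        0      0 172.16.0.1:2003         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2004            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 193.141.98.37:548       10.0.0.7:51123          ESTABLISHED
udp        0      0 0.0.0.0:427             0.0.0.0:*
udp        0      0 172.16.0.1:2222         0.0.0.0:*'

# Reads netstat output on stdin and prints one "port/proto service" line per
# HELIOS service bound to a wildcard address, sorted by port number.
exposed_helios_listeners() {
    awk -v table="$HELIOS_PORTS" '
    BEGIN {
        n = split(table, rows, "\n")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, " ")
            svc[f[1] "/" f[2]] = f[3]
        }
    }
    $1 ~ /^(tcp|udp)/ {
        proto = substr($1, 1, 3)
        port = $4; sub(/.*[.:]/, "", port)          # text after the last . or :
        addr = $4; sub(/[.:][0-9]+$/, "", addr)     # text before it
        # A TCP socket counts only while listening; a UDP socket is bound
        # as soon as it appears in the listing.
        if (proto == "tcp" && $6 != "LISTEN") next
        if (addr != "*" && addr != "0.0.0.0" && addr != "::") next
        key = port "/" proto
        if (key in svc) print key, svc[key]
    }' | sort -n
}

printf '%s\n' "$SAMPLE_NETSTAT" | exposed_helios_listeners
```

Run against the sample, the script reports the SLP, AFP and EtherShare Admin ports; the PCShare telnet and EtherShare RPC sockets bound to 172.16.0.1 and the non-HELIOS port 22 are not listed. On a real server, feed it “netstat -an” output and compare the result with the IP access lists described in the rest of this article.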

Please note:

UNIX IP routing / forwarding is not required and should be turned off between these two networks.

How to disable all HELIOS services for connections from the Internet?
The best solution is to turn all HELIOS services off for the Internet network 193.141.98.x by using the HELIOS IP access list feature, which can be managed from EtherShare Admin or PCShare Admin as well as with a UNIX text editor.
A sample configuration of “HELIOSDIR/var/conf/ipaccess” is:
allow 172.16.0.0/255.255.0.0      #Intranet Network
deny 0.0.0.0/0
This denies all access from the Internet; only the 172.16 (Intranet) network can use the HELIOS services.

How to enable the EtherShare AFP Server for Internet connections?
One sample configuration is to allow Internet access for one AFP Server volume but deny it for all other volumes. First, the “afpsrv” process must be allowed to accept connections from the Internet.
This is done by assigning “afpsrv” its own public access list with the following preference:
# prefvalue -k Programs/afpsrv/ipaccess -t str ipaccess.public
The “afpsrv” process will then use the “ipaccess.public” list instead of the default ipaccess list. All other services still use the default “HELIOSDIR/var/conf/ipaccess” list, which allows only Intranet connections.
A sample configuration of “HELIOSDIR/var/conf/ipaccess.public” is:
allow 172.16.0.0/255.255.0.0       #Intranet Network
allow 193.141.98.37/255.255.255.0  #Internet Network
deny 0.0.0.0/0
This means that the “afpsrv” services will be accessible from Internet clients as well as from Intranet clients.

How to set up TCP/IP access permissions for each AFP Server volume?
A new access list named “ipaccess.private” allows Intranet connections only.
A sample configuration of “HELIOSDIR/var/conf/ipaccess.private” is:
allow 172.16.0.0/255.255.0.0       #Intranet Network
deny 0.0.0.0/0
The next task is to set the per-volume IP access preference for each “afpsrv” volume.
Let's assume that we have three volumes; the “webtransfer” volume is to be publicly accessible, and all other volumes should be private:
1. /pub/www/webtransfer
2. /data1/production
3. /data2/sales
Enable the “afpsrv” access for the “webtransfer” volume via:
# prefvalue -k 'Volumes/\/pub\/www\/webtransfer/IPAccess' -t str ipaccess.public
Disable the “afpsrv” access for the volumes “production” and “sales” via:
# prefvalue -k 'Volumes/\/data1\/production/IPAccess' -t str ipaccess.private
# prefvalue -k 'Volumes/\/data2\/sales/IPAccess' -t str ipaccess.private
All three volumes now carry EtherShare's volume preference “IPAccess”. Verify this by logging on from the Intranet and from the Internet network: only the volumes permitted by the respective IP access list should be offered.
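The following is an added example, not part of this Tech Info, covering both the access lists above and the per-volume “IPAccess” assignment: a shell script that writes the two lists to a scratch directory instead of HELIOSDIR/var/conf, evaluates them for a client address, builds the quoted prefvalue key for a volume path, and reports which volumes a client from each network would be offered. The rule semantics (rules tried top to bottom, first matching rule wins, no match means deny) and the acceptance of a CIDR prefix length after the “/” are assumptions, not taken from the HELIOS manual; the client addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the HELIOS Tech Info: rehearse the per-volume
# IPAccess setup offline. Assumptions (not from the HELIOS manual): rules are
# tried top to bottom, the first matching allow/deny decides, a client that
# matches no rule is denied, and a netmask may be dotted or a CIDR prefix length.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The two lists from the Tech Info, written to a scratch directory.
cat > "$WORK/ipaccess.public" <<'EOF'
allow 172.16.0.0/255.255.0.0       #Intranet Network
allow 193.141.98.37/255.255.255.0  #Internet Network
deny 0.0.0.0/0
EOF
cat > "$WORK/ipaccess.private" <<'EOF'
allow 172.16.0.0/255.255.0.0       #Intranet Network
deny 0.0.0.0/0
EOF

# Volume -> list assignment from the Tech Info ("volume path  list name").
VOLUMES='/pub/www/webtransfer ipaccess.public
/data1/production ipaccess.private
/data2/sales ipaccess.private'

# prefvalue key for a volume: every "/" inside the UNIX path is quoted as "\/"
# so that it is not taken as a preference path separator.
volume_pref_key() {
    printf 'Volumes/%s/IPAccess\n' "$(printf '%s' "$1" | sed 's|/|\\/|g')"
}

ip2int() (   # dotted quad -> integer; the subshell keeps the IFS change local
    IFS=.
    set -- $1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

mask2int() { # dotted netmask or CIDR prefix length -> integer
    case $1 in
        *.*) ip2int "$1" ;;
        0)   echo 0 ;;
        *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
    esac
}

# ipaccess_check LISTFILE CLIENT-IP -> prints "allow" or "deny"
ipaccess_check() {
    client=$(ip2int "$2")
    while read -r action net rest; do
        case $action in ''|'#'*) continue ;; esac   # blank or comment line
        addr=$(ip2int "${net%%/*}"); mask=$(mask2int "${net#*/}")
        if [ $(( client & mask )) -eq $(( addr & mask )) ]; then
            echo "$action"; return 0
        fi
    done < "$1"
    echo deny   # no rule matched
}

# visible_volumes CLIENT-IP -> prints the volumes whose list admits the client
visible_volumes() {
    printf '%s\n' "$VOLUMES" | while read -r path list; do
        if [ "$(ipaccess_check "$WORK/$list" "$1")" = allow ]; then
            echo "$path"
        fi
    done
}

for client in 172.16.5.20 193.141.98.77 203.0.113.9; do   # constructed clients
    echo "client $client sees: $(visible_volumes "$client" | tr '\n' ' ')"
done
echo "key: $(volume_pref_key /pub/www/webtransfer)"
```

With the “ipaccess.public” list above, the client 193.141.98.77 is admitted to “webtransfer” because the netmask 255.255.255.0 matches the whole 193.141.98.x network, while a client outside both networks falls through to the final deny rule and sees no volume at all; the Intranet client sees all three. The printed key shows the quoting that the prefvalue commands above need.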

Please note:

In the volume preference key, the directory separators “/” of the UNIX volume path must be quoted with a backslash (“\/”), so that they are not taken as preference path separators.

Some additional Q&A concerning IP access in HELIOS products:

Q: How to enable guest login for the “afpsrv”?

A: prefvalue -k Programs/afpsrv/guestid -t str nobody

Q: What is the difference between the “ipaccess” and “IPAccess” preference?

A: “ipaccess” is for all server processes, e.g. “pcshare”, “afpsrv”, “opisrv”, “slpsrv”, etc., whereas “IPAccess” is a per-volume preference. For details see the HELIOS Base 1.1 manual, section 4.5.3.

Q: Is the per-volume “IPAccess” preference available for EtherShare and PCShare?

A: At present only for EtherShare; PCShare will support it with a future update or version.

Q: Can I have auditing for the “webtransfer” volume?

A: Yes. The “server.acct” file shows all logins. Another option is to turn on the “xferlog” preference to log file I/O activity. For details see the HELIOS Base 1.1 manual, section 7.1. Use this option with care, since it causes considerable load on the server and should not be used on production servers.

Q: Can I publish a Macintosh printer queue on the Internet?

A: Yes. Use our TCP/IP printer drivers for remote Mac OS 9 or Mac OS X clients and publish the printer queue via TCP on a custom port, e.g.:

name: mylaser:8000

publishes it on port 8000. Configure your Internet firewall to forward this port to port 8000 on the server.

Q: Can I use the IP access for the Remote LPR protocol?

A: Yes. By default the “lpd” uses the “HELIOSDIR/var/conf/ipaccess” file. For details see the HELIOS Base 1.1 manual, section 10.7.