PanLex: Security

Access control

AWS instances

Current PanLex servers are Amazon AWS EC2 instances. As noted in the documentation on creation of a database instance, the main administrative user of an instance can obtain exclusive SSH access to it by configuring it with a key pair, storing locally the pair’s private key as instructed, and editing the local SSH configuration file as required.

Additional administrative users of an instance require the following additional operations for access:

1. Add a user with sudo adduser --disabled-password nnnnn, where “nnnnn” is replaced with the login name of the new user.
2. Provide the requested information about the user.
3. Create an SSH directory in the home directory of the new user with sudo mkdir ~nnnnn/.ssh and make the new user its owner and group.
4. Get a public key from the new user.
5. Copy the public key into a file named “authorized_keys” within the ~nnnnn/.ssh directory and make the new user that file’s owner and group.
6. Remove all group and world privileges from both the ~nnnnn/.ssh directory and the “authorized_keys” file.

Obsolete systems

Access to PanLex services offered by the former server at uf.utilika.org was regulated by firewalls, which permited certain kinds of access and blocked others.

The uf.utilika.org firewall was configured with the “iptables” utility. PanLex staff could examine the configuration with the “sudo iptables -L” command and save a restorable version of it with the command “sudo iptables-save”. The standard restorable configuration (before our customizations) was:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [82365031:276163790374]
:Firewall-1-INPUT - [0:0]
:SSH-Ext-INPUT - [0:0]
-A INPUT -j SSH-Ext-INPUT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m mac --mac-source 00:22:BD:4B:EF:44 -j DROP 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 123 -m mac --mac-source 00:22:BD:4B:EF:44 -j DROP 
-A INPUT -p udp -m state --state NEW -m udp --dport 123 -m mac --mac-source 00:22:BD:4B:EF:44 -j DROP 
-A INPUT -p udp -m state --state NEW -m udp --dport 514 -m mac --mac-source 00:22:BD:4B:EF:44 -j DROP 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m mac --mac-source 00:22:BD:4B:EF:43 -j DROP 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 123 -m mac --mac-source 00:22:BD:4B:EF:43 -j DROP 
-A INPUT -p udp -m state --state NEW -m udp --dport 123 -m mac --mac-source 00:22:BD:4B:EF:43 -j DROP 
-A INPUT -p udp -m state --state NEW -m udp --dport 514 -m mac --mac-source 00:22:BD:4B:EF:43 -j DROP 
-A INPUT -j Firewall-1-INPUT 
-A FORWARD -j Firewall-1-INPUT 
-A Firewall-1-INPUT -i lo -j ACCEPT 
-A Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
-A Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 123 -j ACCEPT 
-A Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT 
-A Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT 
-A Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT 
-A Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 993 -j ACCEPT 
-A Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT 
-A Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7531 -j ACCEPT 
-A Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
-A SSH-Ext-INPUT -s 139.18.2.158 -d 70.36.157.216 -p tcp -m tcp --dport 22 -j ACCEPT 
-A SSH-Ext-INPUT -s 85.25.35.91 -d 70.36.157.216 -p tcp -m tcp --dport 22 -j ACCEPT 
-A SSH-Ext-INPUT -s 70.36.157.219 -d 70.36.157.216 -p tcp -m tcp --dport 22 -j ACCEPT 
-A SSH-Ext-INPUT -s 76.126.137.228 -d 70.36.157.216 -p tcp -m tcp --dport 22 -j ACCEPT 
COMMIT

The configuration could be displayed more intuitively with the “sudo iptables -L” command, as:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
SSH-Ext-INPUT  all  --  anywhere             anywhere            
DROP       tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh MAC 00:22:BD:4B:EF:44 
DROP       tcp  --  anywhere             anywhere            state NEW tcp dpt:ntp MAC 00:22:BD:4B:EF:44 
DROP       udp  --  anywhere             anywhere            state NEW udp dpt:ntp MAC 00:22:BD:4B:EF:44 
DROP       udp  --  anywhere             anywhere            state NEW udp dpt:syslog MAC 00:22:BD:4B:EF:44 
DROP       tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh MAC 00:22:BD:4B:EF:43 
DROP       tcp  --  anywhere             anywhere            state NEW tcp dpt:ntp MAC 00:22:BD:4B:EF:43 
DROP       udp  --  anywhere             anywhere            state NEW udp dpt:ntp MAC 00:22:BD:4B:EF:43 
DROP       udp  --  anywhere             anywhere            state NEW udp dpt:syslog MAC 00:22:BD:4B:EF:43 
Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ntp 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ntp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:syslog 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:imaps 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:postgres 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7531 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain SSH-Ext-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  139.18.2.158         uf.utilika.org      tcp dpt:ssh 
ACCEPT     tcp  --  euve18987.vserver.de  uf.utilika.org      tcp dpt:ssh 
ACCEPT     tcp  --  ego.utilika.org      uf.utilika.org      tcp dpt:ssh 
ACCEPT     tcp  --  c-76-126-137-228.hsd1.ca.comcast.net  uf.utilika.org      tcp dpt:ssh

Our customizations made the firewall:

• Accept incoming new connections to the SSH port (22) from particular IP addresses used by partners and from any host within the same local area network, but otherwise to drop new incoming connections to the SSH port.
• Accept incoming new connections of particular other kinds from inside the local area network.
• Accept incoming new connections of particular other kinds from anywhere.
• Accept related and established connections from anywhere.

The rejection of incoming new connections from outside the local area network was performed by the statements ending with MAC 00:22:BD:4B:EF:44. This was the source Ethernet address of packets arriving from outside, according to the sud tcpdump -ec n command (where “n” is replaced with the count of packets to be captured.

We implemented a utility permitting an authorized person at an outside IP address to enable SSH connections from that address. It was implemented as a website form named “Manager action form” on the “Contact” page that, if correctly completed, caused execution of a script that created a file containing the user’s current IP address. A periodic “cron” process owned by the root user checked for that file and, if it existed, modified the “iptables” configuration to permit SSH connections from there. An alternative implementation using the “iptables” “string” module with the “kmp” algorithm, intended to match a post-login server command suffixed to the “ssh” command string, did not work.