[Opensim-users] Grid Security
James Stallings II
james.stallings at gmail.com
Mon Oct 8 12:15:24 UTC 2012
To summarize:
- No SQL server needs to be accessible over the network except in the event
of a 'special case' (e.g., an externally-hosted web front end).
- No other ports but 8002 in a standard or default ROBUST configuration
need be accessible to the viewer-based end user.
- The keys were removed by consensus because they provided *no* security.
Joshua:
Use the similar settings in the OpenSim.ini file; the ones in the
Region.ini file should be removed.
Cheers
James/Hiro
http://SimHost.com
On Mon, Oct 8, 2012 at 3:01 AM, Joshua Rubeck <jrubeck1989 at gmail.com> wrote:
> Thanks for the info guys, that was very helpful. One of the other things
> we were having issues with is the MaxPrims setting in the region INI files.
> Clearly this setting is available, however it does not appear to work. I am
> sure on my grids this is not an issue after all OpenSimulator is usually
> used to eliminate many of the restrictions SL has. However for us we are
> trying to follow the same style of region and prims counts as SL for the
> sole reason that it appears to be more cost effective in terms of
> resources. I mean we can have more regions on Server A if each region is
> limited to 15k prim, whereas Server B can only host a few safely without
> those limitations. Any idea how to make sure the software enforces the max
> prim limitations?
>
>
> On Sun, Oct 7, 2012 at 10:12 PM, Tom Haines <hainest at gmail.com> wrote:
>
>> Blocking port 8003 on the firewall to block unauthorized regions doesn't
>> work if you have an external organization that hosts a region server that
>> connects to your grid and has OpenSim users both NATing to the same IP
>> address. And situations like this tend to pop up for political, and not
>> technical reasons, which means there is little recourse for the grid
>> operator.
>>
>> I've considered SSH tunneling for the 8003 connection, but have not had a
>> chance to experiment.
>>
>> And to confirm, there is no communication directly between viewer and SQL
>> server. The database will, and should be run unexposed to the end user.
>>
>>
>> On Sunday, October 7, 2012, wrote:
>>
>>> Further to this I understand there should be no reason for a normal
>>> viewer to talk directly to the SQL server. It is all done via the simulator.
>>>
>>> As such it would be feasible to set your SQL server to only allow your
>>> OpenSim users to authenticate from servers you run (usually by IP or
>>> FQDN). There should always be a focus on security but I would imagine all
>>> these factors would make it at least very difficult for someone to
>>> casually connect a simulator to your grid even without additional
>>> authentication in OpenSim.
>>>
>>>
>>>
>>> > unless there have been profound recent changes in the OS services
>>> > connectors structure that i've failed to notice (which is QUITE
>>> > possible), all end-user accessibility is handled by port 8002 and the
>>> > rest (connection services) is governed by port 8003 (in a standard
>>> > ROBUST based grid setup). therefore, placing :8003 behind your firewall
>>> > (thus preventing 'unauthorized' outside users from attaching to your
>>> > grid services) should not interfere with public/open access via viewers
>>> > on :8002 which would remain outside the firewall. afaik, this is the
>>> > only reliable and in my experience completely effective solution to the
>>> > problem.
>>> >
>>> > i also believe the security key function was removed by consensus as it
>>> > didn't provide any hardcore security.
>>> >
>>> > hope this helps and is remotely correct in its technical assumptions -
>>> > or at least follows the path your concerns and argument were headed...
>>> >
>>> > - core
>>> >
>>> > On 10/7/2012 11:50 AM, Tom Haines wrote:
>>> >> I disagree that this should not be considered a concern. Under this
>>> >> security model, anyone with the information to connect to the grid as
>>> >> a user has enough information to connect a region to the grid.
>>> >>
>>> >> I am concerned with this as an operator of an educational grid. We
>>> >> offer our services to students and educators with the understanding
>>> >> that we can limit the objectionable content they would be exposed to
>>> >> in SL or other public OpenSim grids. Obviously if anyone can connect
>>> >> their own regions without authorization from the grid operators, our
>>> >> ability to offer this service is compromised.
>>> >>
>>> >> I know there were pass keys used in the past to authenticate regions,
>>> >> but I believe this functionality has been removed. I haven't seen
>>> >> anything on the website regarding this. I've read before that
>>> >> firewalls are the best defense, but this is untenable, since our usage
>>> >> requirements demand controlled access by region operators, but open
>>> >> access to end users from heterogeneous network environments.
>>> >>
>>> >> Could someone weigh in with the official line on this?
>>> >>
>>> >> On Sunday, October 7, 2012, Fleep Tuque wrote:
>>> >>
>>> >> Hi Josh,
>>> >>
>>> >> As far as I know, in order to connect a region to your grid,
>>> >> someone would need to know all the connection details and unless
>>> >> you provide that information, I'm not sure how anyone would know
>>> >> how to or be able to connect to your grid. FleepGrid has been
>>> >> running for nearly 2 years and I've never seen any attempts to
>>> >> connect a rogue region as far as I know, so I'm not sure it's much
>>> >> of a concern.
>>> >>
>>> >> I'll let someone with more knowledge of the possible configuration
>>> >> options address any .ini settings that you might be able to use to
>>> >> disable region connections, but if this is a security issue or
>>> >> problem, it's the first I've heard of it.
>>> >>
>>> >> Sincerely,
>>> >>
>>> >> - Chris/Fleep
>>> >>
>>> >> Chris M. Collins (SL/OS: Fleep Tuque)
>>> >> Center for Simulations & Virtual Environments Research (UCSIM)
>>> >> UCIT Instructional & Research Computing
>>> >> University of Cincinnati
>>> >> 406A Zimmer Hall
>>> >> 315 College Drive
>>> >> PO BOX 210088
>>> >> Cincinnati, OH 45221-0088
>>> >> chris.collins at uc.edu
>>> >> (513) 556-3018
>>> >>
>>> >> http://ucsim.uc.edu
>>> >>
>>> >> On Sun, Oct 7, 2012 at 9:52 AM, Joshua Rubeck
>>> >> <jrubeck1989 at gmail.com> wrote:
>>> >>
>>> >> Okay so here is a question for everyone. Myself and a few
>>> >> others are setting up a grid for public use, but we do not
>>> >> want other people to be able to connect their regions on a
>>> >> home based computer to our grid. One of my friends remembers
>>> >> that there used to be a setting that would prevent an
>>> >> opensimulator instance from connecting to robust without
>>> >> authentication but I cannot find that in the configuration
>>> >> files. Is there a configuration that allows us to run a public
>>> >> grid without other people being able to connect their regions
>>> >> to our grid?
>>> >> _______________________________________________
>>> >> Opensim-users mailing list
>>> >> Opensim-users at lists.berlios.de
>>> >> https://lists.berlios.de/mailman/listinfo/opensim-users
>>> >>
>>> >>
>>> >>
>>> >>
>>> >
>>>
>>>
>>>
>>
>>
>
>
>
--
===================================
http://simhost.com
http://twitter.com/jstallings2
http://www.linkedin.com/pub/5/770/a49
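The layout summarized at the top of this message (port 8002 open to viewers, port 8003 reachable only from region hosts the grid operator runs, the SQL server never exposed to end users) together with the per-host SQL account restriction suggested further down the thread, written out as a concrete firewall and database configuration. This is an added example, not code from any poster on this thread or from the OpenSimulator project. It assumes a Linux host using iptables, MySQL 5.7 or newer (for the CREATE USER IF NOT EXISTS syntax), and an OpenSim database and account both named opensim; the host addresses are constructed placeholders to be replaced with your own region and simulator servers.

```shell
#!/bin/sh
# Added example: firewall and MySQL account rules for a ROBUST grid host.
# Mirrors the thread's advice: 8002 public, 8003 only from known region hosts,
# SQL only from the simulator hosts you run (and localhost).
# All addresses below are constructed placeholders (TEST-NET-3), not real hosts.

REGION_HOSTS="${REGION_HOSTS:-203.0.113.10 203.0.113.11}"  # constructed: your region servers
SIM_HOSTS="${SIM_HOSTS:-203.0.113.10 203.0.113.11}"        # constructed: hosts allowed to reach MySQL
PUBLIC_PORT=8002    # viewer-facing ROBUST services (login, grid info, ...)
PRIVATE_PORT=8003   # grid/connection services used by region simulators
SQL_PORT=3306       # MySQL; use 5432 for PostgreSQL
DB_NAME=opensim     # assumption: OpenSim database name
DB_USER=opensim     # assumption: OpenSim database account

# Emit the iptables commands as text so they can be reviewed before being applied.
robust_fw_rules() {
    # Viewers anywhere may reach the public ROBUST port.
    echo "iptables -A INPUT -p tcp --dport $PUBLIC_PORT -j ACCEPT"
    # Only your own region hosts may reach the private (connection services) port.
    for h in $REGION_HOSTS; do
        echo "iptables -A INPUT -p tcp -s $h --dport $PRIVATE_PORT -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $PRIVATE_PORT -j DROP"
    # The database is reachable from localhost and your simulator hosts only.
    echo "iptables -A INPUT -i lo -p tcp --dport $SQL_PORT -j ACCEPT"
    for h in $SIM_HOSTS; do
        echo "iptables -A INPUT -p tcp -s $h --dport $SQL_PORT -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $SQL_PORT -j DROP"
}

# Sanity check: count ACCEPT rules that are not limited to a source host or to
# the loopback interface. Exactly one (the 8002 rule) is expected.
unrestricted_accepts() {
    robust_fw_rules | grep -v -- '-s ' | grep -v -- '-i lo' | grep -c 'ACCEPT'
}

# Emit SQL that lets the OpenSim account log in only from the simulator hosts,
# as the thread suggests (no 'opensim'@'%' wildcard account).
mysql_grant_sql() {
    for h in $SIM_HOSTS; do
        echo "CREATE USER IF NOT EXISTS '$DB_USER'@'$h' IDENTIFIED BY 'CHANGE_ME';"
        echo "GRANT ALL PRIVILEGES ON $DB_NAME.* TO '$DB_USER'@'$h';"
    done
    echo "FLUSH PRIVILEGES;"
}

# Apply only when explicitly requested; otherwise just show what would be done.
if [ "${APPLY:-0}" = "1" ]; then
    robust_fw_rules | sh
    mysql_grant_sql | mysql -u root -p
else
    robust_fw_rules
    mysql_grant_sql
fi
```

Run it once without APPLY to review the generated rules and SQL, then with APPLY=1 as root to apply them. The 8003 DROP rule is what stops a home-run region from attaching to the grid; as Tom Haines notes above, it cannot distinguish two simulators behind the same NAT address, so the allowlist is per host, not per region.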