How to prevent moxi listening at an unauthorized port?


#1

Some fellows at the security part told us that we have an unauthorized port issue with Couchbase.
We found it’s moxi which listens on an unauthorized port.

[root@~]# ps -ef | grep moxi
496      24117 15002  0 Dec03 ?        00:00:09 /opt/couchbase/bin/moxi -Z port_listen=11211,default_bucket_name=default,downstream_max=1024,downstream_conn_max=4,connect_max_errors=5,connect_retry_interval=30000,connect_timeout=400,auth_timeout=100,cycle=200,downstream_conn_queue_timeout=200,downstream_timeout=5000,wait_queue_timeout=200 -z url=http://127.0.0.1:8091/pools/default/saslBucketsStreaming -p 0 -Y y -O stderr 
root     46098 16100  0 14:52 pts/0    00:00:00 grep moxi
[root@~]# netstat -antup | grep moxi
tcp        0      0 0.0.0.0:11211               0.0.0.0:*                   LISTEN      24117/moxi          
tcp        0      0 0.0.0.0:53685               0.0.0.0:*                   LISTEN      24117/moxi          
tcp        0      0 127.0.0.1:31128             127.0.0.1:8091              ESTABLISHED 24117/moxi          
tcp        0      0 :::11211                    :::*                        LISTEN      24117/moxi          
tcp        0      0 :::48249                    :::*                        LISTEN      24117/moxi          
[root@~]# echo stats | nc 10.49.58.25 53685 
STAT pid 24117
STAT uptime 228643
STAT time 1544079176
STAT version
STAT pointer_size 64
STAT rusage_user 6.916948
STAT rusage_system 2.284652
STAT curr_connections 4
STAT total_connections 18
STAT connection_structures 6

[root@~]# telnet 10.49.58.25 53685
Trying 10.49.58.25...
Connected to 10.49.58.25.
Escape character is '^]'.
set shuffle 0 900 9
memcached
STORED
get shuffle
VALUE shuffle 0 9
memcached
END
^]
telnet> Connection closed.

I have read some docs about moxi, such as http://docs.couchbase.com/moxi-manual-1.8/#following-a-request-through-moxi, but still have no idea about a workaround to prevent moxi listening on the unauthorized port.

Can I get some inspiration? Any help would be appreciated.


#2

Hi sfxu,
Thanks for using our product. I have a question: which Couchbase Server version are you using?
From Couchbase Server 5.x, we do not use the moxi port (11211) any more, as described on this page:
https://docs.couchbase.com/server/5.0/install/install-ports.html
If you still have any question, drop me a line at thuan at couchbase dot com
Thanks


#3

Hi thuan,
It’s mainly about Couchbase server 4.x and lower versions.

[root@~]# rpm -qa | grep couchbase
couchbase-server-community-4.1.0-5005.x86_64
[root@~]# lsb_release -a
LSB Version:    :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 6.7 (Final)
Release:        6.7
Codename:       Final

We have a diversity of Couchbase Server versions running, ranging from Couchbase Server 2.x, 3.x and 4.x to 5.x,
but 4.x is still the majority.
I’ve got the knowledge that moxi is deprecated in 5.x from No service on port 11211 with Couchbase Server 5.x.
Thanks.


#4

Simplest option is to upgrade to a newer version which has removed moxi. Otherwise if you can’t do that I’d just firewall the port off.
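An added example, not from this thread or from Couchbase, of turning a netstat listing like the one in post #1 into the firewall rules suggested here. The listing is constructed to mirror the thread's output (the same PID and ports), the trusted client range 10.49.0.0/16 is an assumption, and the iptables commands are printed rather than executed so they can be reviewed before they are applied.

```shell
#!/bin/sh
# Constructed sample of `netstat -antup` output, modelled on the listing in the thread
# (one unrelated sshd line added so the filter has something to ignore).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:11211               0.0.0.0:*                   LISTEN      24117/moxi
tcp        0      0 0.0.0.0:53685               0.0.0.0:*                   LISTEN      24117/moxi
tcp        0      0 127.0.0.1:31128             127.0.0.1:8091              ESTABLISHED 24117/moxi
tcp        0      0 :::11211                    :::*                        LISTEN      24117/moxi
tcp        0      0 :::48249                    :::*                        LISTEN      24117/moxi
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1234/sshd'

# Print the distinct TCP ports on which a moxi process is LISTENing, one per line,
# numerically sorted. Works for both IPv4 (0.0.0.0:PORT) and IPv6 (:::PORT) sockets
# because the port is always the last ":"-separated field of the local address.
moxi_listen_ports() {
    printf '%s\n' "$1" \
      | awk '$6 == "LISTEN" && $7 ~ /\/moxi$/ { n = split($4, a, ":"); print a[n] }' \
      | sort -n -u
}

# Emit iptables rules for each port: accept connections from the trusted CIDR,
# drop everything else. Rules are printed, not applied, so they can be reviewed.
# Assumed trusted range: whatever the caller passes as $1 (10.49.0.0/16 below).
moxi_firewall_rules() {
    trusted="$1"
    ports="$2"
    for p in $ports; do
        echo "iptables -A INPUT -p tcp --dport $p -s $trusted -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
}

# Stand-alone demo on the constructed sample. On a real host replace the sample with
#   moxi_listen_ports "$(netstat -antup 2>/dev/null)"
moxi_firewall_rules 10.49.0.0/16 "$(moxi_listen_ports "$SAMPLE_NETSTAT")"
```

Because the high-numbered listeners in the thread (53685, 48249) are not documented fixed ports, regenerate the rules after every moxi restart, or, more robustly, give the INPUT chain a default DROP policy with explicit ACCEPT rules for the Couchbase ports you actually use so that any listener that appears later is closed by default.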


#5

Thank you.
I will have a try with iptables.
But why does the moxi gateway listen on a random, unauthorized port besides port 11211?