4

CentOS 6.x

An IT team member would like to run iperf3 on a publicly accessible server for the purpose of running on-demand connectivity checks from anywhere (no restrictions on remote source IP).

Does this present any major security concerns? The server itself is isolated from the rest of the network and I've noticed that other people are hosting public iperf servers... but I'm still cautious.

Assuming it's somewhat "safe", are there specific configurations we should implement? For example, run iperf3 under a separate service account or run iperf on a non-standard port?

Mike B
  • I think you should ask more questions about *exactly* where the needs of this request come from. Define "on-demand connectivity checks". This feels like a garish oversimplification of a more complex problem. – Matthew Ife Mar 10 '14 at 21:24

2 Answers

4

Yes, this is reasonably safe. People do this all the time, and they tend to be people who are sensitive to network security issues.

iperf3 is a rewrite of the original iperf software and has received more scrutiny than the original package, and iperf3 was created at a time when network security really does matter. The iperf3 developers do fix bugs and I believe Fedora/EPEL just released a 3.x update a month ago.

That said, all software has bugs and public servers will get attacked from time to time. Standard security practices should be used on your iperf server. Patch, firewall, consider firewalling off unnecessary ports from public networks, network monitoring, etc. I used the packages from EPEL because I know they have been tested by the EPEL community.

Try to avoid running network daemons as root. On CentOS 6 I believe that the RPM creates an iperf user and listens on a non-privileged port. You could try running this service in a chrooted jail, or a Linux or Docker container if you are feeling particularly adventurous.

Disclaimer: iperf3 is maintained by my colleagues at ESnet / Lawrence Berkeley National Laboratory. I can assure you these folks are very security minded. Computer defense is very necessary at the National Laboratories.

Stefan Lasiewski
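A small audit script that verifies the two hardening points this answer recommends (a non-root service account, and a listener only on the port you intended to expose) is below. This is an added example, not code from the answer or from the iperf3 project. The `ps` and `netstat -lntup` style inputs are constructed samples embedded in the script so it runs offline; the `iperf` service-account name and port 5201 (iperf3's default) are assumptions, set via `IPERF_USER` and `IPERF_PORT` to match your host.

```shell
#!/bin/sh
# Added example: audit a host for the iperf3 hardening recommended above.
# Not part of the original answer. Service-account name and port are
# assumptions; override with IPERF_USER / IPERF_PORT.

IPERF_PORT="${IPERF_PORT:-5201}"   # assumption: iperf3 default port
IPERF_USER="${IPERF_USER:-iperf}"  # assumption: account the EPEL package creates

# Constructed sample of `ps -eo user,pid,args`: one server correctly under
# the service account, plus a stray copy someone started as root.
SAMPLE_PS='USER       PID COMMAND
root         1 /sbin/init
root      2310 /usr/bin/iperf3 -s -p 5001
iperf     2412 /usr/bin/iperf3 -s -p 5201 -D'

# Constructed `netstat -lntup` style listener table for the same host.
SAMPLE_LISTEN='Proto Local Address           PID/Program name
tcp   0.0.0.0:22              1180/sshd
tcp   0.0.0.0:5201            2412/iperf3
tcp   0.0.0.0:5001            2310/iperf3'

# Constructed samples for a host that follows the recommendations.
SAMPLE_PS_OK='USER       PID COMMAND
root         1 /sbin/init
iperf     2412 /usr/bin/iperf3 -s -p 5201 -D'
SAMPLE_LISTEN_OK='Proto Local Address           PID/Program name
tcp   0.0.0.0:22              1180/sshd
tcp   0.0.0.0:5201            2412/iperf3'

# iperf_root_pids PS_TEXT
#   Prints the PID of every iperf3 process owned by root, one per line.
iperf_root_pids() {
    printf '%s\n' "$1" | awk '$1 == "root" && $3 ~ /iperf3$/ { print $2 }'
}

# iperf_listen_ports LISTEN_TEXT
#   Prints the distinct TCP ports on which an iperf3 process is listening.
iperf_listen_ports() {
    printf '%s\n' "$1" |
        awk '$3 ~ /\/iperf3$/ { n = split($2, a, ":"); print a[n] }' |
        sort -u
}

# audit_iperf PS_TEXT LISTEN_TEXT EXPECTED_PORT
#   Returns 0 when iperf3 runs only as a non-root user and only on the
#   expected port; otherwise prints each finding and returns 1.
audit_iperf() {
    ps_text=$1; listen_text=$2; port=$3
    status=0
    for pid in $(iperf_root_pids "$ps_text"); do
        echo "FAIL: iperf3 pid $pid runs as root (expected service account '$IPERF_USER')"
        status=1
    done
    for p in $(iperf_listen_ports "$listen_text"); do
        if [ "$p" != "$port" ]; then
            echo "FAIL: iperf3 listening on unexpected port $p (expected $port)"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        echo "OK: iperf3 runs as non-root and listens only on port $port"
    fi
    return "$status"
}

# On a real host replace the samples with live output, e.g.:
#   audit_iperf "$(ps -eo user,pid,args)" "$(netstat -lntup 2>/dev/null)" "$IPERF_PORT"
if [ "${1:-}" = "--demo" ]; then
    audit_iperf "$SAMPLE_PS" "$SAMPLE_LISTEN" "$IPERF_PORT"
    audit_iperf "$SAMPLE_PS_OK" "$SAMPLE_LISTEN_OK" "$IPERF_PORT"
fi
```

Run it with `--demo` to see both the failing and the passing sample evaluated; on the server, feed it the live `ps` and `netstat` output as shown in the trailing comment. It only reads process and socket tables, so it can run from a cron job under the service account itself.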
1
  • Have you made sure there is no sensitive data on that server?
  • Are you 100% certain it has absolutely zero access to the rest of your servers?

If yes to both, then it's ok.

Vasili Syrakis