Forum Discussion

Dothebartman's avatar
4 years ago

Disabling vnetd service

Hi all.

The backup or recovery process wouldn't start when I disabled vnetd while keeping only pbx running.
Is it possible to disable the vnetd service, which is a security vulnerability, and still get backups?

Thanks in advance.

Sungryol

  • davidmoline's avatar
    davidmoline
    4 years ago

  • Simple answer - NO

    Longer answer - the PBX service is simply the conduit that NetBackup uses to communicate between hosts. The bpcd, vnetd and other services (depending on the host type) are still very much used by NetBackup - it's just that those connections all happen locally (i.e. the pbx connection is the only external one).

    Using PBX reduces the required port footprint of NetBackup to basically a single port (1556). You should be able to use a host firewall to restrict external access to the vnetd port as long as it can be reached from the localhost (I may be wrong about this - so if someone else knows better please advise). 

    Final question - what is the concern around vnetd - where are you seeing that it is a security vulnerability? One of the aims in recent years has been for NetBackup to tighten up on security (including things like secure comms etc). I'd be curious why you think vnetd is a problem.

    • Dothebartman's avatar
      Dothebartman
      Level 2

      Thank you for your quick reply.
      And sorry for posting the wrong information.
      The vulnerability thing turned out to be Chinese whispers. Sorry again for helping to spread it.

      Another question :)
      I mirrored the vnetd (13724) port but there was no connection to be seen.
      Of course, PBX (1556) was traceable.
      Is there any way to trace the vnetd port activities?

      Sincerely,

      • davidmoline's avatar
        davidmoline
        Level 6

        Other than reviewing the log information I suspect not. Here is an extract from the vnetd log for the start of a backup

        07:51:17.066 [1814.1814] <2> vnet_pbxAcceptSocket_ex: Accepted sock[17] from 10.240.100.52:51201
        07:51:17.067 [2632418.2632418] <2> ProcessRequests: delaying version exchange until after proxy for sock_id 4
        07:51:17.068 [2632418.2632418] <2> daemon_proxy_proto: Preparing to do daemon protocol for (10.240.100.14:1556 <- 10.240.100.52:51201)
        07:51:17.068 [1814.1814] <2> vnet_pbxAcceptSocket_ex: Accepted sock[17] from 10.240.100.52:51202
        07:51:17.069 [2632419.2632419] <2> ProcessRequests: delaying version exchange until after proxy for sock_id 3
        07:51:17.069 [2632419.2632419] <2> daemon_proxy_proto: Preparing to do daemon protocol for (10.240.100.14:1556 <- 10.240.100.52:51202)

        You'll notice that the connection comes in on the PBX port (as expected) and connects to vnetd via a socket. As such I do not think you will ever see network traffic using the vnetd port (even locally).

        Your best bet will be to enable vnetd logging and review the logs. Also the vnetd proxy logs may provide additional information, see this article on examining these logs - Viewing the vnetd proxy log files
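As an added illustration of reading the vnetd log extract quoted above (example code written for this page, not from the thread or from NetBackup): a small parser that pairs each accepted client socket with its daemon_proxy_proto line and reports any connection whose local endpoint is not the PBX port. The log lines are the ones quoted in the reply; the function and key names are my own.

```python
import re

# vnetd log lines as quoted in davidmoline's reply above (not constructed)
VNETD_LOG = """\
07:51:17.066 [1814.1814] <2> vnet_pbxAcceptSocket_ex: Accepted sock[17] from 10.240.100.52:51201
07:51:17.067 [2632418.2632418] <2> ProcessRequests: delaying version exchange until after proxy for sock_id 4
07:51:17.068 [2632418.2632418] <2> daemon_proxy_proto: Preparing to do daemon protocol for (10.240.100.14:1556 <- 10.240.100.52:51201)
07:51:17.068 [1814.1814] <2> vnet_pbxAcceptSocket_ex: Accepted sock[17] from 10.240.100.52:51202
07:51:17.069 [2632419.2632419] <2> ProcessRequests: delaying version exchange until after proxy for sock_id 3
07:51:17.069 [2632419.2632419] <2> daemon_proxy_proto: Preparing to do daemon protocol for (10.240.100.14:1556 <- 10.240.100.52:51202)
"""

# Patterns for the two message types the extract contains.
ACCEPT_RE = re.compile(
    r"vnet_pbxAcceptSocket_ex: Accepted sock\[\d+\] from (\S+):(\d+)")
PROXY_RE = re.compile(
    r"daemon_proxy_proto: Preparing to do daemon protocol for "
    r"\((\S+):(\d+) <- (\S+):(\d+)\)")


def parse_vnetd_log(text):
    """Return one record per client connection: the remote client endpoint
    and the local ip:port the proxy handed it to (None if never proxied)."""
    records = {}  # (client_ip, client_port) -> record
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            records[key] = {"client": key, "local_ip": None, "local_port": None}
            continue
        m = PROXY_RE.search(line)
        if m:
            key = (m.group(3), int(m.group(4)))
            rec = records.setdefault(
                key, {"client": key, "local_ip": None, "local_port": None})
            rec["local_ip"] = m.group(1)
            rec["local_port"] = int(m.group(2))
    return list(records.values())


def connections_not_via_pbx(records, pbx_port=1556):
    """Connections whose local endpoint is anything other than the PBX port.
    An empty result matches the reply: everything enters on 1556 and is
    proxied to vnetd internally, so nothing shows up on the vnetd port."""
    return [r for r in records if r["local_port"] != pbx_port]
```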