Disabling vnetd service

Dothebartman
Level 2

Hi all.

The backup or recovery process wouldn't start when I disabled vnetd while keeping pbx only.
Is it possible to disable the vnetd service, which is vulnerable to security, and get backups?

Thanks in advance.

Sungryol


davidmoline
Level 6
Employee

Simple answer - NO

Longer answer - the PBX service is simply the conduit that NetBackup uses to communicate between hosts. The bpcd, vnetd and other services, depending on the host type, are still very much used by NetBackup - it's just that those connections all happen locally (i.e. the pbx connection is the only external one).

Using PBX reduces the required port footprint of NetBackup to basically a single port (1556). You should be able to use a host firewall to restrict external access to the vnetd port as long as it can be reached from the localhost (I may be wrong about this - so if someone else knows better please advise). 

Final question - what is the concern around vnetd - where are you seeing that it is a security vulnerability? One of the aims in recent years has been for NetBackup to tighten up on security (including things like secure comms etc). I'd be curious why you think vnetd is a problem.

Thank you for your quick reply.
And sorry for posting the wrong information.
The vulnerability thing, it turned out to be Chinese whispers. Sorry again for being an assistant to it.

Another question :)
I mirrored the vnetd (13724) port but there was no connection to be seen.
Of course, PBX (1556) was traceable.
Is there any way to trace the vnetd port activities?

Sincerely,

Other than reviewing the log information, I suspect not. Here is an extract from the vnetd log for the start of a backup:

07:51:17.066 [1814.1814] <2> vnet_pbxAcceptSocket_ex: Accepted sock[17] from 10.240.100.52:51201
07:51:17.067 [2632418.2632418] <2> ProcessRequests: delaying version exchange until after proxy for sock_id 4
07:51:17.068 [2632418.2632418] <2> daemon_proxy_proto: Preparing to do daemon protocol for (10.240.100.14:1556 <- 10.240.100.52:51201)
07:51:17.068 [1814.1814] <2> vnet_pbxAcceptSocket_ex: Accepted sock[17] from 10.240.100.52:51202
07:51:17.069 [2632419.2632419] <2> ProcessRequests: delaying version exchange until after proxy for sock_id 3
07:51:17.069 [2632419.2632419] <2> daemon_proxy_proto: Preparing to do daemon protocol for (10.240.100.14:1556 <- 10.240.100.52:51202)

You'll notice that the connection comes in on the PBX port (as expected) and connects to vnetd via a socket. As such I do not think you will ever see network traffic using the vnetd port (even locally).

Your best bet will be to enable vnetd logging and review the logs. The vnetd proxy logs may also provide additional information; see this article on examining these logs - Viewing the vnetd proxy log files
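
One way to act on the advice to review the vnetd log, as an added example that is not part of the original post or of NetBackup's own tooling: this Python script parses lines in the layout shown in the extract above and pairs each accepted peer with the local endpoint it was proxied to. The line layout is inferred only from that extract, and the names `trace_connections` and `local_port_counts` are hypothetical.

```python
import re
from collections import Counter

# Line layout inferred only from the extract in this thread (an assumption):
#   HH:MM:SS.mmm [pid.tid] <level> function: message
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) \[(?P<pid>\d+)\.\d+\] "
                     r"<\d+> (?P<func>\w+): (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted sock\[\d+\] from (?P<peer>[\d.]+:\d+)")
PROXY_RE = re.compile(r"\((?P<local>[\d.]+:\d+) <- (?P<peer>[\d.]+:\d+)\)")

# Sample input: the six lines of the log extract quoted in this thread.
SAMPLE = """\
07:51:17.066 [1814.1814] <2> vnet_pbxAcceptSocket_ex: Accepted sock[17] from 10.240.100.52:51201
07:51:17.067 [2632418.2632418] <2> ProcessRequests: delaying version exchange until after proxy for sock_id 4
07:51:17.068 [2632418.2632418] <2> daemon_proxy_proto: Preparing to do daemon protocol for (10.240.100.14:1556 <- 10.240.100.52:51201)
07:51:17.068 [1814.1814] <2> vnet_pbxAcceptSocket_ex: Accepted sock[17] from 10.240.100.52:51202
07:51:17.069 [2632419.2632419] <2> ProcessRequests: delaying version exchange until after proxy for sock_id 3
07:51:17.069 [2632419.2632419] <2> daemon_proxy_proto: Preparing to do daemon protocol for (10.240.100.14:1556 <- 10.240.100.52:51202)
"""

def trace_connections(text):
    """Map each remote peer to its accept time, PIDs and proxied local endpoint."""
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        if m["func"] == "vnet_pbxAcceptSocket_ex":
            hit, key = ACCEPT_RE.search(m["msg"]), "acceptor_pid"
        elif m["func"] == "daemon_proxy_proto":
            hit, key = PROXY_RE.search(m["msg"]), "worker_pid"
        else:
            continue
        if not hit:
            continue
        rec = conns.setdefault(hit["peer"], {"accepted": None, "local": None})
        rec[key] = int(m["pid"])
        if key == "acceptor_pid":
            rec["accepted"] = m["ts"]
        else:
            rec["local"] = hit["local"]
    return conns

def local_port_counts(conns):
    """Count connections per local port; per the thread, expect only PBX (1556)."""
    return Counter(int(c["local"].rsplit(":", 1)[1])
                   for c in conns.values() if c["local"])

if __name__ == "__main__":
    for peer, rec in trace_connections(SAMPLE).items():
        print(peer, rec)
    print(dict(local_port_counts(trace_connections(SAMPLE))))
```

On the extract, both peers resolve to local port 1556 and none to 13724, which matches the empty port mirror described earlier in the thread.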

Detailed and precise!

Thanks a lot.

You were a BIG help to me.