NI Linux Real-Time Discussions

Improve security access by removing web server and closing ports 80/443

Hi all!

 

For security reasons, my goal is to:

  • remove web server, user "webserv" and close ports 80/443
  • remove "lv-frontpanel" and close 3079
  • remove "ni-visa-remote" and close port 3537

I don't need any update or file access thanks to WebDAV.

 

If I try to remove these packages in any order:

admin@xx:~# sudo opkg list-installed |grep -i ni-web
ni-webdav-system-webserver-support - 20.0.0.49152-0+f0 - Provides a module for the NI System Web Server to act as a WebDAV server
ni-webserver-libs - 22.3.0.49295-0+f143 - Installs the libraries and modules for hosting web servers
ni-webservices-webserver-support - 22.3.0.49295-0+f143 - Hosts NI and LabVIEW web services

I have an error like this:

admin@xx:~# sudo opkg remove ni-webserver-libs
* Solver encountered 2 problem(s):
* Problem 1/2:
*   - package ni-system-webserver-22.3.0.49298-0+f146.cortexa9-vfpv3 requires ni-webserver-libs >= 14.0.0, but none of the providers can be installed
*   - conflicting requests
*   - problem with installed package ni-system-webserver-22.3.0.49298-0+f146.cortexa9-vfpv3
* 
* Solution 1:
*   - do not ask to deinstall ni-webserver-libs


* Solution 2:
*   - do not ask to deinstall ni-webserver-libs

 

Thanks for your help!

Message 1 of 5

Have you tried removing these components through MAX first?

 

Certainly the VISA server and the web server should be possible to remove there. I don't have access to one right now to verify this but I would make sure the following items are removed there:

 

* NI VISA Server

* Web based configuration and monitoring

* NI Application Web Server

* WebDAV server

 

The names may not match exactly until I get to the office and can connect to a target. There may be an entry for the remote panels as well but I don't recall that one so much.

James Mc
========
CLA and cRIO Fanatic
My writings on LabVIEW Development are at devs.wiresmithtech.com
Message 2 of 5

I had a quick test in the office and it looks like on Linux you can't remove the webdav server so I was wrong with that, apologies.

 

VISA should still be removable though.

 

Hopefully someone who knows the packages better may be able to offer advice there. My guess is that NI will consider them required.

 

Another option may just be to put a firewall in front of what can't be removed. iptables should be available for this.

 

If you want to go really deep you can look at the openembedded sources at https://github.com/ni/nilrt/tree/nilrt/master/kirkstone/sources which will show where some of these items are introduced but I think the web-server ones are linked to a proprietary repo somewhere - I've not attempted this in a while

James Mc
========
CLA and cRIO Fanatic
My writings on LabVIEW Development are at devs.wiresmithtech.com
Message 3 of 5

FYI, if you are using a TSN enabled cRIO or cDAQ chassis you will not be able to shut down the web services that run on port 80. 

 

NI uses the web server in a lower level of the DAQmx driver to obtain a sync source domain necessary to start the DAQmx task.

 

If you do not have this web port open at least on the localhost you will see error -209836 when trying to start the task.

 

The solution (workaround) that I have employed in my applications that use the TSN enabled chassis is to use the iptables filter (Linux RT) to reject any traffic coming in to port 80 over the eth0 physical interface. I leave the localhost and loopback open and the NI System Web Services running on the target.

 

I am not sure how that will work in a Windows environment if you have a tethered cDAQ chassis.

 

Unfortunately if you do filter the port 80, there are certain things you will be unable to do via MAX or the LabVIEW project.

 

 

Steven Howell
Controls and Instrumentation Engineer
Jacobs Technologies
NASA Johnson Space Center
Message 4 of 5
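
The iptables workaround described in the post above, written out as an added example that is not part of the original thread or NI's own tooling. It assumes the wired interface is eth0 (as in that post) and uses the ports listed in the first post; the function names and the "apply" argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the wired interface is eth0
# and the ports are the ones named in the first post. Point IPTABLES at
# ip6tables and run again if the target also has IPv6 enabled.
IPTABLES=${IPTABLES:-iptables}
NI_PORTS="80 443 3079 3537"

# ensure_rule RULE-SPEC...: insert the rule at the top of INPUT unless an
# identical rule already exists (-C), so re-running does not stack duplicates.
ensure_rule() {
    $IPTABLES -C INPUT "$@" 2>/dev/null || $IPTABLES -I INPUT 1 "$@"
}

# block_ports IFACE PORT...: reject inbound TCP to each port on IFACE only.
# All input is validated before any rule is touched.
block_ports() {
    iface=$1
    [ $# -ge 2 ] || { echo "usage: block_ports IFACE PORT..." >&2; return 2; }
    shift
    case "$iface" in
        ''|lo|*[!A-Za-z0-9._-]*) echo "refusing interface: $iface" >&2; return 2 ;;
    esac
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 2 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "bad port: $p" >&2; return 2
        fi
    done
    for p in "$@"; do
        # tcp-reset makes remote clients fail fast instead of timing out.
        ensure_rule -i "$iface" -p tcp --dport "$p" \
            -j REJECT --reject-with tcp-reset || return 1
    done
    # Inserted last so it ends up first: local clients (DAQmx on a TSN
    # chassis, per the post above) keep reaching the web server on loopback.
    ensure_rule -i lo -j ACCEPT
}

# Runs only when invoked as "script apply [IFACE]"; sourcing defines functions.
if [ "${1:-}" = "apply" ]; then
    # NI_PORTS is left unquoted on purpose so it splits into one port per word.
    block_ports "${2:-eth0}" $NI_PORTS
fi
```

Rules inserted this way are held in the running kernel only and are gone after a reboot, so the script has to be run again at startup. Check the result with `iptables -S INPUT` on the target and a connection attempt from another host.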

Thanks for all the replies and sorry for the delay, I was on holiday.

 

I will try to use MAX to disable some applications.

I'm not using TSN but I will use some iptables filters as you said.

 

Regards

Message 5 of 5