[Gluster-users] Volume hacked

wk wkmail at bneit.com
Sun Aug 6 23:17:48 UTC 2017



On 8/6/2017 1:09 PM, lemonnierk at ulrar.net wrote:
>
>> Are your gluster nodes physically isolated on their own network/switch?
> Nope, impossible to do for us

OK, yes, that makes it much harder to secure.

You should add VLANs, and/or overlay networks, and/or MAC address 
filtering/locking/security, which raises the bar quite a bit for hackers. 
Perhaps your provider can help you with that.

Then there is the Gluster Auth stuff, which is cert based as I recall. 
Unfortunately, I don't have any experience with it as we have relied on 
unique separate physical networks for our clusters.
Hackers (and us) can't even get to our Gluster boxes except via IP/KVM 
or the client itself.

I'm now curious as to what you find and am thinking we should be looking 
at the Gluster Auth protocols as well.


>> In other words can an outsider access them directly without having to
>> compromise a NFS client machine first?
>>
> Yes, but we don't have any NFS client, only libgfapi.
> I added a bunch of iptables rules to prevent that from happening, if
> they did use NFS which I am unsure of. If they used something else to
> access the volume though, who knows .. It hasn't been re-hacked since so
> that's a good sign.

Well if you aren't using it, then turn NFS off. I think NFS is turned 
off by default in the new versions anyway in favor of NFS-Ganesha.

But the original question remains, did they get into just the Gluster 
boxes or are they in the Client already?

Unless they rooted the boxes and cleaned the logs, there should be some 
traces of activity in the various system and gluster logs. The various 
rootkit checker programs may find something (chkrootkit).

-bill
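An added defender's check, not from the thread or from the Gluster project: a POSIX sh audit of `gluster volume info` output for the three settings the reply above points at, namely gluster-native NFS left enabled (`nfs.disable`), no client address allowlist (`auth.allow`), and no TLS between clients and bricks (`client.ssl`/`server.ssl`, Gluster's certificate-based auth). The volume output it parses is a constructed sample.

```shell
#!/bin/sh
# Constructed sample of `gluster volume info gv0` output for this example; not data from the thread.
SAMPLE_VOLUME_INFO='Volume Name: gv0
Type: Replicate
Status: Started
Transport-type: tcp
Bricks:
Brick1: node1:/bricks/gv0
Brick2: node2:/bricks/gv0
Options Reconfigured:
transport.address-family: inet
nfs.disable: off
performance.readdir-ahead: on'

# Print the value of one reconfigured option from volume info text on stdin;
# prints nothing when the option is not listed (i.e. it is at the version default).
volume_option() {
    sed -n "s/^$1: //p"
}

# Audit volume info text on stdin for the exposure discussed in the thread:
# gluster-native NFS left on, no client allowlist, no TLS between clients and bricks.
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_volume_options() {
    info=$(cat)
    findings=0
    nfs=$(printf '%s\n' "$info" | volume_option nfs.disable)
    if [ "$nfs" != on ]; then
        echo "nfs.disable=${nfs:-unset}: NFS export may be reachable by any host that can reach the bricks"
        findings=$((findings + 1))
    fi
    allow=$(printf '%s\n' "$info" | volume_option auth.allow)
    if [ -z "$allow" ] || [ "$allow" = '*' ]; then
        echo "auth.allow=${allow:-unset}: any client address may mount the volume"
        findings=$((findings + 1))
    fi
    for opt in client.ssl server.ssl; do
        v=$(printf '%s\n' "$info" | volume_option "$opt")
        if [ "$v" != on ]; then
            echo "$opt=${v:-unset}: client/brick traffic is not TLS-authenticated"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run against the constructed sample; on a real node pipe in `gluster volume info "$VOLUME"` instead.
if ! printf '%s\n' "$SAMPLE_VOLUME_INFO" | audit_volume_options; then
    echo "volume gv0 needs hardening" >&2
fi
```

An unset option is reported as well, since whether the default is safe depends on the Gluster version (as the reply notes for NFS), so it deserves an explicit setting rather than an assumption.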
