[Gluster-users] Volume hacked

Amar Tumballi atumball at redhat.com
Mon Aug 7 10:59:27 UTC 2017


On Mon, Aug 7, 2017 at 2:17 PM, <lemonnierk at ulrar.net> wrote:

> On Mon, Aug 07, 2017 at 10:40:08AM +0200, Arman Khalatyan wrote:
> > Interesting problem...
> > Did you consider an insider job? (comes to mind: http://verelox.com
> > <https://t.co/dt1c78VRxA> recent troubles)
>
> I would be really, really surprised; we are only 5 / 6 with access and as
> far as I know no one has a problem with the company.
> The last person to leave did so last year, and we revoked everything (I
> hope). And I can't think of a reason they'd leave the website of a
> Hungarian company in there; we contacted them and they think it's one
> of their ex-employees trying to cause them problems.
> I think we were just unlucky, but I'd really love to confirm how they
> did it
>
>
For any filesystem access through GlusterFS, a successful handshake at the
server-side is mandatory.

You should have the log of the clients connected to these server machines
in brick logs (mostly at /var/log/glusterfs/bricks/*.log), check them for
any external IP.

Gluster doesn't provide any extra protection right now, other than what is
provided by the POSIX standard (i.e., user access control). So, if the user is
'root' on his machine, and there is a no_root_squash option, then technically
he can delete all the files in the volume, if he can mount the volume. The
major 'authentication' control provided is IP-based authentication.

At this time, if your volume didn't have more granular control on the
'auth.allow' options, then we can check the log and try to understand which
client caused this.

Regards,
Amar


>
> > On Mon, Aug 7, 2017 at 3:30 AM, W Kern <wkmail at bneit.com> wrote:
> >
> > >
> > >
> > > On 8/6/2017 4:57 PM, lemonnierk at ulrar.net wrote:
> > >
> > >
> > > Gluster already uses a vlan, the problem is that there is no easy way
> > > that I know of to tell gluster not to listen on an interface, and I
> > > can't not have a public IP on the server. I really wish there was a
> > > simple "listen only on this IP/interface" option for this
> > >
> > >
> > > What about this?
> > >
> > > transport.socket.bind-address
> > >
> > > I know there were some BZs on it with earlier Gluster versions, so I
> > > assume it's still there now.
> > >
> > > -bill
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Gluster-users mailing list
> > > Gluster-users at gluster.org
> > > http://lists.gluster.org/mailman/listinfo/gluster-users
> > >
>



-- 
Amar Tumballi (amarts)
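One way to act on Amar's advice to scan the brick logs for external IPs, as an added example that is not part of this thread or of Gluster itself: it pulls every IPv4 address out of brick-log lines and reports those outside the trusted storage network. The sample log lines and the 10.10.0.0/24 range are constructed for the example, and real brick-log wording may differ, which is why the check keys only on the addresses.

```python
"""Report client addresses in GlusterFS brick logs that fall outside the
trusted storage network (the VLAN that auth.allow should cover).  Added
example for this thread, not Gluster code: the sample lines are constructed
and may not match real brick-log wording, so only the IPv4 addresses in
each line are relied on."""
import ipaddress
import re

# Assumed trusted ranges: the storage VLAN plus loopback.
TRUSTED_NETS = ["10.10.0.0/24", "127.0.0.0/8"]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample brick-log lines: two trusted clients, one outsider.
SAMPLE_LOG = """\
[2017-08-07 09:12:01.123456] I [socket.c:1234] 0-tcp.gv0-server: accepted connection from 10.10.0.12:49151
[2017-08-07 09:12:01.223456] I [server-handshake.c:692] 0-gv0-server: accepted client from 10.10.0.13-5432-2017/08/07-09:12:01-gv0-client-0
[2017-08-07 11:40:33.000001] I [socket.c:1234] 0-tcp.gv0-server: accepted connection from 203.0.113.77:1023
[2017-08-07 11:40:40.000001] W [server-rpc-fops.c:100] 0-gv0-server: UNLINK on /data/important from 203.0.113.77
"""


def external_client_hits(log_text, trusted=TRUSTED_NETS):
    """Map each IPv4 address outside every trusted CIDR to the log lines
    that mention it, in file order.  Regex hits that are not valid
    addresses (e.g. 999.1.1.1) are skipped."""
    nets = [ipaddress.ip_network(cidr) for cidr in trusted]
    hits = {}
    for line in log_text.splitlines():
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue
            if not any(addr in net for net in nets):
                hits.setdefault(str(addr), []).append(line)
    return hits


def report(log_text, trusted=TRUSTED_NETS):
    """One block per external address, oldest line first."""
    hits = external_client_hits(log_text, trusted)
    if not hits:
        return "no clients outside the trusted networks"
    out = []
    for addr, lines in sorted(hits.items()):
        out.append(f"EXTERNAL {addr}: {len(lines)} log line(s)")
        out.extend("    " + line for line in lines)
    return "\n".join(out)
```

In practice, feed the contents of /var/log/glusterfs/bricks/*.log to report() and set TRUSTED_NETS to the storage VLAN; every address listed is a client that completed the handshake from outside the range auth.allow was meant to permit.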

