On Fri, Oct 3, 2008 at 09:27, Yu Fu <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> Today I found a strange host ns1.mdfd.or.charter.com appeared for a
> while in one of the groups in our ganglia. Ganglia only recorded its last
> heartbeat time and no other information about it. We never
> configured this alien host in our ganglia at all. Is this a sign that
> our ganglia was hacked? We are running 32-bit EL4 linux on our system,
> the kernel version is 2.6.9-22. The ganglia packages versions are:
> ganglia-gmetad-3.0.2-4, ganglia-gmond-3.0.2-4, ganglia-python-4.1-1,
> ganglia-pylib-4.1-1 and ganglia-receptor-4.1-1.

More likely is that someone at charter.net is running ganglia, and mistakenly sent a multicast ganglia packet that somehow made it to one of your hosts. Ganglia is pretty open about whom it will accept packets from.

While it was probably a mistake on the part of charter.net to send you traffic, you should probably also filter inbound traffic for your site. If you are monitoring traffic for an internal cluster or group of machines, your firewall/router should block inbound traffic. A blanket block for ports 8649, 8651 and 8652 on UDP and TCP should cover your bases. (Yes, you can be more precise about only blocking TCP on some ports, and only UDP on others, but it's easier to just block the port, regardless of protocol.)

--
Jesse Becker
GPG Fingerprint -- BD00 7AA4 4483 AFCC 82D0 2720 0083 0931 9A2B 06A2

_______________________________________________
Ganglia-general mailing list
https://lists.sourceforge.net/lists/listinfo/ganglia-general
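
A way to audit for the kind of stray host described in this thread, added here as an example and not part of the original messages or of Ganglia itself: it parses a gmond XML dump (the format gmond serves on TCP 8649) and flags hosts outside the networks you expect or known only by a heartbeat. The sample XML, host names, addresses and `EXPECTED_NETS` are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: networks your monitored nodes live in (documentation ranges here).
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample of a gmond XML dump; names and addresses are made up.
SAMPLE_XML = """<GANGLIA_XML VERSION="3.0.2" SOURCE="gmond">
 <CLUSTER NAME="compute" LOCALTIME="1223040500" OWNER="unspecified" LATLONG="unspecified" URL="unspecified">
  <HOST NAME="node01.example.org" IP="192.0.2.11" REPORTED="1223040495" TN="5" TMAX="20" DMAX="0" LOCATION="unspecified" GMOND_STARTED="1222000000">
   <METRIC NAME="load_one" VAL="0.12" TYPE="float" UNITS="" TN="5" TMAX="70" DMAX="0" SLOPE="both" SOURCE="gmond"/>
  </HOST>
  <HOST NAME="ns1.alien.example.net" IP="203.0.113.7" REPORTED="1223039000" TN="1500" TMAX="20" DMAX="0" LOCATION="unspecified" GMOND_STARTED="1223038990"/>
 </CLUSTER>
</GANGLIA_XML>"""


def audit_hosts(xml_text, expected_nets=EXPECTED_NETS):
    """Return (cluster, host, ip, reasons) tuples for suspicious HOST entries."""
    findings = []
    root = ET.fromstring(xml_text)
    for cluster in root.iter("CLUSTER"):
        for host in cluster.findall("HOST"):
            reasons = []
            ip_text = host.get("IP", "")
            try:
                ip = ipaddress.ip_address(ip_text)
                if not any(ip in net for net in expected_nets):
                    reasons.append("source address outside expected networks")
            except ValueError:
                reasons.append("unparseable IP attribute")
            # Assumption: a host known only from a heartbeat has no METRIC
            # children, or at most one named "heartbeat".
            metrics = {m.get("NAME") for m in host.findall("METRIC")}
            if not (metrics - {"heartbeat"}):
                reasons.append("heartbeat only, no metric data")
            if reasons:
                findings.append(
                    (cluster.get("NAME"), host.get("NAME"), ip_text, reasons))
    return findings


if __name__ == "__main__":
    for cluster, name, ip, reasons in audit_hosts(SAMPLE_XML):
        print(f"{cluster}: {name} ({ip}): {'; '.join(reasons)}")
```
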

