On 8/6/2017 1:09 PM, lemonni...@ulrar.net wrote:
Are your gluster nodes physically isolated on their own network/switch?
Nope, impossible to do for us
ok, yes, that makes it much harder to secure.
You should add VLANS, and/or overlay networks and/or Mac Address
filtering/locking/security which raises the bar quite a bit for hackers.
Perhaps your provider can help you with that.
Then there is the Gluster Auth stuff, which is cert based as I recall.
Unfortunately, I don't have any experience with it as we have relied on
unique seperate physical networks for our clusters.
Hackers (and us) can't even get to our Gluster boxes except via IP/KVM
or the client itself.
I'm now curious as to what you find and am thinking we should be looking
at the Gluster Auth protocols as well.
In other words can an outsider access them directly without having to
compromise a NFS client machine first?
Yes, but we don't have any NFS client, only libgfapi.
I added a bunch of iptables rules to prevent that from happening, if
they did use NFS which I am unsure of. If they used something else to
access the volume though, who knows .. It hasn't been re-hacked since so
that's a good sign.
Well if you aren't using it, then turn NFS off. I think NFS is turned
off by default in the new versions anyway in favor of NFS-Ganesha.
But the original question remains, did they get into just the Gluster
boxes or are they in the Client already?
Unless they rooted the boxes and cleaned the logs, there should be some
traces of activity in the various system and gluster logs. The various
root kit checker programs may find something (chkrootkit)
Gluster-users mailing list