On 8/6/2017 1:09 PM, lemonni...@ulrar.net wrote:

Are your gluster nodes physically isolated on their own network/switch?
Nope, impossible to do for us

ok, yes, that makes it much harder to secure.

You should add VLANs, and/or overlay networks and/or MAC address filtering/locking/security, which raises the bar quite a bit for hackers. Perhaps your provider can help you with that.

Then there is the Gluster Auth stuff, which is cert based as I recall. Unfortunately, I don't have any experience with it as we have relied on unique separate physical networks for our clusters. Hackers (and us) can't even get to our Gluster boxes except via IP/KVM or the client itself.

I'm now curious as to what you find and am thinking we should be looking at the Gluster Auth protocols as well.

In other words can an outsider access them directly without having to
compromise a NFS client machine first?

Yes, but we don't have any NFS client, only libgfapi.
I added a bunch of iptables rules to prevent that from happening, if
they did use NFS which I am unsure of. If they used something else to
access the volume though, who knows .. It hasn't been re-hacked since so
that's a good sign.

Well, if you aren't using it, then turn NFS off. I think NFS is turned off by default in the new versions anyway in favor of NFS-Ganesha.

But the original question remains: did they get into just the Gluster boxes, or are they in the Client already?

Unless they rooted the boxes and cleaned the logs, there should be some traces of activity in the various system and gluster logs. The various rootkit checker programs may find something (chkrootkit).


Gluster-users mailing list
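
An added example, not part of the thread or of the Gluster project's code: a small audit of `gluster volume info` output for the settings discussed above (built-in NFS, address restrictions, TLS). The sample output is constructed, and the defaults assumed for unset options (`auth.allow` of `*`, SSL off) are assumptions to check against your version.

```python
# Constructed sample of `gluster volume info` output (not from the thread).
SAMPLE = """\
Volume Name: vmstore
Bricks:
Brick1: node1:/data/brick1/vmstore
Options Reconfigured:
nfs.disable: off
performance.readdir-ahead: on

Volume Name: backups
Bricks:
Brick1: node1:/data/brick2/backups
Options Reconfigured:
nfs.disable: on
auth.allow: 10.0.5.11,10.0.5.12
client.ssl: on
server.ssl: on
"""

def parse_volumes(text):
    """Return {volume: {option: value}} from the 'Options Reconfigured' blocks."""
    volumes, opts, in_opts = {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Volume Name:"):
            name = line.split(":", 1)[1].strip()
            opts, in_opts = volumes.setdefault(name, {}), False
        elif line == "Options Reconfigured:":
            in_opts = True
        elif in_opts and opts is not None and ": " in line:
            key, value = line.split(": ", 1)
            opts[key] = value.strip()
    return volumes

def audit(opts):
    """Findings for one volume; unset options fall back to assumed defaults."""
    found = []
    nfs = opts.get("nfs.disable")
    if nfs is None:
        found.append("nfs.disable unset: built-in NFS follows the version default")
    elif nfs.lower() not in ("on", "true", "yes", "enable", "1"):
        found.append("built-in NFS server is enabled")
    if opts.get("auth.allow", "*") == "*":  # assumed default: allow all
        found.append("auth.allow is '*': any address may connect")
    for side in ("client.ssl", "server.ssl"):  # assumed default: off
        if opts.get(side, "off").lower() != "on":
            found.append(side + " is not on: no TLS on the I/O path")
    return found

def audit_all(text):
    return {name: audit(o) for name, o in parse_volumes(text).items()}
```

On a real node, pass the captured output of `gluster volume info` to `audit_all` in place of `SAMPLE`.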
