Linode Forum
https://forum.linode.com/

How secure is the backend (private) network?
https://forum.linode.com/viewtopic.php?f=19&t=3408

Author:  basilisk [ Sun Jul 27, 2008 3:46 pm ]
Post subject:  How secure is the backend (private) network?

Hi there - I've read some posts about this topic, but not getting completely clear on this:

Is my linode's backend network connection visible to other linodes on the backend network? I.e. could a rogue linode user scan all 192.168.x.x backend IPs for open ports, memcache daemons, MySQL servers with no root password etc. and potentially wreak havoc?

If so, can I configure iptables to prevent that?

Thanks for your input,
Markus

Author:  mwalling [ Sun Jul 27, 2008 8:16 pm ]
Post subject:  Re: How secure is the backend (private) network?

basilisk wrote:
Is my linode's backend network connection visible to other linodes on the backend network? I.e. could a rogue linode user scan all 192.168.x.x backend IPs for open ports, memcache daemons, MySQL servers with no root password etc. and potentially wreak havoc?


Yes, just like they could with your public address.

basilisk wrote:
If so, can I configure iptables to prevent that?


Yes, just like you can with your public interface.

Author:  basilisk [ Sun Jul 27, 2008 9:21 pm ]
Post subject: 

Thanks - so I'd then be wondering how other users handle that in practice, as things look a bit different on the backend than on the public interface, for example memcached has no built-in password protection, and you can't tunnel it as that would slow it down quite significantly.

So would IP filtering be the method of choice there, or are there other options? Filtering by specific IPs would of course require that whenever I add/remove nodes to my cluster that I add/remove rules from every other node's iptables. Or can I get an IP range and then filter by mask?

Author:  Borealid [ Sun Jul 27, 2008 11:24 pm ]
Post subject: 

You could use IPSec with AH and a "require" policy. If you've got the time and the expertise.

Or any other VPN solution, if you don't mind the overhead of encryption you don't need.

Author:  MrRx7 [ Mon Jul 28, 2008 4:50 am ]
Post subject: 

A start would be to deny all traffic from the internal NIC but your own friendly IP, then move on to content filters/rules.

A VPN tunnel is an OK idea, but mildly overkill.

Author:  mwalling [ Mon Jul 28, 2008 8:50 am ]
Post subject: 

The bridges on the hosts filter traffic to only allow your node to see traffic intended for it (to prevent you from going promiscuous).
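
The allowlist approach suggested above (accept only your own nodes on the private address, drop everything else), as an added example that is not from any poster in this thread. The chain name `PRIVATE-IN`, the function names and the sample addresses are assumptions; the rules live in their own chain so that adding or removing a cluster node only means regenerating that chain on each node.

```shell
#!/bin/sh
# Added example, not from the thread: render an iptables-restore fragment that
# accepts private-network traffic only from listed peer nodes.
# Assumptions: chain name PRIVATE-IN; peers are given as IPv4 addresses.
#
# One-time setup per node (placeholder address, use your own private IP):
#   iptables -N PRIVATE-IN
#   iptables -A INPUT -d <private-ip> -j PRIVATE-IN
# After every cluster change (constructed sample addresses):
#   render_chain 192.168.130.10 192.168.131.22 | iptables-restore --noflush
# With --noflush only the user-defined chain declared in the input is emptied
# and refilled; the rest of the ruleset is left alone.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets (safe: no glob chars left)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# render_chain PEER...: print the ruleset; print nothing and fail on bad input,
# so a typo can never produce a half-written (or injected) rule file.
render_chain() {
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 1; }
    done
    echo '*filter'
    echo ':PRIVATE-IN - [0:0]'
    # Replies to connections this node opened itself.
    echo '-A PRIVATE-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for peer in "$@"; do
        echo "-A PRIVATE-IN -s $peer -j ACCEPT"
    done
    # Everything else arriving on the private address is dropped.
    echo '-A PRIVATE-IN -j DROP'
    echo 'COMMIT'
}
```

Matching on the destination address rather than an interface name keeps the rules valid when the private IP is configured as an alias on the public interface.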

All times are UTC-04:00