So we have our linode manager locked down to only 4 ips that can access the manager.

Using the Android app, I can access the manager from an ip not on our list.

- got an updated list of linodes (bought more today that I know wouldn't have been cahced)

- was able to issue a reboot command on a node.

might have been a fluke - but I was able to order a reboot...

Host Job Queue (more)
Success
System Boot - My PV-GRUB el5-xen
Entered: 9 minutes 22 seconds ago - Took: 6 seconds
Success
System Shutdown
Entered: 9 minutes 22 seconds ago - Took: 29 seconds

Then couple minutes later, the app was denied due to authentication.

tried it from 3G , so for sure the IP was never authorized.

I was able to shut down a node.

This behavior might be intentional.

Mobile devices tend to change IP addresses quite often. If you had to whitelist your dynamically assigned IP every time your phone picked up another station's signal, the mobile app would be very annoying to use.

I don't think its intentional, it eventually gets blocked , but only after someone who found your phone deleted your node.

Its probably running through a proxy that is whitelisted by linode. Only ask for authentication after a transaction.

I also doubt its intentional - why have a deny list on the manager if the mobile app just bypasses it? security wise, having a mobile device accessing the manager makes it even harder to stop than someone from a fixed IP....

Pretty sure the Android app (which was written by someone not-Linode) uses the API, and the IP-based whitelisting only applies to the dashboard web interface.

_________________

/* TODO: need to add signature to posts */

It's definitely written by someone not-linode (who posts here), it definitely uses the API. I'm pretty sure you're correct that the IP whitelist applies only to the dashboard.

Yes -- only the dashboard.

_________________
/ Peter

the app does get blocked after a couple minutes (just FYI)...