Fwd: [ceph-users] Inherent insecurity of OSD daemons when using only a "public network"

Willem Jan Withagen <wjw@xxxxxxxxxxx> · Fri, 13 Jan 2017 09:32:29 +0100

Hi,

This is an observation on the user-list.
And I do agree with it whole hartedly.

And it stems from the first binding where 0.0.0.0 is used to bind.
>From the top of my head somewhere in msg/async. It starts out with
0.0.0.0 but on rebinds it binds to an actual ipnr.

If the idea here is that we need to bind to either private/public IP, I
can look into that.

--WjW

-------- Forwarded Message --------
Subject: [ceph-users] Inherent insecurity of OSD daemons when using only
a "public network"
Date: Fri, 13 Jan 2017 17:07:13 +0900
From: Christian Balzer <chibi@xxxxxxx>
Organization: FusionGOL
To: ceph-users <ceph-users@xxxxxxxxxxxxxx>

Hello,

Something I came across a while agao, but the recent discussion here
jolted my memory.

If you have a cluster configured with just a "public network" and that
network being in RFC space like 10.0.0.0/8, you'd think you'd be "safe",
wouldn't you?

Alas you're not:
---
root@ceph-01:~# netstat -atn |grep LIST |grep 68
tcp        0      0 0.0.0.0:6813            0.0.0.0:*
LISTEN     tcp        0      0 0.0.0.0:6814            0.0.0.0:*
      LISTEN     tcp        0      0 10.0.0.11:6815          0.0.0.0:*
            LISTEN     tcp        0      0 10.0.0.11:6800
0.0.0.0:*               LISTEN     tcp        0      0 0.0.0.0:6801
      0.0.0.0:*               LISTEN     tcp        0      0
0.0.0.0:6802            0.0.0.0:*               LISTEN     etc..
---

Something that people most certainly would NOT expect to be the default
behavior.

Solution, define a complete redundant "cluster network" that's identical
to the public one and voila:
---
root@ceph-02:~# netstat -atn |grep LIST |grep 68
tcp        0      0 10.0.0.12:6816          0.0.0.0:*
LISTEN     tcp        0      0 10.0.0.12:6817          0.0.0.0:*
      LISTEN     tcp        0      0 10.0.0.12:6818          0.0.0.0:*
            LISTEN     etc.
---

I'd call that a security bug, simply because any other daemon on the
planet will bloody bind to the IP it's been told to in its respective
configuration.

The above is with Hammer, any version.

Christian
-- 
Christian Balzer        Network/Systems Engineer
chibi@xxxxxxx   	Global OnLine Japan/Rakuten Communications
http://www.gol.com/
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html