Re: Volume hacked

On Mon, Aug 7, 2017 at 2:17 PM, <lemonnierk@xxxxxxxxx> wrote:
On Mon, Aug 07, 2017 at 10:40:08AM +0200, Arman Khalatyan wrote:
> Interesting problem...
> Did you consider an insider job? (comes to mind http://verelox.com
> <https://t.co/dt1c78VRxA> recent troubles)

I would be really really surprised, we are only 5 / 6 with access and as
far as I know no one has a problem with the company.
The last person to leave did so last year, and we revoked everything (I
hope). And I can't think of a reason they'd leave the website of a
Hungarian company in there, we contacted them and they think it's one
of their ex-employees trying to cause them problems.
I think we were just unlucky, but I'd really love to confirm how they
did it.


For any filesystem access through GlusterFS, a successful handshake at the server-side is mandatory.

You should have the log of the clients connected to these server machines in brick logs (mostly at /var/log/glusterfs/bricks/*.log), check them for any external IP.

Gluster doesn't provide any extra protection right now, other than what is provided by the POSIX standard (i.e., user access control). So, if a user is 'root' on his machine, and there is a no_root_squash option, then technically he can delete all the files in the volume, if he can mount the volume. The major 'authentication' controls provided are IP-based authentication.

At this time, if your volume didn't have more granular control on 'auth.allow' options, then we can check the log and try to understand which client caused this.

Regards,
Amar


>
> On Mon, Aug 7, 2017 at 3:30 AM, W Kern <wkmail@xxxxxxxxx> wrote:
>
> >
> >
> > On 8/6/2017 4:57 PM, lemonnierk@xxxxxxxxx wrote:
> >
> >
> > Gluster already uses a vlan, the problem is that there is no easy way
> > that I know of to tell gluster not to listen on an interface, and I
> > can't not have a public IP on the server. I really wish there was a
> > simple "listen only on this IP/interface" option for this
> >
> >
> > What about this?
> >
> > transport.socket.bind-address
> >
> > I know there were some BZs on it with earlier Gluster versions, so I assume it's still there now.
> >
> > -bill
> >
> >
> >
> >
> > _______________________________________________
> > Gluster-users mailing list
> > Gluster-users@xxxxxxxxxxx
> > http://lists.gluster.org/mailman/listinfo/gluster-users
> >

--
Amar Tumballi (amarts)
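
The brick-log check suggested in this reply can be scripted. The following is an added example, not part of the original message or of GlusterFS: it flags every IPv4 address found in a log that lies outside a trusted set of networks. The trusted ranges and the sample lines are assumptions constructed for illustration; real brick log lines differ by version, so the script matches any IPv4 token rather than one specific message format.

```python
import ipaddress
import re

# Assumption: networks that legitimate Gluster clients and peers live on.
TRUSTED_NETS = ("10.0.0.0/8", "127.0.0.0/8")

# An IPv4-looking token that is not part of a longer dotted number.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed, simplified sample lines (not real GlusterFS output).
SAMPLE = [
    "[2017-08-06 21:03:11] I accepted client from 10.0.0.12:49150",
    "[2017-08-06 23:41:52] I accepted client from 203.0.113.45:1021",
    "[2017-08-06 23:58:07] I disconnecting connection from 203.0.113.45:1021",
    "[2017-08-07 00:10:00] I version 3.8.4, malformed token 999.1.1.1",
]


def untrusted_addresses(lines, trusted=TRUSTED_NETS):
    """Return {address: [line numbers]} for every IPv4 address in `lines`
    that falls outside all of the trusted CIDR ranges."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = {}
    for lineno, line in enumerate(lines, 1):
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # looks like an address but is not one (e.g. 999.1.1.1)
            if not any(addr in net for net in nets):
                hits.setdefault(str(addr), []).append(lineno)
    return hits


if __name__ == "__main__":
    import sys

    # Pass brick log paths as arguments; with none, the sample above is used.
    sources = {p: open(p, errors="replace") for p in sys.argv[1:]}
    for name, lines in (sources or {"<sample>": SAMPLE}).items():
        for addr, where in sorted(untrusted_addresses(lines).items()):
            print(f"{name}: {addr} on {len(where)} line(s), first at line {where[0]}")
```

Set `TRUSTED_NETS` to the storage VLAN and any other ranges clients are expected to connect from before running it against the files under /var/log/glusterfs/bricks/.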