Comments (10)
from gluster-kubernetes.
@humblec thanks for the quick reply. Is there any environment variable to turn SSH off, or should I run some command in each container of the daemonset?
from gluster-kubernetes.
I see this is a bit of an old ticket, but a client of mine just got hit with bandwidth overages of $900.
I wasn't aware of the following:
- another copy of sshd was running and open to the internet on port 2222 for no reason
- that sshd_config allowed for passwords (really)
- that password was easy enough to be brute forced in a relatively quick manner by this botnet.
This was thankfully only a lab/dev cluster, and I'm not upset with any of you guys, more at the host for failing to mention anything about this, they surely knew about it.
So I had a node with an infected container containing a botnet called BillGates. And of course this is lovely because we know this container usually runs as a daemonset, in hostnetwork, privileged mode.
Is there anything I can help contribute to make this a more minimal image? Is SystemD really necessary in a container (is that a hard requirement for lvm or something)? And maybe ssh should not be on by default for kubernetes since it's not even necessary.
I saved a lot of information and the binaries/exported container from the infection if anyone wants to review it, but it's pretty simple: it brute-forced the root password of the glusterfs container running sshd and set up shop in /etc/init.d. If you would like any of it, just let me know.
from gluster-kubernetes.
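An added example, not part of the thread or of the gluster image: a shell check for the sshd_config settings reported in the comment above (listening port, password authentication, root login). The function name and the sample file are constructed for illustration. The defaults are upstream OpenSSH 7.0+ values, assumed when a keyword is absent.

```shell
#!/usr/bin/env bash
# Added example: summarise the global sshd_config settings behind the incident
# described above. For most keywords sshd keeps the FIRST value it reads, so a
# later "PasswordAuthentication no" does not override an earlier "yes".
# Port is additive. Match blocks and Include files are not evaluated here.

audit_sshd_config() {
  # Fields are split on whitespace or '='.
  awk -F'[ \t=]+' '
    BEGIN {
      # Upstream OpenSSH (7.0+) defaults, used when a keyword is absent.
      val["passwordauthentication"] = "yes"
      val["permitrootlogin"] = "prohibit-password"
    }
    { sub(/^[ \t]+/, "") }              # drop indentation so $1 is the keyword
    /^(#|$)/ { next }                   # skip comments and blank lines
    { key = tolower($1) }               # keywords are case-insensitive
    key == "match" { exit }             # global section ends at first Match
    key == "port" { ports = ports (ports ? "," : "") $2; next }
    (key in val) && !(key in seen) { val[key] = tolower($2); seen[key] = 1 }
    END {
      print "ports=" (ports ? ports : "22")
      print "passwordauthentication=" val["passwordauthentication"]
      print "permitrootlogin=" val["permitrootlogin"]
      risky = (val["passwordauthentication"] == "yes" && \
               val["permitrootlogin"] == "yes")
      print "root_password_login=" (risky ? "ENABLED" : "disabled")
      exit risky                        # non-zero status flags the finding
    }
  ' "$1"
}

# Constructed sample mirroring the settings reported in the thread, plus a
# trailing "no" that looks like a fix but is ignored (first value wins).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 2222' 'PermitRootLogin yes' \
  'PasswordAuthentication yes' 'PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "finding: root can log in with a password"
rm -f "$sample"
```

Run it against the config inside the running container; `sshd -T` gives the authoritative effective configuration when the sshd binary is available.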
@joeblackwaslike @webwurst the password had already been disabled in the gluster container and the images were rebuilt some time back. Maybe they haven't pulled the latest images.
from gluster-kubernetes.
@mcapuccini Sorry this has sat silent so long. Did you manage to find a suitable solution?
from gluster-kubernetes.
@jarrpa I ended up making my own containers, but I'd be happy to switch to the official one if there is a way to turn off ssh when I start the container.
from gluster-kubernetes.
@mcapuccini I think building a different container would be the only reasonable way to do this. Though, just thinking off the top of my head: if there was a startup script that called init instead of calling init directly, we could detect an environment variable that would allow us to disable sshd... however, then the container is still telling Docker that it's listening on port 2222 (via EXPOSE), wouldn't it?
from gluster-kubernetes.
@mcapuccini hopefully soon. We are revisiting gluster/gluster-containers#18
from gluster-kubernetes.
I heard of another case like this. But there the hoster took down the node after it got infected.
from gluster-kubernetes.
While we have at least reached an update, the resolution of this issue lies in https://github.com/gluster/gluster-containers . Closing this issue.
from gluster-kubernetes.