How secure is the backend (private) network?
Is my linode's backend network connection visible to other linodes on the backend network? I.e. could a rogue linode user scan all 192.168.x.x backend IPs for open ports, memcache daemons, MySQL servers with no root password etc. and potentially wreak havoc?
If so, can I configure iptables to prevent that?
Thanks for your input,
Markus
5 Replies
@basilisk:
Is my linode's backend network connection visible to other linodes on the backend network? I.e. could a rogue linode user scan all 192.168.x.x backend IPs for open ports, memcache daemons, MySQL servers with no root password etc. and potentially wreak havoc?
Yes, just like they could with your public address.
@basilisk:
If so, can I configure iptables to prevent that?
Yes, just like you can with your public interface.
So would IP filtering be the method of choice there, or are there other options? Filtering by specific IPs would of course require that whenever I add/remove nodes to my cluster that I add/remove rules from every other node's iptables. Or can I get an IP range and then filter by mask?
Or any other VPN solution, if you don't mind the overhead of encryption you don't need.
A VPN tunnel is an OK idea, but mildly overkill.
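The per-node filtering asked about above, as an added example that is not part of the original thread: a script that builds a dedicated iptables chain admitting 192.168.x.x traffic only from listed cluster peers, so that adding or removing a node means reloading one chain rather than editing rules by hand. The chain name BACKEND and the peer addresses are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Peer addresses are constructed;
# the chain name BACKEND is an assumption.

# Succeeds only for a well-formed dotted quad inside 192.168.0.0/16.
is_backend_ip() {
    case $1 in 192.168.*.*) ;; *) return 1 ;; esac
    rest=${1#192.168.}
    for octet in "${rest%%.*}" "${rest#*.}"; do
        case $octet in
            ''|*[!0-9]*|0?*) return 1 ;;   # empty, non-digit, leading zero
        esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an iptables-restore fragment defining the BACKEND chain:
# replies to our own connections, listed peers, then drop the rest.
gen_backend_chain() {
    for ip in "$@"; do
        is_backend_ip "$ip" || { echo "not a backend address: $ip" >&2; return 1; }
    done
    echo '*filter'
    echo ':BACKEND - [0:0]'
    echo '-A BACKEND -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        echo "-A BACKEND -s $ip/32 -j ACCEPT"
    done
    echo '-A BACKEND -j DROP'
    echo 'COMMIT'
}

# Dry run with constructed peers; prints the fragment, changes nothing.
gen_backend_chain 192.168.130.10 192.168.140.22

# To apply as root (in this order):
#   gen_backend_chain <peers...> | iptables-restore --noflush
#   iptables -I INPUT -s 192.168.0.0/16 -j BACKEND    # once only
# Re-running the first command after a node joins or leaves refills
# BACKEND in place; the INPUT jump and all other rules stay untouched.
```

Matching on the source range rather than an interface name keeps the rules independent of how the private address is attached to the host.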