Android app bypasses IP security.
Using the Android app, I can access the manager from an IP not on our list.
Got an updated list of Linodes (bought more today that I know wouldn't have been cached).
Was able to issue a reboot command on a node.
8 Replies
Host Job Queue (more)
Success
System Boot - My PV-GRUB el5-xen
Entered: 9 minutes 22 seconds ago - Took: 6 seconds
Success
System Shutdown
Entered: 9 minutes 22 seconds ago - Took: 29 seconds
Then a couple of minutes later, the app was denied due to authentication.
I was able to shut down a node.
Mobile devices tend to change IP addresses quite often. If you had to whitelist your dynamically assigned IP every time your phone picked up another station's signal, the mobile app would be very annoying to use.
@hybinet:
This behavior might be intentional.
Mobile devices tend to change IP addresses quite often. If you had to whitelist your dynamically assigned IP every time your phone picked up another station's signal, the mobile app would be very annoying to use.
I don't think it's intentional, it eventually gets blocked, but only after someone who found your phone deleted your node.
It's probably running through a proxy that is whitelisted by Linode. Only ask for authentication after a transaction.
I also doubt it's intentional - why have a deny list on the manager if the mobile app just bypasses it? Security-wise, having a mobile device accessing the manager makes it even harder to stop than someone from a fixed IP….
@hoopycat:
Pretty sure the Android app (which was written by someone not-Linode) uses the API, and the IP-based whitelisting only applies to the dashboard web interface.
It's definitely written by someone not-Linode (who posts here), it definitely uses the API. I'm pretty sure you're correct that the IP whitelist applies only to the dashboard.
@glg:
I'm pretty sure you're correct that the IP whitelist applies only to the dashboard.
Yes – only the dashboard.