What's new Cloud Manager Nov 28:
Ports 8023 and 49000 are no longer open on Cloud Volumes ONTAP systems in Azure for both single node systems and HA pairs.
Looks like it's fixed now...
On Tue, Nov 30, 2021, 16:39 Scott Eno via Toasters toasters@teaparty.net wrote:
---------- Forwarded message ----------
From: Scott Eno cse@hey.com
To: Toasters toasters@teaparty.net
Cc:
Bcc:
Date: Tue, 30 Nov 2021 10:35:37 -0500
Subject: wide open telnet on azure cluster interconnects

Hi,
After running port scans we found that our Azure Cloud Volume ONTAP HA pairs are accessible via passwordless telnet over the cluster interfaces which normally would be on a private network connected to a cluster switch, or node-to-node in switchless config.
These CVO HA pairs were built with Cloud Manager and it **should** have set up those interfaces to a private network instead of using the subnet provided to it for all the other accessible interfaces.
No question here, just for everyone's info and discussion.
If one telnets to the IP of a cluster interconnect, port 8023, it drops you into the nodeshell with no authentication. I can't find an option to disable telnet and not sure if I should. Would anything break? I don't know. I figure the quickest solution is to set a deny for port 8023 on the NSG for the resource group, or worst case, try to figure out how to re-ip the cluster interconnects to a 169.. private network.
---------- Forwarded message ----------
From: Scott Eno via Toasters toasters@teaparty.net
To: Toasters toasters@teaparty.net
Cc:
Bcc:
Date: Tue, 30 Nov 2021 15:35:42 GMT
Subject:
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
https://www.teaparty.net/mailman/listinfo/toasters
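An added example, not part of the original thread: a small Python check of the NSG deny rule for port 8023 suggested above, run against constructed rules shaped like `az network nsg rule list -o json` output. The deny rule's name and priority are assumptions, and the check matches on direction, protocol and port only, ignoring address prefixes.

```python
# Added example: decides which NSG inbound rule governs the ports named in the thread.
# All rule data below is constructed; names and priorities are assumptions.

WATCHED_PORTS = (8023, 49000)  # ports named in the Cloud Manager release note

def port_in_range(port, spec):
    """True if port matches an NSG port spec: '*', '8023' or '8000-8100'."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def rule_ports(rule):
    """NSG rules carry either a single port range or a list of ranges."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    return ranges

def inbound_decision(rules, port, protocol="Tcp"):
    """Return (access, rule name) of the first matching inbound rule by priority."""
    inbound = [r for r in rules if r["direction"] == "Inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if any(port_in_range(port, spec) for spec in rule_ports(rule)):
            return rule["access"], rule["name"]
    return "Deny", "implicit"

def audit(rules):
    """Map each watched port to the rule that decides it."""
    return {port: inbound_decision(rules, port) for port in WATCHED_PORTS}

# Constructed sample: Azure's default inbound rules for intra-VNet traffic.
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "destinationPortRange": "*"},
]
# Constructed sample: a deny for port 8023 only, evaluated before the default allow.
DENY_RULE = {"name": "deny-nodeshell-telnet", "priority": 100, "direction": "Inbound",
             "access": "Deny", "protocol": "Tcp", "destinationPortRange": "8023"}

if __name__ == "__main__":
    print("before:", audit(DEFAULT_RULES))
    print("after: ", audit(DEFAULT_RULES + [DENY_RULE]))
```

With only the 8023 deny in place, the audit still reports port 49000 as allowed by the default intra-VNet rule.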
Thank you sir! Good to know this won't be a concern going forward.
On December 2, 2021, Sebastian Goetze spgoetze@gmail.com wrote:
What's new Cloud Manager Nov 28:
Ports 8023 and 49000 are no longer open on Cloud Volumes ONTAP systems in Azure for both single node systems and HA pairs.
Looks like it's fixed now...
On Tue, Nov 30, 2021, 16:39 Scott Eno via Toasters toasters@teaparty.net wrote:
---------- Forwarded message ----------
From: Scott Eno cse@hey.com
To: Toasters toasters@teaparty.net
Cc:
Bcc:
Date: Tue, 30 Nov 2021 10:35:37 -0500
Subject: wide open telnet on azure cluster interconnects

Hi,
After running port scans we found that our Azure Cloud Volume ONTAP HA pairs are accessible via passwordless telnet over the cluster interfaces which normally would be on a private network connected to a cluster switch, or node-to-node in switchless config.
These CVO HA pairs were built with Cloud Manager and it **should** have set up those interfaces to a private network instead of using the subnet provided to it for all the other accessible interfaces.
No question here, just for everyone's info and discussion.
If one telnets to the IP of a cluster interconnect, port 8023, it drops you into the nodeshell with no authentication. I can't find an option to disable telnet and not sure if I should. Would anything break? I don't know. I figure the quickest solution is to set a deny for port 8023 on the NSG for the resource group, or worst case, try to figure out how to re-ip the cluster interconnects to a 169.. private network.