[TOP TIP] The Linode Private Network/IP is not private at all

The Linode servers come with the ability to have an extra private IP address, so if you own multiple Linode servers in the same data centre, you can have them talk to each other via their private IP addresses. Fast, reliable communication that happens away from the public internet, and it's private… but the word private is very loosely defined in this case.

Unfortunately, a private IP address gives EVERYONE on the same data centre access to your Linode server, not just your own servers.

The implications are very important. Many admins don't know this, so they don't take extra steps to secure their servers; for example, a quick scan shows that many leave open access to SQL databases on port 3306. The same issue affected many recent hacks of Amazon's AWS services and unprotected S3 buckets: the admins failed to understand how accessible their servers are within the Amazon private network.

For the fun of it, I left some HTTP/HTTPS ports open to see what comes through the private network; here are some examples:

"HEAD / HTTP/1.1"
"GET /sftp-config.json HTTP/1.1"
"GET /wp-login.php HTTP/1.1"

While they seem like simple scans to detect WordPress or badly configured software, this is only the tip of the iceberg, since the scans for SQL databases are a lot scarier because they can quickly detect badly configured databases with no root password.

What is interesting is that many of those scans also come via public internet interfaces, for example:

li276-166.members.linode.com - - [] "HEAD /wp-login.php HTTP/1.1"
li1447-246.members.linode.com - - [] "GET /sftp-config.json HTTP/1.1"

If you are using CentOS, it is easy to use firewalld to define rules for the private interface. The most secure thing to do is to limit access based on IP address, something easy to maintain with Ansible.
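As an added example of the firewalld approach described above (not code from the original post), the script below accepts the database port only from an explicit list of trusted neighbours and drops it for the rest of the shared range. The peer addresses, the 192.168.0.0/16 range and port 3306 are constructed for illustration, and the helper names (`build_rich_rules`, `apply_rules`, `is_ipv4`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): restrict a service on a Linode
# private IP to an explicit list of trusted neighbours using firewalld rich rules.
# All addresses below are constructed for illustration.
set -eu

PRIVATE_NET="192.168.0.0/16"                      # assumed shared private range
SERVICE_PORT="3306"                               # MySQL, the port scanned in the post
ALLOWED_PEERS="192.168.201.10 192.168.201.11"     # your own Linodes' private IPs

# Reject anything that is not a plain dotted-quad address so a bad entry in the
# allow list cannot smuggle extra rule syntax into firewall-cmd.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# build_rich_rules PORT NET PEER... prints one accept rule per trusted peer,
# followed by a drop rule for the whole shared range on that port. firewalld
# evaluates accept rich rules before drop rules, so listed peers get through
# and every other neighbour is silently dropped.
build_rich_rules() {
    port="$1"; net="$2"; shift 2
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "invalid peer address: $peer" >&2; return 1; }
        printf 'rule family="ipv4" source address="%s/32" port port="%s" protocol="tcp" accept\n' "$peer" "$port"
    done
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" drop\n' "$net" "$port"
}

# Install the rules permanently and reload so they take effect immediately.
apply_rules() {
    build_rich_rules "$SERVICE_PORT" "$PRIVATE_NET" $ALLOWED_PEERS |
    while IFS= read -r rule; do
        firewall-cmd --permanent --add-rich-rule="$rule"
    done
    firewall-cmd --reload
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rich_rules "$SERVICE_PORT" "$PRIVATE_NET" $ALLOWED_PEERS ;;  # dry run
esac
```

Run it with no arguments to preview the rules and with `apply` to install them. Because the rules match on source address rather than interface, they hold whether a probe arrives over the private range or (as the log lines above show) over the public interface; keep the port out of the zone's general service/port list so the drop rule is the only other path. The same list of peers is what an Ansible inventory would feed to the `firewalld` module.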

16 Replies

If the OP is correct, this sounds like a serious security issue. Is there no answer to this person's claim?

Really? Is anyone seeing this?

admin
moderator

Linode always recommended that you appropriately firewall private IP addresses because they are accessible by your neighbors.

Although, I just read through their current docs for adding private IPs and that doesn't seem to be mentioned anymore.

@Jake - Private IPs in the same DC can communicate over the private network.

The purpose of private IPs is to connect Linodes you might have in the same DC, or to set up Linodes behind a NodeBalancer, for example.

> Unfortunately, a private IP address gives EVERYONE on the same data centre access to your Linode server, not just your own servers.

To prevent this from occurring, you can set up firewall rules for your server. We have a few guides that can assist you with this option.

https://www.linode.com/docs/platform/manager/remote-access/#adding-private-ip-addresses
https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables/
https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/
https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos/

@BlueHound - Thanks for pointing that out. I've passed this on to our Docs team to see if this is something we can get added back in.

@jcardillo Just googled myself here, because I suspected that this was the case. The big question is, though: if I do SSL termination on the NodeBalancer, will the whole DC (or at least some of my neighbours) be able to listen in on the traffic between the NodeBalancer and my instances?

Also, from the documentation it wasn't clear (or I missed) that the private IP can be used with the NodeBalancer (but that's not a big deal).

I would like to bump atleta_gbt's question. Any response to this?

Linode Staff

As mentioned in the initial post, it is important to make sure your firewall is appropriately configured to protect against attacks on your private network. However, Linode filters traffic based on MAC and IP addresses, and Linode users cannot see other people's traffic. This includes your traffic between your NodeBalancer and your backend nodes. You might find our blog post about the private IP network to be helpful - there are some comments there that address this scenario :)

Hi!
Any change regarding this topic?
I am trying to connect to a VM with a database service from another one in the same DC, with no firewall rules. I can't access it.
I tried telnet to the database and got the error: No route to host.

I used nmap to try to discover open ports on my VM with the database, and only 22 is listening, but on the local machine netstat says that it is open.

Any help?

Thanks

RESOLVED

You could use IPSec to secure the traffic on the private DC network address:

https://strongswan.org

-- sw

P.S. You never assume any communication channel is private.
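As an added example of the strongSwan suggestion in the reply above (not code from that reply or from the strongSwan project), the script below renders and loads a `swanctl.conf` for a host-to-host IKEv2 association in transport mode between two private IPs, so the traffic between that pair is encrypted and authenticated even though it crosses the shared network. The addresses, identities, file path and the placeholder pre-shared key are constructed; the function names are this example's own, and it assumes a strongSwan 5.x install that uses `swanctl`.

```shell
#!/bin/sh
# Added example (not from the original reply): generate and load a strongSwan
# swanctl.conf that protects traffic between two Linode private IPs with IPsec
# transport mode. All values below are constructed placeholders.
set -eu

LOCAL_IP="192.168.201.10"                   # this host's private IP
REMOTE_IP="192.168.201.11"                  # the peer's private IP
LOCAL_ID="db-a.example.internal"            # identities used for PSK authentication
REMOTE_ID="db-b.example.internal"
PSK="REPLACE-WITH-OUTPUT-OF-openssl-rand-base64-32"   # same secret on both hosts
CONF_PATH="/etc/swanctl/conf.d/private-peer.conf"

# render_swanctl_conf LOCAL_IP REMOTE_IP LOCAL_ID REMOTE_ID PSK prints the config.
# Transport mode (not tunnel) because the endpoints are the hosts themselves;
# the traffic selectors are the two /32s, so only packets between this pair are
# covered. start_action = trap installs the policy at load time and triggers IKE
# on the first matching packet, so no plaintext reaches the peer before an SA exists.
render_swanctl_conf() {
    cat <<EOF
connections {
    private-peer {
        version = 2
        local_addrs  = $1
        remote_addrs = $2
        proposals = aes256gcm16-prfsha256-x25519
        local {
            auth = psk
            id = $3
        }
        remote {
            auth = psk
            id = $4
        }
        children {
            private-peer {
                mode = transport
                local_ts  = $1/32
                remote_ts = $2/32
                esp_proposals = aes256gcm16-x25519
                start_action = trap
            }
        }
    }
}
secrets {
    ike-private-peer {
        id-1 = $3
        id-2 = $4
        secret = "$5"
    }
}
EOF
}

# Write the file with owner-only permissions (it holds the PSK) and load it.
install_conf() {
    umask 077
    render_swanctl_conf "$LOCAL_IP" "$REMOTE_IP" "$LOCAL_ID" "$REMOTE_ID" "$PSK" > "$CONF_PATH"
    swanctl --load-all
}

case "${1:-}" in
    install) install_conf ;;
    *)       render_swanctl_conf "$LOCAL_IP" "$REMOTE_IP" "$LOCAL_ID" "$REMOTE_ID" "$PSK" ;;  # preview
esac
```

Run it on both hosts with LOCAL and REMOTE swapped on the second one; without arguments it only prints the rendered file. IPsec gives the pair confidentiality and integrity across the shared network, but it does not stop other neighbours from connecting to the database port in the clear, so the firewall allowlist on that port is still needed alongside it.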

https://www.zerotier.com/ works too; I have used it for years now.

While you can never assume, there is a difference between trusting Linode and trusting everyone on the same network.

Host-to-host solutions are hard to manage (at least without something like Consul).

Zerotier looks like a good fit, I'll see how independent it can be made from their infrastructure. (I saw you can install some component that helps with peer discovery, but as far as I can understand, even then you'll have to be able to reach their services. Which means if they go down, you probably can't join new instances to the network.)

FWIW, Linode will (hopefully this year) be starting a beta for private VLANs which, as I understand it, addresses this issue.

Although as @stevewi said, you should still not assume this is truly private and put safeguards in place.

I believe this is akin to DigitalOcean’s newly launched VPC feature.

Wait so Linode actually allow customers to probe other customers' stuff for vulns? Is it not enough that like half of china is probing 24/7, now we have to worry about local attacks as well? :(

Curious what the status is on the VLAN solution. I'm a bit appalled this is possible at all.

So, a linode user can just port scan the entire 192.168.0.0/16 B block with no repercussions? How on earth is this acceptable?

And software filtering doesn't really pass any reasonable security test; yes, it might work, but this would fail PCI just by the fact that it's possible.
