[TOP TIP] The Linode Private Network/IP is not private at all

The Linode servers come with the ability to have an extra private IP address, so if you own multiple Linode servers in the same data centre, you can have them talk to each other via their private IP addresses. Fast, reliable communication that happens away from the public internet, and it's private… but the word private is very loosely defined in this case.

Unfortunately, a private IP address gives EVERYONE on the same data centre access to your Linode server, not just your own servers.

The implications are very important. Many admins don't know this, thus they don't take extra steps to secure their servers. For example, a quick scan shows that many leave open access to SQL databases on port 3306. The same issue affected many recent hacks in Amazon's AWS services and unprotected S3 buckets: the admins failed to understand how accessible their servers are within the Amazon private network.

For the fun of it, I left open some HTTP/HTTPS ports to see what comes through the private network; here are some examples:

"HEAD / HTTP/1.1"
"GET /sftp-config.json HTTP/1.1"
"GET /wp-login.php HTTP/1.1"

While these seem like simple scans to detect WordPress or badly configured software, this is only the tip of the iceberg, since the scans for SQL databases are a lot scarier because they can quickly detect badly configured databases with no root password.

What is interesting is that many of those scans also come via public internet interfaces, for example:

li276-166.members.linode.com - - [] "HEAD /wp-login.php HTTP/1.1"
li1447-246.members.linode.com - - [] "GET /sftp-config.json HTTP/1.1"

If you are using CentOS, it is easy to use firewalld to define rules for the private interface. The most secure thing to do is to limit access based on IP address, something that is easy to maintain with Ansible.
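The firewalld approach described above, as an added example that is not the poster's own code: a source-bound zone grants port 3306 only to the private IPs of your own Linodes, and the default zone stops exposing it to everyone else in the data centre. The peer addresses and zone name are constructed placeholders, and it assumes firewalld with "public" as the default zone.

```shell
#!/bin/sh
# Restrict a service (default: mysql, port 3306) to the listed private
# IPs of your own Linodes. Every other host, public or on the shared
# private range, is refused by the default zone.
# Assumptions: firewalld is installed and "public" is the default zone.
# Peer IPs and the zone name below are constructed placeholders.

ZONE="linode-peers"           # our own zone name, not a firewalld default
SERVICE="${SERVICE:-mysql}"   # firewalld service name covering tcp/3306

# Print the firewall-cmd invocations needed; "$@" are the permitted peers.
gen_private_firewall_rules() {
    zone="$1"; service="$2"; shift 2
    echo "firewall-cmd --permanent --new-zone=$zone"
    echo "firewall-cmd --permanent --zone=$zone --add-service=$service"
    for peer in "$@"; do
        # A source-bound zone wins over the interface zone, so these
        # hosts land in $zone and get the service; nobody else does.
        # Add any other service the peers need (e.g. ssh) to $zone too,
        # since $zone replaces "public" for those sources.
        echo "firewall-cmd --permanent --zone=$zone --add-source=$peer/32"
    done
    # Ensure the default zone does not hand the service to the whole
    # world or to the rest of the shared private range.
    echo "firewall-cmd --permanent --zone=public --remove-service=$service"
    echo "firewall-cmd --reload"
}

# Execute each generated line (needs root and a running firewalld).
apply_private_firewall_rules() {
    gen_private_firewall_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || return 1
    done
}

# Stand-alone usage; the two peers are constructed example addresses.
if [ "${1:-}" = "--apply" ]; then
    apply_private_firewall_rules "$ZONE" "$SERVICE" 192.168.130.10 192.168.130.11
else
    gen_private_firewall_rules "$ZONE" "$SERVICE" 192.168.130.10 192.168.130.11
fi
```

Run without arguments to review the commands, and with --apply as root to execute them.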

6 Replies

If the OP is correct, this sounds like a serious security issue. Is there no answer to this person's claim?

Really? Is anyone seeing this?

admin
moderator

Linode always recommended that you appropriately firewall private IP addresses because they are accessible by your neighbors.

Although, I just read through their current docs for adding private IPs and that doesn't seem to be mentioned anymore.

@Jake - Private IPs in the same DC can communicate over the private network.

The purpose of private IPs is to connect Linodes you might have in the same DC, or to set up Linodes behind a NodeBalancer, for example.

Unfortunately, a private IP address gives EVERYONE on the same data centre access to your Linode server, not just your own servers.

To prevent this from occurring, you can set up firewall rules for your server. We have a few guides that can assist you with this option.

https://www.linode.com/docs/platform/manager/remote-access/#adding-private-ip-addresses
https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables/
https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/
https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos/

@BlueHound - Thanks for pointing that out. I've passed this on to our Docs team to see if this is something we can get added back in.

@jcardillo Just googled myself here, because I suspected that this was the case. The big question is, though: if I do SSL termination on the NodeBalancer, will the whole DC (or at least some of my neighbours) be able to listen in on the traffic between the NodeBalancer and my instances?

Also, from the documentation it wasn't clear (or I missed) that the private IP can be used with the NodeBalancer (but that's not a big deal).
