We are looking into Slony as the replication system for a small number of machines (<30) spread across multiple locations. Some of the locations are co-location racks within ISPs, so we are rather concerned about security. Our working assumption is that at some point at least one of the machines will become completely compromised and a malicious user will gain full root access to it. We can happily "write off" that machine (i.e. power it off remotely) and continue to operate without it in the cluster until we are able to rebuild it, but the concern is that the malicious user may be able to corrupt databases on other machines having compromised just that one machine in the network.

As I understand it, all slon daemons run with full super-user privileges, and the utility "slonik" is able to re-structure the entire replication system from any node within the network. This raises the possible scenario:

There are 4 nodes in the network: a master node and 3 slave nodes. A malicious user manages to compromise a slave node. This user then runs slonik on the compromised node to restructure the network so that the compromised slave node is now the master, and the old master and slave nodes now replicate from the compromised node. This user then deletes/corrupts the data on the compromised node, and this data is then propagated to all the other nodes in the network. At this point, what started off as an isolated incident on one remote machine has escalated to one which has taken down our entire system and will require a lot of time and effort to restore.

Can anyone comment/clarify whether the above understanding is correct, and also what preventative measures may be taken? Comments such as "Don't allow your boxes to get rooted!" are not hugely helpful, however, unless the author of the comment can provide a method of prevention that is 100% guaranteed...

Thanks in advance,
Roger
_______________________________________________ Slony1-general mailing list [email protected] http://gborg.postgresql.org/mailman/listinfo/slony1-general
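The restructuring Roger describes leaves a trace in Slony-I's own catalog: the set's origin and every node's provider change. The following is an added example (not code from the post or from the Slony project) of a topology-drift check that a trusted monitoring host could run to catch that change early. It assumes the Slony-I catalog columns `sl_set(set_id, set_origin)` and `sl_subscribe(sub_set, sub_provider, sub_receiver, sub_active)`; the two snapshots below are constructed by hand to model Roger's four-node scenario rather than read from a live cluster.

```python
"""Topology-drift audit for a Slony-I cluster (added example, not from the post).

Assumed Slony-I catalog columns (in the cluster schema, e.g. "_mycluster"):
  sl_set:       set_id, set_origin
  sl_subscribe: sub_set, sub_provider, sub_receiver, sub_active
A real deployment would SELECT these rows from a trusted node and compare them
against a baseline pinned when the cluster was built; the snapshots here are
constructed for the example.
"""

# Constructed baseline: node 1 is the origin of set 1, nodes 2-4 subscribe from it.
BASELINE = {
    "sl_set": [(1, 1)],
    "sl_subscribe": [
        (1, 1, 2, True),
        (1, 1, 3, True),
        (1, 1, 4, True),
    ],
}

# Constructed snapshot after the scenario in the post: node 3 has been made the
# origin of set 1 and the old master (node 1) and the other slaves now pull from it.
HIJACKED = {
    "sl_set": [(1, 3)],
    "sl_subscribe": [
        (1, 3, 1, True),
        (1, 3, 2, True),
        (1, 3, 4, True),
    ],
}


def audit_topology(baseline, observed):
    """Compare an observed catalog snapshot against the baseline.

    Returns a list of human-readable findings; an empty list means no drift.
    """
    findings = []

    # 1. Set origins: a moved origin is the strongest signal of a hijack.
    base_origin = {set_id: origin for set_id, origin in baseline["sl_set"]}
    obs_origin = {set_id: origin for set_id, origin in observed["sl_set"]}
    for set_id, origin in obs_origin.items():
        expected = base_origin.get(set_id)
        if expected is None:
            findings.append(f"set {set_id}: unknown set with origin node {origin}")
        elif origin != expected:
            findings.append(
                f"set {set_id}: origin moved from node {expected} to node {origin}"
            )
    for set_id in sorted(base_origin.keys() - obs_origin.keys()):
        findings.append(f"set {set_id}: set no longer exists")

    # 2. Subscriptions: keyed by (set, receiver); the provider must not change,
    #    and the former origin must never appear as a receiver.
    base_subs = {(s, r): (p, a) for s, p, r, a in baseline["sl_subscribe"]}
    obs_subs = {(s, r): (p, a) for s, p, r, a in observed["sl_subscribe"]}
    for (set_id, receiver), (provider, active) in obs_subs.items():
        if (set_id, receiver) not in base_subs:
            findings.append(
                f"set {set_id}: node {receiver} has a new subscription from node {provider}"
            )
            continue
        exp_provider, exp_active = base_subs[(set_id, receiver)]
        if provider != exp_provider:
            findings.append(
                f"set {set_id}: node {receiver} now receives from node {provider}, "
                f"expected node {exp_provider}"
            )
        if active != exp_active:
            findings.append(
                f"set {set_id}: node {receiver} subscription active={active}, "
                f"expected {exp_active}"
            )
    for set_id, receiver in sorted(base_subs.keys() - obs_subs.keys()):
        findings.append(f"set {set_id}: node {receiver} dropped its subscription")

    return findings


def origins_moved(baseline, observed):
    """Return the ids of sets whose origin differs from the baseline."""
    base_origin = dict(baseline["sl_set"])
    return sorted(s for s, o in observed["sl_set"] if base_origin.get(s) != o)


if __name__ == "__main__":
    for line in audit_topology(BASELINE, HIJACKED):
        print(line)
```

Run against the baseline the audit returns nothing; run against the hijacked snapshot it reports the moved origin, the old master's new subscription from node 3, and the re-pointed providers of nodes 2 and 4. The point of doing this from a host outside the replication set is that a node which can rewrite the cluster configuration can also rewrite any check stored on that node, so the baseline and the comparison have to live somewhere the compromised box cannot reach.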
