Gandi Docs


Using Linux
answered

Question "Gandi Agent", by Joe D.

The Gandi Agent running on port 842 within each machine is running against all interfaces. Is there any security in place to stop attacks from the internet against this port number?

Can this service be removed from xinetd without affecting the Xen/Gandi environment, or can the IP addressing with xinetd be tightened up?

Thanks
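The question asks whether the xinetd entry can be restricted by address rather than removed. The script below is an added example, not Gandi's code or configuration: it classifies an xinetd service stanza as open (listening on every interface with no client filter), restricted (a `bind`/`interface` address or an `only_from` list is set) or disabled, and writes three constructed stanzas to compare. The service name `gandi-agent`, the server path and the addresses 10.0.0.5 / 10.0.0.0/8 are placeholders, not values from the page; substitute the provider's documented management source if one exists.

```shell
#!/bin/sh
# Added example (not Gandi's code): audit an xinetd service stanza for
# network exposure and show a tightened stanza beside the exposed one.
# Service name, server path and addresses are constructed placeholders.

# check_xinetd_stanza FILE
# Prints one of:
#   disabled    "disable = yes"
#   restricted  bound to one address (bind/interface) or filtered by only_from
#   open        listens on every interface and accepts any client
check_xinetd_stanza() {
    # drop comments and normalise "key = value" to "key=value"
    norm=$(sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/=/' "$1")
    if printf '%s\n' "$norm" | grep -qi '^[[:space:]]*disable=yes'; then
        echo disabled
    elif printf '%s\n' "$norm" | grep -qiE '^[[:space:]]*(bind|interface|only_from)='; then
        echo restricted
    else
        echo open
    fi
}

DIR=$(mktemp -d)

# Exposed: no bind/only_from, so xinetd accepts from any address on any interface.
cat > "$DIR/agent-open" <<'EOF'
service gandi-agent
{
    disable     = no
    type        = UNLISTED
    socket_type = stream
    protocol    = tcp
    port        = 842
    wait        = no
    user        = root
    server      = /usr/local/sbin/gandi-agent
}
EOF

# Tightened: bind to one address and accept only the management network.
# 10.0.0.5 and 10.0.0.0/8 are constructed placeholders.
cat > "$DIR/agent-restricted" <<'EOF'
service gandi-agent
{
    disable     = no
    type        = UNLISTED
    socket_type = stream
    protocol    = tcp
    port        = 842
    wait        = no
    user        = root
    server      = /usr/local/sbin/gandi-agent
    bind        = 10.0.0.5
    only_from   = 10.0.0.0/8
}
EOF

# Turned off entirely.
cat > "$DIR/agent-disabled" <<'EOF'
service gandi-agent
{
    disable     = yes
    type        = UNLISTED
    socket_type = stream
    protocol    = tcp
    port        = 842
    wait        = no
    user        = root
    server      = /usr/local/sbin/gandi-agent
}
EOF

for f in agent-open agent-restricted agent-disabled; do
    printf '%-17s %s\n' "$f" "$(check_xinetd_stanza "$DIR/$f")"
done
```

On a live system the same check is confirmed from the socket side: `netstat -lnt` (or `ss -lnt`) showing `0.0.0.0:842` means the listener is on every interface, while a `bind` line in the stanza makes it show the chosen address instead. `only_from` is enforced by xinetd itself and is independent of any packet filter, so it is worth keeping even when a host firewall also restricts the port.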

Answer, by Wouter V. H.

I was told a few weeks ago that those Python scripts can be removed if you will maintain your installation manually. So I removed inetd altogether, including those Gandi scripts. You can also disable DHCP after copying the information of your last lease (IP, gateway, NS, etc.) into the right place: /etc/network/interfaces in Debian, probably something similar in Ubuntu. Be sure to double-check, because if you make a mistake there your machine won't come back online.
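The step above, copying the last lease into /etc/network/interfaces, is where the "double-check" warning applies. The following is an added example, not code from the page or from Gandi: it reads a dhclient lease file, takes the most recent lease (dhclient appends, so the last block wins), and prints the equivalent static ifupdown stanza plus the nameserver lines for /etc/resolv.conf. It refuses to print a stanza when the interface, address, netmask or gateway is missing, because a partial stanza is exactly the mistake that leaves the machine unreachable. The lease contents (eth0, 10.0.0.x addresses) are constructed sample data.

```shell
#!/bin/sh
# Added example (not Gandi's code): turn the most recent dhclient lease
# into a static /etc/network/interfaces stanza. Sample lease is constructed.

# lease_to_interfaces LEASEFILE
# Prints an ifupdown "iface ... inet static" stanza for the last lease in
# the file. Exits 1 and prints nothing on stdout if any required field is
# absent, so the output can never be a half-complete stanza.
lease_to_interfaces() {
    awk '
        /^[ \t]*interface /     { v = $2; gsub(/[";]/, "", v); iface = v }
        /^[ \t]*fixed-address / { v = $2; gsub(/;/, "", v);    addr = v }
        /option subnet-mask /   { v = $3; gsub(/;/, "", v);    mask = v }
        /option routers /       { v = $3; gsub(/[;,]/, "", v); gw = v }
        END {
            if (iface == "" || addr == "" || mask == "" || gw == "") {
                print "error: lease lacks interface, address, netmask or gateway" > "/dev/stderr"
                exit 1
            }
            print "auto " iface
            print "iface " iface " inet static"
            print "    address " addr
            print "    netmask " mask
            print "    gateway " gw
        }
    ' "$1"
}

# lease_nameservers LEASEFILE
# Prints "nameserver X" lines for /etc/resolv.conf from the last lease.
lease_nameservers() {
    awk '
        /option domain-name-servers / {
            s = ""
            for (i = 3; i <= NF; i++) { v = $i; gsub(/[;,]/, "", v); s = s "nameserver " v "\n" }
            ns = s
        }
        END { printf "%s", ns }
    ' "$1"
}

DIR=$(mktemp -d)

# Constructed lease file: an older lease followed by the current one.
cat > "$DIR/dhclient.leases" <<'EOF'
lease {
  interface "eth0";
  fixed-address 10.0.0.9;
  option subnet-mask 255.255.255.0;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.2;
  expire 1 2008/05/12 14:00:00;
}
lease {
  interface "eth0";
  fixed-address 10.0.0.5;
  option subnet-mask 255.255.255.0;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.2, 10.0.0.3;
  renew 2 2008/05/13 12:00:00;
  rebind 2 2008/05/13 13:00:00;
  expire 2 2008/05/13 14:00:00;
}
EOF

# Constructed incomplete lease: no routers option, so no gateway.
cat > "$DIR/broken.leases" <<'EOF'
lease {
  interface "eth0";
  fixed-address 10.0.0.7;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 10.0.0.2;
}
EOF

echo "# /etc/network/interfaces"
lease_to_interfaces "$DIR/dhclient.leases"
echo "# /etc/resolv.conf"
lease_nameservers "$DIR/dhclient.leases"
```

Review the printed stanza against the running configuration (`ifconfig eth0` and `route -n`, or `ip addr` / `ip route`) before writing it to /etc/network/interfaces, and keep the DHCP stanza in a backup copy so the change can be reverted from the console if the machine does not come back.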

Answer, by Teemu T.

My observations are based on the Ubuntu manual install. From what I could find, it seems that the Gandi Agent uses a pair of SSL keys for interaction with the Gandi server. That would indicate that it's probably not totally insecure. Still, there doesn't seem to be any harm done disabling it if the install is used manually. Disabling/removing inetd will disable the agent. However, I wouldn't disable the DHCP client like the previous poster suggested, because that's a sure way of losing contact with the system if something goes wrong or Gandi decides to make some IP pool changes. The Gandi script that updates files after a DHCP response can be disabled by removing the symlink /etc/dhcp3/dhclient-exit-hooks.d/hostname. The data disk mount script is in /etc/rc.local (lines with udevtrigger and grep) in case you want to move mounting the disk(s) to /etc/fstab.

Answer, by Wouter V. H.

It was Gandi support that told me DHCP could be disabled; your IP is supposed to be linked to your virtual server – even when it moves, they said. I didn't feel like running dhclient in a subnet with other (user) servers, and putting in a firewall rule that only allows the Gandi DHCP server is also risky in case the server's IP changes without you noticing. I guess Gandi needs some more documentation on what to do and what not to do. But thanks for your opinion. ;)

Last modified: 15 May 2008 at 21:27 by John G. (Gandi)