Sign in / up

back to article Cluster-f*ck! Etcd DBs spaff passwords, cloud keys to world by default

Software called etcd, used for storing data across clusters of containers, has a problem – it does not implement authentication by default and so poses a security risk if deployed without further fiddling. It's also rather widely used because it comes with Kubernetes, the popular container orchestration software. Giovanni …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Karlis 1

    Awesome software?

    "As we learned from the MongoDB experience this is a huge footgun that can be easily removed [from] otherwise awesome software."

    I hope he isn't implying that MongoDB is such. etcd arguably is quite good (raft!), but mongrel...

    2 1 Reply
  2. Anonymous Coward
    Anonymous Coward

    Just like Microsoft SQL2000 from nearly 20 years ago

    Blank 'sa' SQL admin password by default.

    Those who don't learn the lessons of history are doomed to repeat them.

    3 0 Reply
  3. Warm Braw

    The etcd community provides multiple guides on proper security

    People only read the documentation when something doesn't work. If it isn't secure by default, it isn't secure.

    12 0 Reply
    1. Alister
      Reply Icon

      Re: The etcd community provides multiple guides on proper security

      If it isn't secure by default, it isn't secure.

      ...and if it is secure by default, thousands of idiot developers will consciously and deliberately turn off the defaults anyway... See Amazon EC3 containers.

      10 0 Reply
  4. remainer_01

    Instant dismissal checklist:

    Any of the following is considered gross misconduct, and grounds for instant dismissal. Tick as appropriate:

    - Exposed internal service to Internet? [X]

    - Failed to properly secure service? [X]

    - Failed to properly secure sensitive information? [X]

    The large gentleman over there will see you out. We will prepare your personal belongings for collection at the reception by tomorrow morning, together with your final paycheck.

    5 0 Reply
  5. teknopaul

    exposed by default

    Seems cloud providers are slightly to blame here to me.

    My two providers spin up new vms with interfaces on the internet accessible via any protocol by default. They email you ssh details for each new vm.

    By default a new vms interface should be off the Internet accessible via some gateway for config. Individual ip ports should be opened to the Internet by request/api call.

    That is even how a home router works.

    0 0 Reply
    1. Alister
      Reply Icon

      Re: exposed by default

      I suggest you change your cloud provider.

      Neither AWS nor Azure allow open ports to a new VM, you have to configure a security policy to allow traffic.

      4 0 Reply
  6. Pascal

    mhmm...

    "it seems as if people may not be using etcd's security capabilities and leaving the ports open, which can be a problem with every database"

    Yeah but... CAN IT really? Does EVERY database really come with ports open by default that allow access with zero credentials "unless you enable some feature"?

    I'm sure we can collectively come up with at least one or two that don't quite work like that...

    1 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like