Created attachment 1775181
ddos

Providing wrong credentials on "Select migration network" causes endless DDoS login attacks on the ESXi servers.

From the ESXi server pam util:

[root@f01-h03-000-r640:~] pam_tally2 --user root
Login           Failures Latest failure     From
root             1203    05/25/21 10:10:42  unknown

From the ESXi server, from the host log:

2021-04-25T10:26:00.306Z verbose hostd[2101273] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:26:07.037Z warning hostd[2100964] [Originator@6876 sub=Default opID=2d27bddf] Rejected password for user root from 10.1.37.217
2021-04-25T10:26:10.039Z verbose hostd[2101271] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:26:19.426Z warning hostd[2101270] [Originator@6876 sub=Default opID=2d27bded] Rejected password for user root from 10.1.37.217
2021-04-25T10:26:24.429Z verbose hostd[2100746] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:26:31.864Z warning hostd[2101276] [Originator@6876 sub=Default opID=2d27be03] Rejected password for user root from 10.1.37.217
2021-04-25T10:26:34.866Z verbose hostd[2101179] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:26:42.702Z warning hostd[2101279] [Originator@6876 sub=Default opID=2d27be0c] Rejected password for user root from 10.1.37.217
2021-04-25T10:26:46.703Z verbose hostd[2100873] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:26:56.530Z warning hostd[2101270] [Originator@6876 sub=Default opID=2d27be18] Rejected password for user root from 10.1.37.217
2021-04-25T10:27:01.532Z verbose hostd[2100964] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:27:09.502Z warning hostd[2101274] [Originator@6876 sub=Default opID=2d27be23] Rejected password for user root from 10.1.37.217
2021-04-25T10:27:14.504Z verbose hostd[2101276] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:27:25.007Z warning hostd[2101273] [Originator@6876 sub=Default opID=2d27be38] Rejected password for user root from 10.1.37.217
2021-04-25T10:27:29.009Z verbose hostd[2100873] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:27:37.979Z warning hostd[2100620] [Originator@6876 sub=Default opID=2d27be46] Rejected password for user root from 10.1.37.217
2021-04-25T10:27:42.981Z verbose hostd[2101274] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:27:51.020Z warning hostd[2101276] [Originator@6876 sub=Default opID=2d27be53] Rejected password for user root from 10.1.37.217
2021-04-25T10:27:54.021Z verbose hostd[2100873] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:28:02.839Z warning hostd[2100620] [Originator@6876 sub=Default opID=2d27be5e] Rejected password for user root from 10.1.37.217
2021-04-25T10:28:05.841Z verbose hostd[2101179] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:28:14.974Z warning hostd[2101276] [Originator@6876 sub=Default opID=2d27be68] Rejected password for user root from 10.1.37.217
2021-04-25T10:28:19.976Z verbose hostd[2101271] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:28:29.321Z warning hostd[2101274] [Originator@6876 sub=Default opID=2d27be86] Rejected password for user root from 10.1.37.217

From the controller pod, on the inventory container:

[GIN] 2021/04/25 - 10:29:53 | 200 | 1.346637ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68"
[GIN] 2021/04/25 - 10:29:53 | 200 | 1.100031ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts/host-681"
[GIN] 2021/04/25 - 10:29:53 | 200 | 1.244774ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68"
[GIN] 2021/04/25 - 10:29:53 | 200 | 1.079063ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts/host-681"
[GIN] 2021/04/25 - 10:29:55 | 200 | 923.62µs | 192.168.208.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts?detail=true"
[GIN] 2021/04/25 - 10:29:55 | 200 | 1.9609ms | 192.168.208.1 | GET "/providers?detail=true"
[GIN] 2021/04/25 - 10:30:00 | 200 | 878.036µs | 192.168.208.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts?detail=true"
[GIN] 2021/04/25 - 10:30:00 | 200 | 2.207918ms | 192.168.208.1 | GET "/providers?detail=true"
[GIN] 2021/04/25 - 10:30:03 | 200 | 1.227149ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68"
[GIN] 2021/04/25 - 10:30:03 | 200 | 1.029803ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts/host-681"
[GIN] 2021/04/25 - 10:30:03 | 200 | 1.19739ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68"
[GIN] 2021/04/25 - 10:30:03 | 200 | 977.672µs | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts/host-681"
[GIN] 2021/04/25 - 10:30:05 | 200 | 878.735µs | 192.168.208.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts?detail=true"
[GIN] 2021/04/25 - 10:30:05 | 200 | 2.209821ms | 192.168.208.1 | GET "/providers?detail=true"
[GIN] 2021/04/25 - 10:30:11 | 200 | 872.443µs | 192.168.208.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts?detail=true"
[GIN] 2021/04/25 - 10:30:11 | 200 | 2.61714ms | 192.168.208.1 | GET "/providers?detail=true"
[GIN] 2021/04/25 - 10:30:13 | 200 | 1.368995ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68"
[GIN] 2021/04/25 - 10:30:13 | 200 | 980.28µs | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts/host-681"
[GIN] 2021/04/25 - 10:30:13 | 200 | 1.296882ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68"
[GIN] 2021/04/25 - 10:30:13 | 200 | 9.088538ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts/host-681"
[GIN] 2021/04/25 - 10:30:16 | 200 | 947.674µs | 192.168.208.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts?detail=true"
[GIN] 2021/04/25 - 10:30:16 | 200 | 2.007876ms | 192.168.208.1 | GET "/providers?detail=true"
[GIN] 2021/04/25 - 10:30:21 | 200 | 884.106µs | 192.168.208.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts?detail=true"
[GIN] 2021/04/25 - 10:30:21 | 200 | 1.819999ms | 192.168.208.1 | GET "/providers?detail=true"
[GIN] 2021/04/25 - 10:30:21 | 200 | 1.040994ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68"
[GIN] 2021/04/25 - 10:30:21 | 200 | 898.969µs | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts/host-681"
[GIN] 2021/04/25 - 10:30:21 | 200 | 1.193478ms | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68"
[GIN] 2021/04/25 - 10:30:21 | 200 | 927.792µs | 10.128.2.1 | GET "/providers/vsphere/5189cc20-f5b3-453c-972a-920d70e11b68/hosts/host-681

During the last weekend, the failure counts reached over 18000, which leads to locking SSH for the root user on both ESXi servers.

In order to reset the ESXi failure count, run the following:

pam_tally2 --user root --reset

Checking which host is trying to access the server, using the IP address from the hostd log:

root@f02-h07-000-r640:~$ nslookup 10.1.37.217
217.37.1.10.in-addr.arpa name = f02-h17-000-r640.rdu2.scalelab.redhat.com.

f02-h17-000-r640.rdu2.scalelab.redhat.com is one of the worker nodes:

root@f02-h07-000-r640:~$ oc get nodes
NAME                                        STATUS   ROLES    AGE   VERSION
f02-h09-000-r640.rdu2.scalelab.redhat.com   Ready    master   40d   v1.20.0+ba45583
f02-h11-000-r640.rdu2.scalelab.redhat.com   Ready    master   40d   v1.20.0+ba45583
f02-h13-000-r640.rdu2.scalelab.redhat.com   Ready    master   40d   v1.20.0+ba45583
f02-h15-000-r640.rdu2.scalelab.redhat.com   Ready    worker   40d   v1.20.0+ba45583
f02-h17-000-r640.rdu2.scalelab.redhat.com   Ready    worker   40d   v1.20.0+ba45583
f02-h18-000-r640.rdu2.scalelab.redhat.com   Ready    worker   40d   v1.20.0+ba45583
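
The symptom reported above, a steady stream of "Rejected password" entries in the hostd log from one source, can be picked out of the log mechanically. The following is an added example, not part of the original report and not forklift or VMware code; the function names and the thresholds (`min_failures`, `max_gap_s`) are assumptions chosen for illustration, and the sample input is constructed from three of the log lines quoted above plus one made-up line from a documentation address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: hostd lines in the format quoted in the report, plus one
# invented failure from 192.0.2.10 (documentation address, not from the report).
SAMPLE = """\
2021-04-25T10:26:07.037Z warning hostd[2100964] [Originator@6876 sub=Default opID=2d27bddf] Rejected password for user root from 10.1.37.217
2021-04-25T10:26:10.039Z verbose hostd[2101271] [Originator@6876 sub=Solo.Vmomi] Arg password:
2021-04-25T10:26:19.426Z warning hostd[2101270] [Originator@6876 sub=Default opID=2d27bded] Rejected password for user root from 10.1.37.217
2021-04-25T10:26:31.864Z warning hostd[2101276] [Originator@6876 sub=Default opID=2d27be03] Rejected password for user root from 10.1.37.217
2021-04-25T10:27:00.000Z warning hostd[2101276] [Originator@6876 sub=Default opID=00000000] Rejected password for user root from 192.0.2.10
"""

REJECT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z\s+\w+\s+hostd\[\d+\].*"
    r"Rejected password for user (?P<user>\S+) from (?P<src>\S+)\s*$"
)

def rejected_logins(text):
    """Group failed-login timestamps by (user, source address)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = REJECT.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
            events[(m["user"], m["src"])].append(ts)
    return events

def retry_loops(text, min_failures=3, max_gap_s=60.0):
    """Flag sources whose failures never pause longer than max_gap_s.

    Thresholds are illustrative assumptions, not ESXi lockout settings.
    """
    min_failures = max(min_failures, 2)  # at least one gap is needed
    findings = {}
    for key, stamps in rejected_logins(text).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_failures and max(gaps) <= max_gap_s:
            findings[key] = {"failures": len(stamps),
                             "mean_gap_s": sum(gaps) / len(gaps)}
    return findings

if __name__ == "__main__":
    for (user, src), info in retry_loops(SAMPLE).items():
        print(f"{user} from {src}: {info['failures']} failures, "
              f"mean gap {info['mean_gap_s']:.1f}s")
```

A regular gap of a few seconds with no pause points to an automated client retrying stored credentials rather than a person mistyping a password, which is what the reverse lookup in the report confirmed.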
Increased retry delay to 15 minutes per IMS. https://github.com/konveyor/forklift-controller/pull/242
The fix should be part of build mtv-operator-bundle-container-2.0.0-4 / iib:72115.
Tested on cloud38 with:
MTV: 2.0.0.12
CNV: 2.6.2

I have tried 4 times using the wrong credentials on the "Select migration network". On both ESXi servers the counter is correct: it shows 4 times, and over time it doesn't increase:

[root@f01-h09-000-r640:~] pam_tally2 --user root
Login           Failures Latest failure     From
root                4    05/10/21 14:03:53  unknown

[root@f01-h03-000-r640:~] pam_tally2 --user root
Login           Failures Latest failure     From
root                4    05/10/21 14:03:59  unknown
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (MTV 2.0.0 images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2021:2381