Created 06-03-2020 03:02 AM
Dr.who is running on my CDH 6.3, and I've also seen its crontab using the YARN user:
I've already removed the files for this and I want to implement some restrictions using firewalld.
How can I block this virus from running on my YARN 8088? Do I need to block the 8088 port on all nodes? And what IP addresses do I need to insert for whitelisting? Below are my current rules in firewalld:
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 8042/tcp 7191/tcp 2181/tcp 3181/tcp 4181/tcp 9010/tcp 8044/tcp 8041/tcp 8040/tcp 8091/tcp 9091/tcp 9995/tcp 9994/tcp 7184/tcp 7185/tcp 8084/tcp 8087/tcp 9087/tcp 9999/tcp 9998/tcp 9867/tcp 9866/tcp 9864/tcp 9865/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="195.3.146.118" reject
Appreciate your help on this! Thanks!
Created on 06-03-2020 07:23 AM - edited 06-03-2020 07:32 AM
Hello @Mondi,
Thank you for sharing your concerns with us. I believe you were referring to the thread under [1].
dr.who is a username used for all unauthenticated users who submit jobs to YARN. You can be subject to malware attacks when your cluster is not secured and is connected to the Internet. Please see [2] on this topic and how to remedy it.
Please always secure your cluster [3]. Make sure you enable authentication for web consoles [4] (securing your UIs). Once enabled, a secured web UI will require SPNEGO to be configured in the browser you are accessing it from, e.g. for the YARN Web UI.
Please let us know if you need more information on this topic.
Thank you:
Ferenc
[2] https://blog.cloudera.com/protecting-hadoop-clusters-from-malware-attacks/
[3] https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/security.html
[4] https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cm_sg_web_auth.html
Ferenc Erdelyi, Technical Solutions Manager
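To see which applications were submitted under the unauthenticated dr.who identity described in the reply above, the ResourceManager's application list can be filtered by user. This is an added example, not part of the original thread; it assumes the ResourceManager REST endpoint `/ws/v1/cluster/apps` on port 8088, and the sample response embedded in it is constructed.

```python
import json
import sys
import urllib.request
from datetime import datetime, timezone

ACTIVE_STATES = {"NEW", "NEW_SAVING", "SUBMITTED", "ACCEPTED", "RUNNING"}

# Constructed sample of the JSON returned by GET /ws/v1/cluster/apps
# (application ids, users and names are made up for this example).
SAMPLE = json.dumps({"apps": {"app": [
    {"id": "application_1591150000000_0001", "user": "etl_svc",
     "name": "daily-load", "state": "FINISHED", "startedTime": 1591153320000},
    {"id": "application_1591150000000_0002", "user": "dr.who",
     "name": "unnamed-job", "state": "RUNNING", "startedTime": 1591160000000},
    {"id": "application_1591150000000_0003", "user": "dr.who",
     "name": "unnamed-job", "state": "KILLED", "startedTime": 1591156400000},
]}})


def find_static_user_apps(response_text, static_user="dr.who"):
    """Return applications submitted under the unauthenticated static user."""
    # "apps" may be null when nothing matches; treat that as an empty list.
    apps = (json.loads(response_text).get("apps") or {}).get("app") or []
    hits = []
    for app in apps:
        if app.get("user") != static_user:
            continue
        started = datetime.fromtimestamp(app["startedTime"] / 1000, tz=timezone.utc)
        hits.append({"id": app["id"], "state": app["state"],
                     "active": app["state"] in ACTIVE_STATES,
                     "started_utc": started.strftime("%Y-%m-%dT%H:%M:%SZ")})
    # Oldest first, so the first entry dates the earliest unauthenticated submission.
    return sorted(hits, key=lambda h: h["started_utc"])


def fetch_apps(rm_url):
    """Read the application list from a ResourceManager you administer."""
    url = rm_url.rstrip("/") + "/ws/v1/cluster/apps"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # With no argument, run against the constructed sample above.
    text = fetch_apps(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for hit in find_static_user_apps(text):
        flag = "STILL ACTIVE" if hit["active"] else "ended"
        print(f'{hit["started_utc"]}  {hit["id"]}  {hit["state"]}  ({flag})')
```

Any entry reported as still active means jobs are still being accepted without authentication, and the earliest timestamp gives a starting point for reviewing the YARN user's crontab and files on the NodeManager hosts.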
Created 06-05-2020 06:58 AM
You would still need to secure your cluster, since any user can be impersonated in a non-kerberized cluster.
Refer to https://blog.cloudera.com/how-to-secure-internet-exposed-apache-hadoop/ for more details on securing your cluster.
Created 06-03-2020 07:02 AM
You should set YARN ACLs to restrict user access on YARN.
Please check if dr.who is part of the YARN admin ACL configurations in YARN. Remove the user in this case and set dedicated users and groups for YARN access.
Also refer
Hope this helps,
Paras
Created 06-03-2020 10:44 PM
Hi @paras, do you think this is now somehow sufficient? Only the known users are indicated on the Admin ACL; can dr.who no longer run a job in my YARN? :