LinuxQuestions.org
02-18-2014, 08:57 AM   #1
vangalli
LQ Newbie
 
Registered: Feb 2014
Posts: 1

Rep: Reputation: Disabled
PORT SCAN on Clustered environments


Hi Linux Gurus,

I have a question here.

I have one database server, for example:

THE DNS NAME: DATABASE.COMPANYNAME.COM

ACTIVE HOST: ACTIVE_HOST.COMPANYNAME.COM

PASSIVE HOST: PASSIVE_HOST.COMPANYNAME.COM

Now I want to add one new host, NEWHOST.COMPANYNAME.COM, to the infrastructure.


Requirement: I need to perform a port scan. So the easiest way is to execute the below commands from the new host NEWHOST.COMPANYNAME.COM:

telnet DATABASE.COMPANYNAME.COM 3306
telnet ACTIVE_HOST.COMPANYNAME.COM 3306


In both cases it will give SUCCESS.

Now I want to perform a port scan from NEWHOST.COMPANYNAME.COM to PASSIVE_HOST.COMPANYNAME.COM.

If I execute the below command from the new host NEWHOST.COMPANYNAME.COM:

telnet PASSIVE_HOST.COMPANYNAME.COM 3306


it will fail because MySQL is not running on PASSIVE_HOST.COMPANYNAME.COM.


So we have a utility, nc, with which I can make PASSIVE_HOST.COMPANYNAME.COM listen on 3306 by issuing the below command:

nc -lk 3306

and if I run the below command from the new host NEWHOST.COMPANYNAME.COM:

telnet PASSIVE_HOST.COMPANYNAME.COM 3306

it will succeed.



The problem I am facing is that I don't want to make my PASSIVE host listen on port 3306, because the request will be rerouted to ACTIVE as well as PASSIVE by the DNS.

So considering the above scenario, I wanted to understand if there is any possibility to scan or check if 3306 is open from NEWHOST.COMPANYNAME.COM to PASSIVE_HOST.COMPANYNAME.COM.


Sorry for the big explanation. I wanted to be more clear on my problem.

Your help is much appreciated.


Regards,
RK
 
02-18-2014, 10:36 AM   #2
hurryi
Member
 
Registered: Apr 2010
Distribution: RHEL
Posts: 77

Rep: Reputation: 8
Hello,

I am not much of a cluster expert, but I will try my best.
It would be really good to know what type of cluster software you are using.

And to be honest, the long description you gave describes not a problem but the method by which it works.
The active node probably has the virtual interface up where the application binds itself (I actually assume it binds to every interface, as ACTIVE_HOST was also a success).
I think DATABASE.COMPANYNAME.COM points to that VIP, and if failover happens or you switch manually, then it will be reachable on the other node.

If you wanted to test the firewall without changing the active node, then gj, you did it by listening with netcat and trying to connect from NEWHOST to PASSIVE; the success indicates that the services/app (mssql) will be reachable once the other node is active.

Other than that, I could only say change the mssql config for which ports you would like to bind, but that would affect all the cluster nodes and probably the clients, who are not aware that the default port is not used and would need to define that one (which they might have no idea about without some port scanning).
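
Added example (not part of either post above): a Python version of the connectivity check discussed in this thread, run from NEWHOST, that separates a completed connection from a refusal and from a silent timeout. It assumes the common case in which a host with no listener answers with a TCP reset while a filtering firewall drops packets silently; a firewall configured to reject with a reset would look the same as "refused". The name `check_tcp` and the 3-second timeout are choices made for this example.

```python
import socket

PORT = 3306  # MySQL port used throughout the thread


def check_tcp(host, port=PORT, timeout=3.0):
    """Classify one TCP connect attempt made from the machine running this.

    open        handshake completed: path allowed and a service is listening
    refused     a reset came back: packets reach the host, nothing listens
    filtered    no reply before the timeout: packets are being dropped
    unreachable name lookup or routing failed before any reply
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    # Placeholder names taken from the question; run this on NEWHOST.
    for name in ("DATABASE.COMPANYNAME.COM",
                 "ACTIVE_HOST.COMPANYNAME.COM",
                 "PASSIVE_HOST.COMPANYNAME.COM"):
        print(f"{name}:{PORT} -> {check_tcp(name)}")
```

Under the stated assumption, "refused" is the expected result for the passive node while MySQL is stopped there, and "filtered" points at a rule dropping traffic between NEWHOST and PASSIVE_HOST.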
 
  

