Event Information

Meaning

  • The event “Detect crypto miners using the Stratum protocol” indicates that there is suspicious activity related to cryptocurrency mining using the Stratum protocol within the Kubernetes cluster.
  • The Stratum protocol is commonly used by mining software to communicate with mining pools, and its presence in the cluster suggests that unauthorized mining activities may be taking place.
  • This event could be a potential security concern as unauthorized mining can consume significant computing resources, impact performance, and potentially violate compliance standards.

To investigate and mitigate this event in a Kubernetes cluster:

  1. Identify the affected pod(s) by checking the pod name and namespace mentioned in the event. Use the following command to list all pods in the cluster: 
    kubectl get pods --all-namespaces
  2. Inspect the logs of the suspicious pod(s) to gather more information about the detected Stratum protocol activity. Use the following command to view the logs of a specific pod: 
    kubectl logs <pod_name> -n <namespace>
  3. Take appropriate actions based on the findings, such as terminating the suspicious pod(s), investigating the source of the unauthorized mining software, and implementing security measures to prevent future occurrences.

Remediation

  1. Create a Kubernetes Deployment manifest file to deploy a Python script that monitors and terminates any pods using the Stratum protocol:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: stratum-monitor
spec:
  replicas: 1
  selector:
    matchLabels:
      app: stratum-monitor
  template:
    metadata:
      labels:
        app: stratum-monitor
    spec:
      containers:
      - name: stratum-monitor
        image: python:3
        command: ["python", "-u"]
        args: ["stratum_monitor.py"]
  1. Create a Python script named stratum_monitor.py that uses the Kubernetes Python API to monitor and terminate pods using the Stratum protocol:
from kubernetes import client, config

def main():
    config.load_kube_config()
    v1 = client.CoreV1Api()

    while True:
        pods = v1.list_pod_for_all_namespaces().items
        for pod in pods:
            if "stratum" in pod.metadata.name.lower():
                v1.delete_namespaced_pod(pod.metadata.name, pod.metadata.namespace)

if __name__ == "__main__":
    main()
  1. Apply the Deployment manifest file using the kubectl apply command:
kubectl apply -f stratum-monitor-deployment.yaml

Note: Make sure to have the Kubernetes Python API (kubernetes package) installed in the Python environment where the stratum_monitor.py script will be executed.