Bug 1704592

Summary: Restrict SSH access to specific remote subnets
Product: Red Hat OpenStack
Reporter: Cédric Jeanneret <cjeanner>
Component: openstack-tripleo-heat-templates
Assignee: Cédric Jeanneret <cjeanner>
Status: CLOSED ERRATA
QA Contact: Sasha Smolyak <ssmolyak>
Severity: medium
Priority: medium
Version: 14.0 (Rocky)
CC: mburns
Target Milestone: zstream
Keywords: Triaged, ZStream
Target Release: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-9.3.1-0.20190513171736.9995be9.el7ost
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-07-02 20:08:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1704594

Description Cédric Jeanneret 2019-04-30 07:34:33 UTC
This bug was initially created as a copy of Bug #1694471

I am copying this bug because: 

Need dedicated bug on osp-14 for backport.


Description of problem:

The current default configuration set by director for SSH access opens SSH for all the remote subnets:

+++
[root@overcloud-controller-0 ~]# iptables -S | grep -i ssh
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh ipv4" -j ACCEPT
[root@overcloud-controller-0 ~]# iptables -t filter -vnL | grep -i ssh
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22 state NEW /* 003 accept ssh ipv4 */
[root@overcloud-controller-0 ~]# netstat -tnpl | grep -i ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5268/sshd           
tcp6       0      0 :::22                   :::*                    LISTEN      5268/sshd           
+++

This leaves the nodes vulnerable to brute force attacks. The allowed remote subnets should be restricted to required subnets only like provisioning and internal_api subnets. 

Do we currently have a way to achieve this in an already running environment?

It is a known fact that iptables rules can be modified with tripleo templates; however, we are unsure as to which subnets should be left open for SSH access.

Some guidance is required here for restricting SSH access without breaking the current functionality.

Version-Release number of selected component (if applicable):
[root@undercloud13 ~]# rpm -qa | grep -i tripleo-heat
openstack-tripleo-heat-templates-8.0.7-21.el7ost.noarch
[root@undercloud13 ~]# rpm -qa | grep -i puppet-tripleo
puppet-tripleo-8.3.6-7.el7ost.noarch
[root@undercloud13 ~]# 


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
SSH is open to all remote subnets

Expected results:
SSH access on the overcloud nodes should be open only to the required subnets

Additional info:

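The audit and the template override discussed in the report above, as an added example written for this page: it is not the reporter's code, not part of openstack-tripleo-heat-templates, and not the change shipped in the errata. It assumes that the iptables lines are constructed samples modelled on the one quoted in the report, that the override goes through the documented ExtraConfig / tripleo::firewall::firewall_rules hiera key, and that the rule names, the 001/002 numeric prefixes and the subnets 192.168.24.0/24 and 172.16.2.0/24 are placeholders chosen here.

```shell
#!/bin/sh
# Added example for this bug page; not code from the reporter or from TripleO.
# Part 1 audits `iptables -S INPUT` output for SSH rules that accept new
# connections from any source. Part 2 writes a TripleO environment file that
# limits SSH to chosen subnets through the ExtraConfig hiera override.

# Constructed sample output (modelled on the rule quoted in the report plus an
# unrelated service rule); not captured from a real node.
OPEN_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000 -m state --state NEW -m comment --comment "114 keystone public ipv4" -j ACCEPT'

# Constructed sample of what the rule set looks like after the override below
# is deployed: the stock 003 rule is still present but shadowed by the 002 drop.
RESTRICTED_RULES='-P INPUT ACCEPT
-A INPUT -s 192.168.24.0/24 -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "001 accept ssh from 192.168.24.0/24 ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "002 drop ssh from everywhere else ipv4" -j DROP
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh ipv4" -j ACCEPT'

# find_unrestricted_ssh_rules RULES
# Walks INPUT rules in order and prints every ACCEPT for TCP/22 that names no
# source (-s). A DROP/REJECT for TCP/22 with no source ends the walk, because
# unrestricted SSH traffic can never reach the rules behind it.
# Exit status 0 when at least one reachable unrestricted accept was found.
find_unrestricted_ssh_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-p tcp/ && /--dports? (22|[0-9,]+,22)(,|[ ]|$)/ && !/ -s / {
            if (/-j ACCEPT/) { print; found = 1 }
            else if (/-j (DROP|REJECT)/) { exit }
        }
        END { exit (found ? 0 : 1) }'
}

# write_ssh_restrict_env OUTFILE CIDR [CIDR...]
# Emits a parameter_defaults/ExtraConfig environment file. The rule names and
# the 001/002 prefixes are this example's own choice (assumption): puppet
# orders firewall rules by that numeric prefix, so the accepts and the drop
# land ahead of the stock "003 accept ssh" rule. Refuses to run without at
# least one allowed subnet so a deploy can never lock every source out.
write_ssh_restrict_env() {
    outfile=$1
    shift
    [ $# -gt 0 ] || { echo "refusing to write a rule set with no allowed subnet" >&2; return 1; }
    {
        echo 'parameter_defaults:'
        echo '  ExtraConfig:'
        echo '    tripleo::firewall::firewall_rules:'
        for cidr in "$@"; do
            printf "      '001 accept ssh from %s':\n" "$cidr"
            echo "        proto: 'tcp'"
            echo '        dport: 22'
            printf "        source: '%s'\n" "$cidr"
        done
        echo "      '002 drop ssh from everywhere else':"
        echo "        proto: 'tcp'"
        echo '        dport: 22'
        echo "        action: 'drop'"
    } > "$outfile"
}

# Stand-alone demonstration: audit the constructed samples, then write an
# environment file for two placeholder subnets (provisioning subnet first).
find_unrestricted_ssh_rules "$OPEN_RULES" || echo "sample 1: no reachable unrestricted SSH accept"
find_unrestricted_ssh_rules "$RESTRICTED_RULES" || echo "sample 2: no reachable unrestricted SSH accept"
write_ssh_restrict_env "${TMPDIR:-/tmp}/ssh-restrict.yaml" 192.168.24.0/24 172.16.2.0/24 \
    && cat "${TMPDIR:-/tmp}/ssh-restrict.yaml"
```

Pass the generated file to the deploy command with -e, and keep the provisioning (ctlplane) subnet in the allowed list: the director reaches every overcloud node over it, so dropping it breaks config-download and future updates. Try the override on a single node before rolling it out, and audit ip6tables separately, since sshd in the report listens on :::22 as well.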
Comment 5 errata-xmlrpc 2019-07-02 20:08:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1672