Description of problem:

The current default configuration set by director for SSH access opens SSH for all the remote subnets:

+++
[root@overcloud-controller-0 ~]# iptables -S | grep -i ssh
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh ipv4" -j ACCEPT
[root@overcloud-controller-0 ~]# iptables -t filter -vnL | grep -i ssh
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22 state NEW /* 003 accept ssh ipv4 */
[root@overcloud-controller-0 ~]# netstat -tnpl | grep -i ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5268/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      5268/sshd
+++

This leaves the nodes vulnerable to brute-force attacks. The allowed remote subnets should be restricted to required subnets only, like the provisioning and internal_api subnets. Do we currently have a way to achieve this in an already running environment? It is a known fact that iptables rules can be modified with tripleo templates; however, we are unsure as to which subnets should be left open for SSH access. Some guidance is required here for restricting the SSH access without breaking the current functionality.

Version-Release number of selected component (if applicable):

[root@undercloud13 ~]# rpm -qa | grep -i tripleo-heat
openstack-tripleo-heat-templates-8.0.7-21.el7ost.noarch
[root@undercloud13 ~]# rpm -qa | grep -i puppet-tripleo
puppet-tripleo-8.3.6-7.el7ost.noarch
[root@undercloud13 ~]#

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
SSH is open to all remote subnets

Expected results:
SSH access on the overcloud nodes should be open only to the required subnets

Additional info:
Hello,

sooo.. we did some changes in Master/OSP-15 about that open SSH a while back: https://review.openstack.org/#/c/631784/

It adds a new parameter allowing to open SSH to the world or not. Please note it might cut legitimate accesses, and would probably need some custom rules. This can be done by injecting rules in hiera:

tripleo::sshd::firewall_rules:
  'Accept sshd from XXX subnet':
    proto: tcp
    dport: 22
    source: 'XXX'

Just a small remark: iirc, there isn't any password for the users created by tripleo, meaning a brute force is nearly impossible (ppl have to generate the right SSH private key instead of a password).

Would the change I pointed to be sufficient for your case? If so, we will investigate the backporting of that new patch, since it was made against master.

Cheers,

C.
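As an added illustration (not from the bug thread or the tripleo project itself), the hiera snippet above can be carried in a heat environment file passed to the overcloud deploy, with one rule per subnet named in the report. It assumes that the parameter added by the linked review is named SshFirewallAllowAll, that ExtraConfig is used to inject the hiera data, and that the two CIDRs are constructed placeholders to be replaced with the deployment's own provisioning and internal_api subnets.

```yaml
# Added example environment file: restrict overcloud SSH to named subnets.
# Assumption: SshFirewallAllowAll is the parameter from review 631784 that
# controls the world-open "003 accept ssh ipv4" rule.
parameter_defaults:
  # Drop the default rule that accepts port 22 from 0.0.0.0/0.
  SshFirewallAllowAll: false
  # ExtraConfig injects hiera data on every role.
  ExtraConfig:
    tripleo::sshd::firewall_rules:
      'Accept sshd from provisioning subnet':
        proto: tcp
        dport: 22
        source: '192.168.24.0/24'   # constructed placeholder CIDR
      'Accept sshd from internal_api subnet':
        proto: tcp
        dport: 22
        source: '172.16.2.0/24'     # constructed placeholder CIDR
```

After the stack update, the `iptables -S | grep -i ssh` output shown in the report should list only ACCEPT rules carrying an `-s <subnet>` source and no rule without one.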
Hello Cedric,

Thanks for getting back. Our request is that we should have the ability to limit the SSH access to specific required subnets only. If adding the above parameter addresses that requirement, then, with the right set of supporting documentation to provide the correct advice on the subject matter, it should be enough.

Regards,
Punit
Hello,

I'm starting the LP creation as well as upstream backports. External trackers will be updated accordingly.

Cheers,

C.
According to our records, this should be resolved by openstack-tripleo-heat-templates-8.3.1-54.el7ost. This build is available now.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2624
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days