SSH brute force protection for cluster

This commit implements the same feature already used for the Fuel master node
[0]: rate-limiting new SSH connections with iptables. The protection is
applied only when enabled, and only to networks not listed in [1].

[0] I0f452c8b0a808789aa4c2cd85d1d00556b210a39
[1] I34c9907d781b81253ed6942c67b16f8480de3bb5

DocImpact
Closes-Bug: #1563721
Depends-On: I7bbd96fb43fcd6030621671d0056f56324f50956
Change-Id: Id053e61ae16d126126dfb94cb4d9358dd7126d52
Co-Authored-By: Alex Schultz <aschultz@mirantis.com>
Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
Maksim Malchuk 2016-07-18 23:55:49 +03:00
parent 83b43202d1
commit 71991fae2c
2 changed files with 61 additions and 0 deletions


@ -54,6 +54,8 @@ class osnailyfacter::firewall::firewall {
$pcsd_port = 2224 $pcsd_port = 2224
$rsync_port = 873 $rsync_port = 873
$ssh_port = 22 $ssh_port = 22
$ssh_rseconds = 60
$ssh_rhitcount = 4
$swift_account_port = 6002 $swift_account_port = 6002
$swift_container_port = 6001 $swift_container_port = 6001
$swift_object_port = 6000 $swift_object_port = 6000
@ -124,6 +126,51 @@ class osnailyfacter::firewall::firewall {
source_nets => $ssh_networks, source_nets => $ssh_networks,
} }
$brute_force_protection = $ssh_hash['brute_force_protection'] ? {
true => 'present',
default => 'absent',
}
firewall { '021 ssh: new pipe for a sessions':
ensure => $brute_force_protection,
proto => 'tcp',
dport => $ssh_port,
state => 'NEW',
recent => 'set',
}
firewall { '022 ssh: more than allowed attempts logged':
ensure => $brute_force_protection,
proto => 'tcp',
dport => $ssh_port,
state => 'NEW',
recent => 'update',
rseconds => $ssh_rseconds,
rhitcount => $ssh_rhitcount,
jump => 'LOG',
log_prefix => 'iptables SSH brute-force: ',
log_level => '7',
}
firewall { '023 ssh: block more than allowed attempts':
ensure => $brute_force_protection,
proto => 'tcp',
dport => $ssh_port,
state => 'NEW',
recent => 'update',
rseconds => $ssh_rseconds,
rhitcount => $ssh_rhitcount,
action => 'drop',
}
firewall { '024 ssh: accept allowed new session':
ensure => $brute_force_protection,
proto => 'tcp',
dport => $ssh_port,
state => 'NEW',
action => 'accept',
}
openstack::firewall::multi_net {'109 iscsi': openstack::firewall::multi_net {'109 iscsi':
port => $iscsi_port, port => $iscsi_port,
proto => 'tcp', proto => 'tcp',
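Review bot: The three `recent` rules (021, 022, 023) rely on the module's default list name, so the SSH hit list is shared with any other `recent`-based rule that may exist in this chain, and the LOG rule at 022 fires on every over-limit packet with no limit of its own, so a sustained brute force can flood the kernel log. Give the list its own name with `rname => 'SSH'` on 021, 022 and 023, and bound the logging on 022 with something like `limit => '5/min'`. Note also that 024 accepts NEW SSH from any source (no `source_nets`), so where 020 restricts SSH to `$ssh_networks` this knob re-opens port 22 to all sources, rate-limited; if that is intended, as the commit message suggests, the DocImpact text should state it explicitly. `log_level => '7'` is the debug level and will only be retained if syslog keeps kern.debug, so confirm that is the level operators expect. The firewall class continues outside the hunk.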


@ -61,6 +61,14 @@ describe manifest do
ssh_hash = Noop.hiera_hash 'ssh', {} ssh_hash = Noop.hiera_hash 'ssh', {}
let(:ssh_brute_force) do
if ssh_hash['brute_force_protection']
'present'
else
'absent'
end
end
it 'should accept connections to the SSH service only from specified networks' do it 'should accept connections to the SSH service only from specified networks' do
if ssh_hash['security_enabled'] if ssh_hash['security_enabled']
@ -75,6 +83,12 @@ describe manifest do
'action' => 'accept', 'action' => 'accept',
'source_nets' => ssh_networks, 'source_nets' => ssh_networks,
) )
should contain_firewall('021 ssh: new pipe for a sessions').with_ensure(ssh_brute_force)
should contain_firewall('022 ssh: more than allowed attempts logged').with_ensure(ssh_brute_force)
should contain_firewall('023 ssh: block more than allowed attempts').with_ensure(ssh_brute_force)
should contain_firewall('024 ssh: accept allowed new session').with_ensure(ssh_brute_force)
end end
if Noop.puppet_function 'member', roles, 'primary-controller' or Noop.puppet_function 'member', roles, 'controller' if Noop.puppet_function 'member', roles, 'primary-controller' or Noop.puppet_function 'member', roles, 'controller'
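Review bot: The four new expectations only check `ensure`, so a regression in `recent`, `rseconds`, `rhitcount`, `jump` or `action` — the parts that actually make the rules rate-limit — would pass unnoticed; at least the block rule 023 should be pinned with its full parameter set. They also appear to sit inside the `if ssh_hash['security_enabled']` branch of an `it` named for the network restriction, whereas the manifest emits the brute-force rules gated only on `brute_force_protection`; if so, move them into their own `it 'should rate-limit new SSH sessions when brute force protection is enabled'` block outside that condition. The enclosing describe continues outside the hunk.
```ruby
should contain_firewall('023 ssh: block more than allowed attempts').with(
  'ensure'    => ssh_brute_force,
  'proto'     => 'tcp',
  'dport'     => 22,
  'state'     => 'NEW',
  'recent'    => 'update',
  'rseconds'  => 60,
  'rhitcount' => 4,
  'action'    => 'drop',
)
# … unchanged: 021/022/024 expectations …
```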