Commit Graph

8 Commits

Author SHA1 Message Date
Andreas Jaeger 854b3c5d37 Retire repository
Fuel (from openstack namespace) and fuel-ccp (in x namespace)
repositories are unused and ready to retire.

This change removes all content from the repository and adds the usual
README file to point out that the repository is retired following the
process from
https://docs.openstack.org/infra/manual/drivers.html#retiring-a-project

See also
http://lists.openstack.org/pipermail/openstack-discuss/2019-December/011647.html

Depends-On: https://review.opendev.org/699362
Change-Id: Iffe3a7de281b48693606fe0c84ebec8190018167
2019-12-18 09:41:48 +01:00
Alexander Kislitsky 97c9ca2c5f Port for distributed serialization added
We allow connections to 8002 port in the admin network for
incoming connections from distributed serialization workers.
Distributed serialization workers should be installed and run
on slave and bootstrap nodes.

Change-Id: Idae764bde0b0dd482e6b08d69a97cd5d0717547d
Implements: blueprint distributed-serialization
2017-03-01 13:55:22 +00:00
Maksim Malchuk b5e7b566e1 SSH brute force protection
To block an SSH brute force attack, we just need to slow down the
flow of requests. We can do this by rate-limiting requests to SSH
with iptables. The benefit of using iptables to block SSH attacks
is you don’t need any added software so we can easily support this
solution.

This change will block an IP if it attempts more than 3 connections
per minute (60 seconds) to SSH. These parameters are configurable.
Also, this protection would be enabled only if an empty ssh_network
(set to 0.0.0.0/0 which means world-wide open) is provided.

All SSH brute-force attempts are blocked only on the non-admin interface,
because automated Fuel deployment via fuel-devops or fuel-virtualbox
scripts makes many connections during the installation process.

All SSH brute-force connections are logged by default.

DocImpact
Depends-On: I06161e8d819e40bc5827b3fda7f614c0ea5d4fd3
Change-Id: I0f452c8b0a808789aa4c2cd85d1d00556b210a39
Closes-Bug: #1540073
Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
2016-04-25 15:59:24 +00:00
Maksim Malchuk e10a88344e Restore forwarding and iptables cleanup
Restore accidentally removed forwarding back but move it outside the
firewall module.
Passing port to firewall is deprecated and will be removed, so change
all rules to use dport instead.
Firewall rules with jump attribute should contain explicit protocol
declaration.

Change-Id: I750f334667966299a26c305126445524de73ff2c
Closes-Bug: #1568891
Partial-Bug: #1524750
Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
2016-04-14 01:21:36 +03:00
Maksim Malchuk 77339d40c3 Set default iptables INPUT policy to DROP
It was observed that on Fuel master node the default firewall INPUT
policy is set to 'ACCEPT' rather than to 'DROP'.
This leads to exposure of unnecessary services over potentially
untrusted networks.

This patch updates default firewall INPUT policy to 'DROP'. Also it adds
user-defined chains which are not purged (and thus preserved between
iptables.pp applications).

Change-Id: Ia9ab6d019be81aebcf5eaba25336e6f19b2c6a1a
Partial-Bug: #1524750
Depends-On: I57e9f58c6bad32b23b179499f0514edf5357bd31
Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
2016-04-08 14:57:17 +03:00
Maksim Malchuk 583bf0bf6e Restrict SSH according to the security settings
* Bind SSH service on all interfaces by default
* Restrict SSH access only on ssh_network from the fuelmenu

Change-Id: I3c5f7e931669d9d28f59d9f64b4d407b2f37215e
Depends-on: I2d1149a7596d596f581b7628de7089ac375772f6
Depends-on: I6518923c089a0f602566394bc4502a57c4306eb7
Depends-on: I9609003d892875b0bbe00d24fe8365edb1f3c57e
Closes-Bug: #1557190
2016-03-18 23:23:10 +03:00
Matthew Mosesohn 81f7ab484c Block RabbitMQ management for non-local connections on master
Change-Id: Ie03c23b3e3e6ae7ac8d1dc08550e569cd952c98a
Closes-Bug: #1546124
2016-02-16 18:21:05 +03:00
Vladimir Kozhukalov 776eda92cf Add fuel puppet module
This module is a fork of nailgun puppet module with
some simplifications that make it easier to use and
maintain. Fuel master node is to be deployed using
a kind of task-based procedure when {task}.pp
are used one by one

Implements blueprint: get-rid-docker-containers
Change-Id: I0139cad1c2ebb0cc846c8bca560533b0ac6489cf
2016-02-06 11:39:53 +03:00