ssh brute force protection for Slave nodes

Bug #1563721 reported by Adam Heczko
Affects              Status         Importance  Assigned to      Milestone
Fuel for OpenStack   Fix Committed  Wishlist    Maksim Malchuk
  Mitaka             Won't Fix      Wishlist    Maksim Malchuk

Bug Description

Detailed bug description:
Currently there is no mechanism preventing multiple SSH login attempts on Fuel (MOS) slave nodes.
This is especially important as in the Fuel GUI there is an option to assign a public IP address to slave compute nodes.
Another thing to consider is that we've merged a patch which synchronizes the root password for all slave nodes, which has security implications.

Expected results:
Apply SSH rate limiting for NEW connections, similarly to https://review.openstack.org/#/c/298846/
For compute nodes, apply rate limiting with the exception of the appropriate IP subnetwork used for live migration by the nova-compute process (user 'nova' needs to spawn multiple SSH processes during KVM live migration).

Actual result:
Lack of sshd protection.

information type: Public → Public Security
description: updated
Revision history for this message
Bug Checker Bot (bug-checker) wrote : Autochecker

(This check was performed automatically)
Please make sure that the bug description contains the following sections filled in with the appropriate data related to the bug you are describing:

version

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

tags: added: need-info
Changed in fuel:
status: New → Confirmed
tags: added: area-library team-bugfix
Dmitry Pyzhov (dpyzhov)
tags: added: feature
tags: removed: team-bugfix
tags: removed: need-info
Changed in fuel:
status: Confirmed → In Progress
no longer affects: fuel/newton
Changed in fuel:
status: In Progress → Confirmed
tags: added: feature-security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (master)

Fix proposed to branch: master
Review: https://review.openstack.org/343872

Changed in fuel:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/343925

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (master)

Reviewed: https://review.openstack.org/343872
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=0825f3e96cddb45d76259247fd325d68515e0c85
Submitter: Jenkins
Branch: master

commit 0825f3e96cddb45d76259247fd325d68515e0c85
Author: Maksim Malchuk <email address hidden>
Date: Mon Jul 18 22:15:51 2016 +0300

    Add the 'Brute force protection' checkbox to the UI

    DocImpact
    Partial-Bug: #1563721
    Change-Id: I7bbd96fb43fcd6030621671d0056f56324f50956
    Signed-off-by: Maksim Malchuk <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/343925
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=71991fae2cdd6e1cc695a9eaec7419b0bff0b542
Submitter: Jenkins
Branch: master

commit 71991fae2cdd6e1cc695a9eaec7419b0bff0b542
Author: Maksim Malchuk <email address hidden>
Date: Mon Jul 18 23:55:49 2016 +0300

    SSH brute force protection for cluster

    This commit implements the same feature used for the Fuel master node
    [0], rate-limiting requests to SSH with iptables. The protection is
    used only when enabled and only for the networks not provided in [1].

    [0] I0f452c8b0a808789aa4c2cd85d1d00556b210a39
    [1] I34c9907d781b81253ed6942c67b16f8480de3bb5

    DocImpact
    Closes-Bug: #1563721
    Depends-On: I7bbd96fb43fcd6030621671d0056f56324f50956
    Change-Id: Id053e61ae16d126126dfb94cb4d9358dd7126d52
    Co-Authored-By: Alex Schultz <email address hidden>
    Signed-off-by: Maksim Malchuk <email address hidden>

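The bug's "Expected results" section and the fuel-library commit above both describe the same mechanism: rate-limit NEW SSH connections per source with iptables, while exempting the subnet that nova-compute uses for live migration so the many SSH sessions a KVM migration spawns are not dropped. The script below is an added example and not the puppet code the linked change merged (those exact rules are not on this page); it uses the iptables "recent" match, and the port, window, hit count, chain name and the sample subnet are assumed values.

```shell
#!/bin/sh
# Added example, not fuel-library's own code. Prints (or, with --apply, installs)
# iptables rules that limit NEW SSH connections per source address with the
# "recent" match. Networks passed as arguments (e.g. the live-migration subnet)
# are exempted before any counting happens. Port, window, hit count and the
# chain name are assumed values chosen for this example.

SSH_PORT=22
LIMIT_SECONDS=60      # sliding window length
LIMIT_HITS=4          # NEW connections per source allowed inside the window
CHAIN=SSH_RATELIMIT   # hypothetical dedicated chain name

# ssh_ratelimit_rules [EXEMPT_CIDR ...]
# Print the iptables commands, one per line, in the order they must be applied.
ssh_ratelimit_rules() {
    printf 'iptables -N %s\n' "$CHAIN"
    # Only NEW SSH connections enter the chain; established sessions are
    # untouched, so an already logged-in admin is never cut off by the limiter.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j %s\n' \
        "$SSH_PORT" "$CHAIN"
    # Exempt networks first (RETURN before any counting), so live-migration
    # traffic between compute nodes is never recorded or dropped.
    for cidr in "$@"; do
        printf 'iptables -A %s -s %s -j RETURN\n' "$CHAIN" "$cidr"
    done
    # Record the source address, then drop it if it has now exceeded
    # LIMIT_HITS new connections within LIMIT_SECONDS.
    printf 'iptables -A %s -m recent --name sshlimit --set\n' "$CHAIN"
    printf 'iptables -A %s -m recent --name sshlimit --update --seconds %s --hitcount %s -j DROP\n' \
        "$CHAIN" "$LIMIT_SECONDS" "$LIMIT_HITS"
}

# rule_count [EXEMPT_CIDR ...]: number of rules the generator emits
rule_count() {
    ssh_ratelimit_rules "$@" | grep -c .
}

# Usage: sh ssh_ratelimit.sh --apply 10.0.2.0/24
# Installs the rules into the running kernel (needs root). Without --apply
# nothing is changed; call ssh_ratelimit_rules to review the rules first.
if [ "${1:-}" = "--apply" ]; then
    shift
    ssh_ratelimit_rules "$@" | sh
fi
```

Review the output of `ssh_ratelimit_rules <live-migration-cidr>` before applying it: the RETURN rules for exempted networks must appear before the `--set` and `--update` rules, otherwise migration traffic would still be counted. Matching on `--ctstate NEW` is what keeps the limiter from touching existing sessions, which matters on a node whose only access path is SSH.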
Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/fuel-library 10.0.0rc1

This issue was fixed in the openstack/fuel-library 10.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/fuel-library 10.0.0

This issue was fixed in the openstack/fuel-library 10.0.0 release.
