Fuel for OpenStack

ssh brute force protection for Slave nodes

Bug #1563721 reported by Adam Heczko on 2016-03-30

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Fuel for OpenStack	Fix Committed	Wishlist	Maksim Malchuk	Fuel for OpenStack 10.0
	Mitaka	Won't Fix	Wishlist	Maksim Malchuk	Fuel for OpenStack 9.0

Bug Description

Detailed bug description:
Currently there doesn't exist any mechanism preventing multiple SSH login attempts on Fuel (MOS) slave nodes.
This is especially important as in Fuel GUI there is an option to assign public IP address to slave compute nodes.
Another thing to consider is that we've merged a patch which synchronizes root password for all slave nodes what have security implications.

Expected results:
Apply SSH rate limiting for NEW connections, similarly to https://review.openstack.org/#/c/298846/
For compute nodes, apply rate limiting with the exception of appropriate IP subnetwork used to live migration by nova-compute process (user 'nova' need to spawn multiple SSH processess during KVM live migration).

Actual result:
Lack of sshd protection.

See original description

Tags:

Adam Heczko (aheczko-mirantis) on 2016-03-30

information type:	Public → Public Security
description:	updated

Revision history for this message

Bug Checker Bot (bug-checker) wrote on 2016-03-30: Autochecker

(This check performed automatically)
Please, make sure that bug description contains the following sections filled in with the appropriate data related to the bug you are describing:

version

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

tags:

added: need-info

Maksim Malchuk (mmalchuk) on 2016-03-30

Changed in fuel:
status:	New → Confirmed

Maksim Malchuk (mmalchuk) on 2016-03-30

tags:

added: area-library team-bugfix

Dmitry Pyzhov (dpyzhov) on 2016-03-30

tags:	added: feature
tags:	removed: team-bugfix

Bug Checker Bot (bug-checker) on 2016-03-30

tags:

removed: need-info

Matthew Mosesohn (raytrac3r) on 2016-04-04

Changed in fuel:
status:	Confirmed → In Progress

Maksim Malchuk (mmalchuk) on 2016-05-30

no longer affects:	fuel/newton
Changed in fuel:
status:	In Progress → Confirmed

Adam Heczko (aheczko-mirantis) on 2016-06-21

tags:

added: feature-security

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-18: Fix proposed to fuel-web (master)

Fix proposed to branch: master
Review: https://review.openstack.org/343872

Changed in fuel:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-18: Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/343925

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-19: Fix merged to fuel-web (master)

Reviewed: https://review.openstack.org/343872
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=0825f3e96cddb45d76259247fd325d68515e0c85
Submitter: Jenkins
Branch: master

commit 0825f3e96cddb45d76259247fd325d68515e0c85
Author: Maksim Malchuk <email address hidden>
Date: Mon Jul 18 22:15:51 2016 +0300

Add the 'Brute force protection' checkbox to the UI

    DocImpact
    Partial-Bug: #1563721
    Change-Id: I7bbd96fb43fcd6030621671d0056f56324f50956
    Signed-off-by: Maksim Malchuk <email address hidden>

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-20: Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/343925
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=71991fae2cdd6e1cc695a9eaec7419b0bff0b542
Submitter: Jenkins
Branch: master

commit 71991fae2cdd6e1cc695a9eaec7419b0bff0b542
Author: Maksim Malchuk <email address hidden>
Date: Mon Jul 18 23:55:49 2016 +0300

SSH brute force protection for cluster

    This commit implements the same feature used for the Fuel master node
    [0] with rate-limiting requests to SSH with iptables. The protection
    used only when enabled and only for the not provided [1] networks.

[0] I0f452c8b0a808789aa4c2cd85d1d00556b210a39
[1] I34c9907d781b81253ed6942c67b16f8480de3bb5

    DocImpact
    Closes-Bug: #1563721
    Depends-On: I7bbd96fb43fcd6030621671d0056f56324f50956
    Change-Id: Id053e61ae16d126126dfb94cb4d9358dd7126d52
    Co-Authored-By: Alex Schultz <email address hidden>
    Signed-off-by: Maksim Malchuk <email address hidden>