Simplify SSH Checking Across Non-External Hosts #4

jonathanio opened this issue Oct 3, 2023 · 0 comments
Labels: priority/normal (This is a normal-priority issue or pull request), type/refactoring (A refactoring of existing code), type/security (Update as a result of an identified security issue)

As a Network Engineer,
I want to simplify the rules for SSH traffic,
So that it is easier to control SSH traffic internally and externally.

Description

Currently, the :check:ssh rules are the same regardless of whether the host is internal-only or has external access. Although this is somewhat moot over IPv4 and IPv6 access, we should take a look at the :check:ssh rules to make sure that they are effective in both situations and also how the following address lists all work together:

  • :ssh:trusted
  • :ssh:controlled
  • ranges.ssh in {network}.yaml

Notes

There are multiple places to set allowed IP addresses, which cover /ip settings, /user set and :check:ssh rules in the filter table of the firewall. This should be analysed to ensure we effectively manage supersets and controls.

Acceptance Criteria

  • Ensure the update of SSH settings for internal hosts only allows accessible addresses.
  • Reduce the number of addresses that can configure the SSH service access.
  • Simplify :check:ssh for internal hosts.

jonathanio added the priority/normal, type/refactoring and type/security labels Oct 3, 2023
jonathanio self-assigned this Oct 3, 2023