Closed. ypid closed this 9 years ago.
The issue I find here is that in `ferm` and `tcpwrappers` configuration I can use the name of the service from `/etc/services`, but you cannot do the same in `sshd_config`. So that would either mean that we stop using `ssh` in firewall and tcpwrappers configuration and use `22` instead (ehh... Not that it matters in the end, but... ehhh...), or add a separate list of ports in `debops.sshd` just for `sshd_config`, or better yet, look up the name of the port in `/etc/services` and replace the service name with its number in `sshd_config`.

The other thing is, that if you use multiple `sshd` ports, you most certainly have a reason for some of them to be firewalled differently, allow access from different networks, etc. Adding support for that directly in `debops.sshd` seems to me to be slightly overkill, when you definitely can configure that separately through Ansible inventory. And the use case doesn't seem to me to be that common to warrant additional complexity in the role.
Ok. What about reconfiguring `/etc/services` if it is only one port (e.g. `22/tcp` to something different)?
You don't want to change standard service ports - this might confuse applications that use these names, for example if you change, say, SMTP to something different than `25`, and then run:

```
telnet remote.host.com smtp
```

`telnet` will connect to the port that you have in `/etc/services`, which will be different.

What you want to do is to add another set of port/service name in `/etc/services` for your additional SSH ports, for example:

```
ssh-secondary 2200/tcp
```

You can use the `debops.etc_services` role to do this. But this still won't allow you to use port names in `/etc/ssh/sshd_config`, and this is the problem we are trying to tackle. Doing a lookup for a port number in `/etc/services` (and you probably want to do the lookup on the remote host anyway, it's where that information is stored) is probably overkill in and of itself.

And it still does not resolve the problem that you probably would want the `22` port heavily firewalled and the `2200` port configured with access from some subnet. This will add even more complexity into the `debops.sshd` role, which IMO is unnecessary. You can easily do this configuration in `ferm` separately by adding one or two additional rules in the Ansible inventory.
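The `/etc/services` lookup discussed in the two comments above (resolving a service name such as `ssh` or `ssh-secondary` to the number that `sshd_config` needs, without touching the standard entries) is a small parsing job. The following is an added example and not code from this thread or from the `debops.sshd` role; the `/etc/services` excerpt is constructed inline, and the function names (`parse_services`, `resolve_port`, `sshd_port_lines`, `load_system_services`) are assumptions of the example. Unknown names fail loudly rather than producing a bogus `Port` line, which is the failure mode you want when the lookup runs on the managed host.

```python
import re

# Constructed excerpt of /etc/services (not copied from a real host); the
# ssh-secondary line is the kind of entry the comment above suggests adding.
SERVICES_SAMPLE = """\
# Network services, Internet style
ssh\t\t22/tcp\t\t\t\t# SSH Remote Login Protocol
ssh\t\t22/udp
smtp\t\t25/tcp\t\tmail
http\t\t80/tcp\t\twww\t\t# WorldWideWeb HTTP
ssh-secondary\t2200/tcp\t\t# extra sshd listener (example)
"""

# name, port/proto, optional aliases (comments are stripped before matching)
_LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s*(.*)$")


def parse_services(text):
    """Map (name, protocol) -> port for every entry in /etc/services style
    text; aliases listed after the port/proto field are mapped as well."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue                            # ignore malformed lines
        name, port, proto, rest = m.groups()
        port = int(port)
        table.setdefault((name, proto), port)   # first definition wins
        for alias in rest.split():
            table.setdefault((alias, proto), port)
    return table


def resolve_port(spec, table, proto="tcp"):
    """Return the numeric port for a service name or a numeric string.
    Unknown names raise instead of silently emitting a wrong Port line."""
    spec = str(spec).strip()
    if spec.isdigit():
        port = int(spec)
    else:
        try:
            port = table[(spec, proto)]
        except KeyError:
            raise ValueError(f"{spec!r} is not in /etc/services for {proto}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    return port


def sshd_port_lines(specs, table):
    """Render the 'Port N' lines for sshd_config, de-duplicated in order,
    so a list mixing names and numbers (like the inventory above) works."""
    ports = []
    for spec in specs:
        port = resolve_port(spec, table)
        if port not in ports:
            ports.append(port)
    return [f"Port {p}" for p in ports]


def load_system_services(path="/etc/services"):
    """Read the real file on the host where sshd runs; as the comment above
    notes, that is where the information actually lives."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_services(fh.read())


if __name__ == "__main__":
    table = parse_services(SERVICES_SAMPLE)
    # Same ports as the inventory in this thread, given by name and by number.
    for line in sshd_port_lines(["ssh", "ssh-secondary", "2200"], table):
        print(line)
```

Run on a managed host with `load_system_services()` in place of the constructed sample; the resulting lines are what an inventory variable such as `sshd_config_ports` would otherwise have to spell out numerically.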
I should have described my use case a bit better, sorry. I want my sshd to only listen on one high, unprivileged TCP port which does not get scanned so often. I know that this is security by obscurity and password login is of course already disabled. But I understand that to keep the complexity down it is better when this is done manually (but still with Ansible of course :smile: ).
In that case, add this to your inventory:

```yaml
sshd_ferm_limit: 'false'
sshd_allow: [ '{{ your_subnet }}' ]
sshd_config_ports: [ '22', '2200' ]
ferm_input_list:
  - dport: [ '2200' ]
    accept_any: True
```

What will happen is:

- `ssh` port from your Ansible Controller and specified subnet, access from other hosts on `ssh` port will not be allowed;
- `2200` port from any hosts, you can of course customize that as you wish;

This configuration will let you configure that host using Ansible without having to set `ansible_ssh_port` in the inventory for that host, or changing `~/.ssh/config` or any of that stuff.
Thanks very much. I already configured it in `~/.ssh/config` …
Closed by #19. My use case example:

```yaml
sshd_ferm_ports: [ '2323' ]
sshd_ports: '{{ sshd_ferm_ports }}'
```

Currently, ferm and tcpwrappers have to be configured separately.