frazer-lab / cluster

Repo for cluster issues.

Blocking off campus SSH to head nodes #227

Closed tatarsky closed 6 years ago

tatarsky commented 6 years ago

Per @hirokomatsui, shortly I will be limiting the SSH connections to the head nodes to just campus subnets. As that list is somewhat long, we will start by using tcpwrappers so I can identify more quickly where people are coming from (it logs more information than iptables, as the session is blocked a bit further into the code).

So shortly I will, on flh1 only, disable SSH from "any" and limit it to some ranges I use for other groups.

The VPN will have to be used if outside this list.

Please clearly note also that mosh, which is based on SSH, will also require a campus-only connection. I see a few mosh sessions on flh1.

tatarsky commented 6 years ago

This tcpwrapper was applied a few moments ago. Existing connections will not be impacted, but I've limited it to the four main subnets that are UCSD owned, per similar efforts.

If you are blocked from SSH access to flh1 from a UCSD subnet you feel should be included, just drop a comment here and I'll look at it and add it as approved by @hirokomatsui.

After a trial period this will be applied to flhn2 as well.
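The two comments above describe the mechanism (tcpwrappers in front of sshd, allow the campus subnets, deny everything else). As an added illustration that is not part of the issue or the cluster's configuration, the following models how hosts_access(5) evaluates such a hosts.allow/hosts.deny pair for a given client address; the subnets are constructed RFC 5737 placeholders, since the real UCSD ranges are not listed here.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation nets). The four
# campus subnets actually used on flh1 are not given in the issue.
HOSTS_ALLOW = """\
# daemon_list : client_list  (net/mask form accepted by hosts_access(5))
sshd : 192.0.2.0/255.255.255.0
sshd : 198.51.100.0/255.255.255.0
"""
HOSTS_DENY = """\
sshd : ALL
"""


def _rules(text):
    """Yield non-empty, comment-stripped rule lines from a hosts.* file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def _client_matches(pattern, client_ip):
    """Match one client_list token: ALL, a net/mask pair, or a literal IP."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network((net, mask), strict=False)
        return ipaddress.IPv4Address(client_ip) in network
    return pattern == client_ip


def _rule_matches(rule, daemon, client_ip):
    fields = [f.strip() for f in rule.split(":")]
    daemons = fields[0].replace(",", " ").split()
    clients = fields[1].replace(",", " ").split()
    return (daemon in daemons or "ALL" in daemons) and any(
        _client_matches(c, client_ip) for c in clients)


def tcpwrappers_decision(daemon, client_ip, hosts_allow=HOSTS_ALLOW,
                         hosts_deny=HOSTS_DENY):
    """hosts_access(5) order: first match in hosts.allow grants access,
    then first match in hosts.deny refuses, otherwise access is granted.
    A new mosh session begins with an ssh login that starts mosh-server,
    so the sshd rule gates mosh too; the later UDP traffic is not wrapped."""
    if any(_rule_matches(r, daemon, client_ip) for r in _rules(hosts_allow)):
        return "ALLOW"
    if any(_rule_matches(r, daemon, client_ip) for r in _rules(hosts_deny)):
        return "DENY"
    return "ALLOW"


if __name__ == "__main__":
    for ip in ("192.0.2.42", "203.0.113.7"):  # constructed sample clients
        print(ip, "->", tcpwrappers_decision("sshd", ip))
```

Because the default when nothing matches is ALLOW, a deny rule scoped only to `sshd` leaves other wrapped services open; `ALL : ALL` in hosts.deny is the usual way to close that gap.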

tatarsky commented 6 years ago

Been all quiet on this one. I propose @hirokomatsui we apply the same rules to fl-hn2 on Monday, 12/4, or sooner. Up to you; I just want to be able to react if we discover somebody in a bind access-wise.

hirokomatsui commented 6 years ago

I just realized that over the weekend, and it works fine for me.

tatarsky commented 6 years ago

Want to apply it now so we are around if people have issues? Or wait until Monday?

hirokomatsui commented 6 years ago

Please go ahead. Thank you!

tatarsky commented 6 years ago

Done. Watching the logs. I don't see any obvious signs (via DNS names containing ucsd or sdsc) of blocked campus subnets but am happy to add ranges if people find themselves blocked from what they feel is one.