SSH rate limiting using Puppet firewall module

Tags: ruby, iptables, puppet (codereview)

2 votes

Question

I used to do simple SSH rate limiting using a UFW Puppet module. To get more flexible blocking I've changed to using the official firewall module instead. Are there any significant issues with the following?

In manifests/host.pp:

    include ssh_server
    include my_firewall
    […]
    resources { 'firewall':
      purge => true,
    }

    Firewall {
      before  => Class['my_firewall::post'],
      require => Class['my_firewall::pre'],
    }

In modules/my_firewall/manifests/init.pp:

    class my_firewall {
      include my_firewall::pre
      include my_firewall::post

      package { 'ufw':
        ensure => absent,
      }
    }

In modules/my_firewall/manifests/pre.pp:

    class my_firewall::pre {
      Firewall {
        require => undef,
      }

      # Default firewall rules
      firewall { '000 accept all icmp':
        proto  => 'icmp',
        action => 'accept',
      } ->
      firewall { '001 accept all to lo interface':
        proto   => 'all',
        iniface => 'lo',
        action  => 'accept',
      } ->
      firewall { '002 reject local traffic not on loopback interface':
        iniface     => '! lo',
        proto       => 'all',
        destination => '127.0.0.1/8',
        action      => 'reject',
      } ->
      firewall { '003 accept related established rules':
        proto  => 'all',
        state  => ['RELATED', 'ESTABLISHED'],
        action => 'accept',
      }
    }

In modules/my_firewall/manifests/post.pp:

    class my_firewall::post {
      firewall { '999 drop all':
        proto  => 'all',
        action => 'drop',
        before => undef,
      }
    }

In modules/ssh_server/manifests/init.pp:

    # init.pp of the ssh_server module must define the class that host.pp includes
    class ssh_server {
      # Drop a NEW connection if this source has already been seen 6 times in
      # the last 60 s (-m recent --update); a match also refreshes the entry.
      firewall { '200 limit incoming SSH connections to 6 per minute':
        dport     => 22,
        proto     => 'tcp',
        recent    => 'update',
        rseconds  => 60,
        rhitcount => 6,
        rname     => 'SSH',
        rsource   => true,
        action    => 'drop',
      } ->
      # Otherwise record the source in the SSH table (-m recent --set) and accept.
      firewall { '201 allow incoming SSH connections':
        dport   => 22,
        proto   => 'tcp',
        recent  => 'set',
        rname   => 'SSH',
        rsource => true,
        action  => 'accept',
      }
    }
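As an added example (not from the original question, and not code from the puppetlabs-firewall module), here is a Python model of the iptables `recent` match that the two ssh_server rules above compile to, run over a constructed sequence of new SSH connection attempts. It shows what the manifest alone does not make obvious: six new connections per source address within 60 s are accepted and the seventh is dropped; a dropped attempt still refreshes the entry (the `--update` side effect), so a source that keeps retrying stays blocked until it has been quiet for a full window; and because of `--rsource` other source addresses are unaffected. The source addresses and timings are constructed, the 20-timestamps-per-address limit is the xt_recent default (`ip_pkt_list_tot`), and the iptables command lines in the docstring are the ones the `recent`, `rseconds`, `rhitcount`, `rname` and `rsource` parameters map to.

```python
"""Model of the iptables `recent` match (xt_recent) behind the two SSH rules.

Constructed example for illustration: no real netfilter table is touched.
The Puppet resources above compile to these iptables rules (INPUT chain):

  -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 6 \
      --name SSH --rsource -j DROP        # '200 limit incoming SSH ...'
  -A INPUT -p tcp --dport 22 -m recent --set --name SSH --rsource -j ACCEPT
                                           # '201 allow incoming SSH ...'
"""

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps remembered per address


class RecentTable:
    """One `--name` table: source address -> ring of packet timestamps."""

    def __init__(self):
        self.stamps = {}

    def set(self, src, now):
        """`--set --rsource`: always matches and records `now` for src
        (creating the entry if it does not exist yet)."""
        self._stamp(src, now)
        return True

    def update(self, src, now, seconds, hitcount):
        """`--update --seconds S --hitcount H --rsource`.

        Matches only if src is already in the table and at least H of its
        remembered timestamps lie within the last S seconds.  On a match the
        kernel also records `now`, which is what keeps a retrying source
        blocked for as long as it keeps retrying."""
        history = self.stamps.get(src)
        if history is None:
            return False
        hits = sum(1 for t in history if now - t <= seconds)
        if hits >= hitcount:
            self._stamp(src, now)
            return True
        return False

    def _stamp(self, src, now):
        history = self.stamps.setdefault(src, [])
        history.append(now)
        if len(history) > IP_PKT_LIST_TOT:
            del history[0]  # ring buffer: the oldest stamp is overwritten


def ssh_rules(table, src, now, seconds=60, hitcount=6):
    """Walk rules 200 and 201 for one packet that reached them, i.e. a NEW
    TCP/22 packet (rule 003 already accepted RELATED/ESTABLISHED traffic)."""
    if table.update(src, now, seconds, hitcount):
        return "DROP"    # rule 200
    table.set(src, now)
    return "ACCEPT"      # rule 201


def simulate(attempts, seconds=60, hitcount=6):
    """attempts: (time_in_seconds, source_ip) pairs in arrival order.
    Returns [(time, src, verdict), ...]."""
    table = RecentTable()
    return [(now, src, ssh_rules(table, src, now, seconds, hitcount))
            for now, src in attempts]


def scenario_burst():
    """Constructed: 203.0.113.7 opens eight connections 4 s apart while
    198.51.100.9 opens one in the middle of the burst.  The first six from
    203.0.113.7 are accepted, the 7th and 8th dropped, the other host is
    unaffected because the table is keyed per source (--rsource)."""
    attempts = [(4 * i, "203.0.113.7") for i in range(8)] + [(29, "198.51.100.9")]
    return simulate(sorted(attempts))


def scenario_persistent():
    """Constructed: after being blocked, 203.0.113.7 retries every 10 s for
    five minutes, then goes quiet for 100 s.  Every retry is dropped (each
    one refreshes the entry); the attempt after the quiet period is accepted."""
    attempts = [(i, "203.0.113.7") for i in range(7)]              # 6 accepts, 1 drop
    attempts += [(10 + 10 * i, "203.0.113.7") for i in range(30)]  # t = 10 .. 300
    attempts.append((400, "203.0.113.7"))
    return simulate(attempts)


def verdicts_for(results, src):
    """Verdicts of one source address, in arrival order."""
    return [v for _, s, v in results if s == src]


if __name__ == "__main__":
    for now, src, verdict in scenario_burst():
        print(f"t={now:3d}s {src:14s} {verdict}")
```

The model only covers packets that reach rules 200 and 201; in the posted chain that is anything TCP/22 not already accepted by rule 003, so retransmitted SYNs from a client whose connection was dropped also count toward the six hits.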
Answers






© 2022 respuesta.top. All rights reserved.