Simplify SSH Checking Across Non-External Hosts #4

@jonathanio

As a Network Engineer,
I want to simplify the rules for SSH traffic,
So that it is easier to control SSH traffic internally and externally.

Description

Currently, the :check:ssh rules are the same regardless of whether the host is internal-only or has external access. Although this is somewhat moot over IPv4 and IPv6 access, we should take a look at the :check:ssh rules to make sure that they are effective in both situations, and also at how the following address lists all work together:

  • :ssh:trusted
  • :ssh:controlled
  • ranges.ssh in {network}.yaml

Notes

There are multiple places to set allowed IP addresses, which cover /ip settings, /user set and :check:ssh rules in the filter table of the firewall. This should be analysed to ensure we effectively manage supersets and controls.

Acceptance Criteria

  • Ensure the update of SSH settings for internal hosts only allows accessible addresses.
  • Reduce the number of addresses that can configure the SSH service access.
  • Simplify :check:ssh for internal hosts.

Labels

  • priority/normal: This is a normal-priority issue or pull request
  • type/refactoring: A refactoring of existing code
  • type/security: Update as a result of an identified security issue
