Web front-end servers have a public IP to receive web traffic, but they do not need it for management (e.g. SSH).
Configure the servers so that management traffic is restricted to Drake.
Plan:
- detect whether the node has a public IP (nodes pillar > network > interfaces > "public"?)
- create an allowlist of networks that are safe to use, like IntraNought (*)
- check whether a card in the nodes pillar is on that list
- if so, make sshd listen on the private IP address
(*) An example of a private network that is not safe is one reached over a GRE tunnel that provides connectivity to Drake: if the tunnel fails, we need SSH on the public IP to debug or recreate it. The scope of this task is the VMs natively using a private IP address.
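The selection logic of the plan, as an added example in Python rather than the project's own Salt states: the pillar interface shape ({"address", "public"}), the allowlist CIDR and the sample node data are assumptions, and the helper renders the ListenAddress lines an sshd_config template would emit.

```python
import ipaddress

# Constructed allowlist of management networks: the real IntraNought range is not in
# the task, so 172.27.27.0/24 is a placeholder matching the address in the Salt diff.
SAFE_MANAGEMENT_NETWORKS = [ipaddress.ip_network("172.27.27.0/24")]


def has_public_ip(interfaces):
    """True if any card is flagged public or carries a globally routable address."""
    return any(
        card.get("public") or ipaddress.ip_address(card["address"]).is_global
        for card in interfaces.values()
    )


def pick_listen_addresses(interfaces, safe_networks=SAFE_MANAGEMENT_NETWORKS):
    """Addresses sshd should bind to; [] means keep the default (all addresses).

    `interfaces` is a dict of card name -> {"address": str, "public": bool}, the
    assumed pillar shape. Only addresses inside an allowlisted network qualify, so
    a host whose only private path is a GRE tunnel on an unlisted range is left
    reachable over its public IP rather than locked out when the tunnel drops.
    """
    chosen = []
    for _name, card in sorted(interfaces.items()):
        addr = ipaddress.ip_address(card["address"])
        if any(addr in net for net in safe_networks):
            chosen.append(str(addr))
    return chosen


def render_listen_lines(interfaces, safe_networks=SAFE_MANAGEMENT_NETWORKS):
    """sshd_config fragment: one ListenAddress per safe private IP, empty otherwise."""
    if not has_public_ip(interfaces):
        return ""  # private-only host: nothing to restrict
    addrs = pick_listen_addresses(interfaces, safe_networks)
    return "".join(f"ListenAddress {a}\n" for a in addrs)


# Constructed pillar-like data (not real node data): web-001 with a safe private card,
# and a host whose only private link is a GRE tunnel on a range outside the allowlist.
WEB_001 = {"eth0": {"address": "203.0.113.10", "public": True},
           "eth1": {"address": "172.27.27.10"}}
GRE_HOST = {"eth0": {"address": "203.0.113.20", "public": True},
            "gre0": {"address": "10.99.0.2"}}

if __name__ == "__main__":
    print(render_listen_lines(WEB_001), end="")   # ListenAddress 172.27.27.10
    print(repr(render_listen_lines(GRE_HOST)))     # '' -> sshd default, stays public
```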
To test on web-001.
Without the fix, redeploying the SSH config with Salt would produce:
----------
ID: /etc/ssh/sshd_config
Function: file.managed
Result: None
Comment: The file /etc/ssh/sshd_config is set to be changed
Note: No changes made, actual changes may
be different due to other states.
Started: 00:16:49.585864
Duration: 28.304 ms
Changes:
----------
diff:
---
+++
@@ -13,8 +13,6 @@
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
-
-ListenAddress 172.27.27.10
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
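Review bot: the hunk only deletes `ListenAddress 172.27.27.10` (and the blank line before it) and adds nothing in its place, so applying this state for real would leave sshd on its default of binding every address, including the public one, which is exactly the exposure this task is meant to remove. The `Result: None` and the "No changes made" note show this was a test run; keep it that way on web-001 until the template emits a ListenAddress derived from the allowlisted interface, then re-run and confirm the diff no longer drops the line.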