Security

Management router

Configure SSH server

Disable password-based SSH access. Operators can then SSH into the testbed only if their public keys are registered.

Having logged in, run the following commands to switch off password access:

configure
set service ssh disable-password-authentication
commit
save
exit

To add an SSH public key, save it to a file first, then load it:

vi /tmp/my_pubkey
configure
loadkey <user> /tmp/my_pubkey
commit
save
exit
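The loadkey step takes whatever is in /tmp/my_pubkey, so a quick check of that file before `commit` is worth having. The script below is an added example, not part of the testbed documentation: it rejects an empty file, a private key pasted by mistake, several keys in one file, and a line whose key type word does not match the base64 blob (the blob starts with the encoded type name, so the prefixes compared are constants of the OpenSSH wire format). The sample key material is constructed here; the ed25519 blob encodes an all-zero key and is useless as a credential.

```shell
#!/bin/sh
# Added example (not part of the testbed documentation): sanity-check a
# public key file before `loadkey <user> /tmp/my_pubkey`, so that an empty
# file, a pasted private key, a type/blob mismatch or several keys in one
# file are caught before they reach `commit`.

# One OpenSSH public key line: key type, base64 blob, optional comment.
# A CRLF line ending (key pasted from Windows) fails this pattern, which
# is the intended outcome: loadkey expects a clean single line.
KEY_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ].*)?$'

# validate_pubkey FILE -> status 0 when FILE is safe to hand to loadkey.
validate_pubkey() {
    file=$1
    [ -s "$file" ] || { echo "$file: missing or empty" >&2; return 1; }

    # A private key pasted by mistake must never reach the router config.
    if grep -q 'PRIVATE KEY' "$file"; then
        echo "$file: contains private key material" >&2
        return 1
    fi

    # Exactly one non-blank, non-comment line, and that line is a key.
    content=$(grep -Ecv '^[[:space:]]*(#.*)?$' "$file" || true)
    keys=$(grep -Ec "$KEY_RE" "$file" || true)
    if [ "$content" -ne 1 ] || [ "$keys" -ne 1 ]; then
        echo "$file: expected one public key line, found $keys key(s) in $content line(s)" >&2
        return 1
    fi

    # The blob begins with the encoded key type, so the type word and the
    # blob must agree; these prefixes are constants of the wire format.
    set -- $(grep -E "$KEY_RE" "$file")
    case "$1 $2" in
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5"*) ;;
        "ssh-rsa AAAAB3NzaC1yc2E"*) ;;
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY"*) ;;
        ecdsa-sha2-nistp384*|ecdsa-sha2-nistp521*) ;;  # prefix not checked here
        *) echo "$file: key type '$1' does not match the key blob" >&2; return 1 ;;
    esac
    return 0
}

# Constructed sample. The ed25519 blob encodes an all-zero 32-byte key,
# which is useless as a credential but exercises the format checks.
SAMPLE_ED25519='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA operator@laptop'

demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_ED25519" > "$demo_dir/good"
printf '# two keys in one file\n%s\n%s\n' "$SAMPLE_ED25519" "$SAMPLE_ED25519" > "$demo_dir/double"
printf 'ssh-rsa %s\n' "${SAMPLE_ED25519#ssh-ed25519 }" > "$demo_dir/mismatch"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' '-----END OPENSSH PRIVATE KEY-----' > "$demo_dir/private"
for f in good double mismatch private; do
    if validate_pubkey "$demo_dir/$f" 2>/dev/null; then echo "$f: ok to loadkey"; else echo "$f: rejected"; fi
done
rm -rf "$demo_dir"
```

Run it as `sh check_pubkey.sh` on the operator's workstation before copying the key over, or call `validate_pubkey /tmp/my_pubkey` on the router's shell before entering `configure`; a non-zero exit means do not run loadkey.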

Bring up the firewall

Follow the instructions here to establish a basic set of firewall rules, WAN_IN (WAN to internal) and WAN_LOCAL (WAN to router):

configure

set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable

set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable

set interfaces ethernet eth3 firewall in name WAN_IN
set interfaces ethernet eth3 firewall local name WAN_LOCAL

commit ; save

Then we open only the SSH port on the firewall.

Use the GUI to add a new rule to the WAN_LOCAL chain. It already has:

  • Rule 1 - allow established and related

  • Rule 2 - drop invalid.

So add Rule 3 -

  • On the Basic pane: Enable, Action accept, Protocol tcp

  • On the Advanced pane: State new

  • On the Destination pane: Port 22

Check out the source.
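After the GUI step it is easy to verify the result from the CLI: `show configuration commands` prints the running configuration as `set ...` lines in exactly the syntax used above. The script below is an added example, not part of the testbed documentation: it audits such a dump for the properties this section is meant to guarantee (both chains default to drop, both are attached to eth3, and WAN_LOCAL accepts new connections to port 22 only). The sample dump is constructed from the rule set above plus the GUI's Rule 3 written as CLI rule 30; that rule number is an assumption, as the GUI numbers rules by display order.

```shell
#!/bin/sh
# Added example (not part of the testbed documentation): audit an EdgeOS
# configuration dump (the `set ...` lines printed by `show configuration
# commands`) for the properties the rule set above is meant to guarantee:
# both chains default to drop, both are attached to eth3, and WAN_LOCAL
# accepts new connections to port 22 only.

# chain_default_action CONFIG CHAIN -> prints drop, accept, or unset
chain_default_action() {
    awk -v c="$2" '
        $1=="set" && $2=="firewall" && $3=="name" && $4==c && $5=="default-action" { print $6; seen=1 }
        END { if (!seen) print "unset" }' "$1"
}

# iface_chains CONFIG IFACE -> prints "in=CHAIN" / "local=CHAIN" lines
iface_chains() {
    awk -v i="$2" '
        $1=="set" && $2=="interfaces" && $3=="ethernet" && $4==i && $5=="firewall" { print $6 "=" $8 }' "$1"
}

# accepted_ports CONFIG CHAIN -> destination ports of every accept rule that
# names one, sorted (rules without a port, e.g. established/related, are skipped)
accepted_ports() {
    awk -v c="$2" '
        $1=="set" && $2=="firewall" && $3=="name" && $4==c && $5=="rule" {
            if ($7=="action") act[$6]=$8
            if ($7=="destination" && $8=="port") port[$6]=$9
        }
        END { for (r in act) if (act[r]=="accept" && (r in port)) print port[r] }' "$1" | sort -n
}

# audit_config CONFIG -> status 0 when every expectation holds
audit_config() {
    cfg=$1; rc=0
    for chain in WAN_IN WAN_LOCAL; do
        [ "$(chain_default_action "$cfg" "$chain")" = drop ] ||
            { echo "$chain: default-action is not drop"; rc=1; }
    done
    attached=$(iface_chains "$cfg" eth3 | tr '\n' ' ')
    case "$attached" in *"in=WAN_IN "*) ;; *) echo "eth3: WAN_IN not applied as in"; rc=1 ;; esac
    case "$attached" in *"local=WAN_LOCAL "*) ;; *) echo "eth3: WAN_LOCAL not applied as local"; rc=1 ;; esac
    ports=$(accepted_ports "$cfg" WAN_LOCAL | tr '\n' ' ')
    [ "$ports" = "22 " ] || { echo "WAN_LOCAL: accepts port(s) '$ports', expected only 22"; rc=1; }
    return $rc
}

# write_sample_config FILE: constructed dump of the rule set above, with the
# GUI's Rule 3 written as CLI rule 30 (the rule number is an assumption).
write_sample_config() {
    cat > "$1" <<'EOF'
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol tcp
set firewall name WAN_LOCAL rule 30 state new enable
set firewall name WAN_LOCAL rule 30 destination port 22
set interfaces ethernet eth3 firewall in name WAN_IN
set interfaces ethernet eth3 firewall local name WAN_LOCAL
EOF
}

demo=$(mktemp)
write_sample_config "$demo"
if audit_config "$demo"; then echo "router config: OK"; else echo "router config: FAIL"; fi
rm -f "$demo"
```

On the real router, save `show configuration commands` to a file and run `audit_config` on it; any later rule that opens another port on WAN_LOCAL shows up as an extra entry in the accepted port list.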

Controller node

Configure SSH server

Limit SSH access only to the management network and make sure public key authentication is disabled.

sudo vim /etc/ssh/sshd_config
...
ListenAddress 10.10.2.1
...

Bring up the firewall

Check ufw's status

sudo ufw status

Apply the default firewall policy

sudo ufw default allow outgoing
sudo ufw default deny incoming

Make sure the directive IPV6=yes exists in the /etc/default/ufw file. For instance:

cat /etc/default/ufw

Open SSH (TCP port 22) with connection rate limiting, plus HTTP and HTTPS

sudo ufw allow ssh
sudo ufw limit ssh
sudo ufw allow http
sudo ufw allow https

Turn on the firewall

sudo ufw enable

Check it is up

sudo systemctl status ufw.service
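Once the controller is set up, the two things to re-check are that sshd listens only on the management address and that the ufw rule set matches the commands above. The script below is an added example, not part of the testbed documentation: it parses sshd_config (first value wins, as sshd does, ignoring anything after a Match line) and the plain `ufw status` table, and cross-checks that the port sshd listens on is the one ufw rate-limits and that an IPv6 rule exists for it (which is what IPV6=yes produces). It assumes the management network is 10.10.2.0/24, since only 10.10.2.1 appears above; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not part of the testbed documentation): check the controller
# against the steps above by parsing sshd_config and the output of `ufw status`.
# Assumptions: the management network is 10.10.2.0/24 (only the address
# 10.10.2.1 appears above) and the sample inputs are constructed here.

# sshd_option FILE KEYWORD -> first value, which is the one sshd uses;
# anything after a Match line is conditional and ignored here.
sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1)=="match" { exit }
        $1 !~ /^#/ && tolower($1)==k { print $2; exit }' "$1"
}

# sshd_listen_addresses FILE -> every ListenAddress value, one per line
# (ListenAddress may repeat, so all occurrences matter; a value may carry :port)
sshd_listen_addresses() {
    awk 'tolower($1)=="match" { exit }
         $1 !~ /^#/ && tolower($1)=="listenaddress" { print $2 }' "$1"
}

# ufw_active FILE -> status 0 when the status output begins "Status: active"
ufw_active() { [ "$(head -n 1 "$1")" = "Status: active" ]; }

# ufw_action FILE TO [v6] -> ALLOW/LIMIT/DENY/REJECT for a "To" column entry
# such as 22/tcp, or nothing when no such rule exists
ufw_action() {
    if [ "$3" = v6 ]; then
        awk -v to="$2" '$1==to && $2=="(v6)" { print $3; exit }' "$1"
    else
        awk -v to="$2" '$1==to && $2!="(v6)" { print $2; exit }' "$1"
    fi
}

# audit_controller SSHD_CONFIG UFW_STATUS -> status 0 when every check passes
audit_controller() {
    sshd=$1; ufw=$2; rc=0
    addrs=$(sshd_listen_addresses "$sshd")
    [ -n "$addrs" ] || { echo "sshd: no ListenAddress, sshd binds every interface"; rc=1; }
    for a in $addrs; do
        case "$a" in 10.10.2.*) ;; *) echo "sshd: ListenAddress $a is outside the management network"; rc=1 ;; esac
    done
    port=$(sshd_option "$sshd" Port); port=${port:-22}
    ufw_active "$ufw" || { echo "ufw: not active"; rc=1; }
    [ "$(ufw_action "$ufw" "$port/tcp")" = LIMIT ] || { echo "ufw: $port/tcp should be LIMIT (ufw limit ssh)"; rc=1; }
    for p in 80 443; do
        [ "$(ufw_action "$ufw" "$p/tcp")" = ALLOW ] || { echo "ufw: $p/tcp should be ALLOW"; rc=1; }
    done
    [ -n "$(ufw_action "$ufw" "$port/tcp" v6)" ] ||
        { echo "ufw: no IPv6 rule for $port/tcp, check IPV6=yes in /etc/default/ufw"; rc=1; }
    return $rc
}

# write_samples DIR: constructed sshd_config and `ufw status` output
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sample, not a real host's file
Port 22
ListenAddress 10.10.2.1
EOF
    cat > "$1/ufw_status" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
if audit_controller "$demo/sshd_config" "$demo/ufw_status"; then echo "controller: OK"; else echo "controller: FAIL"; fi
rm -rf "$demo"
```

On the controller itself, `sudo ufw status > /tmp/ufw_status` followed by `audit_controller /etc/ssh/sshd_config /tmp/ufw_status` runs the same checks against the live host; each failed expectation is printed on its own line.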
