Merge pull request #7305 from Security-Onion-Solutions/delta_ssh

Allow only the manager to connect to the SSH port on IDH nodes.
This commit is contained in:
Josh Patterson
2022-02-23 15:17:31 -05:00
committed by GitHub
7 changed files with 74 additions and 5 deletions


@@ -659,7 +659,6 @@ role:
hostgroups: hostgroups:
anywhere: anywhere:
portgroups: portgroups:
- {{ portgroups.ssh }}
{% set idh_services = salt['pillar.get']('idh:services', []) %} {% set idh_services = salt['pillar.get']('idh:services', []) %}
{% for service in idh_services %} {% for service in idh_services %}
- {{ portgroups['idh_'~service] }} - {{ portgroups['idh_'~service] }}
@@ -670,3 +669,6 @@ role:
localhost: localhost:
portgroups: portgroups:
- {{ portgroups.all }} - {{ portgroups.all }}
manager:
portgroups:
- {{ portgroups.ssh }}
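Review bot: The new `manager:` hostgroup entry in the second hunk becomes the only firewall path to the management sshd for this role, so an incomplete or stale `manager` hostgroup definition (it lives outside this hunk, presumably derived from the manager's address in pillar) would lock operators out the moment the highstate applies. A comment above the entry would stop someone from "fixing" an access problem by re-adding ssh to `anywhere` later: `# Management sshd is reachable only from the manager; honeypot services stay exposed via the idh_* portgroups under anywhere`. The enclosing `role:` mapping starts before the hunk, so which role this is can only be inferred from the PR title.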


@@ -1,6 +1,10 @@
{% if grains.role == 'so-idh' %} {% if grains.role == 'so-idh' %}
{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %} {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
{% from 'idh/openssh/map.jinja' import openssh_map %}
{% set idh_services = salt['pillar.get']('idh:services', []) %} {% set idh_services = salt['pillar.get']('idh:services', []) %}
{% set ssh_port = openssh_map.config.port %}
{% else %}
{% set ssh_port = 22 %}
{% endif %} {% endif %}
firewall: firewall:
@@ -88,7 +92,7 @@ firewall:
- 443 - 443
ssh: ssh:
tcp: tcp:
- 22 - {{ ssh_port }}
strelka_frontend: strelka_frontend:
tcp: tcp:
- 57314 - 57314
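Review bot: The new import at the top of the file, `{% from 'idh/openssh/map.jinja' import openssh_map %}`, omits the `with context` that the other two new imports of the same map (`idh/openssh/config.sls`, `idh/openssh/init.sls`) use; if the map's `grains.filter_by` / `pillar.get` lookups depend on context propagation, the `ssh` portgroup would fail to render on IDH nodes, so make the three consistent: `{% from 'idh/openssh/map.jinja' import openssh_map with context %}`. The role-dependent port is also worth a line of documentation on the `ssh:` portgroup so the rendered `- 2222` is not mistaken for a typo: `# so-idh nodes move the management sshd to idh:openssh:config:port; every other role keeps 22`.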


@@ -33,3 +33,7 @@ idh:
tcpbanner_1.keep_alive_probes: 11 tcpbanner_1.keep_alive_probes: 11
tcpbanner_1.keep_alive_interval: 300 tcpbanner_1.keep_alive_interval: 300
tcpbanner_1.keep_alive_idle: 300 tcpbanner_1.keep_alive_idle: 300
openssh:
enable: true
config:
port: 2222
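Review bot: The new `openssh` defaults carry no explanation, and `enable` in particular is consumed by `idh/openssh/init.sls` through `is sameas true`, so a pillar override written as the string `'true'` would fall through to the `service.dead` branch and disable the management sshd on that node. Add a comment above the block: `# Management sshd for IDH nodes (separate from OpenCanary's own ssh setting). enable must be a YAML boolean; port must match the ssh portgroup opened for the manager`. Keep `port` an integer: the value is interpolated verbatim into both `sshd_config` and the firewall portgroup.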


@@ -20,6 +20,9 @@
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
include:
- idh.openssh.config
# IDH State # IDH State
# Create a config directory # Create a config directory


@@ -0,0 +1,23 @@
{% from "idh/openssh/map.jinja" import openssh_map with context %}
include:
- idh.openssh
{% if grains.os_family == 'RedHat' %}
sshd_selinux:
selinux.port_policy_present:
- name: tcp/{{ openssh_map.config.port }}
- port: {{ openssh_map.config.port }}
- protocol: tcp
- sel_type: ssh_port_t
- prereq:
- file: openssh_config
{% endif %}
openssh_config:
file.replace:
- name: {{ openssh_map.conf }}
- pattern: '(^|^#)Port \d+$'
- repl: 'Port {{ openssh_map.config.port }}'
- watch_in:
- service: {{ openssh_map.service }}
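Review bot: `openssh_config` uses `file.replace` with pattern `'(^|^#)Port \d+$'` and no `append_if_not_found`, so on a host whose `sshd_config` has no `Port` line at all (or carries it in an `Include`d drop-in under `sshd_config.d`, which newer OpenSSH evaluates first) the state reports success while sshd keeps listening on 22 — and since this PR removes 22 from the `anywhere` hostgroup and opens only the new port for the manager, the node becomes unreachable over SSH. Add `- append_if_not_found: True` and `- not_found_content: 'Port {{ openssh_map.config.port }}'` so the directive is always present, and consider rejecting a rendered port that is not an integer in 1–65535 before it reaches both sshd and the firewall. The SELinux `prereq` ordering is correct for RedHat, but `selinux.port_policy_present` presumably needs the semanage tooling on the box, which nothing in this change requires — worth confirming the image ships it.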

salt/idh/openssh/init.sls Normal file

@@ -0,0 +1,17 @@
{# This state is designed to only manage the openssh server settings of an IDH node and is seperate from the ssh setting for OpenCanary #}
{% from "idh/openssh/map.jinja" import openssh_map with context %}
openssh:
pkg.installed:
- name: {{ openssh_map.server }}
{% if openssh_map.enable is sameas true %}
service.running:
- enable: {{ openssh_map.enable }}
- name: {{ openssh_map.service }}
- require:
- pkg: {{ openssh_map.server }}
{% else %}
service.dead:
- enable: False
- name: {{ openssh_map.service }}
{% endif %}
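Review bot: The `{% if openssh_map.enable is sameas true %}` test in the new `init.sls` is a strict identity check against the boolean `true`, so any pillar override that arrives as a string (`enable: 'true'`, or a value templated from another string) takes the `service.dead` branch and stops and disables the management sshd on a remote node — the opposite of what the operator asked for. Salt's Jinja environment provides a `to_bool` filter; `{% if openssh_map.enable | to_bool %}` accepts the common spellings while still treating false-y values as a request to stop the service. The header comment also has a typo (`seperate` → `separate`) and would read better as `This state manages only the real OpenSSH server on an IDH node; OpenCanary's ssh service is configured separately`.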


@@ -0,0 +1,16 @@
{% import_yaml "idh/defaults/defaults.yaml" as idh_defaults with context %}
{% set openssh_map = salt['grains.filter_by']({
'Debian': {
'client': 'openssh-client',
'server': 'openssh-server',
'service': 'ssh',
'conf': '/etc/ssh/sshd_config'
},
'RedHat': {
'client': 'openssh-clients',
'server': 'openssh-server',
'service': 'sshd',
'conf': '/etc/ssh/sshd_config'
},
}, merge=salt['pillar.get']('idh:openssh', default=idh_defaults.idh.openssh, merge=True)) %}
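Review bot: `grains.filter_by` is called here with neither `grain=` nor `default=`, so on a minion whose `os_family` is not Debian or RedHat `openssh_map` is `None`, and the `openssh_map.conf` / `openssh_map.config.port` references in `config.sls` and the firewall template render from an undefined value — at best a render error, at worst an empty `- ` entry in the `ssh` portgroup. Make the intent explicit with `grain='os_family'` and either choose a `default=` or add a guard that fails the render with a clear message on unsupported families. The merged pillar (`idh:openssh`) is also trusted as-is even though `config.port` ends up in both `sshd_config` and a firewall rule; a comment above the map documenting the expected types, `# config.port: integer 1-65535; enable: boolean`, helps operators avoid a silent lockout.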