Hi there,

What connections does puppetd make to the master during a configuration run? Does it just make one, and use that for getting stuff from the puppetmasterd fileserver as well? Or does it make one to the puppetmasterd for config, and another to the puppetmasterd fileserver?

We want to add iptables rules that limit the rate of new connections to the puppetmasterd port; knowing this will tell us how to handle that.

Thanks
-i

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
On May 16, 2008, at 9:11 AM, Iwan wrote:
> Hi there,
>
> What connections does puppetd make to the master during a
> configuration run? Does it just make one, and use that for getting
> stuff from the puppetmasterd fileserver as well? Or does it make one
> to the puppetmasterd for config, and another to the puppetmasterd
> fileserver?
>
> We want to add iptables rules that limit the rate of new connections
> to puppetmasterd port, knowing this will tell us how to handle that.

It creates a new connection for every transfer, including each file description and retrieval.

We tried to reduce it to one but got file corruption.

--
It's not to control, but to protect the citizens of Singapore. In our society, you can state your views, but they have to be correct.
    -- Ernie Hai, co-ordinator of the Singapore Government Internet Project
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Hi,

On May 16, 5:44 pm, Luke Kanies <l...@madstop.com> wrote:
> On May 16, 2008, at 9:11 AM, Iwan wrote:
> > What connections does puppetd make to the master during a
> > configuration run?
>
> It creates a new connection for every transfer, including each file
> description and retrieval.
>
> We tried to reduce it to one but got file corruption.

Mmm, OK, so one to get the config, and one for each file description and retrieval thereafter. And all of these are to port 8140.

So there would not really be a way for iptables to distinguish between a normal run and a brute-force attack? (We use the recent module to, for example, guard ssh access: http://www.debian-administration.org/articles/187 ).

Any other ideas to firewall puppetmasterd? (Assuming you don't know in advance the IPs of the puppetd clients...)

Is it perhaps possible to configure the puppetmasterd fileserver to listen on a different port altogether? Then one could allow unlimited connections to that port for a client IP that has managed to successfully connect to 8140 for the initial config retrieval. And you can limit the number of connections made from a particular IP to 8140, because that (I assume) would then only happen a fixed number of times per run?

-i
James Turnbull
2008-May-17 09:04 UTC
[Puppet Users] Re: What connection are made to master?
Iwan wrote:
> So there would not really be a way for iptables to distinguish between
> a normal run and a brute-force attack? (We use the recent module to,
> for example guard ssh access: http://www.debian-administration.org/articles/187
> ).

Not readily, no.

> Any other ideas to firewall puppetmasterd? (Assuming you don't know in
> advance the IPs of the puppetd clients...)

Why wouldn't you know the IPs?

> Is it perhaps possible to configure the puppetmasterd fileserver to
> listen on a different port altogether? Then one could allow unlimited
> connections to that port for a client IP that has managed to
> successfully connect to 8140 for the initial config retrieval. And you
> can limit the number of connections made from a particular IP to 8140,
> because that (I assume) would then only happen a fixed number of times
> per run?

Yes - see http://reductivelabs.com/trac/puppet/wiki/PuppetScalability.

I don't overly see the benefit of the limit though - I would have thought in terms of risk there are a lot of other connections that offer greater exploitability for DoS/DDoS attacks.

Regards

James Turnbull

--
James Turnbull (james@lovedthanlost.net)
Author of:
* Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
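Added example, not part of the thread and not code from Puppet, Reductive Labs or any poster: a POSIX sh script that generates the iptables rules for the scheme Iwan sketches above and James confirms is possible, using the recent module from the linked Debian article. It assumes the fileserver has been moved to a second port (8141 here, an arbitrary choice; 8140 stays the master port as in the thread). The thresholds, the PUPPET chain and the puppet_master list name are assumptions to tune.

```shell
#!/bin/sh
# Added example for the scheme sketched in this thread; not code from Puppet or
# from any poster. Ports, thresholds and chain names below are assumptions.
#
# Idea: rate-limit NEW connections to the master port per source IP with the
# xt_recent module (as the Debian article does for ssh), and open a separate
# fileserver port only to source IPs that recently connected to the master port.
# The kernel can only see that a SYN reached the master port, not whether the
# TLS handshake behind it succeeded.

MASTER_PORT=${MASTER_PORT:-8140}   # puppetmasterd config port (from the thread)
FILES_PORT=${FILES_PORT:-8141}     # assumed port for a separate fileserver instance
HITCOUNT=${HITCOUNT:-10}           # new master-port connections allowed per IP per WINDOW;
                                   # must exceed what one puppetd run makes to MASTER_PORT
WINDOW=${WINDOW:-60}               # seconds
GRACE=${GRACE:-600}                # seconds an IP stays allowed on the fileserver port

# Print the filter-table rules in iptables-restore format.
# Usage: puppet_firewall_rules MASTER_PORT FILES_PORT HITCOUNT WINDOW GRACE
puppet_firewall_rules() {
    master=$1; files=$2; hits=$3; window=$4; grace=$5
    cat <<EOF
*filter
:PUPPET - [0:0]
-A INPUT -p tcp --dport $master -j PUPPET
-A INPUT -p tcp --dport $files -j PUPPET
# packets of connections already accepted are never re-checked against the recent list
-A PUPPET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# record every new connection attempt to the master port, keyed by source IP
-A PUPPET -p tcp --dport $master -m conntrack --ctstate NEW -m recent --set --name puppet_master --rsource
# drop it when this IP has made $hits or more new connections in the last ${window}s;
# --update refreshes the timestamp, so an IP that keeps hammering stays blocked
-A PUPPET -p tcp --dport $master -m conntrack --ctstate NEW -m recent --update --seconds $window --hitcount $hits --name puppet_master --rsource -j DROP
-A PUPPET -p tcp --dport $master -j ACCEPT
# fileserver port: only IPs seen on the master port within the last ${grace}s
# (--rcheck tests the list without refreshing the timestamp)
-A PUPPET -p tcp --dport $files -m recent --rcheck --seconds $grace --name puppet_master --rsource -j ACCEPT
-A PUPPET -p tcp --dport $files -j DROP
COMMIT
EOF
}

# Default action is to print the rules for review; APPLY=1 loads them without
# flushing the existing ruleset (run it once, or the INPUT jumps get duplicated).
if [ "${APPLY:-0}" = 1 ]; then
    puppet_firewall_rules "$MASTER_PORT" "$FILES_PORT" "$HITCOUNT" "$WINDOW" "$GRACE" | iptables-restore --noflush
else
    puppet_firewall_rules "$MASTER_PORT" "$FILES_PORT" "$HITCOUNT" "$WINDOW" "$GRACE"
fi
```

Three caveats a practitioner should weigh before deploying something like this. First, as Luke's reply makes clear, if the fileserver stays on 8140 then HITCOUNT has to exceed the number of file descriptions and retrievals one run makes, which is exactly the limit James doubts is worth much; the split port is what makes a low hitcount workable. Second, xt_recent caps --hitcount at its ip_pkt_list_tot module parameter (20 by default), so a larger value needs the module loaded with a larger ip_pkt_list_tot. Third, the limit is per source IP: several notebooks behind one NAT share a counter, and an attacker who sends one SYN to 8140 is entitled to the fileserver port for GRACE seconds, so the second rule only keeps hosts that never touched 8140 away from the fileserver; it does not rate-limit them.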
On May 17, 11:04 am, James Turnbull <ja...@lovedthanlost.net> wrote:
> Iwan wrote:
> > Any other ideas to firewall puppetmasterd? (Assuming you don't know in
> > advance the IPs of the puppetd clients...)
>
> Why wouldn't you know the IPs?

We use puppet not only for our servers, but also for (parts of our) workstations - some of which are notebook computers that use dynamic IPs - possibly on different, unknown networks.

> > Is it perhaps possible to configure the puppetmasterd fileserver to
> > listen on a different port altogether?
>
> Yes - see http://reductivelabs.com/trac/puppet/wiki/PuppetScalability.

Thanks, will do.

> > Then one could allow unlimited
> > connections to that port for a client IP that has managed to
> > successfully connect to 8140 for the initial config retrieval. And you
> > can limit the number of connections made from a particular IP to 8140,
> > because that (I assume) would then only happen a fixed number of times
> > per run?
>
> I don't overly see the benefit of the limit though - I would have
> thought in terms of risk there are a lot of other connections that offer
> greater exploitability for DoS/DDoS attacks.

Yes, I suppose you can argue that it is overkill, since puppet does seem to take security seriously. But it is an extra layer of protection - surely the same arguments apply equally to a well set-up ssh daemon and limiting the rate of connections to it? Or am I being too paranoid?

-i
James Turnbull
2008-May-18 10:49 UTC
[Puppet Users] Re: What connection are made to master?
Iwan wrote:
> We use puppet not only for our servers, but also for (parts of our)
> workstations - some of which are notebook computers that use dynamic
> IPs - possibly on different, unknown networks.

Ah, I see.

> Yes, I suppose you can argument that it is overkill, since puppet does
> seem to take security seriously. But it is an extra layer of
> protection - surely the same arguments apply equally to a well set-up
> ssh daemon and limiting the rate of connections to it? Or am I being
> too paranoid?

It is a risk decision for your organisation. Personally, putting my security hat on, I'd rate that as a low risk but your environment may be different.

Regards

James Turnbull

--
James Turnbull (james@lovedthanlost.net)
Author of:
* Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux (http://www.amazon.com/gp/product/1590594444/)