
I'm familiar with the standard Ansible best practices for secure connections (disabling root access for hosts and configuring key-based SSH authentication). Should I also use hosts.allow or iptables to prevent the hosts from accepting connections that aren't from the IP address of the control node? It seems logical to me but I don't see anyone doing it, so I'm assuming I'm overlooking something obvious.

  • It completely depends on your environment: do you need to accept SSH connections for anything other than Ansible or remote administrative purposes? If no, locking down incoming SSH to a specific network certainly can strengthen your security. Will you have some out-of-band access to be able to get into the systems in emergencies if Ansible fails? You don't want to be Facebook, where the server that controls the door security is broken, and locked behind a door controlled by the server. – Zoredache Jul 19 '22 at 20:19

1 Answer


It is always a good idea to limit access to any network service you expose, if you can.

When setting up the ACL for SSH consider that:

  • Normally it is not only Ansible that logs in with ssh; often regular users and/or administrators will also log in over ssh or use scp to copy data.

  • SSH can not only be secured at the IP level; you can configure much more granular security at the application level with:

    • the Match directive in sshd_config overrides global settings set in the config file and can be used to add/set or lift restrictions when certain conditions are met (such as the Ansible user logging on)
    • the often overlooked options that can be added in the ~/.ssh/authorized_keys file to add restrictions to logins with a particular ssh key. See the AUTHORIZED_KEYS FILE FORMAT section in the manual.
Rob
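The two application-level mechanisms named in the answer, shown together as an added example (this is not part of Rob's answer or of any Ansible project code). The user names, the control node address 192.0.2.10, the management subnet 192.0.2.0/24 and the key material are placeholders; the global settings at the top are the key-based, no-root baseline the question already assumes.

```text
# /etc/ssh/sshd_config (or a drop-in under /etc/ssh/sshd_config.d/ on OpenSSH 8.2+)
# Global baseline: key authentication only, no direct root login.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Source-address ACL at the sshd level instead of (or in addition to) iptables /
# hosts.allow. AllowUsers accepts USER@HOST patterns where HOST may be an
# address or CIDR block. Note that once AllowUsers is set, every user NOT listed
# is refused, so list the administrators as well as the automation account.
# 192.0.2.0/24 (admins) and 192.0.2.10 (control node) are placeholders.
AllowUsers alice@192.0.2.0/24 bob@192.0.2.0/24 ansible@192.0.2.10

# Restrictions that apply only to the automation account. Everything below a
# Match line stays in effect until the next Match, so keep Match blocks at the
# end of the file. Comments go on their own lines; sshd does not accept
# trailing comments after a value.
Match User ansible
    AuthenticationMethods publickey
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding no
    PermitTunnel no
    # Ansible opens several sessions per host when ControlMaster is in use.
    MaxSessions 10

# ---------------------------------------------------------------------------
# ~ansible/.ssh/authorized_keys on each managed host (AUTHORIZED_KEYS FILE FORMAT
# in sshd(8)). Options precede the key on the same line:
#   from="..."  the key is only accepted from this source (address/CIDR/host pattern)
#   restrict    disables port/agent/X11 forwarding, user rc and pty allocation
#   pty         re-enables pty allocation after restrict; Ansible's ssh
#               connection plugin passes -tt by default, so it needs this one
# The key material below is a placeholder, not a real key.
from="192.0.2.10",restrict,pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...PLACEHOLDER ansible@control-node
```

Run `sshd -t` after editing and before restarting the daemon: a syntax error in sshd_config makes the service refuse to start, and with a per-source ACL a typo in the address is exactly the kind of mistake that locks out the control node. Keep the out-of-band path the comment above mentions (console, separate admin account from the management subnet) so a bad AllowUsers line is recoverable.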