Restricting SSH access to the Grid

[hacker0ni]

By default Security Onion provides no official option to restrict SSH access to the Grid (as of this writing). But this can be done with hacking the Salt configurations a bit.

If you take a look at /opt/so/saltstack/default/salt/firewall/assigned_hostgroups.map.yaml you can see that the anywhere group is assigned the portgroups.ssh which contains tcp ssh port of 22:

...
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - {{ portgroups.ssh }}
...

After ensuring that this is the only group that's assigned for SSH access, you can edit the /opt/so/saltstack/default/salt/firewall/hostgroups.yaml to include your choice of IPs for SSH access. Edit the anywhere hostgroup so it looks like the following:

{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
  firewall:
    hostgroups:
      anywhere:
        ips:
          delete:
          insert:
            - 192.168.1.0/24
            - 192.168.2.0/24
...

Replace the 192.x.x.x IPs with your choice of IP addresses and ranges. The content above assumes you've used the default Docker IP ranges.

You can then save the file and remove the iptables rule that allows SSH access to boxes from anywhere using the following commands from the manager node:

sudo salt '*' state.apply firewall

sudo salt '*' cmd.run "sudo iptables -D INPUT -p tcp -m tcp --dport 22 -j ACCEPT"

If the steps are done correctly, the boxes should have SSH access restricted to your IP addresses.

You MUST follow this guide again when you update your Grid, since the default files will be overwritten by newer updates.

Don't forget to restore this file to original or to add the IP of the new nodes you want to enroll. New nodes require SSH access to the Manager node during enrollment.

[dougburks]

We've created an issue to improve this in the future:
#7477