Should ssh_port = 22 always be provisioned and exposed? #636

Mess0 · 2023-03-10T08:46:14Z

Mess0
Mar 10, 2023

After using this terraform script, I found that thessh_port = 22is always provisioned. So I found where it is set and have a question if it is not a issue?

   # Allow all traffic to the ssh ports
    {
      description = "Allow Incoming SSH Traffic"
      direction   = "in"
      protocol    = "tcp"
      port        = "22"
      source_ips  = ["0.0.0.0/0", "::/0"]
    }
    ], var.ssh_port == 22 ? [] : [
    {
      description = "Allow Incoming SSH Traffic"
      direction   = "in"
      protocol    = "tcp"
      port        = var.ssh_port
      source_ips  = ["0.0.0.0/0", "::/0"]
    },

The first block is always true, so default ssh_port = 22 always provisioned and exposed. If user sets for example var.ssh_port == 2022 the different one than default, it shouldn't expose both of them? For hardening the machines, I assume port 22 would be better not to expose and not to have two of them open. Or is there a problem in creating the infrastructure if port 22 is disabled?

I mean to change to something like this?

{
  description = "Allow Incoming SSH Traffic"
  direction   = "in"
  protocol    = "tcp"
  port        = var.ssh_port != null ? var.ssh_port : 22
  source_ips  = ["0.0.0.0/0", "::/0"]
}

I can create an issue as well and fix it ;)

Answered by mysticaltech

Mar 14, 2023

I understood why it's there, it's because of the rescue image which forces us to use port 22. However, you can close this port afterward, after the cluster is deployed, by applying this rule via extra_firewall_rules, it will replace it.

  extra_firewall_rules = [
    # Close the SSH port 22
    {
      direction       = "in"
      protocol        = "tcp"
      port            = "22"
      source_ips      = ["255.255.255.254/32"] # no source IPs allowed
      destination_ips = []                     # Won't be used for this rule
    }
  ]

View full answer

mysticaltech · 2023-03-14T05:03:15Z

mysticaltech
Mar 14, 2023
Maintainer

I understood why it's there, it's because of the rescue image which forces us to use port 22. However, you can close this port afterward, after the cluster is deployed, by applying this rule via extra_firewall_rules, it will replace it.

  extra_firewall_rules = [
    # Close the SSH port 22
    {
      direction       = "in"
      protocol        = "tcp"
      port            = "22"
      source_ips      = ["255.255.255.254/32"] # no source IPs allowed
      destination_ips = []                     # Won't be used for this rule
    }
  ]

3 replies

Mess0 Mar 14, 2023
Author

Thank you, that's why I want to ask before I create an issue if it is being used forcibly somewhere. 👍 I will try the additional rule you provided.

Mess0 Mar 14, 2023
Author

Maybe It would be helpful to add a comment above this block, that is used to be able to use rescue remote exec.

# Allow all traffic to the ssh ports
# port = 22 provisioned to be able to use rescue remote exec. 
# extra_firewall_rules to use to replace it.
    {
      description = "Allow Incoming SSH Traffic"
      direction   = "in"
      protocol    = "tcp"
      port        = "22"
      source_ips  = ["0.0.0.0/0", "::/0"]
    }

mysticaltech Mar 14, 2023
Maintainer

Absolutely, please don't hesitate to PR, I will just merge it ASAP.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Should ssh_port = 22 always be provisioned and exposed? #636

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Should ssh_port = 22 always be provisioned and exposed? #636

Mess0 Mar 10, 2023

Replies: 1 comment · 3 replies

mysticaltech Mar 14, 2023 Maintainer

Mess0 Mar 14, 2023 Author

Mess0 Mar 14, 2023 Author

mysticaltech Mar 14, 2023 Maintainer

Mess0
Mar 10, 2023

Replies: 1 comment 3 replies

mysticaltech
Mar 14, 2023
Maintainer

Mess0 Mar 14, 2023
Author

Mess0 Mar 14, 2023
Author

mysticaltech Mar 14, 2023
Maintainer