update profile::waf::apache2::administrative to use the new abuse_networks hiera key
Closed, Resolved · Public

Description

I have created a new global hiera object called abuse_networks which is available in the private repo. This block is currently used to add an iptables DROP rule on an opt-in basis, as well as the ACL rules used in the caching layer.

Currently the mod security solution is deployed on people, gerrit and phab. We could update those machines so that they opt into the iptables blocking method mentioned above, or we could update profile::waf::apache2::administrative to build the admin2 and admin3 files using data present in the abuse_networks object. However, before going down that route I wanted to understand the difference between admin2 and admin3. Currently users in the former get a 501 and users in the latter get a 500, neither of which seems right, and I couldn't see an explanation of the difference. Further, the admin2 and admin3 files still contain a very large amount of address space from a previous incident. Is this list still valid, or can we revise and reduce it? In its current form, I think it's far too overreaching to be used on the caching layer.

Event Timeline

jbond created this task. · May 26 2020, 1:53 PM
Restricted Application added a subscriber: Aklapper. · May 26 2020, 1:53 PM
jbond triaged this task as Medium priority. · May 26 2020, 1:53 PM
jbond added a project: User-jbond.
jbond moved this task from Unsorted 💣 to Blocked 🚧 on the User-jbond board. · Jun 2 2020, 2:24 PM
jbond added subscribers: MoritzMuehlenhoff, faidon. · Edited · Jul 1 2020, 8:29 AM

As there has been little activity on this task and the current ACL is quite wide, I propose that I will remove the current ACLs, and going forward we will block access using iptables and the abuse_networks hiera structure. I will aim to remove the current ACLs on Tuesday 13th July 10:00 UTC.

Change 608807 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] block_abuse_nets: enable block abuse nets on misc sites

https://gerrit.wikimedia.org/r/c/operations/puppet/+/608807

Change 608806 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::waf::apache::administrative: remove waf config

https://gerrit.wikimedia.org/r/c/operations/puppet/+/608806

akosiaris added a subscriber: akosiaris.
CDanis added a subscriber: CDanis. · Jul 15 2020, 9:02 PM

Change 608806 merged by Jbond:
[operations/puppet@production] profile::waf::apache::administrative: remove waf config

https://gerrit.wikimedia.org/r/608806

Change 608807 merged by Jbond:
[operations/puppet@production] block_abuse_nets: enable block abuse nets on misc sites

https://gerrit.wikimedia.org/r/608807

@jbond: Both patches in Gerrit have been merged. Can this task be resolved (via Add Action...Change Status in the dropdown menu), or is there more to do in this task?

jbond closed this task as Resolved. · Aug 17 2020, 10:32 AM
jbond claimed this task.

@jbond: Both patches in Gerrit have been merged. Can this task be resolved (via Add Action...Change Status in the dropdown menu), or is there more to do in this task?

Sorry for the delay, vacation. Yes, this can be resolved, thanks.