Page MenuHomePhabricator
Create Task
Maniphest T253632

update profile::waf::apache2::administrative to use the new abuse_networks hiera key
Closed, ResolvedPublic
Actions

Assigned To
jbond
Authored By
jbond
May 26 2020, 1:53 PM
Tags
Referenced Files
None
Subscribers
Aklapper
akosiaris
CDanis
chasemp
Dzahn
faidon
jbond
MoritzMuehlenhoff
Tokens
"100" token, awarded by akosiaris."Like" token, awarded by Aklapper."Yellow Medal" token, awarded by chasemp.

Description

I have created a new global hiera object called abuse_networks which is available in the private repo. This block is currently used to add an iptables DROP rule on an opt in bases as well as the acl rules used in the caching layer.

Currently the mod security solution is deployed on people, gerrit and phab, we could update those machines so that they opt into the iptables blocking method mentioned above, or we could update profile::waf::apache2::administrative to build the admin2 and admin3 files using data present in the abuse_networks object. However before going down that route i wanted to understand the difference between admin2 and admin3. Currently users in the former get a 501 and users in the later get a 500, neither of which seem right and i couldn't see an explanation explaining the difference. Further the admin2 and admin3 files still contain a very large amount of address space from a previous incident. Is this list still valid or can we revise and reduce it, in its current form, i think its far to overreaching to be used on the caching layer

Details

SubjectRepoBranchLines +/-
block_abuse_nets: enable block abuse nets on misc sitesoperations/puppetproduction+5 -68
profile::waf::apache::administrative: remove waf configoperations/puppetproduction+7 -27
Customize query in gerrit

Related Objects
Search...

Event Timeline

jbond created this task.May 26 2020, 1:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 26 2020, 1:53 PM
jbond triaged this task as Medium priority.May 26 2020, 1:53 PM
jbond added a project: User-jbond.
chasemp awarded a token.May 26 2020, 2:28 PM
jbond moved this task from Unsorted 💣 to Blocked 🚧 on the User-jbond board.Jun 2 2020, 2:24 PM
jbond added subscribers: MoritzMuehlenhoff, faidon.EditedJul 1 2020, 8:29 AM

As there has been little activity on this task and the current ACL is quite wide i propse that i will remove the current ACL's and going forward we will block access using iptables and the abuse_networks hiera structure. I will aim to remove the current ACL's Tuesday 13th July 10:00UTC

gerritbot added a comment.Jul 1 2020, 8:49 AM

Change 608807 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] block_abuse_nets: enable block abuse nets on misc sites

https://gerrit.wikimedia.org/r/c/operations/puppet/ /608807

gerritbot added a project: Patch-For-Review.Jul 1 2020, 8:49 AM

Change 608806 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::waf::apache::administrative: remove waf config

https://gerrit.wikimedia.org/r/c/operations/puppet/ /608806

Aklapper awarded a token.Jul 8 2020, 1:17 PM
akosiaris awarded a token.Jul 8 2020, 2:15 PM
akosiaris subscribed.
Dzahn added a subtask: T257507: HTTP 500 error trying to access phabricator from my server.Jul 9 2020, 8:26 PM
Dzahn subscribed.
Dzahn added a subtask: T254568: Accessing Phabricator from Tor (some ranges blocked but not others).Jul 9 2020, 8:29 PM
Dzahn mentioned this in T254568: Accessing Phabricator from Tor (some ranges blocked but not others).Jul 9 2020, 8:32 PM
CDanis subscribed.Jul 15 2020, 9:02 PM
gerritbot added a comment.Jul 16 2020, 8:13 AM

Change 608806 merged by Jbond:
[operations/puppet@production] profile::waf::apache::administrative: remove waf config

https://gerrit.wikimedia.org/r/608806

gerritbot added a comment.Jul 16 2020, 8:21 AM

Change 608807 merged by Jbond:
[operations/puppet@production] block_abuse_nets: enable block abuse nets on misc sites

https://gerrit.wikimedia.org/r/608807

Maintenance_bot removed a project: Patch-For-Review.Jul 16 2020, 9:10 AM
Isarra closed subtask T257507: HTTP 500 error trying to access phabricator from my server as Resolved.Jul 17 2020, 6:34 PM
Aklapper added a comment.Aug 5 2020, 2:06 PM

@jbond: Both patches in Gerrit have been merged. Can this task be resolved (via Add Action...Change Status in the dropdown menu), or is there more to do in this task?

Aklapper mentioned this in T234598: Access Forbidden to Phabricator at WikiArabia 2019 (Morocco) via Indian IP 185.174.156.75.Aug 5 2020, 2:09 PM
jbond closed this task as Resolved.Aug 17 2020, 10:32 AM
jbond claimed this task.
In T253632#6362858, @Aklapper wrote:

@jbond: Both patches in Gerrit have been merged. Can this task be resolved (via Add Action...Change Status in the dropdown menu), or is there more to do in this task?

sorry for the delay, vacation.. Yes this can be resolved thanks

Aklapper closed subtask T254568: Accessing Phabricator from Tor (some ranges blocked but not others) as Resolved.Jul 11 2023, 9:40 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL