Maniphest T262071

WebPageTest and WebPageReplay should limit SSH access
Closed, DeclinedPublic
Actions

Assigned To

None

Authored By

	• dpifke
	Sep 4 2020, 5:06 PM

Description

I propose adding firewall rules to only allow connections from WMF bastion hosts. This would limit their exposure in the event of misconfiguration or OpenSSH bug.

Prior to doing so, everyone who logs in will need to add a ProxyJump line to ~/.ssh/config, e.g.

Host wpr-mobile
    User uibuntu
    Hostname wpr-mobile.wmftest.org
    IdentityFile ~/.ssh/sitespeedio.pem
    ProxyJump primary.bastion.wmflabs.org

(repeat for other hosts as well)

@Peter: Please assign this task back to me once you've done the above, and I'll make the change.

Related Objects

Mentioned In: T262761: All WebPageReplay servers can't send data to Graphite

Event Timeline

• dpifke created this task.Sep 4 2020, 5:06 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 4 2020, 5:06 PM

Peter moved this task from Inbox, needs triage to Backlog: Maintenance, non-prioritized on the Performance-Team board.Sep 8 2020, 6:12 PM

Thank you Dave!

I've added them now. There WebPageReplay servers, one Graphite and one WebPageTest.

• dpifke mentioned this in T262761: All WebPageReplay servers can't send data to Graphite.Sep 14 2020, 5:13 PM

Peter added projects: Synthetic-Performance-Testing, WebPageTest.Sep 15 2020, 12:03 PM

Krinkle renamed this task from WebPageTest and WebPageRelay should limit SSH access to WebPageTest and WebPageReplay should limit SSH access.Apr 6 2022, 6:53 PM

Removing inactive task assignee (please do so as part of offboarding processes).

Peter closed this task as Declined.Nov 18 2022, 12:50 PM

WebPageTest and WebPageReplay should limit SSH accessClosed, DeclinedPublicActions

Description

Related Objects

Event Timeline

WebPageTest and WebPageReplay should limit SSH access
Closed, DeclinedPublic
Actions