Phabricator security policy open up port 222 for regular ssh with git on port 22
Closed, Resolved · Public

Description

Diffusion needs port 222 to be open so that I can get access to the shell while serving git cloning normally. The port probably shouldn't be open on machines without being set up to handle it. https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/#configuring-ssh

Negative24 updated the task description.
Negative24 raised the priority of this task from to Needs Triage.
Negative24 added projects: Labs, Phabricator.
Negative24 added a subscriber: Negative24.
Restricted Application added a subscriber: Aklapper. Mar 27 2015, 7:04 PM
Negative24 renamed this task from "Phabricator security policy open up port 222" to "Phabricator security policy open up port 222 for alternate ssh". Mar 27 2015, 7:06 PM
Negative24 updated the task description.
Negative24 set Security to None.
Dzahn added a subscriber: Dzahn. Mar 27 2015, 7:08 PM

This is about phabricator in labs, so it's about a project admin using the security policies via the wikitech ui.

I see no problem with having port 222 opened. @chasemp: should we just make @Negative24 an admin on the wikitech "phabricator" project?

> I see no problem with having port 222 opened. @chasemp: should we just make @Negative24 an admin on the wikitech "phabricator" project?

I'm not sure what instance this is for? Is the instance in question in that project? What instance is this?

Aside from that, idk how to do it yet :)

@chasemp: phab-02

and I don't know how to do it either ;)

> @chasemp: phab-02
>
> and I don't know how to do it either ;)

Do what? Open port 222, make me an admin, or configure Diffusion?

yes, the instances are in the same project. see above link for this quote:

"Every project has a 'default' security group that provides access to ssh and Nagios (which is used for status monitoring.) Unless you are doing something very unusual, you will want every instance to be a member of the default group. "

So technically you could have one instance use a different (non-default) group, but I would not recommend doing that. Change the existing default group instead if you think that's ok to open the port. I remember there was a bug that only happened when you create new groups, so the recommendation was always to change the default instead of making one.

Essentially all you need to do is click "Add rule" in the default group, put 222 in both the beginning and end port range inputs, tcp as the protocol, and 0.0.0.0/0 as the CIDR range (and don't change the source group).
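The rule described above is entered by hand in the wikitech UI, so a typo in the begin/end port fields (22 to 222 instead of 222 to 222) would silently expose a whole range. As an added example that is not part of this task or of any Wikimedia tooling, the Python check below takes a constructed rule list in the shape nova exposes (protocol, begin/end port, CIDR or source group) and reports whether the intended exposure (tcp/22 for git, tcp/222 for admin SSH) is in place and whether anything else is reachable from 0.0.0.0/0.

```python
"""Audit an OpenStack-style security group against the intended public
exposure of a Diffusion host: tcp/22 (git over SSH) and tcp/222 (admin SSH)
open to the world, and nothing else."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    ip_protocol: str
    from_port: int
    to_port: int
    cidr: Optional[str] = None  # None when the rule allows a source group instead


# Constructed sample of a "default" group after the 222 rule has been added.
DEFAULT_GROUP = [
    Rule("tcp", 22, 22, "0.0.0.0/0"),
    Rule("tcp", 222, 222, "0.0.0.0/0"),
    Rule("tcp", 5666, 5666, "10.0.0.0/8"),  # Nagios NRPE from an internal range (assumed)
    Rule("tcp", 5666, 5666, None),          # same port, allowed from the group itself
    Rule("icmp", -1, -1, "0.0.0.0/0"),
]

INTENDED_PUBLIC = {("tcp", 22), ("tcp", 222)}


def world_reachable(rule: Rule) -> bool:
    """True when the rule's source is the unrestricted IPv4 range."""
    return rule.cidr is not None and ip_network(rule.cidr) == ip_network("0.0.0.0/0")


def public_ports(rules):
    """Expand world-reachable TCP/UDP rules into (protocol, port) pairs."""
    exposed = set()
    for r in rules:
        if not world_reachable(r) or r.ip_protocol.lower() not in ("tcp", "udp"):
            continue
        # A single port is stored as from_port == to_port; a range expands to every port in it.
        lo, hi = sorted((r.from_port, r.to_port))
        exposed.update((r.ip_protocol.lower(), p) for p in range(lo, hi + 1))
    return exposed


def audit(rules, intended=INTENDED_PUBLIC):
    """Return (missing, unexpected): intended pairs not yet open, and
    world-reachable pairs the policy does not call for."""
    exposed = public_ports(rules)
    return sorted(intended - exposed), sorted(exposed - intended)


if __name__ == "__main__":
    print(audit(DEFAULT_GROUP))
```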

TBH far more people are going to be annoyed and inconvenienced with git on a weird port than ssh. Only a few people will ever ssh in. If I'm doing it in prod and it is my call now I'm reversing the ports.

demon added a subscriber: demon. Edited Mar 27 2015, 10:24 PM

> TBH far more people are going to be annoyed and inconvenienced with git on a weird port than ssh. Only a few people will ever ssh in. If I'm doing it in prod and it is my call now I'm reversing the ports.

This. A bazillion times this. If you're not offering Git+SSH over 22 then don't bother.

See also the eternal T37611: Remove port 29418 from cloning process

@chasemp @demon Well that was amusing. Yes. SSH for maintenance is over port 222. I'm not insane enough to serve cloning from port 222. :) (you guys should read the document in the description to see the process. For now I'm going to make this very clear what is actually going to happen)

Negative24 updated the task description. Mar 27 2015, 10:31 PM
Negative24 renamed this task from "Phabricator security policy open up port 222 for alternate ssh" to "Phabricator security policy open up port 222 for regular ssh with git on port 22".

> @chasemp @demon Well that was amusing. Yes. SSH for maintenance is over port 222. I'm not insane enough to serve cloning from port 222. :) (you guys should read the document in the description to see the process. For now I'm going to make this very clear what is actually going to happen)

Shouldn't do that either. You should have a public IP that serves an SSH daemon on 22 for Git, and a private IP for SSH for SSHing.

Keep in mind, this is a Labs instance. We can figure out the production configuration but for now I think that that would be overkill.

@Negative24: you are now a projectadmin ...

Negative24 closed this task as Resolved. Mar 28 2015, 3:35 AM
Negative24 claimed this task.

@mmodell Thanks.

Restricted Application added a subscriber: scfc. Jun 29 2015, 3:59 PM