SSH and SNMP Blocked

mikeytag

Apr 7, 2009, 4:58:46 PM
to scalr-discuss
I am attempting to restrict access to servers in my farm and as a test
attempted the following with just one instance.
I first changed my "default" group to include the
following:

user: 919814621061
group: scalr-ssh2

and

user: 919814621061
group: scalr-snmp

I was assuming this would make sure that Scalr could access ssh and
snmp even if I block it from the security group. However upon doing
this Scalr immediately loses SNMP contact with the instance, and a
"Synchronize to All" shows that SSH is blocked as well because I got
this error:

Apr 3 22:14:45 ec2-72-44-39-234 logger: SCALR(instance-init.sh):
ec2_submit_event(hostInit): Cannot upload keys on 'i-9e3c5cf7'. Failed
to connect to '72.44.39.234:22'.

So, any ideas from the amazing Scalr devs would be excellent. I don't
mind if I have to put a bunch of static IPs into my default security
group for Scalr. I think you guys are hosted at The Planet, right? I am
assuming you probably have static IPs. However, some kind of fix that
doesn't require IPs would be excellent, because it would have to
constantly be updated as you guys added/removed servers etc.

Any ideas?

Alex Kovalyov

Apr 8, 2009, 6:23:02 AM
to scalr-discuss
Our lead developer claims userid:group rules stopped working a couple
of months ago. We're going to file this issue in the AWS forums. Until then,
if you have evidence of a working userid:group rule invocation,
please share :)

Current IPs of Scalr servers that you can expect connections from are
174.132.108.66 and 174.132.97.130

mikeytag

Apr 8, 2009, 2:01:16 PM
to scalr-discuss
Thank you soooo much Alex. I will implement the IP check now.
The only userid:group roles that I do see working are my default ones
because if I start up a server in another farm, but in my account I
have access to all ports.
I'll try to do some more testing though.
Thanks,
Mike

Alex Kovalyov

Apr 8, 2009, 5:06:24 PM
to scalr-discuss
174.129.220.222 must also be added if you want Scalr to collect stats
for your farm.

On Apr 7, 23:58, mikeytag <mikey...@gmail.com> wrote:

kenja

Apr 13, 2009, 2:30:35 PM
to scalr-discuss
Alex,

Has there been any update from the AWS forums? I'd like to lock down
my farm, too, but I hate to do it with an IP check, as that is likely
to break the farm at some point in the future.

Thanks,
Ken

mikeytag

Apr 13, 2009, 2:39:02 PM
to scalr-discuss
Thanks Alex. I updated my security group with the new IP. Any word on
the userid:group rules?

On Apr 8, 2:06 pm, Alex Kovalyov <alex.koval...@gmail.com> wrote:

kenja

Apr 14, 2009, 3:01:28 PM
to scalr-discuss
So Mikey -

Are you just adding those three IPs to each security group for ports
22 and 161-162? Then deleting the 0.0.0.0/0 permission? Have you
tested it to make sure it scales okay?

I hate to do that as it is sure to break the farm at some point, but
hopefully the dev team will fix the userid:group permissions soon.

Kenja
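
Added example, not part of any post in this thread and not Scalr's code: a small Python audit of the lockdown kenja describes, flagging rules that leave ports 22 or 161-162 reachable from sources other than the three addresses Alex listed, and reporting which of those addresses would lose access once the open rules are deleted. The rule dictionaries, the `audit` function and the tcp/udp protocol choice are assumptions of this example.

```python
import ipaddress

# Source addresses Alex lists in the thread for Scalr's servers.
SCALR_IPS = ("174.132.108.66", "174.132.97.130", "174.129.220.222")
# Ports named in the thread. Protocols are an assumption of this example:
# SSH over tcp/22, SNMP over udp/161-162.
MGMT_PORTS = (("tcp", 22, 22), ("udp", 161, 162))

def audit(rules, allowed=SCALR_IPS, mgmt=MGMT_PORTS):
    """Check ingress rules against the lockdown discussed in the thread.

    rules: list of dicts with keys proto, from, to, cidr (constructed shape).
    Returns (too_open, missing):
      too_open - rules that reach a management port from a non-allowed source
      missing  - (proto, port, ip) tuples no remaining rule would permit
    """
    allowed_nets = {ipaddress.ip_network(ip) for ip in allowed}
    too_open, kept = [], []
    for r in rules:
        hits_mgmt = any(r["proto"] == p and r["from"] <= hi and r["to"] >= lo
                        for p, lo, hi in mgmt)
        if hits_mgmt and ipaddress.ip_network(r["cidr"]) not in allowed_nets:
            too_open.append(r)   # would be deleted in the lockdown
        else:
            kept.append(r)
    missing = []
    for p, lo, hi in mgmt:
        for port in range(lo, hi + 1):
            for ip in allowed:
                ok = any(r["proto"] == p and r["from"] <= port <= r["to"]
                         and ipaddress.ip_address(ip) in ipaddress.ip_network(r["cidr"])
                         for r in kept)
                if not ok:
                    missing.append((p, port, ip))
    return too_open, missing

# Constructed sample: SSH still open to the world, SNMP restricted to only
# two of the three addresses.
SAMPLE = [
    {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"},
    {"proto": "udp", "from": 161, "to": 162, "cidr": "174.132.108.66/32"},
    {"proto": "udp", "from": 161, "to": 162, "cidr": "174.132.97.130/32"},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same check on a schedule against the group's real rules gives early notice when the allowlist drifts from the addresses the vendor publishes, which is the breakage the posters are worried about.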