Merge pull request #1663 from shapeblue/4.9-dnsreflection-attack
[LTS/blocker] CLOUDSTACK-6432: Prevent DNS reflection attacksCLOUDSTACK-6432:
Prevent DNS reflection attacks
DNS on VR should not be publically accessible as it may be prone to DNS
amplification/reflection attacks. This fixes the issue by only allowing VR
DNS (port 53) to be accessible from guest network cidr, as per the fix in:
https://issues.apache.org/jira/browse/CLOUDSTACK-6432
- Only allows guest network cidrs to query VR DNS on port 53.
- Includes marvin smoke test that checks the VR DNS accessibility checks
from
guest and non-guest network.
- Fixes Marvin sshClient to avoid using ssh agent when password is provided,
previous some environments may have seen 'No existing session' exception
without
this fix.
- Adds a new dnspython dependency that is used to perform dns resolutions
in the
tests.
Due to repository commit issues I've created this PR, based on #1653 .
/cc @jburwell @karuturi @NuxRo @ustcweizhou @wido and others
* pr/1663:
CLOUDSTACK-6432: Prevent DNS reflection attacks
Signed-off-by: Rohit Yadav <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/3e6f49d9
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/3e6f49d9
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/3e6f49d9
Branch: refs/heads/4.9-bountycastle-daan
Commit: 3e6f49d9e28007d8c4a0b51b34e32e7f6d724c1e
Parents: 0671a80 14504dc
Author: Rohit Yadav <[email protected]>
Authored: Tue Aug 30 22:42:40 2016 +0530
Committer: Rohit Yadav <[email protected]>
Committed: Tue Aug 30 22:43:17 2016 +0530
----------------------------------------------------------------------
.../debian/config/opt/cloud/bin/cs/CsAddress.py | 24 +-
test/integration/smoke/test_router_dns.py | 268 +++++++++++++++++++
tools/marvin/marvin/sshClient.py | 3 +-
tools/marvin/setup.py | 1 +
4 files changed, 282 insertions(+), 14 deletions(-)
----------------------------------------------------------------------