Unpredictable rsync source address on dual-stack or multiple interface servers #8

Open
mpounsett opened this issue May 5, 2023 · 0 comments


Farsight sets ACLs to only allow rsync of SIE data from specific sources. However, on systems with multiple interfaces it is unpredictable which source address will be used to upload data, which can run afoul of those ACLs.

The official advice we got when setting up the sensor was to directly modify the ssh_cmd definition in /usr/lib/sie/functions to pin a source address. However, this hidden change can break as servers are updated or replaced, as we recently discovered on a server that hadn't successfully uploaded any data for two years.

The config file should accept an optional source address for rsync, and use that (if present) to set the source address on the ssh_cmd.

mpounsett added a commit to mpounsett/sie-dns-sensor that referenced this issue May 5, 2023
- adds an optional config parameter `rsync_source`, which will set the
  bind_interface option on the ssh session used by rsync when present
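
One way the requested option could be wired in, as an added example that is not part of the issue or the sie-dns-sensor code: `rsync_source` and `ssh_cmd` are the names used above, while the helper functions, the bare `ssh` base command, and the use of OpenSSH's `BindAddress` option are assumptions. The value is accepted only if it is an IP literal, so a bad config entry fails loudly instead of adding stray ssh options or silently leaving the source address unpinned.

```shell
#!/bin/sh
# Added example, not the project's code. Helper names are hypothetical.

# True if $1 is a dotted-quad IPv4 literal with every octet in 0..255.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Syntactic IPv6 check only: hex digits, colons, optional dotted tail,
# at least two colons. ssh itself rejects anything it cannot bind to.
is_ipv6() {
    case "$1" in
        *[!0-9A-Fa-f:.]*|*:::*) return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ssh command rsync should use with -e.
# $1 is the optional rsync_source value read from the config file;
# empty keeps the existing behaviour (the kernel picks the source).
build_ssh_cmd() {
    base="ssh"   # assumed; the real ssh_cmd definition is not shown in the issue
    if [ -z "$1" ]; then
        printf '%s\n' "$base"
    elif is_ipv4 "$1" || is_ipv6 "$1"; then
        printf '%s -o BindAddress=%s\n' "$base" "$1"
    else
        # Fail closed: a typo must not turn into an unpinned upload.
        echo "rsync_source '$1' is not an IP literal; refusing to upload" >&2
        return 1
    fi
}

# Intended use (destination is a placeholder):
#   ssh_cmd=$(build_ssh_cmd "$rsync_source") || exit 1
#   rsync -a -e "$ssh_cmd" "$spool_dir/" "UPLOAD_DESTINATION"
```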