Closed Bug 907528 Opened 12 years ago Closed 12 years ago

exclude all releng relay boards from scan1.ops.scl3.mozilla.com scans

Categories

(Security Assurance :: General, task)

x86_64
Windows 7
task
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dividehex, Assigned: mhenry)

References

Details

The connections from scan1.ops.scl3.mozilla.com seem to be having an impact on the relay boards in scl1 causing them to become slow and unresponsive. Bug 907514 (relay-board-*.p*.releng.scl1.mozilla.com)

These relay boards are small embedded microcontrollers with about 8MB of RAM and don't handle multiple TCP connections very well at all. The software that interfaces with these boards (mozpool) takes this into account and does nice things like serializing connections and locking, but the connections from scan1.ops.scl3.mozilla.com don't do these nice things and cause their limited resources to become tied up. Can we have all of these boards excluded from being scanned?

#> who
ID  From             To               Protocol              Sessions
--  ---------------  ---------------  --------------------  --------
1   10.22.8.128      local shell      telnet
2   10.22.8.128      local shell      telnet
3   10.22.8.128      local shell      telnet
4   10.22.8.128      local shell      telnet
5   10.22.8.128      local shell      telnet
6   10.22.8.128      local shell      telnet
7   10.22.8.128      local shell      telnet
8   10.22.8.128      local shell      telnet
9   10.22.8.128      local shell      telnet
10  10.22.8.128      local shell      telnet
11  10.22.8.128      local shell      telnet
12  10.22.8.128      local shell      telnet
13  10.22.8.128      local shell      telnet
14  10.26.74.22      local shell      telnet
Assignee: nobody → mhenry
I'll create an ongoing block. Should take effect shortly.
I've been looking at inventory/dns for all these boards. There are quite a few entries. Is there a specific subnet or IP range that can be blocked?
If you're blocking the subnets you're also not scanning the linux machines on the subnet. The pandas are set up to be one subnet per rack which includes the boards, the relays, the imaging servers, and the buildbot slaves (foopies). The specific hosts we're asking you to block are:

If you want to block entire subnets, you're talking about all of: 10.12.128/24 - 10.12.137/24

There are also a couple stragglers not in those specific ranges. These will change when all of the panda infrastructure moves to scl3 this year or next.
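An added example, not from this bug or from Mozilla's tooling, showing the trade-off the comment above describes: a scan-target filter that skips only the relay boards (by the naming patterns and listed IPs from this bug) versus one that blocks the whole 10.12.128/24 - 10.12.137/24 rack range and drops the Linux hosts on those racks too. The target list, the foopy/buildbot hostnames and their IPs are constructed; the two relay entries are taken from the bug's list.

```python
import fnmatch
import ipaddress

# Two entries in the "hostname. ip" form used in the bug's list (rest omitted).
EXCLUSION_LIST = """\
panda-relay-007.p1.releng.scl1.mozilla.com. 10.12.128.40
panda-relay-008.p1.releng.scl1.mozilla.com. 10.12.128.41
"""

# Relay-board naming patterns given in the bug.
RELAY_GLOBS = ("relay-board-*.p*.releng.scl1.mozilla.com",
               "panda-relay-*.p*.releng.scl1.mozilla.com")

# The whole-rack alternative from the bug: 10.12.128/24 through 10.12.137/24.
RACK_NETWORKS = [ipaddress.ip_network(f"10.12.{o}.0/24") for o in range(128, 138)]


def parse_exclusions(text):
    """Return {hostname: IPv4Address} from 'hostname. ip' lines; skip malformed ones."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            out[parts[0].rstrip(".").lower()] = ipaddress.ip_address(parts[1])
    return out


def is_relay_board(host):
    return any(fnmatch.fnmatchcase(host.lower(), g) for g in RELAY_GLOBS)


def split_targets(targets, exclusions, block_whole_racks=False):
    """Partition (hostname, ip) targets into (scan, skip) lists of hostnames.
    Host mode skips only relay boards (name pattern or listed IP); rack mode
    skips every address in the rack subnets, Linux hosts included."""
    scan, skip = [], []
    excluded_ips = set(exclusions.values())
    for host, ip in targets:
        name, addr = host.rstrip(".").lower(), ipaddress.ip_address(ip)
        if block_whole_racks:
            excluded = any(addr in net for net in RACK_NETWORKS)
        else:
            excluded = is_relay_board(name) or addr in excluded_ips
        (skip if excluded else scan).append(name)
    return scan, skip


SAMPLE_TARGETS = [  # constructed scan targets; the last three hosts/IPs are invented
    ("panda-relay-007.p1.releng.scl1.mozilla.com", "10.12.128.40"),
    ("relay-board-01.p1.releng.scl1.mozilla.com", "10.12.128.48"),
    ("foopy-example.p1.releng.scl1.mozilla.com", "10.12.128.10"),
    ("buildbot-example.scl1.mozilla.com", "10.12.200.5"),
]
```

Host mode leaves the foopy in the scan set; rack mode drops it along with the relays, which is exactly the side effect the comment warns about.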
Blocks: 907514
This is impacting production systems; can we get it turned off asap?
Severity: normal → major
I am sorry, I forgot to update the bug. It's been off since last week. I stopped the scan against SCL1 on 8.22.2013 and it has not been running since. I've since deleted the SCL1 profile as part of changes I'm making to the scanner on 8.23.2013 and have not re-added it yet (working on that now, but ensuring the IPs you've requested blocked are blocked). I was waiting to close this bug pending the re-addition of the profile with these hosts blocked. I can assure you the scan has been disabled. If it's still ongoing, it's not Nexpose. What are you seeing?
Status: NEW → ASSIGNED
I haven't seen any new connections or issues since last week. Does removing the SCL1 profile mean the scanner won't touch SCL1 at all?
The scanner does not know about SCL1 right now, so it can't scan SCL1. I am re-adding SCL1 today (right now), but ensuring the IPs listed above are blocked from being scanned. I documented the IPs here as well: https://mana.mozilla.org/wiki/display/SECURITY/Hosts+that+won%27t+be+scanned+by+nexpose
I've ensured these IPs are blocked from global scanning in Nexpose. If there is any ongoing issue please reopen this bug, create a new bug, or ping me on IRC. Thanks!
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security