This was all done on Ubuntu 22.
$ ufw version
ufw 0.36.1
Copyright 2008-2021 Canonical Ltd.
$ cat /etc/os-release | grep VERSION
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
Trying to connect to an Ubuntu server from a GitHub runner running Ansible, I found that Ansible was getting blocked by UFW and subsequently received connection timeouts.
The UFW logs showed [UFW LIMIT BLOCK], so I knew it was rate limiting. The strange thing is that I can manually connect using SSH from the GitHub runner just fine; however, I know Ansible likes to open and close a lot of connections, so it was probably triggering the rate limit.
To resolve this, the seconds and hit_count for the SSH rule in UFW need to be changed from the default of seconds: 30 hit_count: 3 to something less aggressive. Unfortunately, the only way I found to do this was to modify the UFW source (thanks to https://jb.prose.sh/ufw-limit):
/usr/lib/python3/dist-packages/ufw/backend_iptables.py
I adjusted the section:
        # adjust for limit
        pat_limit = re.compile(r' -j LIMIT')
        for i, s in enumerate(snippets):
            if pat_limit.search(s):
                tmp1 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent --set', \
                                     s)
                tmp2 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent' + \
                                     ' --update --seconds 30 --hitcount 3' + \
                                     ' -j ' + prefix + '-user-limit', s)
                tmp3 = pat_limit.sub(' -j ' + prefix + '-user-limit-accept', s)
                snippets[i] = tmp3
                snippets.insert(i, tmp2)
                snippets.insert(i, tmp1)

        return snippets
and changed it to --seconds 10 --hitcount 24.
Anything less than that and Ansible was blocked again.
Implemented with:
~$ sudo ufw disable
~$ sudo ufw enable
ufw reload was not sufficient, as it would not replace the existing rule, just add the new rule next to it, which makes perfect sense since I'm adjusting the codebase.
Is there a better way of doing this? I can't find much information on overriding the hardcoded defaults in UFW, which I'd assume is done through custom rules, but again, no information.
I also saw that GitHub publishes their action runners' IP ranges (https://api.github.com/meta), but holy crap it's long and not something that looked easy to manage in UFW.
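As an added illustration (not part of the post or of ufw itself), the following script models the two iptables rules the ufw snippet above generates for a LIMIT entry, so a given --seconds/--hitcount pair can be checked against a burst of connections before touching the firewall. It is a simplified model of the kernel's xt_recent match (per-entry stamp cap and entry expiry are omitted; that is an assumption), and the connection timestamps and addresses are constructed sample data.

```python
"""Simplified model of the xt_recent rate limit behind ufw's LIMIT rules.

Per LIMIT entry the ufw snippet emits two iptables rules (recent list keyed
by source address):
    -m conntrack --ctstate NEW -m recent --set
    -m conntrack --ctstate NEW -m recent --update --seconds S --hitcount N -j <prefix>-user-limit
The first stamps every NEW connection; the second fires when at least N
stamps (the current one included) fall within the last S seconds.
Simplification (assumption): no per-entry stamp cap, no entry expiry.
"""
from collections import defaultdict
from typing import Iterable

Connection = tuple[float, str]  # (time in seconds, source address)


def limit_blocked(connections: Iterable[Connection], seconds: float, hitcount: int) -> list[Connection]:
    """Return the connections the LIMIT rule pair would send to the limit chain."""
    stamps: dict[str, list[float]] = defaultdict(list)
    blocked: list[Connection] = []
    for t, src in sorted(connections):
        stamps[src].append(t)  # "--set": record this NEW connection
        in_window = sum(1 for s in stamps[src] if t - s <= seconds)
        if in_window >= hitcount:  # "--update --seconds S --hitcount N" matches
            stamps[src].append(t)  # a matching --update also refreshes the entry
            blocked.append((t, src))
    return blocked


def min_safe_hitcount(connections: Iterable[Connection], seconds: float) -> int:
    """Smallest --hitcount for a given --seconds that blocks none of these connections."""
    stamps: dict[str, list[float]] = defaultdict(list)
    peak = 0
    for t, src in sorted(connections):
        stamps[src].append(t)
        peak = max(peak, sum(1 for s in stamps[src] if t - s <= seconds))
    return peak + 1


# Constructed sample: an Ansible-style burst of six SSH connections one second
# apart from one runner (203.0.113.10), plus a single manual SSH login from
# another host (198.51.100.7) in the middle of it.
SAMPLE: list[Connection] = [(float(t), "203.0.113.10") for t in range(6)]
SAMPLE.append((2.5, "198.51.100.7"))

if __name__ == "__main__":
    for secs, hits in ((30, 3), (10, 24)):
        hit = limit_blocked(SAMPLE, secs, hits)
        print(f"--seconds {secs} --hitcount {hits}: blocked {len(hit)} -> {hit}")
    print("min hitcount keeping the burst unblocked at --seconds 10:",
          min_safe_hitcount(SAMPLE, 10))
```

With the default 30/3 the third connection of the burst and every one after it is sent to the limit chain, while the manual login from the other address is untouched; with 10/24 nothing is blocked.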