roles/common: Use Abuse.ch's SSL Blacklist in nftables

This adds Abuse.ch's list of IPs using blacklisted SSL certificates
to nftables. These IPs are high confidence indicators of compromise
and we should not route them. The list is updated daily by a systemd
timer.

See: https://sslbl.abuse.ch/blacklist/
2021-07-29 10:16:00 +03:00
parent cba2a7a996
commit 8dd7663b3c
7 changed files with 146 additions and 11 deletions


@ -39,6 +39,7 @@
loop:
- spamhaus-ipv4.nft
- spamhaus-ipv6.nft
- abusech-ipv4.nft
notify:
- reload nftables
@ -102,20 +103,23 @@
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy Spamhaus nftables systemd units
- name: Copy nftables systemd units
when: ansible_distribution_version is version('11', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
register: spamhaus_nftables_systemd_units
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
systemd: daemon_reload=yes
when: spamhaus_firewalld_systemd_units is changed or
spamhaus_nftables_systemd_units is changed
nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('10', '<=')
@ -123,9 +127,12 @@
notify:
- restart firewalld
- name: Start and enable Spamhaus nftables update timer
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=')
systemd: name=update-spamhaus-nftables.timer state=started enabled=yes
systemd: name={{ item }} state=started enabled=yes
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_major_version is version('11', '>=')
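Review bot: The new abusech-ipv4.nft entry in the first copy loop is treated exactly like the static Spamhaus files, yet the commit message says the list is rewritten daily by update-abusech-nftables.timer; if the update script writes to the same destination, every playbook run will overwrite the freshly downloaded list with the seed from the repository and fire `reload nftables`, briefly regressing the block list until the next timer run. If that is intended, a comment on the loop such as `# abusech-ipv4.nft is only a seed; refreshed daily by update-abusech-nftables.timer` would make it explicit; otherwise `force: no` on that item avoids the clobber. The update script copied in the second hunk is not part of this section, so I cannot check it, but because it feeds a remotely fetched list into the ruleset under a root timer it should verify the TLS download, accept only IPv4 address/CIDR lines before writing the .nft file, and keep the previous file when the fetch fails or returns empty, so that a transport failure does not silently drop the blocking. The same points apply to the identical hunks in the second file section below (the 20.04 variant).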


@ -45,6 +45,7 @@
loop:
- spamhaus-ipv4.nft
- spamhaus-ipv6.nft
- abusech-ipv4.nft
notify:
- reload nftables
@ -81,26 +82,29 @@
- update-spamhaus-lists.timer
register: spamhaus_firewalld_systemd_units
- name: Copy Spamhaus nftables update scripts
- name: Copy nftables update scripts
when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy Spamhaus nftables systemd units
- name: Copy nftables systemd units
when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
register: spamhaus_nftables_systemd_units
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
systemd: daemon_reload=yes
when: spamhaus_firewalld_systemd_units is changed or
spamhaus_nftables_systemd_units is changed
nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('18.04', '<=')
@ -108,9 +112,12 @@
notify:
- restart firewalld
- name: Start and enable Spamhaus nftables update timer
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('20.04', '>=')
systemd: name=update-spamhaus-nftables.timer state=started enabled=yes
systemd: name={{ item }} state=started enabled=yes
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_version is version('20.04', '>=')