Commit Graph

967 Commits

Author SHA1 Message Date
Alan Orth b4d50166f4
roles/common: Fix loop in firewall cleanup 2021-07-28 23:46:53 +03:00
Alan Orth c336b217c5
Remove extra TCP ports from firewall rules
Now all web hosts get TCP 80 and 443 open automatically.
2021-07-28 14:49:50 +03:00
Alan Orth af6c3dd12a
roles/common: Update cache in firewall playbook
cron-apt updates the system against the security-only databases at
night so many packages are "missing" unless you run apt update. We
need to update the cache on all apt tasks actually because I might
be running them by their tag and they currently only get updated at
the beginning of the playbook.
2021-07-28 14:46:58 +03:00
Alan Orth b66c724109
roles/common: Use nftables on Ubuntu 20.04 as well
This mostly copies the Debian 11 nftables setup and includes a play
to clean up the old firewalld settings, timers, etc.
2021-07-28 14:18:41 +03:00
Alan Orth 8bc2b6f493
roles/common: Retab nftables.conf.j2 2021-07-27 22:03:23 +03:00
Alan Orth a74d6dfc08
roles/common: Don't overwrite spamhaus nft sets
The ones in this repo are only placeholders that get updated by the
update-spamhaus-nftables service, so we shouldn't overwrite them if
they exist.
2021-07-27 22:01:57 +03:00
Alan Orth d3922e7878
roles/common: Port configurable firewall logic to nftables
This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts
in the web group, and allows configuration of "extra" rules in the
host or group vars.
2021-07-27 21:22:32 +03:00
Alan Orth 14814aa5d9
roles/common: Wire up fail2ban
The nftables support works easily and creates the table, chains, and
sets on demand.
2021-07-26 22:07:31 +03:00
Alan Orth 3b053167b1
roles/common: Fix sources.list for Debian 11 Bullseye
Seems the path to the security updates repo changed.
2021-07-26 21:12:05 +03:00
Alan Orth 9bba0d96bb
roles/common: Add initial support for nftables on Debian 11
I will try using nftables directly instead of via firewalld as of
Debian 11 as it is the replacement for the iptables/ipset stack in
recent years and is easier to work with.

This also includes a systemd service, timer, and script to update
the spamhaus DROP lists as nftables sets.

Still need to add fail2ban support.
2021-07-26 13:09:41 +03:00
Alan Orth 38c333045b
roles/common: bring Ubuntu firewall changes to Debian 11
Note that there is currently an issue loading the spamhaus rules on
Debian 11 when using ipsets with firewalld and the nftables backend.
The bug is apparently caused by overlapping CIDR segments, and the
solution appears to be that we need to manually aggregate them with
a tool like aggregate6 (Python).

See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
See: https://wiki.fysik.dtu.dk/it/Linux_firewall_configuration#using-ipsets-in-firewalld-on-rhel-centos-8
See: https://github.com/job/aggregate6
2021-07-24 23:09:33 +03:00
Alan Orth d4ede33099
roles/common: Don't configure apt sources on ARM
I was using this on Ubuntu, but might as well bring it here too so
that I can run Debian on Scaleway's ARM instances, for example.
2021-07-24 22:32:20 +03:00
Alan Orth 0bad75788d
roles/common: Add encryption settings to Debian 11 sshd_config
Mostly based on the ssh-audit policy for OpenSSH 8.4, but with any
algorithms using less than 256 bits removed. NSA's Suite B removed
these long ago, and the new CNSA suite only uses 256 and up.

See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
2021-07-24 22:28:59 +03:00
Alan Orth 892033b880
roles/common: port common settings to Debian 11 sshd_config
Still need to add the encryption settings.
2021-07-22 14:16:20 +03:00
Alan Orth 7c6ab2a652 roles/common: Add sshd_config from Debian 11 RC2 2021-07-22 14:15:00 +03:00
Alan Orth 1c95c1faa8
roles/common: Update KexAlgorithms in Ubuntu 20.04 sshd_config
Recommended by ssh-audit. Note that curve25519-sha256 is the new name
for the previously private implementation in libssh.
2021-07-22 12:57:31 +03:00
Alan Orth 9ea14de6f5
roles/common: Remove Encrypt-and-MAC modes from Ubuntu 20.04 sshd_config
Recommended by ssh-audit, but also generally the concensus for a few
years that Encrypt-and-MAC is hard to get right. OpenSSH has several
Encrypt-then-MAC schemes available so we can use those.

See: https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
2021-07-22 12:48:12 +03:00
Alan Orth 9b7a31ebf9
roles/common: Remove 00-persistent-journal.conf
This was to enable the persistent systemd journal, but it is no lo-
nger needed as of Ubuntu 18.04 and Debian 11. I had removed the ta-
asks long ago, but forgot to remove this file.
2021-07-21 10:02:33 +03:00
Alan Orth d7c34a30a3
roles/common: Add Spamhaus DROP lists to firewalld ipsets
This configures the recommended DROP, EDROP, and DROPv6 lists from
Spamhaus as ipsets in firewalld. First we copy an empty placeholder
ipset to seed firewalld, then we use a shell script to download the
real lists and activate them. The same shell script is run daily as
a service (update-spamhaus-lists.service) by a systemd timer.

I am strictly avoiding any direct ipset commands here because I want
to make sure that this works on older hosts where ipsets is used as
well as newer hosts that have moved to nftables such as Ubuntu 20.04.
So far I have tested this on Ubuntu 16.04, 18.04, and 20.04, but ev-
entually I need to abstract the tasks and run them on CentOS 7+ as
well.

See: https://www.spamhaus.org/drop/
2021-07-21 09:34:51 +03:00
Alan Orth ee5f4cdf74
host_vars: don't hard code python path
We now use auto mode in ansible.cfg, so we don't need to hard code
this in every single host's vars file.

See: https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html
2021-07-07 12:23:05 +03:00
Alan Orth b014c09a2c
ansible.cfg: Use auto discovery of Python interpreter
Uses a built-in table of OSes and Python versions to decide which
Python interpreter to use. This is better than hard coding python3
in every single host's host_vars.

See: https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html
2021-07-07 12:22:00 +03:00
Alan Orth 531ff99af0
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-07-04 11:15:32 +03:00
Alan Orth 82d3a7ff2a
roles/nginx: Add convenience tags to fact task 2021-07-01 18:17:14 +03:00
Alan Orth 6c3cf40a16
roles/nginx: Use snakeoil cert from ssl-cert
Instead of manually creating our own self-signed certificate we can
use the one created automatically by the ssl-cert package on Debian.
This is only used by the dummy default HTTPS vhost.
2021-07-01 18:11:34 +03:00
Alan Orth 681be5eb19
Pipfile.lock: run pipenv update
Ansible 4.2.0 and Ansible Core 2.11.2
2021-07-01 18:11:11 +03:00
Alan Orth 4fae56a386
host_vars/web19: WordPress 5.7.2 2021-06-13 16:14:22 +03:00
Alan Orth 1d5db7bdbe
Pipfile.lock: run pipenv update 2021-06-13 16:14:05 +03:00
Alan Orth 32da3a3341
Pipfile.lock: Re-create pipenv environment for Ansible 4.0.0
Seems we need to manually uninstall and re-install.
2021-05-20 10:21:01 +03:00
Alan Orth 31a3f5832a
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-05-20 10:20:47 +03:00
Alan Orth 3e7130b519
Pipfile.lock: run pipenv update 2021-05-14 13:56:56 +03:00
Alan Orth bd0b6a16de
roles/nginx/defaults/main.yml: Update version comment
Stable is now 1.20.0
2021-05-10 16:00:44 +03:00
Alan Orth 7145298f90
Pipfile.lock: Run pipenv update 2021-05-10 15:59:34 +03:00
Alan Orth 1bfd2bc441
Pipfile.lock: Run pipenv update
Ansible 3.3.0
2021-04-28 12:49:23 +03:00
Alan Orth 884b3b8425
host_vars/web19: remove dead host 2021-04-24 20:17:17 +03:00
Alan Orth e06a0c4093
host_vars/web19: WordPress 5.7.1 2021-04-16 19:51:55 +03:00
Alan Orth 7ba5afcec4
roles/nginx: Opt out of Google FLoC
Google's new Federated Learning of Cohorts (FLoC) will read user's
browser history and assign them to cohorts to track them unless we
set this header.
2021-04-16 12:41:09 +03:00
Alan Orth d3978e5b07
Pipfile.lock: run pipenv update 2021-04-13 14:28:34 +03:00
Alan Orth 4150dac57b
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-04-13 12:11:11 +03:00
Alan Orth 58bc9d191f
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-03-24 10:02:43 +02:00
Alan Orth 96cefc7f74
roles/nginx: Parameterize HSTS header
This parameterizes the HTTP Strict Transport Security header so we
can use it consistently across all templates. Also, it updates the
max-age to be ~1 year in seconds, which is recommended by Google.

See: https://hstspreload.org/
2021-03-23 15:36:28 +02:00
Alan Orth f85eb2841a
roles/nginx: Add webroot to systemd renewal service 2021-03-20 00:18:17 +02:00
Alan Orth 5d506ebc65
README.md: Update copyright year 2021-03-20 00:16:16 +02:00
Alan Orth af49f27551
roles/nginx: Update comment in defaults 2021-03-19 23:50:39 +02:00
Alan Orth f341d2e5eb
roles/nginx: Remove nginx pre/post hooks
We are now using the well-known webroot.
2021-03-19 23:46:22 +02:00
Alan Orth ceba0ea417
roles/nginx: Use consistent task style 2021-03-19 23:45:41 +02:00
Alan Orth a34cb1e666
roles/nginx: Switch to acme.sh for Let's Encrypt
The certbot-auto client that I've been using for a long time is now
only supported if you install it using snap. I don't use snap on my
systems so I decided to switch to the acme.sh client, which is imp-
lemented in POSIX shell with no dependencies. One bonus of this is
that I can start using ECC certificates.

This also configures the .well-known directory so we can use webroot
when installing and renewing certificates. I have yet to understand
how the renewal works with regards to webroot, though. I may have to
update the systemd timers to point to /var/lib/letsencrypt/.well-known.
2021-03-19 23:39:30 +02:00
Alan Orth 65fc52c5e5
roles/nginx: Use variable for nginx_ssl_dhparam
I went years without realizing that I was hard coding the file dest
in this particular task.
2021-03-19 18:13:55 +02:00
Alan Orth 7f13c8c675
host_vars/web19: WordPress 3.7 2021-03-19 13:27:34 +02:00
Alan Orth 9c36cfb8e5
Pipfile.lock: Run pipenv update 2021-03-19 13:18:19 +02:00
Alan Orth 7f72a9eda4
roles/nginx: Use RFC 7919 4096-bit dhparams
Recommended by internet.nl, which made me aware of RFC 7919.

See: https://tools.ietf.org/html/rfc7919#page-14
2021-03-19 13:13:56 +02:00