Commit Graph

459 Commits

Author SHA1 Message Date
4b5d17ef8c
roles/nginx: Update comment about versions 2020-03-16 18:06:28 +02:00
03254d6aae
roles/common: Use normal tarsnap GPG packaging key 2020-03-16 18:03:53 +02:00
e169a3744a
roles/nginx: Fix munin.conf for nginx_status
This config stopped working a few years ago probably when hosts started
getting IPv6 and we need to allow ::1. Make sure we're only listening
on local loopback interfaces also.
2020-03-10 12:23:12 +02:00
2dc195b33c
Use version() instad of version_compare()
This changed in Ansible 2.5 apparently.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html
2020-03-09 15:20:51 +02:00
d78015c92c
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

$ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
$ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2019-12-23 11:39:35 +02:00
e4c3376383
roles/common: Fix logic in enabling individual calls in firewalld 2019-12-10 13:45:00 +02:00
aa1dac8c30
roles: Fix syntax for testing booleans
ansible-lint told me not to test equality with booleans using literal
"True" and "False", but it Ansible complains if I use "is True" also.
It seems that I need to adjust the syntax slightly.
2019-11-26 11:19:22 +02:00
1c631739e7
roles: Fix issue raised by ansible-lint
[601] Don't compare to literal True/False
2019-11-21 22:55:39 +02:00
e1c7bbe096
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy.
2019-11-13 11:35:14 +02:00
8edc68ca3c
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy.
2019-11-04 10:12:17 +02:00
2631f76c6d
roles/common: Use iptables backend for firewalld on Debian
For some reason the nftables set support in firewalld doesn't seem
to be working. I see that sets (aka ipsets in nftables lingo) are
created, but they are empty. For now I will just leave these tasks
as they are to revert the behavior on current hosts (should do no
change on new installed, as the regexp won't match).
2019-10-26 19:34:25 +02:00
919fbbbcd9
roles/common: Make sure fail2ban is started 2019-10-26 17:14:28 +02:00
9f27cda97b
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

I manually remove the IPv6 addresses and save them to a different
filr, then I add the XML formatting to files and run them through
tidy.
2019-10-26 17:09:18 +02:00
d8d8a01a5f
roles/common: Remove SSH rate limiting from firewalld
Rather than a simple rate limit, I'm now using fail2ban to ban IPs
that actually fail to login.
2019-10-26 16:41:42 +02:00
4710ee6f07
roles/common: Bump version checks to Ubuntu 16.04 2019-10-26 16:40:14 +02:00
9db104efa6
roles/common: Bump version checks to Debian 9 2019-10-26 16:37:27 +02:00
0605f70f2e
roles/common: Add support for fail2ban
This is active banning of IPs that are brute forcing login attempts
to SSH, versus the passive banning of 10,000 abusive IPs from the
abuseipdb.com blacklist. For now I am banning IPs that fail to log
in successfully more than twelve times in a one-hour period, but
these settings might change, and I can override them at the group
and host level if needed.

Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04,
with minor differences in the systemd configuration due to older
versions on some distributions.

You can see the status of the jail like this:

    # fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   106.13.112.20

You can unban IPs like this:

    # fail2ban-client set sshd unbanip 106.13.112.20
2019-10-26 16:36:07 +02:00
f3614d4ad4
roles/common: Remove buster-backports
I was using it to get iptables 1.8.3 to work around an issue with
firewalld, but I've solved that another way.
2019-10-18 22:56:52 +03:00
25e0fd3557
roles/common: Use individual calls with firewalld
Seems to work around an issue when firewalld is using the nftables
backend with iptables 1.8.2 on Debian 10. Alternatively I could go
back to using the iptables backend... hmm.

See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694
2019-10-18 22:49:29 +03:00
cac38af09b
roles/common: Use nftables firewalld backend on Debian 10
nftables is the iptables replacement. There is support for nftables
in firewalld since v0.6.0.

See: https://firewalld.org/2018/07/nftables-backend
2019-10-18 19:02:17 +03:00
7c0b458bc1
roles/common: Don't use iptables from buster-backports
This causes problems every time I re-run the Ansible tag because the
nightly apt security uses a different sources.list and the indexes
are then missing buster-backports. I could add a cache update to the
task, but actually I think the original bug I was trying to solve is
finally fixed, and I'm going to switch to nftables anyways.
2019-10-18 18:53:21 +03:00
1b0a6703b6
roles/common: Update list of abusive IPv4 addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

Then I add the XML formatting to the file and run it through tidy.
2019-10-18 13:45:59 +03:00
6244530929
roles/common: Fix short name of abusers-ipv6 ipset 2019-10-17 22:04:00 +03:00
68ec9f0467
roles/common: Update list of abusive IPv4 addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

Then I add the XML formatting to the file and run it through tidy.
2019-10-14 00:24:48 +03:00
a8efe97a02
roles/common: Update list of abusive IPv4 addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

Then I add the XML formatting to the file and run it through tidy.
2019-10-09 14:52:41 +03:00
d030827f12
roles/common: Relax SSH rate limit in firewalld
Now that I'm blocking ~10,000 malicious IPs from AbuseIPDB I feel
more comfortable using a more relaxed rate limit for SSH. A limit
of 12 per minute is about one every five seconds.
2019-10-06 18:27:45 +03:00
8b28a65bf0
roles/common/files/abusers-ipv4.xml: Top 10,000 abusers from abuseipdb
These are the top 10,000 abusers with 95% confidence from abuseipdb.
2019-10-05 23:56:24 +03:00
6ebf900960
roles/common: Add missing rules for abusers ipsets
I had forgotten to add these when porting these rules from another
repository.
2019-10-05 13:01:51 +03:00
ef3c5c200e
roles/common: Update list of abusive IPv4 addresses
I updated the list with a few dozen more hosts that we brute forcing
SSH but failed to even negotiate a connection because they are using
old ciphers. I will still block them because they attempted 100+ co-
nnections.
2019-10-05 12:46:06 +03:00
80df220602
roles/common: Restart firewalld instead of reload
I'm having problems with reload hanging on Debian 10 so I will just
revert to the older behavior of restarting.
2019-10-05 12:29:30 +03:00
c2a92269e4
roles/common: Add ipsets of abusive IPs to firewalld
This uses the ipsets feature of the Linux kernel to create lists of
IPs (though could be MACs, IP:port, etc) that we can block via the
existing firewalld zone we are already using. In my testing it works
on CentOS 7, Ubuntu 16.04, and Ubuntu 18.04.

The list of abusive IPs currently comes from HPC's systemd journal,
where I filtered for hosts that had attempted and failed to log in
over 100 times. The list is formatted with tidy, for example:

    $ tidy -xml -iq -m -w 0 roles/common/files/abusers-ipv4.xml

See: https://firewalld.org/2015/12/ipset-support
2019-10-05 12:28:30 +03:00
532b533516
roles/common: Update apt in firewall task
Otherwise the buster-backports source might not be available, as
the nightly security upates use a different apt sources.list.
2019-10-05 12:00:08 +03:00
eb7998fd12
roles/nginx: Fix hardcoded "stretch" release in sources
This was causing the stretch version to get installed on buster, w-
hich led to the cipher suite and ssl protocol support to behave st-
rangeley.
2019-09-15 16:03:17 +03:00
1ec6d07232
roles/nginx: Fix php7.3-fpm socket location on Debian 10 2019-09-15 15:55:42 +03:00
2740f050fc
roles/common: Increase ssh MaxAuthTries from 3 to 4
If a user has RSA, ECDSA, and ED25519 private keys present on their
system then the ssh client will offer all of these to the server
and they may not get a chance to try password auth before it fails.
2019-09-15 15:17:00 +03:00
cf16264f53
roles/common: Update sshd_config template for Debian 10
It seems I had imported the stock one from a default install, but I
never configured it.
2019-09-15 15:15:30 +03:00
cbdd779af0
roles/common: Remove lzop and lrzip from packages
zstd is a much better all-purpose compression utility.
2019-09-15 13:23:52 +03:00
4faeb79b5c
roles/common: Add zstd to base packages 2019-09-14 20:36:40 +03:00
a7231bcf5f
roles/mariadb: Remove login_unix_socket from .my.cnf
It is causing an error at client runtime.
2019-09-14 18:32:26 +03:00
43715dd392
roles/common: Use stable tarsnap 2019-09-13 22:14:49 +03:00
7551b803f6
roles/common: Use iptables 1.8.3 on Debian Buster
There is a bug in iptables 1.8.2 in Debian 10 "Buster" that causes
firewalld to fail when restoring rules. The bug has been fixed in
iptables 1.8.3, which is currently in buster-backports.

See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694
2019-08-01 15:36:15 +03:00
b59f7c0702
roles/nginx: Update certbot dependencies for Debian 10
Taken after a clean Debian 10 install on Linode.
2019-07-23 18:38:33 +03:00
0bff851311
roles/php-fpm: Fix Ansible template parsing issue
Remove time formatting strings because Ansible errors when trying
to parse them, even though we are not using them!
2019-07-23 18:32:27 +03:00
2d98d70e02
Update nginx cipher suite and TLS protocols
Use latest Mozilla "intermediate" TLS settings. This configuration
works on (at least) Ubuntu 18.04 and Debian 10.

See: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate&openssl-version=1.1.1
2019-07-23 17:53:22 +03:00
2fadb9029a
roles/mariadb: Use Unix socket for MariaDB tasks
Otherwise Ansible fails due to PyMySQL using a TCP connection.

See: https://github.com/ansible/ansible/issues/47736
2019-07-23 17:26:23 +03:00
7d8457e5b3
roles/common: Remove old SSH public key 2019-07-23 16:07:39 +03:00
c148da73e7
roles/common: Use experimental Tarsnap on Debian buster
Tarsnap currently provides experimental packages for Debian Buster.

See: https://www.tarsnap.com/pkg-deb.html#experimental
2019-07-19 12:07:27 +03:00
e124cac945
roles/nginx: Adjust formatting of apt sources template 2019-07-08 18:44:21 +03:00
70e736bdc5
roles/nginx: Use buster builds
nginx.org has buster builds now.
2019-07-08 18:43:43 +03:00
ca293289aa
roles/nginx: Fix logic error in apt sources template 2019-07-07 17:59:00 +03:00