Commit Graph

592 Commits

Author SHA1 Message Date
cba2a7a996
roles/common: Fix nftables in Debian firewall
The previous commit meant to move the service start, not the config
copying task.
2021-07-29 10:10:04 +03:00
197bdf7666
roles/common: Start nftables service later
We should only try to start the nftables service after we finish
copying all the config files just in case there is some unclean
state in one of them. On a first run this shouldn't matter, but
after nftables and some abuse list update scripts have run this
can happen (mostly in testing!).
2021-07-29 10:05:15 +03:00
46fc2ce3d4
roles/common: Move cleanup to a one-off play
We only need to run this once on existing hosts that are using the
old firewalld/ipsets setup before applying the new nftables config.
2021-07-29 10:00:30 +03:00
b4d50166f4
roles/common: Fix loop in firewall cleanup 2021-07-28 23:46:53 +03:00
af6c3dd12a
roles/common: Update cache in firewall playbook
cron-apt updates the system against the security-only databases at
night so many packages are "missing" unless you run apt update. We
need to update the cache on all apt tasks actually because I might
be running them by their tag and they currently only get updated at
the beginning of the playbook.
2021-07-28 14:46:58 +03:00
b66c724109
roles/common: Use nftables on Ubuntu 20.04 as well
This mostly copies the Debian 11 nftables setup and includes a play
to clean up the old firewalld settings, timers, etc.
2021-07-28 14:18:41 +03:00
8bc2b6f493
roles/common: Retab nftables.conf.j2 2021-07-27 22:03:23 +03:00
a74d6dfc08
roles/common: Don't overwrite spamhaus nft sets
The ones in this repo are only placeholders that get updated by the
update-spamhaus-nftables service, so we shouldn't overwrite them if
they exist.
2021-07-27 22:01:57 +03:00
d3922e7878
roles/common: Port configurable firewall logic to nftables
This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts
in the web group, and allows configuration of "extra" rules in the
host or group vars.
2021-07-27 21:22:32 +03:00
14814aa5d9
roles/common: Wire up fail2ban
The nftables support works easily and creates the table, chains, and
sets on demand.
2021-07-26 22:07:31 +03:00
3b053167b1
roles/common: Fix sources.list for Debian 11 Bullseye
Seems the path to the security updates repo changed.
2021-07-26 21:12:05 +03:00
9bba0d96bb
roles/common: Add initial support for nftables on Debian 11
I will try using nftables directly instead of via firewalld as of
Debian 11 as it is the replacement for the iptables/ipset stack in
recent years and is easier to work with.

This also includes a systemd service, timer, and script to update
the spamhaus DROP lists as nftables sets.

Still need to add fail2ban support.
2021-07-26 13:09:41 +03:00
38c333045b
roles/common: bring Ubuntu firewall changes to Debian 11
Note that there is currently an issue loading the spamhaus rules on
Debian 11 when using ipsets with firewalld and the nftables backend.
The bug is apparently caused by overlapping CIDR segments, and the
solution appears to be that we need to manually aggregate them with
a tool like aggregate6 (Python).

See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
See: https://wiki.fysik.dtu.dk/it/Linux_firewall_configuration#using-ipsets-in-firewalld-on-rhel-centos-8
See: https://github.com/job/aggregate6
2021-07-24 23:09:33 +03:00
d4ede33099
roles/common: Don't configure apt sources on ARM
I was using this on Ubuntu, but might as well bring it here too so
that I can run Debian on Scaleway's ARM instances, for example.
2021-07-24 22:32:20 +03:00
0bad75788d
roles/common: Add encryption settings to Debian 11 sshd_config
Mostly based on the ssh-audit policy for OpenSSH 8.4, but with any
algorithms using less than 256 bits removed. NSA's Suite B removed
these long ago, and the new CNSA suite only uses 256 and up.

See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
2021-07-24 22:28:59 +03:00
892033b880
roles/common: port common settings to Debian 11 sshd_config
Still need to add the encryption settings.
2021-07-22 14:16:20 +03:00
7c6ab2a652 roles/common: Add sshd_config from Debian 11 RC2 2021-07-22 14:15:00 +03:00
1c95c1faa8
roles/common: Update KexAlgorithms in Ubuntu 20.04 sshd_config
Recommended by ssh-audit. Note that curve25519-sha256 is the new name
for the previously private implementation in libssh.
2021-07-22 12:57:31 +03:00
9ea14de6f5
roles/common: Remove Encrypt-and-MAC modes from Ubuntu 20.04 sshd_config
Recommended by ssh-audit, but also generally the concensus for a few
years that Encrypt-and-MAC is hard to get right. OpenSSH has several
Encrypt-then-MAC schemes available so we can use those.

See: https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
2021-07-22 12:48:12 +03:00
9b7a31ebf9
roles/common: Remove 00-persistent-journal.conf
This was to enable the persistent systemd journal, but it is no lo-
nger needed as of Ubuntu 18.04 and Debian 11. I had removed the ta-
asks long ago, but forgot to remove this file.
2021-07-21 10:02:33 +03:00
d7c34a30a3
roles/common: Add Spamhaus DROP lists to firewalld ipsets
This configures the recommended DROP, EDROP, and DROPv6 lists from
Spamhaus as ipsets in firewalld. First we copy an empty placeholder
ipset to seed firewalld, then we use a shell script to download the
real lists and activate them. The same shell script is run daily as
a service (update-spamhaus-lists.service) by a systemd timer.

I am strictly avoiding any direct ipset commands here because I want
to make sure that this works on older hosts where ipsets is used as
well as newer hosts that have moved to nftables such as Ubuntu 20.04.
So far I have tested this on Ubuntu 16.04, 18.04, and 20.04, but ev-
entually I need to abstract the tasks and run them on CentOS 7+ as
well.

See: https://www.spamhaus.org/drop/
2021-07-21 09:34:51 +03:00
531ff99af0
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-07-04 11:15:32 +03:00
82d3a7ff2a
roles/nginx: Add convenience tags to fact task 2021-07-01 18:17:14 +03:00
6c3cf40a16
roles/nginx: Use snakeoil cert from ssl-cert
Instead of manually creating our own self-signed certificate we can
use the one created automatically by the ssl-cert package on Debian.
This is only used by the dummy default HTTPS vhost.
2021-07-01 18:11:34 +03:00
31a3f5832a
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-05-20 10:20:47 +03:00
bd0b6a16de
roles/nginx/defaults/main.yml: Update version comment
Stable is now 1.20.0
2021-05-10 16:00:44 +03:00
7ba5afcec4
roles/nginx: Opt out of Google FLoC
Google's new Federated Learning of Cohorts (FLoC) will read user's
browser history and assign them to cohorts to track them unless we
set this header.
2021-04-16 12:41:09 +03:00
4150dac57b
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-04-13 12:11:11 +03:00
58bc9d191f
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-03-24 10:02:43 +02:00
96cefc7f74
roles/nginx: Parameterize HSTS header
This parameterizes the HTTP Strict Transport Security header so we
can use it consistently across all templates. Also, it updates the
max-age to be ~1 year in seconds, which is recommended by Google.

See: https://hstspreload.org/
2021-03-23 15:36:28 +02:00
f85eb2841a
roles/nginx: Add webroot to systemd renewal service 2021-03-20 00:18:17 +02:00
af49f27551
roles/nginx: Update comment in defaults 2021-03-19 23:50:39 +02:00
f341d2e5eb
roles/nginx: Remove nginx pre/post hooks
We are now using the well-known webroot.
2021-03-19 23:46:22 +02:00
ceba0ea417
roles/nginx: Use consistent task style 2021-03-19 23:45:41 +02:00
a34cb1e666
roles/nginx: Switch to acme.sh for Let's Encrypt
The certbot-auto client that I've been using for a long time is now
only supported if you install it using snap. I don't use snap on my
systems so I decided to switch to the acme.sh client, which is imp-
lemented in POSIX shell with no dependencies. One bonus of this is
that I can start using ECC certificates.

This also configures the .well-known directory so we can use webroot
when installing and renewing certificates. I have yet to understand
how the renewal works with regards to webroot, though. I may have to
update the systemd timers to point to /var/lib/letsencrypt/.well-known.
2021-03-19 23:39:30 +02:00
65fc52c5e5
roles/nginx: Use variable for nginx_ssl_dhparam
I went years without realizing that I was hard coding the file dest
in this particular task.
2021-03-19 18:13:55 +02:00
7f72a9eda4
roles/nginx: Use RFC 7919 4096-bit dhparams
Recommended by internet.nl, which made me aware of RFC 7919.

See: https://tools.ietf.org/html/rfc7919#page-14
2021-03-19 13:13:56 +02:00
db412066b3
roles/mariadb: Only create users on 127.0.0.1 and ::1
A few months ago I disabled hostname lookups so only IP addresses
work now anyways.
2021-02-13 13:11:28 +02:00
63a836e2a7
roles/common: Update Tarsnap GPG key
Apparently this changed since I last ran the tarsnap task.
2021-02-13 12:57:17 +02:00
cd4411260c
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-02-07 15:56:33 +02:00
b0420d2adb
roles: Remove mentions of Piwik
I never check the damn analytics stats and the database is huge.
2021-01-06 09:00:18 +02:00
ac860e72f2
roles/php-fpm: Only run PHP tasks if we need them 2021-01-01 19:54:12 +02:00
1b75679496
roles/mariadb: The service is mariadb 2020-12-29 11:25:30 +02:00
ebf4a4c2ac
roles/mariadb: Disable name lookups
Add skip-name-resolve=1 to disable lookups of hostnames to IPs. We
need to make sure all accounts are using IPs like 127.0.0.1 instead
of "localhost" now.
2020-12-29 11:19:01 +02:00
57a83cef26
roles/mariadb: Tweak temp table size
mysqltuner.pl said:

    When making adjustments, make tmp_table_size/max_heap_table_size equal
2020-12-29 11:10:31 +02:00
8ee52143fc
roles/mariadb: Disable the query cache by default
It seems that the usefulness of the query cache is diminishing in
recent years. If your cache is large then the time taken to scan
the cache can be longer than the SQL query itself.

See: https://haydenjames.io/mysql-query-cache-size-performance/
2020-12-29 11:07:33 +02:00
67a18c4f49
roles/mariadb: Reduce key buffer size
mysqltuner.pl shows currently 6M out of 33M being used.
2020-12-29 10:58:12 +02:00
b8428e67a8
roles/mariadb: Install MariaDB 10.5 2020-12-29 10:41:27 +02:00
e18529e6e1
roles/mariadb: Update service name
As of MariaDB 10.5 the service name and binaries have changed from
mysql, mysqld, etc to mariadbd.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/
2020-12-29 10:40:13 +02:00
89db1449d1
roles/mariadb: Fetch signing key from mariadb.org
I downloaded the key and checked the fingerprint with gpg:

    $ gpg --dry-run --import mariadb_release_signing_key.asc
    gpg: key F1656F24C74CD1D8: 6 signatures not checked due to missing keys
    gpg: Total number processed: 1
2020-12-29 10:36:33 +02:00
6660a0cd36
roles/mariadb: Remove innodb_buffer_pool_instances
This was deprecated in MariaDB 10.5. The setting is now ignored and
will be removed in a future version.

See: https://mariadb.com/kb/en/changes-improvements-in-mariadb-105/#innodb-removed-or-deprecated-variables
2020-12-29 10:18:23 +02:00
73d6abd15f
roles/nginx: Allow sites to override the root 2020-12-28 22:53:32 +02:00
e1b412bfff
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-12-23 09:01:08 +02:00
d4fd06862a
roles/nginx: Fix Let's Encrypt pre/post renewal hooks 2020-12-10 15:20:23 +02:00
4edf92fe0d
roles/common: Allow adding extra SSH users 2020-12-08 23:15:51 +02:00
dd2f65947d
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

    $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
      confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
      -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
      -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-11-06 15:44:57 +02:00
f4b104953c
roles/common: Use correct Ansible version comparison
The major version is "16", not "16.04".
2020-07-27 14:23:58 +03:00
c9ea286fff
roles/mariadb: Simplify sources.list 2020-07-14 09:51:35 +03:00
b366b0af3d
roles/nginx: Update version comment 2020-07-14 09:48:12 +03:00
0c192e6c4a
roles/munin: Remove tomcat config
We don't use tomcat here.
2020-07-14 09:47:39 +03:00
f5b6fa74c6
roles/munin: Use systemd module instead of service
All hosts are running systemd.
2020-07-14 09:47:18 +03:00
dbb4dd7098
roles/php-fpm: Add missing Ubuntu 20.04 PHP-FPM task 2020-07-14 09:45:51 +03:00
72b8b193b5
Remove support for Debian 9 and Ubuntu 16.04 2020-07-14 09:45:33 +03:00
539f081d4d
roles/common: Remove storage-specific tweaks
We don't have any "storage" group. This was ported from somewhere
else and I didn't notice that code.
2020-07-14 09:10:07 +03:00
a1f110c8bc
Add PHP 7.4 FPM support 2020-07-13 23:25:32 +03:00
20ab27e1d2
roles/php-fpm: Fix 7.4 pool config 2020-07-13 23:25:09 +03:00
7f5499c307
roles/php-fpm: Import config changes for PHP 7.4 2020-07-13 22:37:12 +03:00
057e98ab47
roles/php-fpm: Import Ubuntu 20.04 PHP 7.4 FPM configs 2020-07-13 22:34:02 +03:00
5282154d7d
roles/common: Disable Canonical spam in MOTD 2020-06-25 21:12:00 +03:00
99b55403d3
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
  confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
  -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
  -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-06-21 16:31:09 +03:00
9abfe80245 roles/nginx: Add pre and post hooks for Let's Encrypt on Ubuntu 20.04
Certbot will run any executables in the pre and post directories
during certificate renewal.
2020-06-08 12:15:29 +03:00
0587841476 roles/nginx: Adjust certbot tasks
It seems that it is no longer recommended/supported to install the
standalone certbot-auto client on Ubuntu 20.04. We apparently need
to use the one provided by Ubuntu, which luckily includes a service
and timer to renew the certs.
2020-06-08 12:15:29 +03:00
40ac858d60 roles/common: Ignore errors removing snaps
If the snap binary doesn't even exist then it means we've probably
already run this playbook and removed all installed snaps as well.
2020-06-08 12:15:29 +03:00
ba3004ef2b roles/common: Don't run rc.local task on Ubuntu 20.04
We haven't actually used rc.local since Ubuntu 16.04. Now anything
that we need to run at boot we can do with systemd anyways.
2020-06-08 12:15:29 +03:00
ef6ce2335e roles/common: Remove systemd-journald drop-in
Older Ubuntus originally didn't use a persistent journal, which was
somewhat of a surprise when looking at logs after a few months. Now
this does not seem to be an issue since Ubuntu 18.04. As for CentOS
I do not use that distro here so I don't need to care.
2020-06-08 12:15:29 +03:00
6fcb1290fe roles/common: Port sshd_config changes from Debian 10 to Ubuntu 20.04
By now the recommendations we were using as guidance are five years
old. The ciphers have not changed much since then.
2020-06-08 12:15:29 +03:00
5a58d93dfe roles/common: Import sshd_config for Ubuntu 20.04 2020-06-08 12:15:29 +03:00
870bdbfcc3 roles/common: Harden fail2ban service on Ubuntu 20.04 2020-06-08 12:15:29 +03:00
96f62a17d1 roles/common: Use nftables backend in firewalld on Ubuntu 20.04
The nftables backend should be more performant and flexible. I had
been planning to use it on Ubuntu 18.04 and Debian 10 as well, but
there were issues with the specific versions used in those distros.

See: https://firewalld.org/2018/07/nftables-backend
2020-06-08 12:15:29 +03:00
29bbc14068 roles/common: Remove ufw from Ubuntu systems
We never used this simple firewall utility and in at least one case
a user on the server tried to use it and messed up the rules I had
set via firewalld.
2020-06-08 12:15:29 +03:00
7288a85e72 roles/common: Remove snaps on Ubuntu 20.04
The list of pre-installed snaps and system packages is different on
Ubuntu 20.04 than it was in previous LTS releases.

See: https://www.kevin-custer.com/blog/disabling-snaps-in-ubuntu-20-04/
2020-06-08 12:15:29 +03:00
5242493b53
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
  confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
  -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
  -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-06-03 10:10:49 +03:00
ed2e0efd9c
roles/common: Actually remove annoying Ubuntu motd spam 2020-04-24 22:37:50 +03:00
4b5d17ef8c
roles/nginx: Update comment about versions 2020-03-16 18:06:28 +02:00
03254d6aae
roles/common: Use normal tarsnap GPG packaging key 2020-03-16 18:03:53 +02:00
e169a3744a
roles/nginx: Fix munin.conf for nginx_status
This config stopped working a few years ago probably when hosts started
getting IPv6 and we need to allow ::1. Make sure we're only listening
on local loopback interfaces also.
2020-03-10 12:23:12 +02:00
2dc195b33c
Use version() instad of version_compare()
This changed in Ansible 2.5 apparently.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html
2020-03-09 15:20:51 +02:00
d78015c92c
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

$ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
$ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2019-12-23 11:39:35 +02:00
e4c3376383
roles/common: Fix logic in enabling individual calls in firewalld 2019-12-10 13:45:00 +02:00
aa1dac8c30
roles: Fix syntax for testing booleans
ansible-lint told me not to test equality with booleans using literal
"True" and "False", but it Ansible complains if I use "is True" also.
It seems that I need to adjust the syntax slightly.
2019-11-26 11:19:22 +02:00
1c631739e7
roles: Fix issue raised by ansible-lint
[601] Don't compare to literal True/False
2019-11-21 22:55:39 +02:00
e1c7bbe096
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy.
2019-11-13 11:35:14 +02:00
8edc68ca3c
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy.
2019-11-04 10:12:17 +02:00
2631f76c6d
roles/common: Use iptables backend for firewalld on Debian
For some reason the nftables set support in firewalld doesn't seem
to be working. I see that sets (aka ipsets in nftables lingo) are
created, but they are empty. For now I will just leave these tasks
as they are to revert the behavior on current hosts (should do no
change on new installed, as the regexp won't match).
2019-10-26 19:34:25 +02:00
919fbbbcd9
roles/common: Make sure fail2ban is started 2019-10-26 17:14:28 +02:00
9f27cda97b
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

I manually remove the IPv6 addresses and save them to a different
filr, then I add the XML formatting to files and run them through
tidy.
2019-10-26 17:09:18 +02:00
d8d8a01a5f
roles/common: Remove SSH rate limiting from firewalld
Rather than a simple rate limit, I'm now using fail2ban to ban IPs
that actually fail to login.
2019-10-26 16:41:42 +02:00
4710ee6f07
roles/common: Bump version checks to Ubuntu 16.04 2019-10-26 16:40:14 +02:00
9db104efa6
roles/common: Bump version checks to Debian 9 2019-10-26 16:37:27 +02:00
0605f70f2e
roles/common: Add support for fail2ban
This is active banning of IPs that are brute forcing login attempts
to SSH, versus the passive banning of 10,000 abusive IPs from the
abuseipdb.com blacklist. For now I am banning IPs that fail to log
in successfully more than twelve times in a one-hour period, but
these settings might change, and I can override them at the group
and host level if needed.

Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04,
with minor differences in the systemd configuration due to older
versions on some distributions.

You can see the status of the jail like this:

    # fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   106.13.112.20

You can unban IPs like this:

    # fail2ban-client set sshd unbanip 106.13.112.20
2019-10-26 16:36:07 +02:00