72b8b193b5
Remove support for Debian 9 and Ubuntu 16.04
2020-07-14 09:45:33 +03:00
539f081d4d
roles/common: Remove storage-specific tweaks
...
We don't have any "storage" group. This was ported from somewhere
else and I didn't notice that code.
2020-07-14 09:10:07 +03:00
6fcb1290fe
roles/common: Port sshd_config changes from Debian 10 to Ubuntu 20.04
...
By now the recommendations we were using as guidance are five years
old. The ciphers have not changed much since then.
2020-06-08 12:15:29 +03:00
5a58d93dfe
roles/common: Import sshd_config for Ubuntu 20.04
2020-06-08 12:15:29 +03:00
870bdbfcc3
roles/common: Harden fail2ban service on Ubuntu 20.04
2020-06-08 12:15:29 +03:00
2dc195b33c
Use version() instead of version_compare()
...
This changed in Ansible 2.5 apparently.
See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html
2020-03-09 15:20:51 +02:00
d8d8a01a5f
roles/common: Remove SSH rate limiting from firewalld
...
Rather than a simple rate limit, I'm now using fail2ban to ban IPs
that actually fail to login.
2019-10-26 16:41:42 +02:00
0605f70f2e
roles/common: Add support for fail2ban
...
This is active banning of IPs that are brute forcing login attempts
to SSH, versus the passive banning of 10,000 abusive IPs from the
abuseipdb.com blacklist. For now I am banning IPs that fail to log
in successfully more than twelve times in a one-hour period, but
these settings might change, and I can override them at the group
and host level if needed.
Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04,
with minor differences in the systemd configuration due to older
versions on some distributions.
You can see the status of the jail like this:
    # fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed: 0
    |  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned: 1
       |- Total banned: 1
       `- Banned IP list: 106.13.112.20
You can unban IPs like this:
    # fail2ban-client set sshd unbanip 106.13.112.20
2019-10-26 16:36:07 +02:00
f3614d4ad4
roles/common: Remove buster-backports
...
I was using it to get iptables 1.8.3 to work around an issue with
firewalld, but I've solved that another way.
2019-10-18 22:56:52 +03:00
d030827f12
roles/common: Relax SSH rate limit in firewalld
...
Now that I'm blocking ~10,000 malicious IPs from AbuseIPDB I feel
more comfortable using a more relaxed rate limit for SSH. A limit
of 12 per minute is about one every five seconds.
2019-10-06 18:27:45 +03:00
6ebf900960
roles/common: Add missing rules for abusers ipsets
...
I had forgotten to add these when porting these rules from another
repository.
2019-10-05 13:01:51 +03:00
2740f050fc
roles/common: Increase ssh MaxAuthTries from 3 to 4
...
If a user has RSA, ECDSA, and ED25519 private keys present on their
system then the ssh client will offer all of these to the server
and they may not get a chance to try password auth before it fails.
2019-09-15 15:17:00 +03:00
cf16264f53
roles/common: Update sshd_config template for Debian 10
...
It seems I had imported the stock one from a default install, but I
never configured it.
2019-09-15 15:15:30 +03:00
43715dd392
roles/common: Use stable tarsnap
2019-09-13 22:14:49 +03:00
7551b803f6
roles/common: Use iptables 1.8.3 on Debian Buster
...
There is a bug in iptables 1.8.2 in Debian 10 "Buster" that causes
firewalld to fail when restoring rules. The bug has been fixed in
iptables 1.8.3, which is currently in buster-backports.
See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694
2019-08-01 15:36:15 +03:00
c148da73e7
roles/common: Use experimental Tarsnap on Debian buster
...
Tarsnap currently provides experimental packages for Debian Buster.
See: https://www.tarsnap.com/pkg-deb.html#experimental
2019-07-19 12:07:27 +03:00
39622077cd
roles/common: Use Debian 9 tarsnap packages
...
There are no tarsnap binaries for Debian 10 yet.
2019-07-06 21:16:19 +03:00
b79001f97a
roles/common: Update security.sources.list for cron-apt
...
We need to make sure to get security updates for packages that are
not in main!
2019-07-06 21:16:19 +03:00
207296b1f8
roles/common: Update Debian security apt repository
...
See: https://www.debian.org/security/
2019-07-06 21:16:19 +03:00
dd5662911e
roles/common: Import sshd_config from Debian 10
...
OpenSSH version is 7.9p1-10.
2019-07-06 21:16:19 +03:00
18ee583261
roles/common: Don't log brute force SSH attempts
...
This is nice to see that the throttling is working, but the logs are
completely full of this useless crap now.
2019-02-26 10:30:03 -08:00
329edaee87
roles/common: Rate limit SSH connections in firewalld
...
I think 5 connections per minute is more than enough. Any over this
and it will be logged to the systemd journal as a warning.
See: https://www.win.tue.nl/~vincenth/ssh_rate_limit_firewalld.htm
See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/configuring_complex_firewall_rules_with_the_rich-language_syntax
2019-01-28 14:09:18 +02:00
963bf65099
roles/common: Limit number of SSH authentication attempts
...
The default in later OpenSSH is 6, which seems too high. If you can't
get your password correct after 3 tries then I think you need help.
Eventually I'd like an easy way to enable blocking of repeated login
attempts at the firewall level. I think it's possible in firewalld.
2018-07-23 13:14:54 +03:00
1a9033dece
roles/common: Use bionic tarsnap builds on Ubuntu 18.04
...
Tarsnap finally published builds for Ubuntu 18.04 "bionic" so we don't
need to use the 17.10 "artful" ones anymore.
2018-05-09 00:05:42 +03:00
9445541f51
roles/common: Always use security.ubuntu.com
...
Vanilla Ubuntu (and Debian actually) defaults to using the official
mirror for security updates rather than country or regional mirrors.
Also, for what it's worth, Ubuntu mirrors didn't always sync these
security archives. I'd prefer to stay closer to vanilla Ubuntu but
also it kinda makes sense to get security updates from the official
source than a mirror (in case of delay or errors).
2018-04-25 18:09:11 +03:00
832573acc5
roles/common: Remove comments from sources.list
...
I want this file to be more like what comes from the stock Ubuntu.
2018-04-25 18:07:55 +03:00
f3403cc79a
roles/common: Remove Ubuntu partner repo from apt sources
...
I haven't used this in years, and it looks to only be proprietary things
like Adobe, Skype, etc.
2018-04-25 17:49:38 +03:00
632aa1cf14
Fix a few more Jinja2 filters used as tests
...
I had created these earlier in this branch before rebasing it on top
of the Ansible 2.5.0 readiness branch.
See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-05 12:17:26 +03:00
d1ba60e15d
Use version_compare to test for Ubuntu 18.04 "bionic"
...
It just feels more correct, plus I usually forget the release code
name from time to time.
2018-04-05 12:17:26 +03:00
c5bebf0336
roles/common: Use Ubuntu 17.10's tarsnap packages on Ubuntu 18.04
...
There are no tarsnap packages for Ubuntu 18.04 "bionic" yet so we
should use Ubuntu 17.10 "artful".
2018-04-05 12:17:25 +03:00
19414041e7
roles/common: Add sshd config for Ubuntu 18.04
...
From the default sshd_config with some cipher settings from the Debian
9 template.
2018-04-05 12:17:25 +03:00
52b4efd3b0
roles/common: Use HTTPS for tarsnap package mirror
2018-03-17 11:51:45 +02:00
fec081d40a
roles/common: Use deb.debian.org instead of httpredir
...
Seems to be the evolution of httpredir.
2017-11-05 01:31:16 +02:00
5f8820bf9f
roles/common: Remove Ubuntu 14.04 logic
...
We're only supporting Ubuntu 16.04 now.
2017-11-05 01:11:37 +02:00
f76fc64afa
roles/common: Remove unused sshd_config templates
...
We're not supporting Ubuntu 14.04 or 15.04 anymore so we don't need
these templates.
2017-11-05 00:59:19 +02:00
77a3b1cff7
roles/common: Remove Debian 8 sshd_config template
2017-11-05 00:58:03 +02:00
620e8258ac
roles/common: Remove duplicate option in sshd_config
2017-11-01 13:22:18 +02:00
b945240756
roles/common: Harden sshd_config template for Debian 9 and Ubuntu 16.04
...
From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
2017-06-19 10:13:24 +03:00
d766c3dbbe
roles/common: Add tasks to install tarsnap
...
Now that Tarsnap has official packages this is one less thing that
needs to be manually installed from source after bringing a machine
up.
See: http://mail.tarsnap.com/tarsnap-announce/msg00037.html
2017-02-07 07:28:35 -08:00
1fef5c9b5a
roles/common: Add sshd_config for Debian 9 (stretch)
...
Taken from base install and diffed against the current Ubuntu 16.04
and Debian 8 config templates.
2017-01-30 14:56:27 +02:00
9ca685a6af
roles/common: Adjust allowed user logic for Ubuntu 16.04 sshd_config
2017-01-30 12:54:35 +02:00
50536af990
Use Ansible's version_compare instead of doing math on strings
...
I'm surprised this worked all these years actually. Since Ansible
version 1.6 it has been possible to use the version_compare filter
instead of doing math logic on strings.
See: https://docs.ansible.com/ansible/playbooks_tests.html
2016-12-20 15:04:47 +02:00
b7c92e4dc1
roles/common: Remove 128-bit Ciphers and MACs from sshd_config
...
I had removed them from Debian 8 and Ubuntu 14.04 configs last year
when the NSA's Suite B crypto guidelines dropped 128-bit algorithms
but those changes didn't make it to my new Ubuntu 16.04 config.
It is probably overkill and paranoid, but this server is mine, so I
can make those decisions (and I only connect from modern clients).
2016-08-16 14:28:58 +03:00
33cdcc9ad1
roles/common: Add a few SHA-2 MACs to sshd_config
...
Fixes a problem with Paramiko, which Ansible uses for transport.
See: http://www.paramiko.org/changelog.html#1.16.0
See: https://github.com/ilri/rmg-ansible-public/issues/37
2016-08-16 14:24:53 +03:00
33f22b32a4
roles/common: Update sources for cron-apt
...
The system's apt configuration is using restricted and multiverse
so the security sources list should as well.
2016-05-05 12:16:37 +03:00
a0bb4c2f57
roles/common: Add sshd_config for Ubuntu 16.04
2016-04-22 11:25:35 +03:00
5f71991259
roles/common: Use httpredir.debian.org as default Debian mirror
...
Automatically uses the best mirror for your location, see:
http://httpredir.debian.org/demo.html
Should be much better than any hardcoded default for most hosts.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-30 09:34:16 +02:00
973b37be4e
roles/common: Tweak sshd_config to match NSA Suite B recommendations
...
NSA stopped recommending AES-128 in August, 2015...
Before: https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
After: https://web.archive.org/web/20150815072948/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
I don't see why we shouldn't follow suit; maybe they know something
we don't!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 16:55:51 +03:00
8b336352d7
roles/common: Only allow ssh access by provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 12:24:11 +03:00
c480075789
roles/common: Use "interface" instead of "alias" to get interface name in firewalld template
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 12:06:47 +03:00