Commit Graph

40 Commits

Author SHA1 Message Date
8dd7663b3c
roles/common: Use Abuse.ch's SSL Blacklist in nftables
This adds Abuse.sh's list of IPs using blacklisted SSL certificates
to nftables. These IPs are high confidence indicators of compromise
and we should not route them. The list is updated daily by a systemd
timer.

See: https://sslbl.abuse.ch/blacklist/
2021-07-29 10:16:00 +03:00
9bba0d96bb
roles/common: Add initial support for nftables on Debian 11
I will try using nftables directly instead of via firewalld as of
Debian 11 as it is the replacement for the iptables/ipset stack in
recent years and is easier to work with.

This also includes a systemd service, timer, and script to update
the spamhaus DROP lists as nftables sets.

Still need to add fail2ban support.
2021-07-26 13:09:41 +03:00
9b7a31ebf9
roles/common: Remove 00-persistent-journal.conf
This was to enable the persistent systemd journal, but it is no lo-
nger needed as of Ubuntu 18.04 and Debian 11. I had removed the ta-
asks long ago, but forgot to remove this file.
2021-07-21 10:02:33 +03:00
d7c34a30a3
roles/common: Add Spamhaus DROP lists to firewalld ipsets
This configures the recommended DROP, EDROP, and DROPv6 lists from
Spamhaus as ipsets in firewalld. First we copy an empty placeholder
ipset to seed firewalld, then we use a shell script to download the
real lists and activate them. The same shell script is run daily as
a service (update-spamhaus-lists.service) by a systemd timer.

I am strictly avoiding any direct ipset commands here because I want
to make sure that this works on older hosts where ipsets is used as
well as newer hosts that have moved to nftables such as Ubuntu 20.04.
So far I have tested this on Ubuntu 16.04, 18.04, and 20.04, but ev-
entually I need to abstract the tasks and run them on CentOS 7+ as
well.

See: https://www.spamhaus.org/drop/
2021-07-21 09:34:51 +03:00
531ff99af0
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-07-04 11:15:32 +03:00
31a3f5832a
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-05-20 10:20:47 +03:00
4150dac57b
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-04-13 12:11:11 +03:00
58bc9d191f
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-03-24 10:02:43 +02:00
cd4411260c
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-02-07 15:56:33 +02:00
e1b412bfff
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-12-23 09:01:08 +02:00
dd2f65947d
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

    $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
      confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
      -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
      -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-11-06 15:44:57 +02:00
99b55403d3
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
  confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
  -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
  -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-06-21 16:31:09 +03:00
5242493b53
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
  confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
  -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
  -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-06-03 10:10:49 +03:00
d78015c92c
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

$ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
$ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2019-12-23 11:39:35 +02:00
e1c7bbe096
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy.
2019-11-13 11:35:14 +02:00
8edc68ca3c
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy.
2019-11-04 10:12:17 +02:00
9f27cda97b
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

I manually remove the IPv6 addresses and save them to a different
filr, then I add the XML formatting to files and run them through
tidy.
2019-10-26 17:09:18 +02:00
1b0a6703b6
roles/common: Update list of abusive IPv4 addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

Then I add the XML formatting to the file and run it through tidy.
2019-10-18 13:45:59 +03:00
6244530929
roles/common: Fix short name of abusers-ipv6 ipset 2019-10-17 22:04:00 +03:00
68ec9f0467
roles/common: Update list of abusive IPv4 addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

Then I add the XML formatting to the file and run it through tidy.
2019-10-14 00:24:48 +03:00
a8efe97a02
roles/common: Update list of abusive IPv4 addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

Then I add the XML formatting to the file and run it through tidy.
2019-10-09 14:52:41 +03:00
8b28a65bf0
roles/common/files/abusers-ipv4.xml: Top 10,000 abusers from abuseipdb
These are the top 10,000 abusers with 95% confidence from abuseipdb.
2019-10-05 23:56:24 +03:00
ef3c5c200e
roles/common: Update list of abusive IPv4 addresses
I updated the list with a few dozen more hosts that we brute forcing
SSH but failed to even negotiate a connection because they are using
old ciphers. I will still block them because they attempted 100+ co-
nnections.
2019-10-05 12:46:06 +03:00
c2a92269e4
roles/common: Add ipsets of abusive IPs to firewalld
This uses the ipsets feature of the Linux kernel to create lists of
IPs (though could be MACs, IP:port, etc) that we can block via the
existing firewalld zone we are already using. In my testing it works
on CentOS 7, Ubuntu 16.04, and Ubuntu 18.04.

The list of abusive IPs currently comes from HPC's systemd journal,
where I filtered for hosts that had attempted and failed to log in
over 100 times. The list is formatted with tidy, for example:

    $ tidy -xml -iq -m -w 0 roles/common/files/abusers-ipv4.xml

See: https://firewalld.org/2015/12/ipset-support
2019-10-05 12:28:30 +03:00
7d8457e5b3
roles/common: Remove old SSH public key 2019-07-23 16:07:39 +03:00
49cfbc4c47
roles/common: Add missing systemd-journald config
I apparently forgot to add this when I committed the systemd-journald
changes a few weeks ago.
2018-12-20 09:59:13 +02:00
f22b6af273
roles/common: Change mode of SSH public key 2018-05-30 08:32:11 -07:00
37a88f676b
roles/common: Add new SSH public key for aorth 2018-05-30 07:48:38 -07:00
131420be17
roles/common: Add task to copy tarsnaprc
One less thing to do manually after server provisioning, and there is
nothing sensitive in here anyways.
2018-05-20 12:51:02 +03:00
ad232a7a8b
roles/common: Remove old SSH key 2016-04-22 11:24:35 +03:00
7f929d5b80
roles/common: Remove unused cron-apt files
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-22 23:42:03 +03:00
fc586a2297
roles/common: Adjust cron-apt stuff
- Don't run the static files as templates
- Use a separate playbook for related tasks
- Use a template for security.sources.list

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-22 23:39:22 +03:00
0d2763fb59
roles/common: Remove ECDSA SSH public key for aorth@noma
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-12 18:19:49 +03:00
d7dd81bc84
roles/common: Add ED25519 SSH public key for aorth@noma
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-12 18:19:21 +03:00
3b6c9745ab
roles/common: Add provisioning user to sudoers
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-05 08:24:13 +03:00
c3f5e27642
roles/common: Add ECDSA public key for noma
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:25:48 +03:00
a265e48a9f
roles/common: Remove RSA public key
Both client and server support ed25519, so there's no need to even
have the RSA key here.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:23:01 +03:00
1ee7b385bf
roles/common: Rename SSH keys
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 13:19:32 +03:00
1e2193efc9
roles/common: Add functionality to copy user keys to provisioning user
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:13:45 +03:00
60b8ecdd4c
Initial commit
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-17 00:35:57 +03:00