Commit Graph

123 Commits

Author SHA1 Message Date
96f62a17d1 roles/common: Use nftables backend in firewalld on Ubuntu 20.04
The nftables backend should be more performant and flexible. I had
been planning to use it on Ubuntu 18.04 and Debian 10 as well, but
there were issues with the specific versions used in those distros.

See: https://firewalld.org/2018/07/nftables-backend
2020-06-08 12:15:29 +03:00
29bbc14068 roles/common: Remove ufw from Ubuntu systems
We never used this simple firewall utility and in at least one case
a user on the server tried to use it and messed up the rules I had
set via firewalld.
2020-06-08 12:15:29 +03:00
7288a85e72 roles/common: Remove snaps on Ubuntu 20.04
The list of pre-installed snaps and system packages is different on
Ubuntu 20.04 than it was in previous LTS releases.

See: https://www.kevin-custer.com/blog/disabling-snaps-in-ubuntu-20-04/
2020-06-08 12:15:29 +03:00
ed2e0efd9c
roles/common: Actually remove annoying Ubuntu motd spam 2020-04-24 22:37:50 +03:00
03254d6aae
roles/common: Use normal tarsnap GPG packaging key 2020-03-16 18:03:53 +02:00
2dc195b33c
Use version() instad of version_compare()
This changed in Ansible 2.5 apparently.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html
2020-03-09 15:20:51 +02:00
e4c3376383
roles/common: Fix logic in enabling individual calls in firewalld 2019-12-10 13:45:00 +02:00
2631f76c6d
roles/common: Use iptables backend for firewalld on Debian
For some reason the nftables set support in firewalld doesn't seem
to be working. I see that sets (aka ipsets in nftables lingo) are
created, but they are empty. For now I will just leave these tasks
as they are to revert the behavior on current hosts (should do no
change on new installed, as the regexp won't match).
2019-10-26 19:34:25 +02:00
919fbbbcd9
roles/common: Make sure fail2ban is started 2019-10-26 17:14:28 +02:00
4710ee6f07
roles/common: Bump version checks to Ubuntu 16.04 2019-10-26 16:40:14 +02:00
9db104efa6
roles/common: Bump version checks to Debian 9 2019-10-26 16:37:27 +02:00
0605f70f2e
roles/common: Add support for fail2ban
This is active banning of IPs that are brute forcing login attempts
to SSH, versus the passive banning of 10,000 abusive IPs from the
abuseipdb.com blacklist. For now I am banning IPs that fail to log
in successfully more than twelve times in a one-hour period, but
these settings might change, and I can override them at the group
and host level if needed.

Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04,
with minor differences in the systemd configuration due to older
versions on some distributions.

You can see the status of the jail like this:

    # fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   106.13.112.20

You can unban IPs like this:

    # fail2ban-client set sshd unbanip 106.13.112.20
2019-10-26 16:36:07 +02:00
25e0fd3557
roles/common: Use individual calls with firewalld
Seems to work around an issue when firewalld is using the nftables
backend with iptables 1.8.2 on Debian 10. Alternatively I could go
back to using the iptables backend... hmm.

See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694
2019-10-18 22:49:29 +03:00
cac38af09b
roles/common: Use nftables firewalld backend on Debian 10
nftables is the iptables replacement. There is support for nftables
in firewalld since v0.6.0.

See: https://firewalld.org/2018/07/nftables-backend
2019-10-18 19:02:17 +03:00
7c0b458bc1
roles/common: Don't use iptables from buster-backports
This causes problems every time I re-run the Ansible tag because the
nightly apt security uses a different sources.list and the indexes
are then missing buster-backports. I could add a cache update to the
task, but actually I think the original bug I was trying to solve is
finally fixed, and I'm going to switch to nftables anyways.
2019-10-18 18:53:21 +03:00
80df220602
roles/common: Restart firewalld instead of reload
I'm having problems with reload hanging on Debian 10 so I will just
revert to the older behavior of restarting.
2019-10-05 12:29:30 +03:00
c2a92269e4
roles/common: Add ipsets of abusive IPs to firewalld
This uses the ipsets feature of the Linux kernel to create lists of
IPs (though could be MACs, IP:port, etc) that we can block via the
existing firewalld zone we are already using. In my testing it works
on CentOS 7, Ubuntu 16.04, and Ubuntu 18.04.

The list of abusive IPs currently comes from HPC's systemd journal,
where I filtered for hosts that had attempted and failed to log in
over 100 times. The list is formatted with tidy, for example:

    $ tidy -xml -iq -m -w 0 roles/common/files/abusers-ipv4.xml

See: https://firewalld.org/2015/12/ipset-support
2019-10-05 12:28:30 +03:00
532b533516
roles/common: Update apt in firewall task
Otherwise the buster-backports source might not be available, as
the nightly security upates use a different apt sources.list.
2019-10-05 12:00:08 +03:00
cbdd779af0
roles/common: Remove lzop and lrzip from packages
zstd is a much better all-purpose compression utility.
2019-09-15 13:23:52 +03:00
4faeb79b5c
roles/common: Add zstd to base packages 2019-09-14 20:36:40 +03:00
7551b803f6
roles/common: Use iptables 1.8.3 on Debian Buster
There is a bug in iptables 1.8.2 in Debian 10 "Buster" that causes
firewalld to fail when restoring rules. The bug has been fixed in
iptables 1.8.3, which is currently in buster-backports.

See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694
2019-08-01 15:36:15 +03:00
c148da73e7
roles/common: Use experimental Tarsnap on Debian buster
Tarsnap currently provides experimental packages for Debian Buster.

See: https://www.tarsnap.com/pkg-deb.html#experimental
2019-07-19 12:07:27 +03:00
03e2abc4fb roles/common: Install gnupg2 on Debian
Needed by Ansible to add and verify apt package signing keys.
2019-07-07 15:52:25 +03:00
12b6f3aaa2
roles/common: Don't ignore errors on Tarsnap key add
It turns out that I had the wrong key ID so it's no wonder this was
failing...
2019-07-07 15:51:04 +03:00
704b02ce0a
roles/common: Fix tarsnap package key
For some reason the key ID I had here was wrong. According to the
Tarsnap website the key ID is 0x6D97F5A4CA38CF33.

ee: https://www.tarsnap.com/pkg-deb.html
2019-07-07 15:49:45 +03:00
709a947987
Merge branch 'debian10' 2019-07-06 21:43:41 +03:00
3b95730417
roles/common: Synchronize Debian package task with Ubuntu 2019-07-06 21:36:04 +03:00
10200e52ab
roles/common: Use a fact for base packages on Debian
This is safer and ends up being faster because all packages get in-
stalled in one apt transaction.
2019-07-06 21:31:59 +03:00
1b4e9ae87c roles/common: Install Python 3 version of pycurl on Debian 10
Debian 10 comes with Python 2 and Python 3 (at least from the ISO),
so we should prefer the Python 3 version of pycurl. We'll see whet-
her cloud providers like Linode and Digital Ocean ship with Python
3 or not in their default image.
2019-07-06 21:16:19 +03:00
da4a6660fb roles/common: Update comment in tasks/ntp.yml 2019-07-06 21:16:19 +03:00
5957f5f2c5
roles: The apt cache_valid_time implies update_cache
See: https://docs.ansible.com/ansible/latest/modules/apt_module.html
2019-03-17 17:29:28 +02:00
c5b5cda3d3
Smarter updating of apt index during playbook execution
We can register changes when adding repositories and keys and then
update the apt package index conditionally. This should make it be
more consistent between initial host setup and subsequent re-runs.
2019-03-17 17:29:15 +02:00
bec79f18d1
roles/common: Ignore tarsnap key errors
Ansible errors on adding the tarsnap signing key because it is not
valid (expired a month ago). I contacted Colin Percival about this
on Twitter but he did not seem worried for some reason.
2019-03-13 12:36:47 +02:00
9921a40c19
roles/common: Update comment 2018-12-20 10:31:18 +02:00
91356ab364
roles/common: Disable Canonical spam in MOTD 2018-12-20 10:27:52 +02:00
96f14bdda7
roles/common: Remove blank line 2018-12-20 09:57:47 +02:00
6aed22b633
roles/common: Use one task to remove Ubuntu packages
I had previously been removing some packages for security reasons,
then removing others because they were annoying, and yet *others*
because they were annoying on newer Ubuntus only. It is easier to
just unify these tasks and remove them all in one go.

On older Ubuntus where some packages don't exist the task will just
succeed because the package is absent anyways.
2018-12-20 09:54:46 +02:00
a15faabe32
roles/common: Update apt cache only if it's older than 1 hour 2018-12-20 09:40:10 +02:00
aeaa96b753
roles/common: Remove s3cmd from Ubuntu packages
I'm using tarsnap for backups so I don't need Amazon S3 stuff.
2018-12-20 09:38:51 +02:00
67172138a1
roles/common: Fix typo 2018-12-20 09:38:10 +02:00
400926821c
roles/common: Only update apt index if cache is older than 1 hour 2018-12-20 09:37:44 +02:00
281689e506
roles/common: Use an Ansible fact for Ubuntu packages 2018-12-20 09:36:43 +02:00
46bbb06527
roles/common: Remove more annoying packages on Ubuntu
Ubuntu 16.04 and up install a bunch of their technologies that I'm
not using, like lxc, lxd, and snaps.
2018-12-20 09:31:58 +02:00
691deb4fa7
roles/common: Use a persistent systemd journal
The default systemd journal configuration on CentOS 7 and Ubuntu
16.04 does not keep journal logs for multiple boots. This limits
the usefulness of the journal entirely (for example, try to see
sshd logs from even two or three months ago!).

Changing the storage to "persistent" makes systemd keep the logs
on disk in /var/log/journal for up to 2% of the partition size.
2018-12-07 23:46:18 +02:00
131420be17
roles/common: Add task to copy tarsnaprc
One less thing to do manually after server provisioning, and there is
nothing sensitive in here anyways.
2018-05-20 12:51:02 +03:00
0f512a5bf7
roles/common: Use blocks to tag children of dynamic tasks
When using dynamic includes, child tasks do not inherit tags from their
parents. You must tag the parent and each child task separately, or use
a block to group children and then apply a tag to a block.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-26 16:58:35 +03:00
7d950ade99
roles: Remove unreachable "packages" tags
After reörganizing for dynamic includes these tags will never be reached
because the children of dynamic includes do not inherit tags from their
parents as they did with static imports.
2018-04-26 16:31:06 +03:00
ab27caf877
roles/common: Use dynamic include_tasks for firewall
Use dynamic includes instead of static imports when you are running
tasks conditionally or using variable interpolation. The down side
is that you need to then tag the parent task as well as all child
tasks, as tags only apply to children of statically imported tasks.
2018-04-25 18:58:31 +03:00
a044fd2f55
roles/common: Add missing vim modelines 2018-04-25 18:55:22 +03:00
8b660dcfbe
roles/common: Use dynamic include_tasks for packages
Basically, when using conditionals or variables in your tasks you should
use include_tasks instead of import_tasks. The down side is that you now
need to tag all included tasks individually or with a block, unlike when
using static imports (tags are applied to all imported child tasks).

I would actually like to reduce this task to a single one that uses the
host's ansible_distribution variable, but Ansible 2.5.1 currently gives
the following error: ansible_distribution is undefined.
2018-04-25 18:46:28 +03:00