18ee583261
roles/common: Don't log brute force SSH attempts
...
It is nice to see that the throttling is working, but the logs are
completely full of this useless crap now.
2019-02-26 10:30:03 -08:00
329edaee87
roles/common: Rate limit SSH connections in firewalld
...
I think 5 connections per minute is more than enough. Any over this
and it will be logged to the systemd journal as a warning.
See: https://www.win.tue.nl/~vincenth/ssh_rate_limit_firewalld.htm
See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/configuring_complex_firewall_rules_with_the_rich-language_syntax
2019-01-28 14:09:18 +02:00
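As an added example (these are not the tasks from roles/common), here is what the two firewalld commits above amount to in Ansible: take the unconditional `ssh` service out of the zone, accept at most five new SSH connections per minute through a rich rule, and leave firewalld's global LogDenied setting off so the excess is not written to the journal (the logging the newer commit turned off again). The zone name `public`, the rich-rule phrasing (action-level `limit`, as described in firewalld.richlanguage(5)) and the use of `firewall-cmd --get/--set-log-denied` are this example's assumptions.

```yaml
---
# Added example, not part of roles/common. Assumes the "public" zone is the
# Internet-facing one and that sshd listens on the standard "ssh" service port.
- hosts: all
  become: true
  tasks:
    # A plain "ssh" service entry accepts every new connection, which would
    # make the rate-limited rule below pointless, so it has to go first.
    - name: Remove the unconditional ssh service from the zone
      firewalld:
        zone: public
        service: ssh
        state: disabled
        permanent: true
        immediate: true

    # The rich rule matches new connections only (firewalld adds the
    # conntrack NEW match itself); anything over 5/minute falls through
    # to the zone's default target, which rejects for "public".
    - name: Accept at most 5 new SSH connections per minute
      firewalld:
        zone: public
        rich_rule: 'rule service name="ssh" accept limit value="5/m"'
        state: enabled
        permanent: true
        immediate: true

    # Whether rejected packets are logged is a global firewalld setting,
    # not part of the rule; "off" keeps the journal quiet.
    - name: Read the current LogDenied setting
      command: firewall-cmd --get-log-denied
      register: log_denied
      changed_when: false

    - name: Do not log denied packets
      command: firewall-cmd --set-log-denied=off
      when: log_denied.stdout | trim != 'off'

    - name: Verify the rate-limited rule is active in the runtime config
      command: firewall-cmd --zone=public --list-rich-rules
      register: rich_rules
      changed_when: false
      failed_when: "'5/m' not in rich_rules.stdout"
```

One caveat worth knowing before relying on this: the limit is global, not per source address, so a single scanner hammering port 22 also uses up the five-per-minute budget for legitimate logins. Per-source throttling needs a different mechanism (an ipset or the `recent` match via direct rules), which is outside what the commits above describe.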
963bf65099
roles/common: Limit number of SSH authentication attempts
...
The default in later OpenSSH is 6, which seems too high. If you can't
get your password correct after 3 tries then I think you need help.
Eventually I'd like an easy way to enable blocking of repeated login
attempts at the firewall level. I think it's possible in firewalld.
2018-07-23 13:14:54 +03:00
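An added example, not the role's own template handling, of setting `MaxAuthTries 3` the way a practitioner would want it applied: the new file is passed to `sshd -t` before it replaces the real one, so a typo cannot lock everyone out at the next restart, and the effective value is read back with `sshd -T`. The Debian/Ubuntu service name `ssh` and the sshd path are assumptions.

```yaml
---
# Added example, not part of roles/common. Assumes Ubuntu/Debian layout
# (/etc/ssh/sshd_config, service "ssh", sshd at /usr/sbin/sshd).
- hosts: all
  become: true
  tasks:
    - name: Allow at most 3 authentication attempts per connection
      lineinfile:
        path: /etc/ssh/sshd_config
        # Matches the stock "#MaxAuthTries 6" comment as well as a live setting
        regexp: '^#?MaxAuthTries\s'
        line: 'MaxAuthTries 3'
        # If there is no line to replace, put the new one above the first
        # Match block instead of appending it at the end of the file
        insertbefore: '^Match\s'
        firstmatch: true
        # %s is the temporary file with the proposed content; sshd -t refuses
        # it (and the task fails, leaving the old config) if it is invalid
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

    # sshd -T prints the effective configuration with lower-case keywords
    - name: Confirm the value sshd actually parses from the file
      command: /usr/sbin/sshd -T
      register: sshd_effective
      changed_when: false
      failed_when: "'maxauthtries 3' not in sshd_effective.stdout"

  handlers:
    - name: restart sshd
      service:
        name: ssh
        state: restarted
```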
1a9033dece
roles/common: Use bionic tarsnap builds on Ubuntu 18.04
...
Tarsnap finally published builds for Ubuntu 18.04 "bionic" so we don't
need to use the 17.10 "artful" ones anymore.
2018-05-09 00:05:42 +03:00
9445541f51
roles/common: Always use security.ubuntu.com
...
Vanilla Ubuntu (and Debian actually) defaults to using the official
mirror for security updates rather than country or regional mirrors.
Also, for what it's worth, Ubuntu mirrors didn't always sync these
security archives. I'd prefer to stay closer to vanilla Ubuntu but
also it kinda makes sense to get security updates from the official
source than a mirror (in case of delay or errors).
2018-04-25 18:09:11 +03:00
832573acc5
roles/common: Remove comments from sources.list
...
I want this file to be more like what comes from the stock Ubuntu.
2018-04-25 18:07:55 +03:00
f3403cc79a
roles/common: Remove Ubuntu partner repo from apt sources
...
I haven't used this in years, and it looks to only be proprietary things
like Adobe, Skype, etc.
2018-04-25 17:49:38 +03:00
632aa1cf14
Fix a few more Jinja2 filters used as tests
...
I had created these earlier in this branch before rebasing it on top
of the Ansible 2.5.0 readiness branch.
See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-05 12:17:26 +03:00
d1ba60e15d
Use version_compare to test for Ubuntu 18.04 "bionic"
...
It just feels more correct, plus I usually forget the release code
name from time to time.
2018-04-05 12:17:26 +03:00
c5bebf0336
roles/common: Use Ubuntu 17.10's tarsnap packages on Ubuntu 18.04
...
There are no tarsnap packages for Ubuntu 18.04 "bionic" yet so we
should use Ubuntu 17.10 "artful".
2018-04-05 12:17:25 +03:00
19414041e7
roles/common: Add sshd config for Ubuntu 18.04
...
From the default sshd_config with some cipher settings from the Debian
9 template.
2018-04-05 12:17:25 +03:00
52b4efd3b0
roles/common: Use HTTPS for tarsnap package mirror
2018-03-17 11:51:45 +02:00
fec081d40a
roles/common: Use deb.debian.org instead of httpredir
...
Seems to be the evolution of httpredir.
2017-11-05 01:31:16 +02:00
5f8820bf9f
roles/common: Remove Ubuntu 14.04 logic
...
We're only supporting Ubuntu 16.04 now.
2017-11-05 01:11:37 +02:00
f76fc64afa
roles/common: Remove unused sshd_config templates
...
We're not supporting Ubuntu 14.04 or 15.04 anymore so we don't need
these templates.
2017-11-05 00:59:19 +02:00
77a3b1cff7
roles/common: Remove Debian 8 sshd_config template
2017-11-05 00:58:03 +02:00
620e8258ac
roles/common: Remove duplicate option in sshd_config
2017-11-01 13:22:18 +02:00
b945240756
roles/common: Harden sshd_config template for Debian 9 and Ubuntu 16.04
...
From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
2017-06-19 10:13:24 +03:00
d766c3dbbe
roles/common: Add tasks to install tarsnap
...
Now that Tarsnap has official packages this is one less thing that
needs to be manually installed from source after bringing a machine
up.
See: http://mail.tarsnap.com/tarsnap-announce/msg00037.html
2017-02-07 07:28:35 -08:00
1fef5c9b5a
roles/common: Add sshd_config for Debian 9 (stretch)
...
Taken from base install and diffed against the current Ubuntu 16.04
and Debian 8 config templates.
2017-01-30 14:56:27 +02:00
9ca685a6af
roles/common: Adjust allowed user logic for Ubuntu 16.04 sshd_config
2017-01-30 12:54:35 +02:00
50536af990
Use Ansible's version_compare instead of doing math on strings
...
I'm surprised this worked all these years actually. Since Ansible
version 1.6 it has been possible to use the version_compare filter
instead of doing math logic on strings.
See: https://docs.ansible.com/ansible/playbooks_tests.html
2016-12-20 15:04:47 +02:00
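The commit above and the two April 2018 commits (selecting the 18.04 sshd_config and the tarsnap builds by release) all hinge on the same thing: comparing a release number numerically rather than as a string. As an added example that is not the role's own code, the playbook below uses the `version` test (the name `version_compare` got in Ansible 2.5, which is the rename the porting guide linked above is about) to refuse unsupported releases, pick the release-specific sshd_config template, and add Tarsnap's apt repository over HTTPS. The template file names, the Tarsnap repository and key URLs, and the service name `ssh` are assumptions; check the URLs against Tarsnap's own Debian/Ubuntu instructions before use.

```yaml
---
# Added example, not part of roles/common. Template names, Tarsnap URLs and
# the "ssh" service name are assumptions for illustration.
- hosts: all
  become: true
  tasks:
    # "18.04" compared as a string would sort below "9.10"; the version test
    # compares the dotted numbers, which is the point of the commit above.
    - name: Refuse releases the role does not support
      assert:
        that:
          - ansible_distribution == 'Ubuntu'
          - ansible_distribution_version is version('16.04', '>=')
        fail_msg: "Only Ubuntu 16.04 and newer are supported"

    - name: Install the sshd_config template for this release
      template:
        src: "sshd_config_ubuntu{{ '18.04' if ansible_distribution_version is version('18.04', '>=') else '16.04' }}.j2"
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: '0644'
        # Never install a config sshd itself rejects
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

    - name: Add the Tarsnap packaging key
      apt_key:
        url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
        state: present

    # Tarsnap publishes builds per Ubuntu codename; now that bionic builds
    # exist the codename fact can be used directly instead of mapping
    # 18.04 to the 17.10 "artful" builds.
    - name: Add the Tarsnap repository over HTTPS
      apt_repository:
        repo: "deb https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./"
        filename: tarsnap
        state: present

    - name: Install tarsnap
      apt:
        name: tarsnap
        update_cache: true

  handlers:
    - name: restart sshd
      service:
        name: ssh
        state: restarted
```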
b7c92e4dc1
roles/common: Remove 128-bit Ciphers and MACs from sshd_config
...
I had removed them from Debian 8 and Ubuntu 14.04 configs last year
when the NSA's Suite B crypto guidelines dropped 128-bit algorithms
but those changes didn't make it to my new Ubuntu 16.04 config.
It is probably overkill and paranoid, but this server is mine, so I
can make those decisions (and I only connect from modern clients).
2016-08-16 14:28:58 +03:00
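The three sshd crypto commits above (Mozilla's OpenSSH guidelines, the SHA-2 MACs Paramiko needs, and dropping the 128-bit algorithms) can be combined into one managed block. What follows is an added example, not the role's template: the algorithm list is this example's own selection in the spirit of those commits (Mozilla's "modern" set minus aes128/umac-128, and no NIST curves or ECDSA host key), and it assumes OpenSSH 6.5 or newer on the server and the `ssh` service name of Debian/Ubuntu. Two checks a practitioner wants are built in: `sshd -t` validates the algorithm names before the file is replaced, and `sshd -T` is grepped afterwards so that a stock line elsewhere in the file cannot silently win.

```yaml
---
# Added example, not part of roles/common. Algorithm choice and the
# "ssh" service name are assumptions; requires OpenSSH >= 6.5.
- hosts: all
  become: true
  vars:
    sshd_crypto_block: |
      # Key exchange: curve25519 plus SHA-256 group exchange, no nistp curves
      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
      # 256-bit ciphers only (chacha20-poly1305 uses a 256-bit key)
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
      # Encrypt-then-MAC first; the plain hmac-sha2-* entries stay so that
      # Paramiko, which Ansible can use as its transport, can still connect
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
      # Host keys: Ed25519 and RSA, no ECDSA
      HostKey /etc/ssh/ssh_host_ed25519_key
      HostKey /etc/ssh/ssh_host_rsa_key
  tasks:
    # sshd honours the first occurrence of a keyword, so the block goes at
    # the very top, ahead of any stock Ciphers/MACs line or Match block.
    - name: Pin the crypto settings at the top of sshd_config
      blockinfile:
        path: /etc/ssh/sshd_config
        marker: "# {mark} ANSIBLE MANAGED CRYPTO"
        insertbefore: BOF
        block: "{{ sshd_crypto_block }}"
        # sshd -t rejects unknown names ("Bad SSH2 cipher spec"), so a typo
        # fails the task instead of locking everyone out at the next restart
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

    # HostKey lines accumulate rather than override, so the stock ECDSA
    # (and DSA) host key entries have to be removed explicitly.
    - name: Drop ECDSA and DSA host keys left over from the stock config
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^HostKey .*ssh_host_(ecdsa|dsa)_key'
        state: absent
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

    - name: Confirm nothing 128-bit or ECDSA survives in the effective config
      shell: /usr/sbin/sshd -T | grep -E '^(ciphers|macs|kexalgorithms|hostkey) '
      register: sshd_crypto
      changed_when: false
      failed_when: >-
        sshd_crypto.rc != 0 or
        sshd_crypto.stdout is search('(aes128|umac-128|nistp|ecdsa|dsa)')

  handlers:
    - name: restart sshd
      service:
        name: ssh
        state: restarted
```

Keep a second session open while the handler runs the first time; if the client in use does not support any of the listed algorithms the new connection is refused, and the open session is the way back in.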
33cdcc9ad1
roles/common: Add a few SHA-2 MACs to sshd_config
...
Fixes a problem with Paramiko, which Ansible uses for transport.
See: http://www.paramiko.org/changelog.html#1.16.0
See: https://github.com/ilri/rmg-ansible-public/issues/37
2016-08-16 14:24:53 +03:00
33f22b32a4
roles/common: Update sources for cron-apt
...
The system's apt configuration is using restricted and multiverse
so the security sources list should as well.
2016-05-05 12:16:37 +03:00
a0bb4c2f57
roles/common: Add sshd_config for Ubuntu 16.04
2016-04-22 11:25:35 +03:00
5f71991259
roles/common: Use httpredir.debian.org as default Debian mirror
...
Automatically uses the best mirror for your location, see:
http://httpredir.debian.org/demo.html
Should be much better than any hardcoded default for most hosts.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-30 09:34:16 +02:00
973b37be4e
roles/common: Tweak sshd_config to match NSA Suite B recommendations
...
NSA stopped recommending AES-128 in August, 2015...
Before: https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
After: https://web.archive.org/web/20150815072948/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
I don't see why we shouldn't follow suit; maybe they know something
we don't!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 16:55:51 +03:00
8b336352d7
roles/common: Only allow ssh access by provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 12:24:11 +03:00
c480075789
roles/common: Use "interface" instead of "alias" to get interface name in firewalld template
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 12:06:47 +03:00
18ca44193d
roles/common: Add sysctl template for Debian hosts
...
Note: I've only tested this on a Debian container, and you can't
set these sysctls on containers (the host controls them). To make
matters worse, there is no fact to make ansible skip this on hosts
that are running in containers. For now I will just skip it on
hosts that are "virtualization" servers... even though we actually
do have KVM running on Debian on real hardware. *sigh*
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:12:17 +03:00
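An added example, not the role's sysctl template, showing the container problem described in the commit above handled with facts: Ansible's setup module reports `ansible_virtualization_role` ("guest" inside a container or VM) and `ansible_virtualization_type` (values such as `lxc`, `docker` or `openvz` for containers), so the sysctl tasks can be skipped exactly on container hosts instead of on every "virtualization" server. Which Ansible versions populate these facts for a given container runtime is an assumption to confirm against `ansible -m setup` on one host.

```yaml
---
# Added example, not part of roles/common. The container type list and the
# sysctl file name are assumptions.
- hosts: all
  become: true
  vars:
    container_types: ['lxc', 'docker', 'openvz']
    # Placeholder settings to show the mechanism; the real sysctls are
    # whatever the role's template carries
    debian_sysctls:
      net.ipv4.conf.all.rp_filter: 1
      net.ipv4.tcp_syncookies: 1
  tasks:
    - name: Show what the facts say about this host
      debug:
        msg: "role={{ ansible_virtualization_role }} type={{ ansible_virtualization_type }}"

    # Inside a container the kernel, and therefore /proc/sys, belongs to the
    # host, so writing these would fail; skip rather than guess by group.
    - name: Apply sysctls (skipped on container guests)
      sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        sysctl_file: /etc/sysctl.d/60-hardening.conf
        reload: true
      with_dict: "{{ debian_sysctls }}"
      when: >-
        not (ansible_virtualization_role == 'guest' and
             ansible_virtualization_type in container_types)
```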
96fe209843
roles/common: Fix mode on Debian 8 sshd_config
...
Accidentally added it with 777.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
7519995153
roles/common: Add Debian 8 sshd_config
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
dc24285ec6
roles/common: Use apt_mirror variable in Debian sources
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
28f61d589e
roles/common: Add Debian support to sources.list template
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
1fc2453703
roles/common: Add firewalld support
...
Needed in Ubuntu 15.04 where iptables-persistent is going away. I
have added translations of the current IPv4 and IPv6 iptables rules.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
9aaad366f5
roles/common: Only add extras repo on Ubuntu 14.04
...
The Extras repo was discontinued after 14.10 (but the latest we
deploy is 14.04).
See: https://lists.ubuntu.com/archives/technical-board/2015-January/002063.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
e84f777a6b
roles/common: Bring Ubuntu 15.04 sshd_config up to date with standards
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
b2dbd138f7
roles/common: Add Ubuntu 15.04 sshd_config
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
fc586a2297
roles/common: Adjust cron-apt stuff
...
- Don't run the static files as templates
- Use a separate playbook for related tasks
- Use a template for security.sources.list
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-22 23:39:22 +03:00
ae10677b65
roles/common: Specify default apt_mirror for fallback in sources.list template
...
New hosts often fail due to not having an apt_mirror, because there
isn't one defined for their group and their host_vars haven't overridden it.
We want new hosts to deploy successfully, so let's just use a default
apt_mirror if there isn't one defined. Rather have a slow mirror than
a failed deployment. And in any case, Linode can download from KENET's
mirror at 10MB/sec. ;)
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-04 21:57:11 +03:00
a8f4500567
Add IPv6 support to firewall tasks / template
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 18:17:23 +03:00
3a5b50f941
roles/common: Set I/O scheduler via udev
...
All servers with non-rotating disks (SSDs) should be running noop,
and the rest should be running deadline.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:52:05 +03:00
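As an added example (not the role's own udev rule), here is the udev approach from the two scheduler commits above written as an Ansible task: one rule file keyed on `queue/rotational`, applied to existing disks without a reboot via `udevadm trigger`, and a read-back of `/sys/block/*/queue/scheduler` so the result is visible in the play output. The rule file name, the `vd[a-z]` match for virtio disks in KVM guests, and the assumption that the kernel still offers the `noop` and `deadline` names (true for the single-queue block layer those commits targeted; multi-queue kernels call them `none` and `mq-deadline`) are this example's.

```yaml
---
# Added example, not part of roles/common. Assumes the legacy single-queue
# block layer, where "noop" and "deadline" are valid scheduler names.
- hosts: all
  become: true
  tasks:
    - name: Select the I/O scheduler per device type via udev
      copy:
        dest: /etc/udev/rules.d/60-io-scheduler.rules
        owner: root
        group: root
        mode: '0644'
        content: |
          # Non-rotating disks (SSDs): no request reordering, use noop
          ACTION=="add|change", KERNEL=="sd[a-z]|vd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="noop"
          # Spinning disks: deadline
          ACTION=="add|change", KERNEL=="sd[a-z]|vd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="deadline"
      notify: reapply block udev rules

    - name: Flush handlers so the rule is applied before we look
      meta: flush_handlers

    # The active scheduler is the bracketed name, e.g. "noop [deadline] cfq"
    - name: Report the active scheduler for each disk
      shell: grep -H . /sys/block/[sv]d*/queue/scheduler
      register: schedulers
      changed_when: false
      failed_when: false

    - debug:
        var: schedulers.stdout_lines

  handlers:
    # Re-run the rules against disks that are already present
    - name: reapply block udev rules
      command: udevadm trigger --subsystem-match=block --action=change
```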
2367b843d9
roles/common: Remove I/O scheduler logic from rc.local
...
It's better to set this using udev rules anyway.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:40:54 +03:00
58222706ba
roles/common: Remove logic for TCP congestion avoidance on early kernels in sysctl
...
We don't have anything near 2.6.32 anymore.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:25:33 +03:00
60ba4dacbd
roles/common: Add TCP/IP tweaks to sysctl template
...
Disable TCP slow start and increase the number of ports available
for client connections.
See: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
See: http://www.chromium.org/spdy/spdy-best-practices
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:23:10 +03:00
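An added example, not the role's sysctl template, of the two tweaks named in the commit above done with the `sysctl` module rather than a hand-written file: `tcp_slow_start_after_idle=0` is what "disable TCP slow start" means in practice (the congestion window is kept across idle periods instead of being reset, the recommendation in the SPDY best-practices page linked above), and a wider `ip_local_port_range` gives outbound connections more ephemeral ports. The file name under `/etc/sysctl.d` and the exact port range are assumptions; pick the range to stay clear of any listening ports above 1024 on the host.

```yaml
---
# Added example, not part of roles/common. File name and port range are
# assumptions.
- hosts: all
  become: true
  vars:
    tcp_sysctls:
      # Keep the congestion window after an idle period instead of starting
      # over with slow start on the next burst of data
      net.ipv4.tcp_slow_start_after_idle: 0
      # More ephemeral ports for clients that open many outbound connections
      net.ipv4.ip_local_port_range: "10240 65535"
  tasks:
    - name: Apply TCP/IP tweaks and persist them
      sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        sysctl_file: /etc/sysctl.d/60-tcp-tuning.conf
        sysctl_set: true
        reload: true
      with_dict: "{{ tcp_sysctls }}"

    # Read the live values back; a container or a kernel without the key
    # would show up here as a mismatch rather than a silent no-op
    - name: Verify the live kernel values
      command: "sysctl -n {{ item.key }}"
      register: live
      changed_when: false
      failed_when: live.stdout | regex_replace('\\s+', ' ') != (item.value | string)
      with_dict: "{{ tcp_sysctls }}"
```

The `sysctl -n` output for `ip_local_port_range` separates the two numbers with a tab, which is why the check normalises whitespace before comparing.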
13b592dfcd
roles/common: Tune sshd_config to be more strict
...
Disable ECDSA as a signature algorithm and drop some older message
authentication algorithms.
See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-07 01:47:06 +03:00
a80cb49957
roles/common: Update sshd_config template to explicitly allow the provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-06 17:45:06 +03:00
60b8ecdd4c
Initial commit
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-17 00:35:57 +03:00