alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity
835 Commits 2 Branches 0 Tags 4.2 MiB
d261f81642
Commit Graph

8 Commits

Author SHA1 Message Date
Alan Orth
d7c34a30a3
roles/common: Add Spamhaus DROP lists to firewalld ipsets 
This configures the recommended DROP, EDROP, and DROPv6 lists from
Spamhaus as ipsets in firewalld. First we copy an empty placeholder
ipset to seed firewalld, then we use a shell script to download the
real lists and activate them. The same shell script is run daily as
a service (update-spamhaus-lists.service) by a systemd timer.

I am strictly avoiding any direct ipset commands here because I want
to make sure that this works on older hosts where ipsets is used as
well as newer hosts that have moved to nftables such as Ubuntu 20.04.
So far I have tested this on Ubuntu 16.04, 18.04, and 20.04, but ev-
entually I need to abstract the tasks and run them on CentOS 7+ as
well.

See: https://www.spamhaus.org/drop/
 2021-07-21 09:34:51 +03:00
Alan Orth
d8d8a01a5f
roles/common: Remove SSH rate limiting from firewalld 
Rather than a simple rate limit, I'm now using fail2ban to ban IPs
that actually fail to login.
 2019-10-26 16:41:42 +02:00
Alan Orth
d030827f12
roles/common: Relax SSH rate limit in firewalld 
Now that I'm blocking ~10,000 malicious IPs from AbuseIPDB I feel
more comfortable using a more relaxed rate limit for SSH. A limit
of 12 per minute is about one every five seconds.
 2019-10-06 18:27:45 +03:00
Alan Orth
6ebf900960
roles/common: Add missing rules for abusers ipsets 
I had forgotten to add these when porting these rules from another
repository.
 2019-10-05 13:01:51 +03:00
Alan Orth
18ee583261
roles/common: Don't log brute force SSH attempts 
This is nice to see that the throttling is working, but the logs are
completely full of this useless crap now.
 2019-02-26 10:30:03 -08:00
Alan Orth
329edaee87
roles/common: Rate limit SSH connections in firewalld 
I think 5 connections per minute is more than enough. Any over this
and it will be logged to the systemd journal as a warning.

See: https://www.win.tue.nl/~vincenth/ssh_rate_limit_firewalld.htm
See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/configuring_complex_firewall_rules_with_the_rich-language_syntax
 2019-01-28 14:09:18 +02:00
Alan Orth
c480075789
roles/common: Use "interface" instead of "alias" to get interface name in firewalld template 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-08-23 12:06:47 +03:00
Alan Orth
1fc2453703 roles/common: Add firewalld support 
Needed in Ubuntu 15.04 where iptables-persistent is going away. I
have added translations of the current IPv4 and IPv6 iptables rules.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-08-23 00:02:39 +03:00