ef3c5c200e
roles/common: Update list of abusive IPv4 addresses
...
I updated the list with a few dozen more hosts that we brute forcing
SSH but failed to even negotiate a connection because they are using
old ciphers. I will still block them because they attempted 100+ co-
nnections.
2019-10-05 12:46:06 +03:00
80df220602
roles/common: Restart firewalld instead of reload
...
I'm having problems with reload hanging on Debian 10 so I will just
revert to the older behavior of restarting.
2019-10-05 12:29:30 +03:00
c2a92269e4
roles/common: Add ipsets of abusive IPs to firewalld
...
This uses the ipsets feature of the Linux kernel to create lists of
IPs (though could be MACs, IP:port, etc) that we can block via the
existing firewalld zone we are already using. In my testing it works
on CentOS 7, Ubuntu 16.04, and Ubuntu 18.04.
The list of abusive IPs currently comes from HPC's systemd journal,
where I filtered for hosts that had attempted and failed to log in
over 100 times. The list is formatted with tidy, for example:
$ tidy -xml -iq -m -w 0 roles/common/files/abusers-ipv4.xml
See: https://firewalld.org/2015/12/ipset-support
2019-10-05 12:28:30 +03:00
532b533516
roles/common: Update apt in firewall task
...
Otherwise the buster-backports source might not be available, as
the nightly security upates use a different apt sources.list.
2019-10-05 12:00:08 +03:00
eb7998fd12
roles/nginx: Fix hardcoded "stretch" release in sources
...
This was causing the stretch version to get installed on buster, w-
hich led to the cipher suite and ssl protocol support to behave st-
rangeley.
2019-09-15 16:03:17 +03:00
1ec6d07232
roles/nginx: Fix php7.3-fpm socket location on Debian 10
2019-09-15 15:55:42 +03:00
2740f050fc
roles/common: Increase ssh MaxAuthTries from 3 to 4
...
If a user has RSA, ECDSA, and ED25519 private keys present on their
system then the ssh client will offer all of these to the server
and they may not get a chance to try password auth before it fails.
2019-09-15 15:17:00 +03:00
cf16264f53
roles/common: Update sshd_config template for Debian 10
...
It seems I had imported the stock one from a default install, but I
never configured it.
2019-09-15 15:15:30 +03:00
cbdd779af0
roles/common: Remove lzop and lrzip from packages
...
zstd is a much better all-purpose compression utility.
2019-09-15 13:23:52 +03:00
4faeb79b5c
roles/common: Add zstd to base packages
2019-09-14 20:36:40 +03:00
a7231bcf5f
roles/mariadb: Remove login_unix_socket from .my.cnf
...
It is causing an error at client runtime.
2019-09-14 18:32:26 +03:00
43715dd392
roles/common: Use stable tarsnap
2019-09-13 22:14:49 +03:00
7551b803f6
roles/common: Use iptables 1.8.3 on Debian Buster
...
There is a bug in iptables 1.8.2 in Debian 10 "Buster" that causes
firewalld to fail when restoring rules. The bug has been fixed in
iptables 1.8.3, which is currently in buster-backports.
See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694
2019-08-01 15:36:15 +03:00
b59f7c0702
roles/nginx: Update certbot dependencies for Debian 10
...
Taken after a clean Debian 10 install on Linode.
2019-07-23 18:38:33 +03:00
0bff851311
roles/php-fpm: Fix Ansible template parsing issue
...
Remove time formatting strings because Ansible errors when trying
to parse them, even though we are not using them!
2019-07-23 18:32:27 +03:00
2d98d70e02
Update nginx cipher suite and TLS protocols
...
Use latest Mozilla "intermediate" TLS settings. This configuration
works on (at least) Ubuntu 18.04 and Debian 10.
See: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate&openssl-version=1.1.1
2019-07-23 17:53:22 +03:00
2fadb9029a
roles/mariadb: Use Unix socket for MariaDB tasks
...
Otherwise Ansible fails due to PyMySQL using a TCP connection.
See: https://github.com/ansible/ansible/issues/47736
2019-07-23 17:26:23 +03:00
7d8457e5b3
roles/common: Remove old SSH public key
2019-07-23 16:07:39 +03:00
c148da73e7
roles/common: Use experimental Tarsnap on Debian buster
...
Tarsnap currently provides experimental packages for Debian Buster.
See: https://www.tarsnap.com/pkg-deb.html#experimental
2019-07-19 12:07:27 +03:00
e124cac945
roles/nginx: Adjust formatting of apt sources template
2019-07-08 18:44:21 +03:00
70e736bdc5
roles/nginx: Use buster builds
...
nginx.org has buster builds now.
2019-07-08 18:43:43 +03:00
ca293289aa
roles/nginx: Fix logic error in apt sources template
2019-07-07 17:59:00 +03:00
03e2abc4fb
roles/common: Install gnupg2 on Debian
...
Needed by Ansible to add and verify apt package signing keys.
2019-07-07 15:52:25 +03:00
12b6f3aaa2
roles/common: Don't ignore errors on Tarsnap key add
...
It turns out that I had the wrong key ID so it's no wonder this was
failing...
2019-07-07 15:51:04 +03:00
704b02ce0a
roles/common: Fix tarsnap package key
...
For some reason the key ID I had here was wrong. According to the
Tarsnap website the key ID is 0x6D97F5A4CA38CF33.
ee: https://www.tarsnap.com/pkg-deb.html
2019-07-07 15:49:45 +03:00
709a947987
Merge branch 'debian10'
2019-07-06 21:43:41 +03:00
3b95730417
roles/common: Synchronize Debian package task with Ubuntu
2019-07-06 21:36:04 +03:00
10200e52ab
roles/common: Use a fact for base packages on Debian
...
This is safer and ends up being faster because all packages get in-
stalled in one apt transaction.
2019-07-06 21:31:59 +03:00
460c1df65b
roles/php-fpm: Update for PHP 7.3 in Debian 10
2019-07-06 21:16:19 +03:00
5fe583541a
roles/nginx: Set Let's Encrypt packages for Debian 10
...
Taken from the list of packages that the certbot-auto script wants
to bootstrap on a fresh Debian 10 "buster" install.
2019-07-06 21:16:19 +03:00
619f536cd8
roles/nginx: Use Debian 9 "stretch" builds on Debian 10 "buster"
...
There are no Debian 10 "buster" builds from nginx.org yet.
2019-07-06 21:16:19 +03:00
39622077cd
roles/common: Use Debian 9 tarsnap packages
...
There are no tarsnap binaries for Debian 10 yet.
2019-07-06 21:16:19 +03:00
b79001f97a
roles/common: Update security.sources.list for cron-apt
...
We need to make sure to get security updates for packages that are
not in main!
2019-07-06 21:16:19 +03:00
207296b1f8
roles/common: Update Debian security apt repository
...
See: https://www.debian.org/security/
2019-07-06 21:16:19 +03:00
1b4e9ae87c
roles/common: Install Python 3 version of pycurl on Debian 10
...
Debian 10 comes with Python 2 and Python 3 (at least from the ISO),
so we should prefer the Python 3 version of pycurl. We'll see whet-
her cloud providers like Linode and Digital Ocean ship with Python
3 or not in their default image.
2019-07-06 21:16:19 +03:00
da4a6660fb
roles/common: Update comment in tasks/ntp.yml
2019-07-06 21:16:19 +03:00
dd5662911e
roles/common: Import sshd_config from Debian 10
...
OpenSSH version is 7.9p1-10.
2019-07-06 21:16:19 +03:00
4fb2d48e10
roles/mariadb: Install MariaDB 10.4
...
MariaDB 10.4 is now GA.
See: https://mariadb.com/kb/en/library/changes-improvements-in-mariadb-104/
See: https://mariadb.com/kb/en/library/upgrading-from-mariadb-103-to-mariadb-104/
2019-07-05 20:39:17 +03:00
dc2e14a6a3
roles/mariadb: Use python3-pymysql for Ansible
...
For Python 3 Ansible needs a different library to help with MySQL
tasks.
2019-05-08 09:15:47 +03:00
5957f5f2c5
roles: The apt cache_valid_time implies update_cache
...
See: https://docs.ansible.com/ansible/latest/modules/apt_module.html
2019-03-17 17:29:28 +02:00
c5b5cda3d3
Smarter updating of apt index during playbook execution
...
We can register changes when adding repositories and keys and then
update the apt package index conditionally. This should make it be
more consistent between initial host setup and subsequent re-runs.
2019-03-17 17:29:15 +02:00
bec79f18d1
roles/common: Ignore tarsnap key errors
...
Ansible errors on adding the tarsnap signing key because it is not
valid (expired a month ago). I contacted Colin Percival about this
on Twitter but he did not seem worried for some reason.
2019-03-13 12:36:47 +02:00
18ee583261
roles/common: Don't log brute force SSH attempts
...
This is nice to see that the throttling is working, but the logs are
completely full of this useless crap now.
2019-02-26 10:30:03 -08:00
329edaee87
roles/common: Rate limit SSH connections in firewalld
...
I think 5 connections per minute is more than enough. Any over this
and it will be logged to the systemd journal as a warning.
See: https://www.win.tue.nl/~vincenth/ssh_rate_limit_firewalld.htm
See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/configuring_complex_firewall_rules_with_the_rich-language_syntax
2019-01-28 14:09:18 +02:00
bbab45ae6f
Adjust ansible_managed to use comment filter
...
We don't need to comment the ansible_managed block manually.
2019-01-10 12:50:54 +02:00
9921a40c19
roles/common: Update comment
2018-12-20 10:31:18 +02:00
91356ab364
roles/common: Disable Canonical spam in MOTD
2018-12-20 10:27:52 +02:00
49cfbc4c47
roles/common: Add missing systemd-journald config
...
I apparently forgot to add this when I committed the systemd-journald
changes a few weeks ago.
2018-12-20 09:59:13 +02:00
96f14bdda7
roles/common: Remove blank line
2018-12-20 09:57:47 +02:00
6aed22b633
roles/common: Use one task to remove Ubuntu packages
...
I had previously been removing some packages for security reasons,
then removing others because they were annoying, and yet *others*
because they were annoying on newer Ubuntus only. It is easier to
just unify these tasks and remove them all in one go.
On older Ubuntus where some packages don't exist the task will just
succeed because the package is absent anyways.
2018-12-20 09:54:46 +02:00
