alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

Compare commits

base: alanorth:b13ead0657b1693a67f4175e247be10195508412
Branches Tags
alanorth:master alanorth:debian13 alanorth:alpine
..
compare: alanorth:df26b6c17e929bca05edb698fac343db230161a1
Branches Tags
alanorth:debian13 alanorth:master alanorth:alpine

2 Commits
b13ead0657 ... df26b6c17e

Author SHA1 Message Date
Alan Orth
df26b6c17e roles/common: notify fail2ban after updating firewall 
We should always restart fail2ban after updating the firewall. Also
note that the order of execution of handlers depends on how they are
defined in the handler config, not on the order they are listed in
the task's notify statement.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
 2021-09-28 10:45:51 +03:00
Alan Orth
d92151b8a6 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Note: there were no IPv6 addresses in the top 10,000 this time so I
used a dummy address for the nftables set so the syntax was valid.
 2021-09-28 10:28:02 +03:00
7 changed files with 13615 additions and 13599 deletions
Expand all files Collapse all files

13593
roles/common/files/abuseipdb-ipv4.nft
View File

File diff suppressed because it is too large Load Diff

4
roles/common/files/abuseipdb-ipv6.nft
View File

@@ -1,7 +1,5 @@
#!/usr/sbin/nft -f #!/usr/sbin/nft -f
define ABUSEIPDB_IPV6 = { define ABUSEIPDB_IPV6 = {
2400:6180:0:d1::4ce:d001, fe80::bca2:37fa:fe58:414e
2607:5300:60:232d::,
2607:f298:6:a066::1bf:e80e,
} }

13593
roles/common/files/abusers-ipv4.xml
View File

File diff suppressed because it is too large Load Diff

3
roles/common/files/abusers-ipv6.xml
View File

@@ -3,7 +3,4 @@
<option name="family" value="inet6" /> <option name="family" value="inet6" />
<short>abusers-ipv6</short> <short>abusers-ipv6</short>
<description>A list of abusive IPv6 addresses.</description> <description>A list of abusive IPv6 addresses.</description>
<entry>2400:6180:0:d1::4ce:d001</entry>
<entry>2607:5300:60:232d::</entry>
<entry>2607:f298:6:a066::1bf:e80e</entry>
</ipset> </ipset>

9
roles/common/handlers/main.yml
View File

@@ -10,11 +10,14 @@
- name: restart firewalld - name: restart firewalld
systemd: name=firewalld state=restarted systemd: name=firewalld state=restarted
- name: restart fail2ban
systemd: name=fail2ban state=restarted
- name: reload systemd - name: reload systemd
systemd: daemon_reload=yes systemd: daemon_reload=yes
- name: restart nftables - name: restart nftables
systemd: name=nftables state=restarted systemd: name=nftables state=restarted
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban
systemd: name=fail2ban state=restarted

7
roles/common/tasks/firewall_Debian.yml
View File

@@ -34,6 +34,7 @@
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify: notify:
- restart nftables - restart nftables
- restart fail2ban
- name: Create /etc/nftables extra config directory - name: Create /etc/nftables extra config directory
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
@@ -50,6 +51,7 @@
- { src: "abuseipdb-ipv6.nft", force: "yes" } - { src: "abuseipdb-ipv6.nft", force: "yes" }
notify: notify:
- restart nftables - restart nftables
- restart fail2ban
- name: Use iptables backend in firewalld - name: Use iptables backend in firewalld
when: ansible_distribution_major_version is version('10', '==') when: ansible_distribution_major_version is version('10', '==')
@@ -59,6 +61,7 @@
line: 'FirewallBackend=iptables' line: 'FirewallBackend=iptables'
notify: notify:
- restart firewalld - restart firewalld
- restart fail2ban
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables # firewalld seems to have an issue with iptables 1.8.2 when using the nftables
# backend. Using individual calls seems to work around it. # backend. Using individual calls seems to work around it.
@@ -71,6 +74,7 @@
line: 'IndividualCalls=yes' line: 'IndividualCalls=yes'
notify: notify:
- restart firewalld - restart firewalld
- restart fail2ban
- name: Copy firewalld public zone file - name: Copy firewalld public zone file
when: ansible_distribution_major_version is version('10', '<=') when: ansible_distribution_major_version is version('10', '<=')
@@ -81,6 +85,7 @@
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify: notify:
- restart firewalld - restart firewalld
- restart fail2ban
- name: Copy firewalld ipsets of abusive IPs - name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_major_version is version('10', '<=') when: ansible_distribution_major_version is version('10', '<=')
@@ -92,6 +97,7 @@
- spamhaus-ipv6.xml - spamhaus-ipv6.xml
notify: notify:
- restart firewalld - restart firewalld
- restart fail2ban
- name: Copy Spamhaus firewalld update script - name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('10', '<=') when: ansible_distribution_version is version('10', '<=')
@@ -134,6 +140,7 @@
systemd: name=update-spamhaus-lists.timer state=started enabled=yes systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify: notify:
- restart firewalld - restart firewalld
- restart fail2ban
- name: Start and enable nftables update timers - name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=') when: ansible_distribution_version is version('11', '>=')

5
roles/common/tasks/firewall_Ubuntu.yml
View File

@@ -35,6 +35,7 @@
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify: notify:
- restart nftables - restart nftables
- restart fail2ban
- name: Create /etc/nftables extra config directory - name: Create /etc/nftables extra config directory
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
@@ -51,6 +52,7 @@
- { src: "abuseipdb-ipv6.nft", force: "yes" } - { src: "abuseipdb-ipv6.nft", force: "yes" }
notify: notify:
- restart nftables - restart nftables
- restart fail2ban
- name: Copy firewalld public zone file - name: Copy firewalld public zone file
when: ansible_distribution_version is version('18.04', '<=') when: ansible_distribution_version is version('18.04', '<=')
@@ -61,6 +63,7 @@
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify: notify:
- restart firewalld - restart firewalld
- restart fail2ban
- name: Copy firewalld ipsets of abusive IPs - name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_version is version('18.04', '<=') when: ansible_distribution_version is version('18.04', '<=')
@@ -72,6 +75,7 @@
- spamhaus-ipv6.xml - spamhaus-ipv6.xml
notify: notify:
- restart firewalld - restart firewalld
- restart fail2ban
- name: Copy Spamhaus firewalld update script - name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('18.04', '<=') when: ansible_distribution_version is version('18.04', '<=')
@@ -114,6 +118,7 @@
systemd: name=update-spamhaus-lists.timer state=started enabled=yes systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify: notify:
- restart firewalld - restart firewalld
- restart fail2ban
- name: Start and enable nftables update timers - name: Start and enable nftables update timers
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')