diff --git a/.gitignore b/.gitignore
index 84ab838..6ed4276 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
inventory/*
host_vars/*
+group_vars/*
+!group_vars/all.yml
Dockerfile
docker-compose.yml
diff --git a/group_vars/all.yml b/group_vars/all.yml
new file mode 100644
index 0000000..d852cd4
--- /dev/null
+++ b/group_vars/all.yml
@@ -0,0 +1,2 @@
+sshd_port: 22
+ipfs_port: 4001
diff --git a/handbook.yml b/handbook.yml
index b6b25b6..6263672 100644
--- a/handbook.yml
+++ b/handbook.yml
@@ -1,25 +1,26 @@
---
-- name: "Setup a GNU/Linux server"
+- name: "Setup a GNU/Linux target with standards or defined tags"
hosts: "{{ target if target is defined else 'planets' }}"
roles:
+ - role: hardening-basic
+ tags: [hardening, ips, ids]
+
- role: iptables-persistent
- tags: [firewall]
+ tags: [firewall, ips, ids]
- role: iptables-basic
- tags: [firewall]
+ tags: [firewall, ips, ids]
- role: iptables-webserver
tags: [firewall, webserver]
- role: iptables-ipfs
tags: [firewall, ipfs]
- role: fail2ban-basic
- tags: [hardening]
- - role: hardening-basic
- tags: [hardening]
- - yggdrasil
- - role: snort-community
- tags: snort
+ tags: [fail2ban, ips, ids]
+
+ - yggdrasil
+
+ - role: snort-community
+ tags: [snort, ips, ids]
- - role: pi-hole
- tags: pi-hole
diff --git a/pi-hole.yml b/pi-hole.yml
new file mode 100644
index 0000000..c6533ae
--- /dev/null
+++ b/pi-hole.yml
@@ -0,0 +1,6 @@
+---
+
+- name: "Setup the target for pi-hole"
+ hosts: "{{ target if target is defined else 'planets' }}"
+ roles:
+ - role: pi-hole
diff --git a/roles/fail2ban-basic/README.md b/roles/fail2ban-basic/README.md
index 225dd44..c203e1a 100644
--- a/roles/fail2ban-basic/README.md
+++ b/roles/fail2ban-basic/README.md
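Review bot: group_vars/all.yml is now the only place `sshd_port` and `ipfs_port` are defined, because the same commit drops the role defaults hardening_sshd_port, iptables_basic_ssh_port and iptables_ipfs_port, yet nothing in the new file says who consumes these values. A short comment keeps the sshd `Port` directive and the firewall ACCEPT rule from drifting apart: `# sshd_port: read by hardening-basic (sshd_config Port) and iptables-basic (INPUT ACCEPT); change both or neither` and, for the second key, `# ipfs_port: read by iptables-ipfs (INPUT ACCEPT)`.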
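Review bot: With the new tag layout in handbook.yml, `--tags hardening` runs hardening-basic alone, which rewrites the sshd `Port` from `sshd_port`, while the iptables-basic task that accepts that port is reachable only through `firewall`, `ips` or `ids`; on a host with a non-default `sshd_port` and a restrictive saved ruleset this can cut the operator off after the sshd restart. Either give the firewall role the same tag, `tags: [firewall, hardening, ips, ids]` on iptables-basic, or document that `ips`/`ids` is the tag set that applies both halves together. Note also that fail2ban-basic no longer carries `hardening`, so existing invocations with `--tags hardening` silently stop installing fail2ban; a line in the playbook description or README should say so.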
@@ -1,38 +1,35 @@
-Role Name
+fail2ban-basic
=========
-A brief description of the role goes here.
+This role install fail2ban into the target.
Requirements
------------
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+.
Role Variables
--------------
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+- **fail2ban_enabled** (boolean): Enable of disable fail2ban setup
+- **fail2ban_package_name_by_os_family** (array): Each key correspond to [OS family](https://docs.ansible.com/ansible/2.6/user_guide/playbooks_conditionals.html#ansible-os-family), the value correspond to the package name to be installed
Dependencies
------------
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+.
Example Playbook
----------------
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
- - hosts: servers
- roles:
- - { role: username.rolename, x: 42 }
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags fail2ban`
License
-------
-BSD
+GPLv3
Author Information
------------------
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+- [Claudio Maradonna](https://social.unitoo.it/claudio)
diff --git a/roles/fail2ban-basic/defaults/main.yml b/roles/fail2ban-basic/defaults/main.yml
index 4bf780d..5370be4 100644
--- a/roles/fail2ban-basic/defaults/main.yml
+++ b/roles/fail2ban-basic/defaults/main.yml
@@ -1,5 +1,6 @@
---
# defaults file for fail2ban-basic
+fail2ban_enabled: true
fail2ban_package_name_by_os_family:
Debian: fail2ban
diff --git a/roles/fail2ban-basic/tasks/main.yml b/roles/fail2ban-basic/tasks/main.yml
index 00f2126..9211aee 100644
--- a/roles/fail2ban-basic/tasks/main.yml
+++ b/roles/fail2ban-basic/tasks/main.yml
@@ -2,6 +2,7 @@
# tasks file for fail2ban-basic
#
- name: Fail2ban Configuration
+ when: fail2ban_enabled is true
block:
- name: Install Fail2ban
ansible.builtin.package:
diff --git a/roles/hardening-basic/README.md b/roles/hardening-basic/README.md
index 1396f4a..95d63a1 100644
--- a/roles/hardening-basic/README.md
+++ b/roles/hardening-basic/README.md
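Review bot: `when: fail2ban_enabled is true` matches only a native boolean, so a value supplied as `-e fail2ban_enabled=true` (a string) or quoted in inventory makes the whole block skip silently and the host ends up without fail2ban and without any error. `when: fail2ban_enabled | bool` accepts both spellings and is the form the Ansible docs recommend for feature flags; the two `is true` conditions added to roles/pi-hole/tasks/main.yml have the same weakness. The block guarded by this condition continues past the end of the hunk.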
@@ -11,15 +11,14 @@ Requirements
Role Variables
--------------
-- *hardening_sshd_enabled* (boolean): Enable or disable ssh hardening
-- *hardening_sshd_port* (integer): Set the SSHD port
-- *hardening_sshd_authorized_key_file* (string): Set the relative path for sshd authorized_key_file
-- *hardening_sshd_tcp_forward* (boolean): Enable or disable sshd tcp forwarding
-- *hardening_sshd_legal_banner* (boolean): Enable or disable sshd legal banner (/etc/issue.net)
-- *hardening_sshd_permissions_set_sticky_bit* (boolean): Enable or disable the sticky bit for sshd directory and files (root)
-- *hardening_sysctl_vm_swappiness* (integer): Set the value for sysctl vm.swappiness
-- *hardening_sysctl_disable_ipv6* (boolean): Enable or disable ipv6 though sysctl
-- *hardening_modprobe_disable_list* (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
+- **hardening_sshd_enabled** (boolean): Enable or disable ssh hardening
+- **hardening_sshd_authorized_key_file** (string): Set the relative path for sshd authorized_key_file
+- **hardening_sshd_tcp_forward** (boolean): Enable or disable sshd tcp forwarding
+- **hardening_sshd_legal_banner** (boolean): Enable or disable sshd legal banner (/etc/issue.net)
+- **hardening_sshd_permissions_set_sticky_bit** (boolean): Enable or disable the sticky bit for sshd directory and files (root)
+- **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness
+- **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
+- **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
Dependencies
------------
diff --git a/roles/hardening-basic/defaults/main.yml b/roles/hardening-basic/defaults/main.yml
index bd3fee2..7b3bbbe 100644
--- a/roles/hardening-basic/defaults/main.yml
+++ b/roles/hardening-basic/defaults/main.yml
@@ -2,7 +2,6 @@
# defaults file for hardening-basic
hardening_sshd_enabled: true
-hardening_sshd_port: 22
hardening_sshd_authorized_key_file: .ssh/authorized_keys
hardening_sshd_tcp_forward: false
hardening_sshd_legal_banner: false
diff --git a/roles/hardening-basic/templates/etc/ssh/sshd_config.d/99-hardening.conf b/roles/hardening-basic/templates/etc/ssh/sshd_config.d/99-hardening.conf
index cd08c15..8692650 100644
--- a/roles/hardening-basic/templates/etc/ssh/sshd_config.d/99-hardening.conf
+++ b/roles/hardening-basic/templates/etc/ssh/sshd_config.d/99-hardening.conf
@@ -4,7 +4,7 @@ Protocol 2 # Protocol 1 is
StrictModes yes # Protects from misconfiguration
#ListenAddress [ip-here] # Listening address
-Port {{ hardening_sshd_port }} # Listening port. Normal 22
+Port {{ sshd_port }} # Listening port. Normal 22
AuthenticationMethods publickey # Only public key authentication allowed
AuthorizedKeysFile {{ hardening_sshd_authorized_key_file }}
diff --git a/roles/iptables-basic/README.md b/roles/iptables-basic/README.md
index 225dd44..f1f966e 100644
--- a/roles/iptables-basic/README.md
+++ b/roles/iptables-basic/README.md
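Review bot: `Port {{ sshd_port }}` now reads a variable that has no role default any more (the `hardening_sshd_port: 22` default is removed in the same commit), so running hardening-basic outside this playbook, or without group_vars/all.yml on the path, fails at template time with an undefined-variable error instead of a message that names the missing contract. A guard at the top of the role's tasks makes the dependency explicit: `- ansible.builtin.assert:` / `    that: sshd_port is defined and (sshd_port | int) > 0` / `    fail_msg: "sshd_port must be set, e.g. in group_vars/all.yml"`. roles/iptables-basic and roles/iptables-ipfs depend on `sshd_port` / `ipfs_port` in the same way after this change and would benefit from the same check, and the hardening-basic README removed its port entry without listing the global variable that replaces it. The inline `# Listening port…` comment on the directive line is pre-existing, but older sshd releases may not accept trailing comments after a directive, so it is worth confirming with `sshd -t` on the oldest supported target.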
@@ -1,38 +1,36 @@
-Role Name
+iptables-basic
=========
-A brief description of the role goes here.
+This role setup iptables with good defaults
Requirements
------------
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+.
Role Variables
--------------
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+- **iptables_basic_enabled** (boolean): Enable or disable iptable setup
+- **iptables_basic_reset_enabled** (boolean): Enable or disable iptables flush
+- **iptables_basic_drop_unencrypted_smtp_port** (boolean): If true drop the standard SMTP port (25)
Dependencies
------------
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+.
Example Playbook
----------------
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
- - hosts: servers
- roles:
- - { role: username.rolename, x: 42 }
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags firewall`
License
-------
-BSD
+GPLv3
Author Information
------------------
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+- [Claudio Maradonna](https://social.unitoo.it/claudio)
diff --git a/roles/iptables-basic/defaults/main.yml b/roles/iptables-basic/defaults/main.yml
index 8030734..bf0f67e 100644
--- a/roles/iptables-basic/defaults/main.yml
+++ b/roles/iptables-basic/defaults/main.yml
@@ -3,5 +3,4 @@
iptables_basic_enabled: true
iptables_basic_reset_enabled: false
-iptables_basic_ssh_port: 22
iptables_basic_drop_unencrypted_smtp_port: true
diff --git a/roles/iptables-basic/tasks/main.yml b/roles/iptables-basic/tasks/main.yml
index 1081322..e3bf23d 100644
--- a/roles/iptables-basic/tasks/main.yml
+++ b/roles/iptables-basic/tasks/main.yml
@@ -43,7 +43,7 @@
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
- destination_port: "{{ iptables_basic_ssh_port }}"
+ destination_port: "{{ sshd_port }}"
ctstate: NEW
syn: match
jump: ACCEPT
diff --git a/roles/iptables-ipfs/README.md b/roles/iptables-ipfs/README.md
index 225dd44..4adfbda 100644
--- a/roles/iptables-ipfs/README.md
+++ b/roles/iptables-ipfs/README.md
@@ -1,38 +1,34 @@
-Role Name
+iptables-ipfs
=========
-A brief description of the role goes here.
+This role setup iptables rules for IPFS
Requirements
------------
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+.
Role Variables
--------------
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+**iptables_ipfs_enabled** (boolean): Enable or disable IPFS rules
Dependencies
------------
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+.
Example Playbook
----------------
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
- - hosts: servers
- roles:
- - { role: username.rolename, x: 42 }
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags firewall`
License
-------
-BSD
+GPLv3
Author Information
------------------
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+- [Claudio Maradonna](https://social.unitoo.it/claudio)
diff --git a/roles/iptables-ipfs/defaults/main.yml b/roles/iptables-ipfs/defaults/main.yml
index c2496b6..ad7c494 100644
--- a/roles/iptables-ipfs/defaults/main.yml
+++ b/roles/iptables-ipfs/defaults/main.yml
@@ -2,4 +2,3 @@
# defaults file for iptables-ipfs
iptables_ipfs_enabled: false
-iptables_ipfs_port: 4001
diff --git a/roles/iptables-ipfs/tasks/main.yml b/roles/iptables-ipfs/tasks/main.yml
index 1ccfd35..29898a5 100644
--- a/roles/iptables-ipfs/tasks/main.yml
+++ b/roles/iptables-ipfs/tasks/main.yml
@@ -10,7 +10,7 @@
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
- destination_port: "{{ iptables_ipfs_port }}"
+ destination_port: "{{ ipfs_port }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
comment: IPFS dedicated port
diff --git a/roles/iptables-persistent/README.md b/roles/iptables-persistent/README.md
index 225dd44..a016058 100644
--- a/roles/iptables-persistent/README.md
+++ b/roles/iptables-persistent/README.md
@@ -1,38 +1,36 @@
-Role Name
+iptables-persistent
=========
-A brief description of the role goes here.
+This role setup iptables-persistent and execute rules saving
Requirements
------------
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+.
Role Variables
--------------
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+**iptables_persistent_package_name_by_os_family** (array): Each key correspond to [OS family](https://docs.ansible.com/ansible/2.6/user_guide/playbooks_conditionals.html#ansible-os-family), the value correspond to the package name to be installed
+**iptables_persistent_save_to_file** (boolean): If true enable file saving with rules
+
Dependencies
------------
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+.
Example Playbook
----------------
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
- - hosts: servers
- roles:
- - { role: username.rolename, x: 42 }
+This role aims to be used by other roles.
License
-------
-BSD
+GPLv3
Author Information
------------------
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+- [Claudio Maradonna](https://social.unitoo.it/claudio)
diff --git a/roles/pi-hole/defaults/main.yml b/roles/pi-hole/defaults/main.yml
index 9316b2a..70dab4d 100644
--- a/roles/pi-hole/defaults/main.yml
+++ b/roles/pi-hole/defaults/main.yml
@@ -3,6 +3,7 @@
pihole_enabled: false
pihole_install_custom_list: false
+pihole_update_gravity: false
pihole_custom_list:
- https://blocklistproject.github.io/Lists/ads.txt
diff --git a/roles/pi-hole/tasks/main.yml b/roles/pi-hole/tasks/main.yml
index f999cac..f1c57ab 100644
--- a/roles/pi-hole/tasks/main.yml
+++ b/roles/pi-hole/tasks/main.yml
@@ -20,7 +20,7 @@
msg: "curl -sSL https://install.pi-hole.net | bash"
- name: Check if can install custom list
- when: pihole_install_custom_list is true
+ when: 'pihole_install_custom_list is true'
block:
- name: Check if pi-hole db exists
stat:
@@ -38,4 +38,22 @@
loop: "{{ pihole_custom_list }}"
- name: Update Gravity
+ when: 'pihole_update_gravity is true'
ansible.builtin.shell: pihole updateGravity
+
+ - name: iptables-webserver
+ ansible.builtin.include_role:
+ name: iptables-webserver
+
+ - name: Setup iptables rules
+ ansible.builtin.iptables:
+ chain: INPUT
+ protocol: '{{ item }}'
+ destination_port: 53
+ jump: ACCEPT
+ comment: Accept DNS connections
+ loop: [tcp,udp]
+
+ - name: iptables-persistent
+ ansible.builtin.include_role:
+ name: iptables-persistent
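Review bot: The new `Setup iptables rules` task accepts TCP and UDP port 53 on INPUT from any source, which makes the host an open resolver on every interface the ruleset covers and, if it has a public address, a candidate for DNS amplification abuse. Limit the rule to the networks the resolver is meant to serve, for example with a new role default such as `source: "{{ pihole_dns_allowed_cidr }}"` (constructed name) or with `in_interface:` set to the LAN interface, so the exposure is a deliberate, documented choice. Indentation is not recoverable from this view; if the added tasks sit inside the block guarded by `when: 'pihole_install_custom_list is true'`, as the preceding Update Gravity task appears to, the firewall rules and the iptables-persistent include are skipped whenever custom lists are disabled, which is probably not intended — confirm the nesting. Minor style point: `loop: [tcp, udp]` with a space after the comma matches the flow lists used in handbook.yml.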