fix typo with iptables-webserver; add custom list installation for pihole; add snort community rules configuration and setup

This commit is contained in:
Claudio Maradonna 2022-11-19 11:48:56 +01:00
parent df18c65a75
commit f9b9a2e72b
Signed by untrusted user who does not match committer: claudiomaradonna
GPG key ID: 0CBA58694C5680D9
5 changed files with 80 additions and 2 deletions


@ -10,7 +10,7 @@
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ port }}"
destination_port: "{{ item }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
comment: Webserver dedicated port


@ -2,3 +2,29 @@
# defaults file for pi-hole
pihole_enabled: false
pihole_install_custom_list: false
pihole_custom_list:
- https://blocklistproject.github.io/Lists/ads.txt
- https://gist.githubusercontent.com/anudeepND/adac7982307fec6ee23605e281a57f1a/raw/5b8582b906a9497624c3f3187a49ebc23a9cf2fb/Test.txt
- https://phishing.army/download/phishing_army_blocklist_extended.txt
- https://blocklistproject.github.io/Lists/ransomware.txt
- https://phishing.army/download/phishing_army_blocklist.txt
- https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
- https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/ImmortalMalwareDomains.txt
- https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
- https://v.firebog.net/hosts/Prigent-Crypto.txt
- https://raw.githubusercontent.com/mitchellkrogza/Phishing.Database/master/phishing-domains-ACTIVE.txt
- https://raw.githubusercontent.com/migueldemoura/ublock-umatrix-rulesets/master/Hosts/malware
- https://kriskintel.com/feeds/ktip_malicious_domains.txt
- https://blocklistproject.github.io/Lists/scam.txt
- https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
- https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
- https://blocklistproject.github.io/Lists/fraud.txt
- https://raw.githubusercontent.com/infinitytec/blocklists/master/scams-and-phishing.txt
- https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
- https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts
- https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
- https://v.firebog.net/hosts/Prigent-Ads.txt
- https://blocklistproject.github.io/Lists/smart-tv.txt
- https://raw.githubusercontent.com/d43m0nhLInt3r/socialblocklists/master/SmartTV/smarttvblocklist.txt
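Review bot: None of the new `pihole_custom_list` entries carries a comment saying what category it blocks or why it was chosen, which makes this default hard to audit later — the gist entry is a personal gist whose raw filename is `Test.txt`, and `phishing_army_blocklist_extended.txt` next to `phishing_army_blocklist.txt` looks like a superset/subset pair, so one of them is probably redundant (confirm against the upstream descriptions). A one-line comment above each entry (`# ads — blocklistproject`, `# phishing — phishing.army, extended set`) plus a header such as `# Entries are written verbatim into gravity.db adlist.address; keep to https URLs without quote characters` would document the contract the install task in this commit relies on. The gist URL is pinned to a raw commit, which is good for reproducibility; the other GitHub/GitLab raw URLs track `master` and will silently change content between runs, so consider pinning those too or noting that floating heads are intended.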


@ -15,6 +15,27 @@
ansible.builtin.package:
name: curl
- name: Execute manually the automated install and follow instructions
- name: Execute manually the automated install and follow instructions, after that you can install custom list
ansible.builtin.debug:
msg: "curl -sSL https://install.pi-hole.net | bash"
- name: Check if can install custom list
when: pihole_install_custom_list is true
block:
- name: Check if pi-hole db exists
stat:
path: /etc/pihole/gravity.db
register: pihole_db
- name: Install sqlite3 package
ansible.builtin.package:
name: sqlite3
- name: Install more lists than default
when: pihole_db.stat.exists
ansible.builtin.shell:
cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
loop: "{{ pihole_custom_list }}"
- name: Update Gravity
ansible.builtin.shell: pihole updateGravity
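Review bot: The `Install more lists than default` task splices `{{ item }}` unescaped into both a shell command line and an SQL string literal (`cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist ... VALUES ('{{ item }}', 1, '');"`), and `pihole_custom_list` is a user-overridable default, so any entry containing `'`, `;`, `$` or a backtick breaks out of the SQL literal and/or the shell; run `sqlite3` through `ansible.builtin.command` with `argv` (no shell involved) and double any `'` in the value before it reaches SQL. The task is also not idempotent: every run re-inserts the same addresses, which either accumulates duplicate adlist rows or, if `adlist.address` is unique in the pi-hole schema, fails the play with a constraint error — `INSERT OR IGNORE` handles both. The closing `Update Gravity` task runs even when `pihole_db.stat.exists` is false and nothing was inserted; give it the same `when: pihole_db.stat.exists` guard. Minor: `stat:` is the only short-name module in this block while the rest use `ansible.builtin.*`.
```yaml
    block:
      # … unchanged: stat of gravity.db and sqlite3 package install …
      - name: Install more lists than default
        when: pihole_db.stat.exists
        ansible.builtin.command:
          argv:
            - sqlite3
            - /etc/pihole/gravity.db
            - >-
              INSERT OR IGNORE INTO adlist (address, enabled, comment)
              VALUES ('{{ item | replace("'", "''") }}', 1, '');
        loop: "{{ pihole_custom_list }}"
      # … unchanged: Update Gravity task (add when: pihole_db.stat.exists) …
```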


@ -0,0 +1,19 @@
- name: Download updated Community Rules
ansible.builtin.get_url:
url: https://www.snort.org/rules/community
dest: /tmp/snort_community_rules.tar.gz
- name: Extract Community Rules
ansible.builtin.unarchive:
src: /tmp/snort_community_rules.tar.gz
dest: /tmp/snort_community_rules
- name: Copy rules to snort config folder
ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/snort/rules
with_fileglob:
- /tmp/snort_community_rules/*
- name: Activate Community rules
ansible.builtin.shell: sed -i 's/include $RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
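Review bot: The download, extraction and copy all go through fixed names under the world-writable `/tmp` (`/tmp/snort_community_rules.tar.gz`, `/tmp/snort_community_rules`) and the copy task then installs whatever it finds there into `/etc/snort/rules`, so an unprivileged local user on the target who pre-creates those paths (or a symlink) can get their own content loaded as IDS rules; stage through `ansible.builtin.tempfile` (root-owned directory with an unpredictable name) and remove it afterwards. Separately, `ansible.builtin.unarchive` and `ansible.builtin.copy` default to `remote_src: false` and `with_fileglob` expands on the controller, so unless this play runs with `connection: local` the extract and copy steps look at the controller's filesystem rather than the host where `get_url` saved the tarball. `get_url` has no `checksum:`, so the rule set is trusted on TLS alone — add `checksum: "<algorithm>:<published digest or its URL>"` (placeholder) if snort.org publishes a digest for that archive. The final `sed` prefixes every `include $RULE_PATH` line with `#`, which would also disable a `community.rules` include if one is present, and stacks another `#` on each run; an idempotent `ansible.builtin.replace` plus an `ansible.builtin.lineinfile` that adds `include $RULE_PATH/community.rules` once would match the task's name.
```yaml
- name: Create a private staging directory on the target
  ansible.builtin.tempfile:
    state: directory
    suffix: snort_rules
  register: snort_rules_tmp

- name: Download updated Community Rules
  ansible.builtin.get_url:
    url: https://www.snort.org/rules/community
    dest: "{{ snort_rules_tmp.path }}/snort_community_rules.tar.gz"
    mode: "0600"

- name: Extract Community Rules
  ansible.builtin.unarchive:
    src: "{{ snort_rules_tmp.path }}/snort_community_rules.tar.gz"
    dest: "{{ snort_rules_tmp.path }}"
    remote_src: true

- name: Find extracted rule files on the target
  ansible.builtin.find:
    paths: "{{ snort_rules_tmp.path }}"
    recurse: true
  register: snort_rules_files

- name: Copy rules to snort config folder
  ansible.builtin.copy:
    src: "{{ item.path }}"
    dest: /etc/snort/rules/
    remote_src: true
    mode: "0644"
  loop: "{{ snort_rules_files.files }}"

- name: Remove staging directory
  ansible.builtin.file:
    path: "{{ snort_rules_tmp.path }}"
    state: absent
# … unchanged: Activate Community rules task …
```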


@ -65,6 +65,18 @@
regexp: 'ipvar HOME_NET any'
replace: 'ipvar HOME_NET {{ snort_home_net_address }}'
- name: Check if there are rules or files in /etc/snort/rules
find:
paths: /etc/snort/rules
file_type: any
hidden: true
register: snort_rules
- name: Install Community Rules if /etc/snort/rules empty
when: snort_rules.matched == 0
block:
- include_tasks: install_Community_Rules.yml
- name: Validate snort configuration
ansible.builtin.shell: snort -T -c /etc/snort/snort.conf
register: snort_output
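Review bot: The `when: snort_rules.matched == 0` guard makes the community-rules download a one-shot: because the `find` uses `file_type: any` and `hidden: true`, any entry in `/etc/snort/rules` — a stray `local.rules`, a dotfile, a leftover from a failed run — suppresses the include forever, so the rule set is never refreshed even though the included task is titled "Download updated Community Rules". If install-once is the intent, say so above the block: `# Community rules are bootstrapped only into an empty rules directory; refreshes are manual.` If refreshes are wanted, key the guard on something specific such as the absence of `community.rules` or a `snort_update_rules` variable, and apply it as `when:` directly on the `include_tasks` instead of wrapping a single task in a `block`. `find` is the only short-name module in this section while the neighbours use `ansible.builtin.*`; `ansible.builtin.find` keeps it consistent. The validation step runs `snort -T` via `shell` and registers `snort_output` without `changed_when: false`, so every run reports a change; `ansible.builtin.command` with `changed_when: false` is the idiomatic form for a read-only check.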