fix typo in iptables-webserver; add custom list installation for pihole; add snort community rules configuration and setup
This commit is contained in:
parent
df18c65a75
commit
f9b9a2e72b
5 changed files with 80 additions and 2 deletions
|
@ -10,7 +10,7 @@
|
|||
ansible.builtin.iptables:
|
||||
chain: INPUT
|
||||
protocol: tcp
|
||||
destination_port: "{{ port }}"
|
||||
destination_port: "{{ item }}"
|
||||
ctstate: NEW,ESTABLISHED
|
||||
jump: ACCEPT
|
||||
comment: Webserver dedicated port
|
||||
|
|
|
@ -2,3 +2,29 @@
|
|||
# defaults file for pi-hole
|
||||
|
||||
pihole_enabled: false
|
||||
pihole_install_custom_list: false
|
||||
|
||||
pihole_custom_list:
|
||||
- https://blocklistproject.github.io/Lists/ads.txt
|
||||
- https://gist.githubusercontent.com/anudeepND/adac7982307fec6ee23605e281a57f1a/raw/5b8582b906a9497624c3f3187a49ebc23a9cf2fb/Test.txt
|
||||
- https://phishing.army/download/phishing_army_blocklist_extended.txt
|
||||
- https://blocklistproject.github.io/Lists/ransomware.txt
|
||||
- https://phishing.army/download/phishing_army_blocklist.txt
|
||||
- https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
|
||||
- https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/ImmortalMalwareDomains.txt
|
||||
- https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
|
||||
- https://v.firebog.net/hosts/Prigent-Crypto.txt
|
||||
- https://raw.githubusercontent.com/mitchellkrogza/Phishing.Database/master/phishing-domains-ACTIVE.txt
|
||||
- https://raw.githubusercontent.com/migueldemoura/ublock-umatrix-rulesets/master/Hosts/malware
|
||||
- https://kriskintel.com/feeds/ktip_malicious_domains.txt
|
||||
- https://blocklistproject.github.io/Lists/scam.txt
|
||||
- https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
|
||||
- https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
|
||||
- https://blocklistproject.github.io/Lists/fraud.txt
|
||||
- https://raw.githubusercontent.com/infinitytec/blocklists/master/scams-and-phishing.txt
|
||||
- https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
|
||||
- https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts
|
||||
- https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
|
||||
- https://v.firebog.net/hosts/Prigent-Ads.txt
|
||||
- https://blocklistproject.github.io/Lists/smart-tv.txt
|
||||
- https://raw.githubusercontent.com/d43m0nhLInt3r/socialblocklists/master/SmartTV/smarttvblocklist.txt
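Review bot: Every entry in `pihole_custom_list` is later interpolated verbatim into a shell command and an SQL literal (the `sqlite3 ... INSERT INTO adlist` task in the pi-hole tasks file), so the defaults should say that entries must be plain, trusted HTTPS URLs with no quotes or shell metacharacters. The gist entry pinned to a raw revision and named `Test.txt` reads like a scratch list rather than a maintained feed; its provenance deserves a comment or a replacement by a maintained source. I would add above `pihole_custom_list:` a line such as `# Adlist URLs inserted into gravity.db when pihole_install_custom_list is true; plain trusted HTTPS URLs only (no quotes or shell metacharacters).`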
|
||||
|
|
|
@ -15,6 +15,27 @@
|
|||
ansible.builtin.package:
|
||||
name: curl
|
||||
|
||||
- name: Execute manually the automated install and follow instructions
|
||||
- name: Execute manually the automated install and follow instructions, after that you can install custom list
|
||||
ansible.builtin.debug:
|
||||
msg: "curl -sSL https://install.pi-hole.net | bash"
|
||||
|
||||
- name: Check if can install custom list
|
||||
when: pihole_install_custom_list is true
|
||||
block:
|
||||
- name: Check if pi-hole db exists
|
||||
stat:
|
||||
path: /etc/pihole/gravity.db
|
||||
register: pihole_db
|
||||
|
||||
- name: Install sqlite3 package
|
||||
ansible.builtin.package:
|
||||
name: sqlite3
|
||||
|
||||
- name: Install more lists than default
|
||||
when: pihole_db.stat.exists
|
||||
ansible.builtin.shell:
|
||||
cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
|
||||
loop: "{{ pihole_custom_list }}"
|
||||
|
||||
- name: Update Gravity
|
||||
ansible.builtin.shell: pihole updateGravity
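Review bot: The `Install more lists than default` task builds its SQL by pasting `{{ item }}` into a shell-quoted string and an SQL literal, so any entry containing `'`, `$` or a backtick breaks the command, and a second run re-inserts every address — if `adlist.address` carries a UNIQUE constraint, as I believe it does in gravity.db, the rerun fails instead of being idempotent. Passing `argv` to `ansible.builtin.command` removes the shell layer, `INSERT OR IGNORE` makes reruns safe, and doubling single quotes in the value escapes the SQL literal, as in the rewrite below. Separately, `when: pihole_install_custom_list is true` only matches a real boolean, so an extra-var string like `pihole_install_custom_list=true` silently skips the block; `when: pihole_install_custom_list | bool` is the usual form. `stat:` is the only non-FQCN module in the hunk, so `ansible.builtin.stat:` would keep the file consistent.
```yaml
# … unchanged: preceding tasks in the block (stat, sqlite3 package) …
- name: Install more lists than default
  when: pihole_db.stat.exists
  ansible.builtin.command:
    argv:
      - sqlite3
      - /etc/pihole/gravity.db
      - >-
        INSERT OR IGNORE INTO adlist (address, enabled, comment)
        VALUES ('{{ item | replace("'", "''") }}', 1, '');
  loop: "{{ pihole_custom_list }}"
# … unchanged: Update Gravity task …
```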
|
||||
|
|
19
roles/snort-community/tasks/install_Community_Rules.yml
Normal file
19
roles/snort-community/tasks/install_Community_Rules.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
- name: Download updated Community Rules
|
||||
ansible.builtin.get_url:
|
||||
url: https://www.snort.org/rules/community
|
||||
dest: /tmp/snort_community_rules.tar.gz
|
||||
|
||||
- name: Extract Community Rules
|
||||
ansible.builtin.unarchive:
|
||||
src: /tmp/snort_community_rules.tar.gz
|
||||
dest: /tmp/snort_community_rules
|
||||
|
||||
- name: Copy rules to snort config folder
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/snort/rules
|
||||
with_fileglob:
|
||||
- /tmp/snort_community_rules/*
|
||||
|
||||
- name: Activate Community rules
|
||||
ansible.builtin.shell: sed -i 's/include $RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
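Review bot: The `Activate Community rules` task does the opposite of its name: the sed expression prefixes every `include $RULE_PATH` line in `/etc/snort/snort.conf` with `#`, which comments the rule includes out, and each rerun adds another `#`. If the intent is to enable only the community rules file, an `ansible.builtin.lineinfile` with a `regexp` anchored on that include and `state: present` is idempotent and explicit. The tarball is downloaded on the managed host by `get_url`, but `unarchive` and `copy` run without `remote_src: true`, so both look for `src` on the controller and `with_fileglob` globs the controller's `/tmp` as well; this only works when the play targets localhost, and `unarchive` also requires `/tmp/snort_community_rules` to exist beforehand. The archive is fetched without a `checksum` and written to a predictable path in `/tmp` before being copied into `/etc/snort/rules`; a directory from `ansible.builtin.tempfile`, plus the `checksum` option where a stable digest is available, would tighten this.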
|
|
@ -65,6 +65,18 @@
|
|||
regexp: 'ipvar HOME_NET any'
|
||||
replace: 'ipvar HOME_NET {{ snort_home_net_address }}'
|
||||
|
||||
- name: Check if there are rules or files in /etc/snort/rules
|
||||
find:
|
||||
paths: /etc/snort/rules
|
||||
file_type: any
|
||||
hidden: true
|
||||
register: snort_rules
|
||||
|
||||
- name: Install Community Rules if /etc/snort/rules empty
|
||||
when: snort_rules.matched == 0
|
||||
block:
|
||||
- include_tasks: install_Community_Rules.yml
|
||||
|
||||
- name: Validate snort configuration
|
||||
ansible.builtin.shell: snort -T -c /etc/snort/snort.conf
|
||||
register: snort_output
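Review bot: Because `Install Community Rules if /etc/snort/rules empty` is gated on `snort_rules.matched == 0`, the community rule set is fetched once and never refreshed by later runs, so the IDS signatures age silently; a force-refresh knob such as `when: snort_rules.matched == 0 or (snort_community_rules_refresh | default(false) | bool)` (variable name constructed here) or a scheduled update path would avoid that. The `block:` wrapping a single `include_tasks` is unnecessary; the `when:` can sit directly on the `include_tasks` task. `find:` and `include_tasks:` are the only non-FQCN modules in the hunk (`ansible.builtin.find`, `ansible.builtin.include_tasks`), and `snort -T -c /etc/snort/snort.conf` uses no shell features, so `ansible.builtin.command` is the safer choice. `snort_output` is registered but not used within the hunk; the task list may continue beyond it.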
|
||||
|
|