fix typo with iptables-webserver; add custom list installation for pihole; add snort community rules configuration and setup

2022-11-19 11:48:56 +01:00 · 2022-11-19 11:48:56 +01:00 · f9b9a2e72b
parent df18c65a75
commit f9b9a2e72b
5 changed files with 80 additions and 2 deletions
--- a/roles/iptables-webserver/tasks/main.yml
+++ b/roles/iptables-webserver/tasks/main.yml
@ -10,7 +10,7 @@
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
-        destination_port: "{{ port }}"
+        destination_port: "{{ item }}"
        ctstate: NEW,ESTABLISHED
        jump: ACCEPT
        comment: Webserver dedicated port
--- a/roles/pi-hole/defaults/main.yml
+++ b/roles/pi-hole/defaults/main.yml
@ -2,3 +2,29 @@
 # defaults file for pi-hole

 pihole_enabled: false
+pihole_install_custom_list: false
+
+pihole_custom_list:
+  - https://blocklistproject.github.io/Lists/ads.txt
+  - https://gist.githubusercontent.com/anudeepND/adac7982307fec6ee23605e281a57f1a/raw/5b8582b906a9497624c3f3187a49ebc23a9cf2fb/Test.txt
+  - https://phishing.army/download/phishing_army_blocklist_extended.txt
+  - https://blocklistproject.github.io/Lists/ransomware.txt
+  - https://phishing.army/download/phishing_army_blocklist.txt
+  - https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
+  - https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/ImmortalMalwareDomains.txt
+  - https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
+  - https://v.firebog.net/hosts/Prigent-Crypto.txt
+  - https://raw.githubusercontent.com/mitchellkrogza/Phishing.Database/master/phishing-domains-ACTIVE.txt
+  - https://raw.githubusercontent.com/migueldemoura/ublock-umatrix-rulesets/master/Hosts/malware
+  - https://kriskintel.com/feeds/ktip_malicious_domains.txt
+  - https://blocklistproject.github.io/Lists/scam.txt
+  - https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
+  - https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
+  - https://blocklistproject.github.io/Lists/fraud.txt
+  - https://raw.githubusercontent.com/infinitytec/blocklists/master/scams-and-phishing.txt
+  - https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
+  - https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts
+  - https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
+  - https://v.firebog.net/hosts/Prigent-Ads.txt
+  - https://blocklistproject.github.io/Lists/smart-tv.txt
+  - https://raw.githubusercontent.com/d43m0nhLInt3r/socialblocklists/master/SmartTV/smarttvblocklist.txt
--- a/roles/pi-hole/tasks/main.yml
+++ b/roles/pi-hole/tasks/main.yml
@ -15,6 +15,27 @@
          ansible.builtin.package:
            name: curl

-        - name: Execute manually the automated install and follow instructions
+        - name: Execute manually the automated install and follow instructions, after that you can install custom list
          ansible.builtin.debug:
            msg: "curl -sSL https://install.pi-hole.net | bash"
+
+    - name: Check if can install custom list
+      when: pihole_install_custom_list is true
+      block:
+        - name: Check if pi-hole db exists
+          stat:
+            path: /etc/pihole/gravity.db
+          register: pihole_db
+
+        - name: Install sqlite3 package
+          ansible.builtin.package:
+            name: sqlite3
+
+        - name: Install more lists than default
+          when: pihole_db.stat.exists
+          ansible.builtin.shell:
+            cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
+          loop: "{{ pihole_custom_list }}"
+
+    - name: Update Gravity
+      ansible.builtin.shell: pihole updateGravity
--- a/roles/snort-community/tasks/install_Community_Rules.yml
+++ b/roles/snort-community/tasks/install_Community_Rules.yml
@ -0,0 +1,19 @@
+- name: Download updated Community Rules
+  ansible.builtin.get_url:
+    url: https://www.snort.org/rules/community
+    dest: /tmp/snort_community_rules.tar.gz
+
+- name: Extract Community Rules
+  ansible.builtin.unarchive:
+    src: /tmp/snort_community_rules.tar.gz
+    dest: /tmp/snort_community_rules
+
+- name: Copy rules to snort config folder
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /etc/snort/rules
+  with_fileglob:
+    - /tmp/snort_community_rules/*
+
+- name: Activate Community rules
+  ansible.builtin.shell: sed -i 's/include $RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
--- a/roles/snort-community/tasks/main.yml
+++ b/roles/snort-community/tasks/main.yml
@ -65,6 +65,18 @@
                regexp: 'ipvar HOME_NET any'
                replace: 'ipvar HOME_NET {{ snort_home_net_address }}'

+        - name: Check if there are rules or files in /etc/snort/rules
+          find:
+            paths: /etc/snort/rules
+            file_type: any
+            hidden: true
+          register: snort_rules
+
+        - name: Install Community Rules if /etc/snort/rules empty
+          when: snort_rules.matched == 0
+          block:
+            - include_tasks: install_Community_Rules.yml
+
        - name: Validate snort configuration
          ansible.builtin.shell: snort -T -c /etc/snort/snort.conf
          register: snort_output