fix typo with iptables-webserver; add custom list installation for pihole; add snort community rules configuration and setup
This commit is contained in:
parent
df18c65a75
commit
f9b9a2e72b
5 changed files with 80 additions and 2 deletions
|
@ -10,7 +10,7 @@
|
||||||
ansible.builtin.iptables:
|
ansible.builtin.iptables:
|
||||||
chain: INPUT
|
chain: INPUT
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
destination_port: "{{ port }}"
|
destination_port: "{{ item }}"
|
||||||
ctstate: NEW,ESTABLISHED
|
ctstate: NEW,ESTABLISHED
|
||||||
jump: ACCEPT
|
jump: ACCEPT
|
||||||
comment: Webserver dedicated port
|
comment: Webserver dedicated port
|
||||||
|
|
|
@ -2,3 +2,29 @@
|
||||||
# defaults file for pi-hole
|
# defaults file for pi-hole
|
||||||
|
|
||||||
pihole_enabled: false
|
pihole_enabled: false
|
||||||
|
pihole_install_custom_list: false
|
||||||
|
|
||||||
|
pihole_custom_list:
|
||||||
|
- https://blocklistproject.github.io/Lists/ads.txt
|
||||||
|
- https://gist.githubusercontent.com/anudeepND/adac7982307fec6ee23605e281a57f1a/raw/5b8582b906a9497624c3f3187a49ebc23a9cf2fb/Test.txt
|
||||||
|
- https://phishing.army/download/phishing_army_blocklist_extended.txt
|
||||||
|
- https://blocklistproject.github.io/Lists/ransomware.txt
|
||||||
|
- https://phishing.army/download/phishing_army_blocklist.txt
|
||||||
|
- https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
|
||||||
|
- https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/ImmortalMalwareDomains.txt
|
||||||
|
- https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
|
||||||
|
- https://v.firebog.net/hosts/Prigent-Crypto.txt
|
||||||
|
- https://raw.githubusercontent.com/mitchellkrogza/Phishing.Database/master/phishing-domains-ACTIVE.txt
|
||||||
|
- https://raw.githubusercontent.com/migueldemoura/ublock-umatrix-rulesets/master/Hosts/malware
|
||||||
|
- https://kriskintel.com/feeds/ktip_malicious_domains.txt
|
||||||
|
- https://blocklistproject.github.io/Lists/scam.txt
|
||||||
|
- https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
|
||||||
|
- https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
|
||||||
|
- https://blocklistproject.github.io/Lists/fraud.txt
|
||||||
|
- https://raw.githubusercontent.com/infinitytec/blocklists/master/scams-and-phishing.txt
|
||||||
|
- https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
|
||||||
|
- https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts
|
||||||
|
- https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
|
||||||
|
- https://v.firebog.net/hosts/Prigent-Ads.txt
|
||||||
|
- https://blocklistproject.github.io/Lists/smart-tv.txt
|
||||||
|
- https://raw.githubusercontent.com/d43m0nhLInt3r/socialblocklists/master/SmartTV/smarttvblocklist.txt
|
||||||
|
|
|
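Review bot: `pihole_custom_list` has no comment stating how its entries are consumed; each one is interpolated verbatim into a sqlite3 INSERT against gravity.db by the pi-hole tasks file in this same commit, so a comment above the key such as `# Adlist URLs written into /etc/pihole/gravity.db (adlist.address) when pihole_install_custom_list is true; plain https URLs only — no quotes or shell metacharacters` would tell anyone overriding the default what is safe to put here. The gist entry ending in `Test.txt` is pinned to one raw revision and named like a scratch file; confirm it is an intended production source rather than a leftover. The remaining raw `master` URLs serve whatever their maintainers push at any moment, which is normal for blocklists but becomes DNS blocking policy for every client, so stating that trust assumption in the comment is worthwhile.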
@ -15,6 +15,27 @@
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
name: curl
|
name: curl
|
||||||
|
|
||||||
- name: Execute manually the automated install and follow instructions
|
- name: Execute manually the automated install and follow instructions, after that you can install custom list
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
msg: "curl -sSL https://install.pi-hole.net | bash"
|
msg: "curl -sSL https://install.pi-hole.net | bash"
|
||||||
|
|
||||||
|
- name: Check if can install custom list
|
||||||
|
when: pihole_install_custom_list is true
|
||||||
|
block:
|
||||||
|
- name: Check if pi-hole db exists
|
||||||
|
stat:
|
||||||
|
path: /etc/pihole/gravity.db
|
||||||
|
register: pihole_db
|
||||||
|
|
||||||
|
- name: Install sqlite3 package
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: sqlite3
|
||||||
|
|
||||||
|
- name: Install more lists than default
|
||||||
|
when: pihole_db.stat.exists
|
||||||
|
ansible.builtin.shell:
|
||||||
|
cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
|
||||||
|
loop: "{{ pihole_custom_list }}"
|
||||||
|
|
||||||
|
- name: Update Gravity
|
||||||
|
ansible.builtin.shell: pihole updateGravity
|
||||||
|
|
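Review bot: `{{ item }}` in `cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist ... VALUES ('{{ item }}', 1, '');"` is substituted unescaped into both a shell double-quoted string and a SQL single-quoted literal, so any entry of the user-overridable `pihole_custom_list` that contains `'`, `"`, `$` or a backtick breaks the command or changes the query; pass the SQL as its own `argv` element via `ansible.builtin.command` and escape single quotes in the value. The INSERT is also not rerunnable: pi-hole's gravity schema appears to make `adlist.address` unique (confirm on the target version), in which case a second run fails on the constraint, and if it does not, duplicates accumulate — `INSERT OR IGNORE` covers both cases. `stat:` is unqualified while the sibling tasks use the `ansible.builtin.` prefix; `ansible.builtin.stat:`. Both shell tasks report `changed` on every run, so `pihole updateGravity` would benefit from a `changed_when` tied to its output, and it could be skipped when no rows were inserted.
```yaml
    - name: Install more lists than default
      when: pihole_db.stat.exists
      ansible.builtin.command:
        argv:
          - sqlite3
          - /etc/pihole/gravity.db
          - >-
            INSERT OR IGNORE INTO adlist (address, enabled, comment)
            VALUES ('{{ item | replace("'", "''") }}', 1, '');
      loop: "{{ pihole_custom_list }}"
    # … unchanged: Update Gravity task …
```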
19
roles/snort-community/tasks/install_Community_Rules.yml
Normal file
19
roles/snort-community/tasks/install_Community_Rules.yml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
- name: Download updated Community Rules
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: https://www.snort.org/rules/community
|
||||||
|
dest: /tmp/snort_community_rules.tar.gz
|
||||||
|
|
||||||
|
- name: Extract Community Rules
|
||||||
|
ansible.builtin.unarchive:
|
||||||
|
src: /tmp/snort_community_rules.tar.gz
|
||||||
|
dest: /tmp/snort_community_rules
|
||||||
|
|
||||||
|
- name: Copy rules to snort config folder
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: /etc/snort/rules
|
||||||
|
with_fileglob:
|
||||||
|
- /tmp/snort_community_rules/*
|
||||||
|
|
||||||
|
- name: Activate Community rules
|
||||||
|
ansible.builtin.shell: sed -i 's/include $RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
|
|
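Review bot: `ansible.builtin.unarchive` with `src: /tmp/snort_community_rules.tar.gz` and no `remote_src: true` looks for the archive on the controller, but the preceding `get_url` saved it on the managed host; the same mismatch affects `ansible.builtin.copy` with `with_fileglob`, which globs on the controller, so on any host other than the controller itself nothing reaches `/etc/snort/rules`. `unarchive` also does not create `dest`, so `/tmp/snort_community_rules` must exist first, and the extracted files should be located with a remote `ansible.builtin.find` and copied with `remote_src: true`. The download has no integrity check even though the files become detection policy: `ansible.builtin.get_url` accepts `checksum:`, and a fixed value would need updating with each rules release, so at minimum record that trade-off in a comment. The final task named "Activate Community rules" prefixes `#` to every `include $RULE_PATH` line in snort.conf, which disables includes rather than enabling one, and re-running adds a second `#`; confirm the intent and express it with `ansible.builtin.replace` so it is idempotent.
```yaml
- name: Create extraction directory
  ansible.builtin.file:
    path: /tmp/snort_community_rules
    state: directory
    mode: "0700"

- name: Extract Community Rules
  ansible.builtin.unarchive:
    src: /tmp/snort_community_rules.tar.gz
    dest: /tmp/snort_community_rules
    remote_src: true

- name: Find extracted rule files
  ansible.builtin.find:
    paths: /tmp/snort_community_rules
    patterns: "*.rules"
    recurse: true
  register: snort_community_rule_files

- name: Copy rules to snort config folder
  ansible.builtin.copy:
    src: "{{ item.path }}"
    dest: /etc/snort/rules/
    remote_src: true
  loop: "{{ snort_community_rule_files.files }}"
# … unchanged: Activate Community rules task …
```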
@ -65,6 +65,18 @@
|
||||||
regexp: 'ipvar HOME_NET any'
|
regexp: 'ipvar HOME_NET any'
|
||||||
replace: 'ipvar HOME_NET {{ snort_home_net_address }}'
|
replace: 'ipvar HOME_NET {{ snort_home_net_address }}'
|
||||||
|
|
||||||
|
- name: Check if there are rules or files in /etc/snort/rules
|
||||||
|
find:
|
||||||
|
paths: /etc/snort/rules
|
||||||
|
file_type: any
|
||||||
|
hidden: true
|
||||||
|
register: snort_rules
|
||||||
|
|
||||||
|
- name: Install Community Rules if /etc/snort/rules empty
|
||||||
|
when: snort_rules.matched == 0
|
||||||
|
block:
|
||||||
|
- include_tasks: install_Community_Rules.yml
|
||||||
|
|
||||||
- name: Validate snort configuration
|
- name: Validate snort configuration
|
||||||
ansible.builtin.shell: snort -T -c /etc/snort/snort.conf
|
ansible.builtin.shell: snort -T -c /etc/snort/snort.conf
|
||||||
register: snort_output
|
register: snort_output
|
||||||
|
|
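Review bot: The `block:` at the end of the added tasks wraps a single `- include_tasks: install_Community_Rules.yml`, so it adds nothing but nesting; put the condition on the include itself: `- name: Install Community Rules if /etc/snort/rules empty` / `  ansible.builtin.include_tasks: install_Community_Rules.yml` / `  when: snort_rules.matched == 0`. `find:` is unqualified while the surrounding tasks use the `ansible.builtin.` prefix; `ansible.builtin.find:`. Because the include only runs when the rules directory is empty, a ruleset that is already present is never refreshed, so if periodic rule updates are intended they need a separate trigger — a comment above the task stating that it is a first-install path only would make this explicit. Running `snort -T` after the include is the right order, since a broken community rule file is caught before the service is used.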