From cd36bf1e13233fe62d1c0e29b2eff9450695ea9b Mon Sep 17 00:00:00 2001 From: Tanguy MAZE Date: Fri, 14 Dec 2018 14:58:11 +0100 Subject: [PATCH] changed persistence method of firewall rules --- files/check_crontab.sh | 4 ++-- files/firewall.conf | 1 + files/interfaces | 1 + hosts-init.inv | 2 -- init.yml | 37 ------------------------------------- provision.yml | 17 ++++++----------- templates/init.yml.j2 | 22 ++++++++++++++++------ 7 files changed, 26 insertions(+), 58 deletions(-) delete mode 100644 hosts-init.inv delete mode 100644 init.yml diff --git a/files/check_crontab.sh b/files/check_crontab.sh index 4e3b4a7..14607a1 100755 --- a/files/check_crontab.sh +++ b/files/check_crontab.sh @@ -10,13 +10,13 @@ if [ ! -f $md5old ] then printf "Error: %s don't exist\nCreating %s ...\n" "$md5old" "$md5old" >>$log md5sum $cron >$md5old - exit 1 + exit 0 fi if [ ! -s $md5old ] then printf "Error: %s is empty\nadding md5 hash to %s ...\n" "$md5old" "$md5old" >>$log md5sum $cron >$md5old - exit 1 + exit 0 fi if [ ! $(md5sum -c $md5old 2>/dev/null | grep $cron | cut -d' ' -f2) = "OK" ] then diff --git a/files/firewall.conf b/files/firewall.conf index 5483cb7..f21a59b 100644 --- a/files/firewall.conf +++ b/files/firewall.conf @@ -11,6 +11,7 @@ -A PREROUTING -f -j DROP -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP +-A PREROUTING -s 192.168.99.0/30 ! -i enp0s8 -j DROP -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP diff --git a/files/interfaces b/files/interfaces index 401edf7..7f0e3bc 100644 --- a/files/interfaces +++ b/files/interfaces @@ -6,6 +6,7 @@ source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback +post-up iptables-restore /etc/iptables/rules.v4 # The primary network interface auto enp0s3 
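Review bot: Turning both `exit 1` into `exit 0` makes a missing or empty `$md5old` a clean run that silently re-baselines the check from whatever the crontab contains at that moment, so anyone who can edit the crontab and then delete or truncate the baseline file resets the reference with nothing but a line in `$log` to show for it. If the zero exit is only there so the new provisioning task that invokes this script does not fail the play, it would be safer to keep the non-zero status and let the play tolerate it, or to report the re-creation the same way a mismatch is reported (the mismatch branch after the final `then` is outside this hunk). The surrounding lines also leave `$cron` and `$md5old` unquoted, and as far as I can tell `[ ! $(…) = "OK" ]` degenerates to a plain string test when the `md5sum -c` output is empty and then passes silently; quoting fixes both: `md5sum "$cron" > "$md5old"` and `[ ! "$(md5sum -c "$md5old" 2>/dev/null | grep "$cron" | cut -d' ' -f2)" = "OK" ]`.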
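Review bot: The new anti-spoofing rule only covers `192.168.99.0/30`, i.e. four addresses, so if the enp0s8 network is in fact a larger subnet, packets arriving on enp0s3 with any other 192.168.99.x source still pass; confirm the mask matches the real host-only subnet or widen it, e.g. `-A PREROUTING -s 192.168.99.0/24 ! -i enp0s8 -j DROP`. The rule also hard-codes the adapter name, so if the interface is ever renamed `! -i enp0s8` matches everything and the rule quietly drops all legitimate traffic from that range; a comment above it stating the intent would help the next person: `# anti-spoof: the host-only range may only arrive via enp0s8`. Enabling `net.ipv4.conf.all.rp_filter=1` via sysctl would give the same protection on every interface without pinning addresses or names.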
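Review bot: Hooking `post-up iptables-restore /etc/iptables/rules.v4` on `lo` fails open: if the restore fails (file absent because the `/etc/iptables` directory is created by a different play, a syntax error, a bad path), ifupdown only logs the error and enp0s3 still comes up with no rules at all. Moving it to `pre-up /sbin/iptables-restore /etc/iptables/rules.v4` on the primary interface (the `iface enp0s3` stanza starts just below this hunk) makes a failed restore keep that interface down instead, which is fail-closed at the cost of needing console access to repair a broken rules file. The hook also restores IPv4 only; unless IPv6 is disabled elsewhere, ip6tables keeps its default ACCEPT policies, which the removed iptables-persistent package would have covered with a `rules.v6`, so either add an equivalent `ip6tables-restore` line or disable IPv6 explicitly.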
diff --git a/hosts-init.inv b/hosts-init.inv deleted file mode 100644 index d0a2b39..0000000 --- a/hosts-init.inv +++ /dev/null @@ -1,2 +0,0 @@ -e3r5p2.42.fr ansible_host=10.13.5.2 ansible_port=2230 ansible_user=tanguy -roger-skyline-1 ansible_host=192.168.99.2 ansible_port=2230 ansible_user=tanguy diff --git a/init.yml b/init.yml deleted file mode 100644 index e41b2d4..0000000 --- a/init.yml +++ /dev/null @@ -1,37 +0,0 @@ -- name: "Initialise network config, packages & user tanguy" - hosts: e3r5p2.42.fr - become: yes - become_user: root - become_method: su - tasks: - - name: "Set up networking" - copy: - src: "files/interfaces" - dest: "/etc/network/" - owner: "root" - group: "root" - - name: "Upload ssh config" - copy: - src: "files/sshd_config" - dest: "/etc/ssh/" - owner: "root" - group: "root" - - name: "Install sudo" - apt: - name: ['sudo'] - update_cache: "yes" - state: "present" - - name: "Add tanguy to sudoers" - user: - name: "tanguy" - groups: "sudo" - append: yes - - name: "Upload public key for tanguy" - authorized_key: - user: "tanguy" - state: "present" - key: "ssh-rsa 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 tmaze@e3r11p6.42.fr" - - name: "Restart networking service" - service: - name: "networking" - state: "restarted" diff --git a/provision.yml b/provision.yml index 975b5b1..8cc746d 100644 --- a/provision.yml +++ b/provision.yml @@ -6,7 +6,7 @@ tasks: - name: "Install necessary packages" apt: - name: ['sudo', 'mailutils', 'fail2ban', 'apache2', 'python-pip', 'iptables-persistent'] + name: ['sudo', 'mailutils', 'fail2ban', 'apache2', 'python-pip'] update_cache: "yes" state: "present" tags: [ "apt", "sudo" ] 
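Review bot: Dropping `iptables-persistent` from the package list does not remove it from hosts that were already provisioned, since `state: "present"` never uninstalls, so those machines keep the package's boot-time service restoring `/etc/iptables/rules.v4` alongside the new `post-up` hook. That is harmless while both read the same file, but it means the change of persistence method is only enforced on fresh installs; if the intent is to retire it, add an explicit task such as `apt: { name: iptables-persistent, state: absent, purge: true }`, otherwise a comment on the task saying the package is no longer required would avoid a future reader re-adding it. Worth noting in that comment that the package also handled `rules.v6`, which the interfaces hook does not.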
@@ -16,16 +16,6 @@ groups: "sudo" append: yes tags: [ "sudo" ] - - name: "Upload firewall config" - copy: - src: "files/firewall.conf" - dest: "/etc/iptables/rules.v4" - owner: "root" - group: "root" - tags: [ "firewall" ] - - name: "Apply firewall config" - command: "iptables-restore -c /etc/iptables/rules.v4" - tags: [ "firewall" ] - name: "Upload fail2ban config" copy: src: "files/jail.local" @@ -44,6 +34,7 @@ dest: "/usr/sbin/update_script.sh" owner: "root" group: "root" + mode: "755" tags: [ "scripts" ] - name: "Upload update_script" copy: @@ -58,6 +49,10 @@ dest: "/usr/sbin/check_crontab.sh" owner: "root" group: "root" + mode: "755" + tags: [ "scripts" ] + - name: "Run check_crontab.sh to create save file" + command: "bash /usr/sbin/check_crontab.sh" tags: [ "scripts" ] - name: "Upload check_crontab" copy: diff --git a/templates/init.yml.j2 b/templates/init.yml.j2 index b5c7069..05de8cb 100644 --- a/templates/init.yml.j2 +++ b/templates/init.yml.j2 @@ -4,12 +4,26 @@ become_user: root become_method: su tasks: + - name: "Create iptables directory" + file: + path: "/etc/iptables" + state: "directory" + - name: "Upload firewall config" + copy: + src: "files/firewall.conf" + dest: "/etc/iptables/rules.v4" + owner: "root" + group: "root" - name: "Set up networking" copy: src: "files/interfaces" dest: "/etc/network/" owner: "root" group: "root" + - name: "Restart networking service" + service: + name: "networking" + state: "restarted" - name: "Upload ssh config" copy: src: "files/sshd_config" @@ -17,16 +31,12 @@ owner: "root" group: "root" tags: [ "ssh" ] - - name: "Restart ssh service" - service: - name: "ssh" - state: "restarted" - name: "Upload public key for tanguy" authorized_key: user: "tanguy" state: "present" key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" - - name: "Restart networking service" + - name: "Restart ssh service" service: - name: "networking" + name: "ssh" state: "restarted"
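Review bot: Removing the upload and apply tasks here moves the firewall entirely into the one-shot init play, so later edits to `files/firewall.conf` are no longer deployed by `provision.yml` and the `--tags firewall` re-apply path is gone; re-running provisioning will not converge the firewall. If that is intentional it deserves a comment at the top of the play, otherwise keep a copy task here with `mode: "0600"` on `/etc/iptables/rules.v4` and have it `notify` a handler running `command: /sbin/iptables-restore /etc/iptables/rules.v4`, so the rules are re-applied only when the file actually changes.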
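Review bot: The new `command: "bash /usr/sbin/check_crontab.sh"` task runs on every provisioning pass, not only to create the save file, so each run re-executes the integrity check under Ansible and, with the script now exiting 0 when the baseline is missing, a pass that finds the baseline gone will silently re-baseline; give the task `args: { creates: <path of the md5 file> }` so it only runs when the baseline does not yet exist. If the crontab entries are installed by later tasks in this play (the rest of the play is outside the hunk), the baseline taken here describes the pre-provisioning crontab and the first scheduled check will flag a mismatch, so the ordering is worth confirming. Since the script is uploaded as `root` with an executable mode, `command: /usr/sbin/check_crontab.sh` is enough and drops the `bash` indirection; writing the mode as `"0755"` also reads unambiguously as octal.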
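Review bot: The rules file is copied to `/etc/iptables/rules.v4` without a `mode`, so it lands with the remote umask default (typically 0644) and any local user can read the complete filtering policy; add `mode: "0600"` to that copy and `mode: "0755"` to the directory task. I also doubt the `Restart networking service` task applies the rules at all: on Debian's ifupdown, `networking restart` excludes `lo` from the ifdown and `ifup -a` skips interfaces already marked up, so the `post-up` hook on `lo` in `files/interfaces` would only fire at boot — verify with `iptables -S` after the play and add an explicit `command: /sbin/iptables-restore /etc/iptables/rules.v4` task so the policy is in force before sshd is restarted. Restarting networking from a play connected over that same network can also drop the session on a remote host; `async`/`poll` or a `wait_for_connection` afterwards are the usual guards.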
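Review bot: Moving the sshd restart after the key upload is sensible, but the restart still follows an unvalidated copy of `files/sshd_config` (that copy task begins above this hunk); a typo in the file leaves sshd down on a host you now reach only over the network, with the firewall already applied. Add `validate: "/usr/sbin/sshd -t -f %s"` to that copy so the play fails before the restart, and consider `state: "reloaded"` instead of `"restarted"` so existing sessions, including the one running this play, survive.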