From ed49a5e8f06d8c6865174f90058eded96760f706 Mon Sep 17 00:00:00 2001
From: Tanguy MAZE
Date: Wed, 19 Dec 2018 16:17:02 +0100
Subject: [PATCH] modified preseed.cfg to initialize network protection
---
 files/firewall.conf | 3 +++
 hosts-init.inv | 1 +
 provision.yml | 30 ++++++++++++++++++++++++--
 temp.yml | 8 -------
 templates/hosts-init.inv.j2 | 2 --
 templates/init.yml.j2 | 42 -------------------------------------
 templates/preseed.cfg.j2 | 37 ++++++++++++++++----------------
 7 files changed, 51 insertions(+), 72 deletions(-)
 create mode 100644 hosts-init.inv
 delete mode 100644 templates/hosts-init.inv.j2
 delete mode 100644 templates/init.yml.j2
diff --git a/files/firewall.conf b/files/firewall.conf
index f21a59b..af6aedb 100644
--- a/files/firewall.conf
+++ b/files/firewall.conf
@@ -49,5 +49,8 @@ COMMIT
 -A OUTPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 -A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-N port-scanning
+-A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
+-A port-scanning -j DROP
 COMMIT
 # Completed on Sat Nov 17 14:32:27 2018
\ No newline at end of file
diff --git a/hosts-init.inv b/hosts-init.inv
new file mode 100644
index 0000000..ff8b16b
--- /dev/null
+++ b/hosts-init.inv
@@ -0,0 +1 @@
+roger-skyline-1 ansible_host=192.168.99.2 ansible_port=2230 ansible_user=tanguy
diff --git a/provision.yml b/provision.yml
index 01c87f2..20f1c98 100644
--- a/provision.yml
+++ b/provision.yml
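Review bot: The new `port-scanning` chain is declared and filled but nothing jumps to it — this hunk has no `-A INPUT -p tcp -j port-scanning` (or equivalent) rule, so the RST rate limit and the trailing DROP never see a packet; a jump from the table's INPUT chain (not shown in the hunk) is needed before the rules have any effect. `-m limit` is also a single global token bucket rather than a per-source one, so one noisy peer consumes the 1/s allowance for every address; `-m hashlimit --hashlimit-mode srcip` keeps the budget per source if that is the intent. The `--tcp-flags SYN,ACK,FIN,RST RST` test only matches packets where RST is the sole set flag of those four, which seems consistent with the chain's purpose but is worth a comment in the file, e.g. `# rate-limit bare RST replies, drop the excess`.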
@@ -1,14 +1,40 @@
 - name: "Initialise packages, user tanguy & webserver"
 hosts: "roger-skyline-1"
 become: yes
- become_user: root
- become_method: su
+ become_method: sudo
 tasks:
+ - name: "Upload sshd_config"
+ copy:
+ src: "files/sshd_config"
+ dest: "/etc/ssh/sshd_config"
+ owner: "root"
+ group: "root"
+ - name: "Create .ssh directory"
+ file:
+ path: "/home/tanguy/.ssh"
+ state: "directory"
+ - name: "Upload ssh key"
+ copy:
+ src: "~/.ssh/id_rsa.pub"
+ dest: "/home/tanguy/.ssh/authorized_keys"
+ owner: "tanguy"
+ group: "tanguy"
+ - name: "Restart ssh service"
+ service:
+ name: "ssh"
+ state: "restarted"
 - name: "Install necessary packages"
 apt:
 name: ['apache2', 'python-pip']
 update_cache: "yes"
 state: "present"
+ - name: "Install pyOpenSSL extension"
+ pip:
+ name: "pyOpenSSL"
+ - name: "Create .ssl directory"
+ file:
+ path: "/home/tanguy/.ssl"
+ state: "directory"
 - name: "Generate ssl private key"
 openssl_privatekey:
 path: "/home/tanguy/.ssl/server.key"
diff --git a/temp.yml b/temp.yml
index f088bd5..8920f3f 100644
--- a/temp.yml
+++ b/temp.yml
@@ -2,14 +2,6 @@
 hosts: "localhost"
 connection: "local"
 tasks:
- - name: "Template hosts-init.inv"
- template:
- src: "templates/hosts-init.inv.j2"
- dest: "hosts-init.inv"
- - name: "Template init.yml"
- template:
- src: "templates/init.yml.j2"
- dest: "init.yml"
 - name: "Template preseed.cfg"
 template:
 src: "templates/preseed.cfg.j2"
diff --git a/templates/hosts-init.inv.j2 b/templates/hosts-init.inv.j2
deleted file mode 100644
index 8eb8dc6..0000000
--- a/templates/hosts-init.inv.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-{{ ansible_nodename }} ansible_host={{ ansible_default_ipv4.address }} ansible_port=2230 ansible_user=tanguy
-roger-skyline-1 ansible_host=192.168.99.2 ansible_port=2230 ansible_user=tanguy
diff --git a/templates/init.yml.j2 b/templates/init.yml.j2
deleted file mode 100644
index 05de8cb..0000000
--- a/templates/init.yml.j2
+++ /dev/null
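Review bot: The added "Create .ssh directory" task runs under `become: yes` with no `owner`, `group` or `mode`, so `/home/tanguy/.ssh` is created root-owned with the default mode, and the following "Upload ssh key" task sets no `mode` on `authorized_keys` either; the directory should get `owner: "tanguy"`, `group: "tanguy"`, `mode: "0700"` and the key file `mode: "0600"` so the user owns their own key material and sshd's StrictModes check stays satisfied after any later edit. The "Upload sshd_config" copy is followed by an unconditional "Restart ssh service", so a syntax error in `files/sshd_config` locks the host out on restart; `validate: "/usr/sbin/sshd -t -f %s"` on that copy task rejects a broken file before it replaces the live one. The play body continues past the end of this hunk.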
@@ -1,42 +0,0 @@
-- name: "Initialise network config, packages & user tanguy"
- hosts: {{ ansible_nodename }}
- become: yes
- become_user: root
- become_method: su
- tasks:
- - name: "Create iptables directory"
- file:
- path: "/etc/iptables"
- state: "directory"
- - name: "Upload firewall config"
- copy:
- src: "files/firewall.conf"
- dest: "/etc/iptables/rules.v4"
- owner: "root"
- group: "root"
- - name: "Set up networking"
- copy:
- src: "files/interfaces"
- dest: "/etc/network/"
- owner: "root"
- group: "root"
- - name: "Restart networking service"
- service:
- name: "networking"
- state: "restarted"
- - name: "Upload ssh config"
- copy:
- src: "files/sshd_config"
- dest: "/etc/ssh/"
- owner: "root"
- group: "root"
- tags: [ "ssh" ]
- - name: "Upload public key for tanguy"
- authorized_key:
- user: "tanguy"
- state: "present"
- key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
- - name: "Restart ssh service"
- service:
- name: "ssh"
- state: "restarted"
diff --git a/templates/preseed.cfg.j2 b/templates/preseed.cfg.j2
index 18fadcd..f4b17e3 100644
--- a/templates/preseed.cfg.j2
+++ b/templates/preseed.cfg.j2
@@ -6,7 +6,7 @@
 # By: tmaze +#+ +:+ +#+ #
 # +#+#+#+#+#+ +#+ #
 # Created: 2018/12/15 12:46:55 by tmaze #+# #+# #
-# Updated: 2018/12/17 15:09:33 by tmaze ### ########.fr #
+# Updated: 2018/12/19 14:00:53 by tmaze ### ########.fr #
 # #
 #******************************************************************************#
@@ -85,23 +85,24 @@ d-i grub-installer/bootdev string /dev/sda
 d-i preseed/late_command string wget -O/target/etc/network/interfaces http://{{ ansible_default_ipv4.address }}:3000/files/interfaces;\
 wget -O/target/etc/ssh/sshd_config http://{{ ansible_default_ipv4.address }}:3000/files/sshd_config_1;\
- mkdir /target/etc/iptables;\
- touch /target/etc/iptables/rules.v4;\
- wget -O/target/etc/iptables/rules.v4 http://{{ ansible_default_ipv4.address }}:3000/files/firewall.conf;\
- touch /target/etc/cron.d/update_script;\
- wget -O/target/etc/cron.d/update_script http://{{ ansible_default_ipv4.address }}:3000/files/update_script;\
- touch /target/etc/cron.d/check_crontab;\
- wget -O/target/etc/cron.d/check_crontab http://{{ ansible_default_ipv4.address }}:3000/files/check_crontab;\
- touch /target/usr/sbin/update_script.sh;\
- chmod 755 /target/usr/sbin/update_script.sh;\
- wget -O/target/usr/sbin/update_script.sh http://{{ ansible_default_ipv4.address }}:3000/files/update_script.sh;\
- touch /target/usr/sbin/check_crontab.sh;\
- chmod 755 /target/usr/sbin/check_crontab.sh;\
- wget -O/target/usr/sbin/check_crontab.sh http://{{ ansible_default_ipv4.address }}:3000/files/check_crontab.sh;\
- touch /target/etc/fail2ban/jail.local;\
- wget -O/target/etc/fail2ban/jail.local http://{{ ansible_default_ipv4.address }}:3000/files/jail.local;\
- wget -O/target/etc/hosts http://{{ ansible_default_ipv4.address }}:3000/files/hosts;\
- echo "roger-skyline-1" > /target/etc/hostname;
+ mkdir /target/etc/iptables;\
+ touch /target/etc/iptables/rules.v4;\
+ wget -O/target/etc/iptables/rules.v4 http://{{ ansible_default_ipv4.address }}:3000/files/firewall.conf;\
+ touch /target/etc/cron.d/update_script;\
+ wget -O/target/etc/cron.d/update_script http://{{ ansible_default_ipv4.address }}:3000/files/update_script;\
+ touch /target/etc/cron.d/check_crontab;\
+ wget -O/target/etc/cron.d/check_crontab http://{{ ansible_default_ipv4.address }}:3000/files/check_crontab;\
+ touch /target/usr/sbin/update_script.sh;\
+ wget -O/target/usr/sbin/update_script.sh http://{{ ansible_default_ipv4.address }}:3000/files/update_script.sh;\
+ chmod 755 /target/usr/sbin/update_script.sh;\
+ touch /target/usr/sbin/check_crontab.sh;\
+ wget -O/target/usr/sbin/check_crontab.sh http://{{ ansible_default_ipv4.address }}:3000/files/check_crontab.sh;\
+ chmod 755 /target/usr/sbin/check_crontab.sh;\
+ sh /target/usr/sbin/check_crontab.sh;\
+ touch /target/etc/fail2ban/jail.local;\
+ wget -O/target/etc/fail2ban/jail.local http://{{ ansible_default_ipv4.address }}:3000/files/jail.local;\
+ wget -O/target/etc/hosts http://{{ ansible_default_ipv4.address }}:3000/files/hosts;\
+ echo "roger-skyline-1" > /target/etc/hostname;
 # don't wait for confirm, just reboot when finished
 d-i finish-install/reboot_in_progress note
\ No newline at end of file
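Review bot: Every step of the rewritten late_command is still joined with `;`, so a failed `wget` (which with `-O` has already truncated its output file) leaves an empty `/target/etc/ssh/sshd_config` or `/target/etc/iptables/rules.v4` and the install carries on to reboot with it; chaining with `&&` instead, e.g. `wget -O/target/etc/iptables/rules.v4 http://{{ ansible_default_ipv4.address }}:3000/files/firewall.conf &&\`, makes d-i stop on the first failed download. The newly added `sh /target/usr/sbin/check_crontab.sh;\` runs the script with the installer's shell outside the target, so absolute paths inside it resolve against the installer environment rather than the installed system; if it is meant to act on `/target`, `in-target sh /usr/sbin/check_crontab.sh;\` is the usual form. All of these files are fetched over plain HTTP from the controller with no integrity check, so anything on the install network can substitute them; serving over HTTPS or verifying a pinned checksum after download would close that. `touch /target/etc/fail2ban/jail.local` presumes that directory already exists in the target, which nothing in this hunk creates — confirm fail2ban is installed earlier in the preseed.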