tvdu29/roger-skyline-1
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

modified preseed.cfg to initialize network protection

Browse Source
This commit is contained in:
Tanguy MAZE 2018-12-19 16:17:02 +01:00
parent dedc241daf
commit ed49a5e8f0
7 changed files with 51 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
files/firewall.conf
View File

@ -49,5 +49,8 @@ COMMIT
-A OUTPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-N port-scanning
-A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
-A port-scanning -j DROP
COMMIT COMMIT
# Completed on Sat Nov 17 14:32:27 2018 # Completed on Sat Nov 17 14:32:27 2018

1
hosts-init.inv Normal file
View File

@ -0,0 +1 @@
roger-skyline-1 ansible_host=192.168.99.2 ansible_port=2230 ansible_user=tanguy

30
provision.yml
View File

@ -1,14 +1,40 @@
- name: "Initialise packages, user tanguy & webserver" - name: "Initialise packages, user tanguy & webserver"
hosts: "roger-skyline-1" hosts: "roger-skyline-1"
become: yes become: yes
become_user: root become_method: sudo
become_method: su
tasks: tasks:
- name: "Upload sshd_config"
copy:
src: "files/sshd_config"
dest: "/etc/ssh/sshd_config"
owner: "root"
group: "root"
- name: "Create .ssh directory"
file:
path: "/home/tanguy/.ssh"
state: "directory"
- name: "Upload ssh key"
copy:
src: "~/.ssh/id_rsa.pub"
dest: "/home/tanguy/.ssh/authorized_keys"
owner: "tanguy"
group: "tanguy"
- name: "Restart ssh service"
service:
name: "ssh"
state: "restarted"
- name: "Install necessary packages" - name: "Install necessary packages"
apt: apt:
name: ['apache2', 'python-pip'] name: ['apache2', 'python-pip']
update_cache: "yes" update_cache: "yes"
state: "present" state: "present"
- name: "Install pyOpenSSL extension"
pip:
name: "pyOpenSSL"
- name: "Create .ssl directory"
file:
path: "/home/tanguy/.ssl"
state: "directory"
- name: "Generate ssl private key" - name: "Generate ssl private key"
openssl_privatekey: openssl_privatekey:
path: "/home/tanguy/.ssl/server.key" path: "/home/tanguy/.ssl/server.key"

8
temp.yml
View File

@ -2,14 +2,6 @@
hosts: "localhost" hosts: "localhost"
connection: "local" connection: "local"
tasks: tasks:
- name: "Template hosts-init.inv"
template:
src: "templates/hosts-init.inv.j2"
dest: "hosts-init.inv"
- name: "Template init.yml"
template:
src: "templates/init.yml.j2"
dest: "init.yml"
- name: "Template preseed.cfg" - name: "Template preseed.cfg"
template: template:
src: "templates/preseed.cfg.j2" src: "templates/preseed.cfg.j2"

2
templates/hosts-init.inv.j2
View File

@ -1,2 +0,0 @@
{{ ansible_nodename }} ansible_host={{ ansible_default_ipv4.address }} ansible_port=2230 ansible_user=tanguy
roger-skyline-1 ansible_host=192.168.99.2 ansible_port=2230 ansible_user=tanguy

42
templates/init.yml.j2
View File

@ -1,42 +0,0 @@
- name: "Initialise network config, packages & user tanguy"
hosts: {{ ansible_nodename }}
become: yes
become_user: root
become_method: su
tasks:
- name: "Create iptables directory"
file:
path: "/etc/iptables"
state: "directory"
- name: "Upload firewall config"
copy:
src: "files/firewall.conf"
dest: "/etc/iptables/rules.v4"
owner: "root"
group: "root"
- name: "Set up networking"
copy:
src: "files/interfaces"
dest: "/etc/network/"
owner: "root"
group: "root"
- name: "Restart networking service"
service:
name: "networking"
state: "restarted"
- name: "Upload ssh config"
copy:
src: "files/sshd_config"
dest: "/etc/ssh/"
owner: "root"
group: "root"
tags: [ "ssh" ]
- name: "Upload public key for tanguy"
authorized_key:
user: "tanguy"
state: "present"
key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
- name: "Restart ssh service"
service:
name: "ssh"
state: "restarted"

37
templates/preseed.cfg.j2
View File

@ -6,7 +6,7 @@
# By: tmaze <tmaze@student.42.fr> +#+ +:+ +#+ # # By: tmaze <tmaze@student.42.fr> +#+ +:+ +#+ #
# +#+#+#+#+#+ +#+ # # +#+#+#+#+#+ +#+ #
# Created: 2018/12/15 12:46:55 by tmaze #+# #+# # # Created: 2018/12/15 12:46:55 by tmaze #+# #+# #
# Updated: 2018/12/17 15:09:33 by tmaze ### ########.fr # # Updated: 2018/12/19 14:00:53 by tmaze ### ########.fr #
# # # #
#******************************************************************************# #******************************************************************************#
@ -85,23 +85,24 @@ d-i grub-installer/bootdev string /dev/sda
d-i preseed/late_command string wget -O/target/etc/network/interfaces http://{{ ansible_default_ipv4.address }}:3000/files/interfaces;\ d-i preseed/late_command string wget -O/target/etc/network/interfaces http://{{ ansible_default_ipv4.address }}:3000/files/interfaces;\
wget -O/target/etc/ssh/sshd_config http://{{ ansible_default_ipv4.address }}:3000/files/sshd_config_1;\ wget -O/target/etc/ssh/sshd_config http://{{ ansible_default_ipv4.address }}:3000/files/sshd_config_1;\
mkdir /target/etc/iptables;\ mkdir /target/etc/iptables;\
touch /target/etc/iptables/rules.v4;\ touch /target/etc/iptables/rules.v4;\
wget -O/target/etc/iptables/rules.v4 http://{{ ansible_default_ipv4.address }}:3000/files/firewall.conf;\ wget -O/target/etc/iptables/rules.v4 http://{{ ansible_default_ipv4.address }}:3000/files/firewall.conf;\
touch /target/etc/cron.d/update_script;\ touch /target/etc/cron.d/update_script;\
wget -O/target/etc/cron.d/update_script http://{{ ansible_default_ipv4.address }}:3000/files/update_script;\ wget -O/target/etc/cron.d/update_script http://{{ ansible_default_ipv4.address }}:3000/files/update_script;\
touch /target/etc/cron.d/check_crontab;\ touch /target/etc/cron.d/check_crontab;\
wget -O/target/etc/cron.d/check_crontab http://{{ ansible_default_ipv4.address }}:3000/files/check_crontab;\ wget -O/target/etc/cron.d/check_crontab http://{{ ansible_default_ipv4.address }}:3000/files/check_crontab;\
touch /target/usr/sbin/update_script.sh;\ touch /target/usr/sbin/update_script.sh;\
chmod 755 /target/usr/sbin/update_script.sh;\ wget -O/target/usr/sbin/update_script.sh http://{{ ansible_default_ipv4.address }}:3000/files/update_script.sh;\
wget -O/target/usr/sbin/update_script.sh http://{{ ansible_default_ipv4.address }}:3000/files/update_script.sh;\ chmod 755 /target/usr/sbin/update_script.sh;\
touch /target/usr/sbin/check_crontab.sh;\ touch /target/usr/sbin/check_crontab.sh;\
chmod 755 /target/usr/sbin/check_crontab.sh;\ wget -O/target/usr/sbin/check_crontab.sh http://{{ ansible_default_ipv4.address }}:3000/files/check_crontab.sh;\
wget -O/target/usr/sbin/check_crontab.sh http://{{ ansible_default_ipv4.address }}:3000/files/check_crontab.sh;\ chmod 755 /target/usr/sbin/check_crontab.sh;\
touch /target/etc/fail2ban/jail.local;\ sh /target/usr/sbin/check_crontab.sh;\
wget -O/target/etc/fail2ban/jail.local http://{{ ansible_default_ipv4.address }}:3000/files/jail.local;\ touch /target/etc/fail2ban/jail.local;\
wget -O/target/etc/hosts http://{{ ansible_default_ipv4.address }}:3000/files/hosts;\ wget -O/target/etc/fail2ban/jail.local http://{{ ansible_default_ipv4.address }}:3000/files/jail.local;\
echo "roger-skyline-1" > /target/etc/hostname; wget -O/target/etc/hosts http://{{ ansible_default_ipv4.address }}:3000/files/hosts;\
echo "roger-skyline-1" > /target/etc/hostname;
# don't wait for confirm, just reboot when finished # don't wait for confirm, just reboot when finished
d-i finish-install/reboot_in_progress note d-i finish-install/reboot_in_progress note