author | heqnx <root@heqnx.com> | 2025-05-24 16:06:06 +0300 |
---|---|---|
committer | heqnx <root@heqnx.com> | 2025-05-24 16:06:06 +0300 |
commit | 2ccb5034924a75aac483f1060ae5d0d1a0293569 (patch) | |
tree | ac19c69e34b0fbb56b5f1f9abc9696f8537c199c | |
parent | 007be4c334fdd072ff5c058f68c7b373c3ddf7b7 (diff) | |
download | ansible-playbooks-2ccb5034924a75aac483f1060ae5d0d1a0293569.tar.gz ansible-playbooks-2ccb5034924a75aac483f1060ae5d0d1a0293569.zip |
added fail2ban, sshd verbose logging, more handlers
-rw-r--r-- | attackbox/handlers/main.yaml | 26 | ||||
-rw-r--r-- | attackbox/playbook.yaml | 3 | ||||
-rw-r--r-- | attackbox/tasks/handlers.yaml | 8 | ||||
-rw-r--r-- | attackbox/tasks/harden.yaml | 18 | ||||
-rw-r--r-- | attackbox/templates/jail.local.j2 | 46 | ||||
-rw-r--r-- | attackbox/vars/packages.yaml | 1 |
6 files changed, 92 insertions, 10 deletions
diff --git a/attackbox/handlers/main.yaml b/attackbox/handlers/main.yaml
new file mode 100644
index 0000000..1e18521
--- /dev/null
+++ b/attackbox/handlers/main.yaml
@@ -0,0 +1,26 @@
+- name: update grub
+ command: update-grub
+
+- name: restart ssh
+ systemd:
+ name: ssh
+ state: restarted
+ enabled: true
+ when: ansible_facts['service_mgr'] == 'systemd'
+
+- name: restart fail2ban
+ systemd:
+ name: fail2ban
+ state: restarted
+ enabled: true
+ when: ansible_facts['service_mgr'] == 'systemd'
+
+- name: reload fail2ban
+ command: fail2ban-client reload
+
+- name: restart tor
+ systemd:
+ name: tor
+ state: restarted
+ enabled: true
+ when: ansible_facts['service_mgr'] == 'systemd'
diff --git a/attackbox/playbook.yaml b/attackbox/playbook.yaml
index 169fef2..dbd436c 100644
--- a/attackbox/playbook.yaml
+++ b/attackbox/playbook.yaml
@@ -4,7 +4,6 @@
 vars_files:
 - vars/packages.yaml
 tasks:
- - import_tasks: tasks/handlers.yaml
 - import_tasks: tasks/apt_packages.yaml
 - import_tasks: tasks/harden.yaml
 - import_tasks: tasks/golang_install.yaml
@@ -13,3 +12,5 @@
 - import_tasks: tasks/go_tools.yaml
 - import_tasks: tasks/github_repos.yaml
 #- import_tasks: tasks/generate_readme.yaml
+ handlers:
+ - import_tasks: handlers/main.yaml
diff --git a/attackbox/tasks/handlers.yaml b/attackbox/tasks/handlers.yaml
deleted file mode 100644
index 540554f..0000000
--- a/attackbox/tasks/handlers.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-- name: update grub
- command: update-grub
-
-- name: restart tor
- systemd:
- name: tor
- state: restarted
- when: ansible_facts['service_mgr'] == 'systemd'
diff --git a/attackbox/tasks/harden.yaml b/attackbox/tasks/harden.yaml
index ad55699..d45d5e3 100644
--- a/attackbox/tasks/harden.yaml
+++ b/attackbox/tasks/harden.yaml
@@ -57,7 +57,7 @@
 UsePAM yes
 Protocol 2
 Subsystem sftp /usr/libexec/openssh/sftp-server
- LogLevel quiet
+ LogLevel verbose
 PrintMotd no
 AcceptEnv LANG LC_*
 MaxSessions 5
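Review bot: The new `reload fail2ban` handler (`command: fail2ban-client reload`) is redundant with `restart fail2ban` whenever both are notified from the same task, which is exactly what the jail.local template task in harden.yaml does; handlers run in the order they are defined here, so the reload always follows a restart that has already re-read the configuration. It is also the only service handler in the file without the `when: ansible_facts['service_mgr'] == 'systemd'` guard. Notify just one of the two from the template task, and if a reload handler is kept, `systemd: name: fail2ban state: reloaded` under the same `when` would match the neighbouring handlers (assuming the distro unit defines ExecReload, which I cannot confirm from here).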
@@ -89,6 +89,7 @@
 ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
 args:
 creates: /etc/ssh/ssh_host_ed25519_key
+ notify: restart ssh
 - name: enable unattended-upgrades
 shell: dpkg-reconfigure --priority=low unattended-upgrades
@@ -119,4 +120,19 @@
 state: enabled
 policy: deny
+- name: deploy custom fail2ban jail.local
+ template:
+ src: templates/jail.local.j2
+ dest: /etc/fail2ban/jail.local
+ owner: root
+ group: root
+ mode: '0644'
+ notify:
+ - restart fail2ban
+ - reload fail2ban
+- name: enable and start fail2ban
+ systemd:
+ name: fail2ban
+ enabled: true
+ state: started
diff --git a/attackbox/templates/jail.local.j2 b/attackbox/templates/jail.local.j2
new file mode 100644
index 0000000..dd548df
--- /dev/null
+++ b/attackbox/templates/jail.local.j2
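Review bot: `notify: restart ssh` is attached to the host-key generation task, which is guarded by `creates: /etc/ssh/ssh_host_ed25519_key`, so the handler only fires on the first run; the `LogLevel verbose` change in this same commit will not restart sshd unless the task that writes sshd_config also notifies it (that task starts outside the hunk, so I cannot tell). Adding the same `notify: restart ssh` there, together with `validate: /usr/sbin/sshd -t -f %s`, would make config changes take effect while refusing to restart on a broken config, which on a remotely managed box means losing access. The fail2ban template task notifies both `restart fail2ban` and `reload fail2ban`; one is sufficient, and a single `notify: restart fail2ban` keeps the play simpler. The enclosing task list continues past the end of this hunk.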
@@ -0,0 +1,46 @@
+[INCLUDES]
+#before = paths-distro.conf
+before = paths-debian.conf
+
+[DEFAULT]
+#ignoreself = true
+#ignoreip = 127.0.0.1/8 ::1
+ignorecommand =
+bantime = 1h
+findtime = 10m
+maxretry = 3
+maxmatches = %(maxretry)s
+backend = auto
+usedns = warn
+logencoding = auto
+enabled = false
+mode = normal
+filter = %(__name__)s[mode=%(mode)s]
+destemail = root@localhost
+sender = root@<fq-hostname>
+mta = sendmail
+protocol = tcp
+chain = <known/chain>
+port = 0:65535
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+banaction = iptables-multiport
+banaction_allports = iptables-allports
+action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mw = %(action_)s
+ %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mwl = %(action_)s
+ %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+action_xarf = %(action_)s
+ xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+ %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
+action_abuseipdb = abuseipdb
+action = %(action_)s
+
+[sshd]
+mode = aggressive
+enabled = true
+port = ssh
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
diff --git a/attackbox/vars/packages.yaml b/attackbox/vars/packages.yaml
index 4d06544..fc96103 100644
--- a/attackbox/vars/packages.yaml
+++ b/attackbox/vars/packages.yaml
@@ -78,3 +78,4 @@ apt_packages:
 - unattended-upgrades
 - ufw
 - tmux
+ - fail2ban |
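Review bot: `ignoreip` is left commented out while `mode = aggressive`, `maxretry = 3` and `bantime = 1h` are set, so the address Ansible itself connects from can be banned by the `[sshd]` jail after a handful of failed attempts (a stale key or agent is enough in aggressive mode). This file is a `.j2` template that currently contains no Jinja expressions; a variable such as `ignoreip = 127.0.0.1/8 ::1 {{ fail2ban_ignoreip | default('') }}` (constructed name, set it from the playbook vars) lets the management address be excluded per host. `banaction = iptables-multiport` also runs alongside the ufw setup in harden.yaml (the `policy: deny` context at the top of the previous hunk); fail2ban ships a `ufw` action, and using it keeps the firewall under one manager instead of fail2ban inserting its own chain into INPUT next to ufw's. The mail-related defaults (`destemail`, `sender = root@<fq-hostname>`, `mta`, the `action_mw*` variants) are unused with `action = %(action_)s` and can be dropped so the template contains only what it actually configures.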