authorheqnx <root@heqnx.com>2025-05-26 08:54:15 +0300
committerheqnx <root@heqnx.com>2025-05-26 08:54:15 +0300
commitb702fe9f7f8bf423f753ae89b9617aab2372c05e (patch)
tree09f1237b282709ef51e741a74b21005447e061d6
parent08134048cb9a85508042cabd9aa3a39849eca2be (diff)
downloadansible-playbooks-b702fe9f7f8bf423f753ae89b9617aab2372c05e.tar.gz
ansible-playbooks-b702fe9f7f8bf423f753ae89b9617aab2372c05e.zip
added xrdp, added example configs, removing main ones
-rw-r--r--.gitignore5
-rw-r--r--README.md17
-rw-r--r--inventory.yaml.example39
-rw-r--r--playbook.yaml.example31
-rw-r--r--roles/xrdp/defaults/main.yaml1
-rw-r--r--roles/xrdp/files/logo.bmpbin0 -> 58 bytes
-rw-r--r--roles/xrdp/files/xrdp_polkit.rules31
-rw-r--r--roles/xrdp/tasks/main.yaml69
-rw-r--r--roles/xrdp/templates/xrdp.ini.j287
9 files changed, 280 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index ede3ba4..84b1ed2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,8 @@
*.pub
*id_rsa*
*ed25519*
+inventory.yaml
+inventory.yml
+inventory.ini
+playbook.yaml
+playbook.yml
diff --git a/README.md b/README.md
index 938bc9f..3200b09 100644
--- a/README.md
+++ b/README.md
@@ -38,10 +38,27 @@ This repository contains a collection of Ansible roles and playbooks designed to
- Deploys necessary systemd services for SSH multiplexing.
- Provides a SSH access method over HTTP/S.
+### `roles/ssh-port-fwd-user/` - SSH port forwarding limited user
+- Creates a restricted user intended solely for SSH port forwarding.
+- Disables shell access (/bin/false) to prevent interactive logins.
+- Allows only ssh -L, ssh -R, or ssh -D forwarding operations.
+- Sets up .ssh/authorized_keys with optional key-based access.
+- Configures sshd Match blocks to enforce restrictions for the user.
+- Prevents execution of arbitrary commands or shell escapes.
+
### `roles/tor/` - Tor installation and configuration
- Installs and configures the Tor service.
- Ensures Tor is routing traffic correctly.
+### `roles/xrdp/` - Lightweight RDP access via xrdp
+- Installs and configures the xrdp remote desktop server.
+- Optionally binds RDP service to localhost only.
+- Applies TCP optimizations in /etc/sysctl.conf for smooth RDP performance.
+- Configures xrdp.ini with enhanced settings for single-user scenarios.
+- Installs supporting packages (xorg, tigervnc-standalone-server, etc.).
+- Disables root login over RDP.
+- Installs custom Polkit rules to allow common user actions (e.g., color profile changes, reboot).
+
## Usage
- Clone this repository onto your control machine.
diff --git a/inventory.yaml.example b/inventory.yaml.example
new file mode 100644
index 0000000..9097f34
--- /dev/null
+++ b/inventory.yaml.example
@@ -0,0 +1,39 @@
+all:
+ hosts:
+ server01:
+ ansible_host: 10.11.12.13
+ ansible_user: root
+ ansible_ssh_private_key_file: id_rsa
+
+ # set this for the sliver-c2 role
+ # sliver_server: 127.0.0.1
+
+ # set these for the ssh-nginx-multiplex role
+ # public_sslh_port: 443
+ # internal_nginx_port: 8080
+ # internal_sshd_port: 22
+
+ # set this for the ssh-port-fwd-user role
+ # port_fwd_user: proxyuser
+
+ #server02:
+ # ansible_host: 10.11.12.14
+ # ansible_user: root
+ # ansible_ssh_private_key_file: id_rsa
+
+ # set this for the sliver-c2 role
+ # sliver_server: 127.0.0.1
+
+ # set these for the ssh-nginx-multiplex role
+ # public_sslh_port: 443
+ # internal_nginx_port: 8080
+ # internal_sshd_port: 22
+
+ # set this for the ssh-port-fwd-user role
+ # port_fwd_user: proxyuser
+
+ children:
+ servers:
+ hosts:
+ server01: {}
+ #server02: {}
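Review bot: The example inventory documents the tunable of every other role used by playbook.yaml.example but never mentions `xrdp_listen_local`, so a user copying it gets the role default of `false` and an RDP listener bound to every interface (`tcp://:3389` in the template) without being told. Add a commented block next to the other per-role hints, e.g. `# set this for the xrdp role (default false exposes 3389 on all interfaces)` followed by `# xrdp_listen_local: true`. The same two lines belong under the commented-out `server02` entry for consistency with the other hints.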
diff --git a/playbook.yaml.example b/playbook.yaml.example
new file mode 100644
index 0000000..2274bdf
--- /dev/null
+++ b/playbook.yaml.example
@@ -0,0 +1,31 @@
+- name: fail if system is not debian/ubuntu
+ hosts: all
+ gather_facts: true
+ tasks:
+ - name: check os family or distribution
+ ansible.builtin.assert:
+ that:
+ - "'debian' in ansible_facts.os_family.lower() or 'ubuntu' in ansible_facts.distribution.lower()"
+ fail_msg: "this playbook supports only debian-based systems"
+
+- name: setup server01
+ hosts: server01
+ become: true
+ roles:
+ - harden
+ - tor
+ - attackbox
+ - sliver-c2
+ - ssh-nginx-multiplex
+ - ssh-port-fwd-user
+ - xrdp
+
+#- name: setup server02
+# hosts: server02
+# become: true
+# roles:
+# - harden
+# - tor
+# - attackbox
+# - sliver-c2
+# - ssh-nginx-multiplex
diff --git a/roles/xrdp/defaults/main.yaml b/roles/xrdp/defaults/main.yaml
new file mode 100644
index 0000000..bb60448
--- /dev/null
+++ b/roles/xrdp/defaults/main.yaml
@@ -0,0 +1 @@
+xrdp_listen_local: false
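Review bot: The only default this role ships is `xrdp_listen_local: false`, which resolves in the template to `tcp://:3389` and therefore exposes the RDP login prompt on all interfaces out of the box, with password authentication and no rate limiting visible anywhere in the role. A fail-closed default is the safer choice for a role meant for single-user boxes: `xrdp_listen_local: true` with a comment such as `# bind 3389 to loopback only; set false to expose RDP on all interfaces (reach it over SSH -L otherwise)`. Operators who really need it reachable can still flip it per host in the inventory.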
diff --git a/roles/xrdp/files/logo.bmp b/roles/xrdp/files/logo.bmp
new file mode 100644
index 0000000..b26c0eb
--- /dev/null
+++ b/roles/xrdp/files/logo.bmp
Binary files differ
diff --git a/roles/xrdp/files/xrdp_polkit.rules b/roles/xrdp/files/xrdp_polkit.rules
new file mode 100644
index 0000000..c1fecde
--- /dev/null
+++ b/roles/xrdp/files/xrdp_polkit.rules
@@ -0,0 +1,31 @@
+polkit.addRule(function(action, subject) {
+ if (subject.user && subject.user !== "root" &&
+ (action.id == "org.freedesktop.color-manager.create-device" ||
+ action.id == "org.freedesktop.color-manager.create-profile" ||
+ action.id == "org.freedesktop.color-manager.delete-device" ||
+ action.id == "org.freedesktop.color-manager.delete-profile" ||
+ action.id == "org.freedesktop.color-manager.modify-device" ||
+ action.id == "org.freedesktop.color-manager.modify-profile" ||
+ action.id == "org.debian.apt.update-cache")) {
+ return polkit.Result.YES;
+ }
+});
+
+polkit.addRule(function(action, subject) {
+ if (subject.user && subject.user !== "root" &&
+ (action.id == "org.freedesktop.NetworkManager.settings.modify.system" ||
+ action.id == "org.freedesktop.NetworkManager.network-control")) {
+ return polkit.Result.YES;
+ }
+});
+
+polkit.addRule(function(action, subject) {
+ if (subject.user && subject.user !== "root" &&
+ action.id.match(/^org\.freedesktop\.login1\.(reboot|power-off|suspend)/)) {
+ if (subject.active) {
+ return polkit.Result.YES;
+ } else {
+ return polkit.Result.NO;
+ }
+ }
+});
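Review bot: The first two rules hand `org.freedesktop.NetworkManager.settings.modify.system`, `network-control` and `org.debian.apt.update-cache` to every non-root account on the host, with no check of `subject.active` or group membership, so service/daemon users and the forwarding-only account the ssh-port-fwd-user role describes in the README (if present on the same host) can rewrite system-wide network connections such as DNS and routes. The third rule's regex `/^org\.freedesktop\.login1\.(reboot|power-off|suspend)/` is not anchored at the end, so it also matches the `-multiple-sessions` and `-ignore-inhibit` variants and lets a user reboot while others are logged in and past inhibitors; presumably only the plain actions were intended. I would factor one guard requiring an active session and membership in Debian's `sudo` group (the playbook already asserts Debian-based targets) and anchor the regex with `$`; whether a seatless xrdp session reports `subject.active` is worth confirming on a target before relying on it.

```javascript
// one guard for all xrdp-session conveniences: non-root, active session, admin group
function isXrdpAdmin(subject) {
    return subject.user && subject.user !== "root" &&
           subject.active && subject.isInGroup("sudo");
}

polkit.addRule(function(action, subject) {
    if (isXrdpAdmin(subject) &&
        (action.id == "org.freedesktop.color-manager.create-device" ||
         // … unchanged: remaining color-manager ids and org.debian.apt.update-cache …
         action.id == "org.debian.apt.update-cache")) {
        return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (isXrdpAdmin(subject) &&
        (action.id == "org.freedesktop.NetworkManager.settings.modify.system" ||
         action.id == "org.freedesktop.NetworkManager.network-control")) {
        return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (subject.user && subject.user !== "root" &&
        action.id.match(/^org\.freedesktop\.login1\.(reboot|power-off|suspend)$/)) {
        return isXrdpAdmin(subject) ? polkit.Result.YES : polkit.Result.NO;
    }
});
```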
diff --git a/roles/xrdp/tasks/main.yaml b/roles/xrdp/tasks/main.yaml
new file mode 100644
index 0000000..d0708c2
--- /dev/null
+++ b/roles/xrdp/tasks/main.yaml
@@ -0,0 +1,69 @@
+- name: ensure xrdp and dependencies are installed
+ apt:
+ name:
+ - xrdp
+ - xorg
+ - tigervnc-xorg-extension
+ - tigervnc-standalone-server
+ state: present
+ update_cache: yes
+
+- name: backup sesman.ini
+ copy:
+ src: /etc/xrdp/sesman.ini
+ dest: /etc/xrdp/sesman.ini.bak
+ remote_src: yes
+
+- name: disable root login in sesman.ini
+ lineinfile:
+ path: /etc/xrdp/sesman.ini
+ regexp: '^AllowRootLogin='
+ line: 'AllowRootLogin=false'
+
+- name: deploy custom xrdp.ini from template
+ template:
+ src: xrdp.ini.j2
+ dest: /etc/xrdp/xrdp.ini
+ mode: '0644'
+
+- name: install xrdp logo
+ copy:
+ src: logo.bmp
+ dest: /etc/xrdp/logo.bmp
+ mode: '0644'
+
+- name: configure polkit rules for xrdp sessions
+ copy:
+ src: xrdp_polkit.rules
+ dest: /etc/polkit-1/rules.d/50-xrdp-session.rules
+ mode: '0644'
+
+- name: apply sysctl optimizations for rdp
+ blockinfile:
+ path: /etc/sysctl.conf
+ block: |
+ net.ipv4.tcp_wmem = 4096 262144 33554432
+ net.ipv4.tcp_rmem = 4096 262144 33554432
+ net.core.wmem_max = 33554432
+ net.core.rmem_max = 33554432
+ net.ipv4.tcp_window_scaling = 1
+ net.ipv4.tcp_fastopen = 3
+ net.core.netdev_max_backlog = 3000
+ net.core.somaxconn = 2048
+ net.ipv4.tcp_slow_start_after_idle = 0
+ net.ipv4.tcp_adv_win_scale = 1
+ net.core.default_qdisc = fq
+ net.ipv4.tcp_congestion_control = bbr
+
+- name: apply sysctl settings
+ command: sysctl -p
+ changed_when: false
+
+- name: ensure xrdp services are enabled and started
+ systemd:
+ name: "{{ item }}"
+ enabled: true
+ state: started
+ loop:
+ - xrdp
+ - xrdp-sesman
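Review bot: Changes to sesman.ini and xrdp.ini never reach a running service: the final task only asks for `state: started`, and there is no handler or `notify`, so on any host where xrdp is already up (every re-run, and a fresh apt install also starts the unit before the config tasks run) `AllowRootLogin=false` and the templated xrdp.ini are not in effect until someone restarts xrdp by hand. The "backup sesman.ini" copy also runs unconditionally, so the second run overwrites the .bak with the already-modified file and the pristine backup is lost; `force: no` keeps the first copy. The `lineinfile` task has no `insertafter`, so if `AllowRootLogin=` is ever absent the line is appended at end of file, which on the stock sesman.ini layout would presumably land outside `[Security]` and be ignored; `insertafter: '^\[Security\]'` pins it. The rewrite below registers the two config tasks and restarts only when either changed.

```yaml
- name: backup sesman.ini
  copy:
    src: /etc/xrdp/sesman.ini
    dest: /etc/xrdp/sesman.ini.bak
    remote_src: yes
    force: no   # keep the pristine copy; never overwrite it on re-runs

- name: disable root login in sesman.ini
  lineinfile:
    path: /etc/xrdp/sesman.ini
    regexp: '^AllowRootLogin='
    line: 'AllowRootLogin=false'
    insertafter: '^\[Security\]'
  register: xrdp_sesman_conf

- name: deploy custom xrdp.ini from template
  template:
    src: xrdp.ini.j2
    dest: /etc/xrdp/xrdp.ini
    mode: '0644'
  register: xrdp_ini_conf

# … unchanged: logo, polkit rules, sysctl tasks …

- name: ensure xrdp services are enabled and started
  systemd:
    name: "{{ item }}"
    enabled: true
    state: "{{ 'restarted' if (xrdp_sesman_conf.changed or xrdp_ini_conf.changed) else 'started' }}"
  loop:
    - xrdp
    - xrdp-sesman
```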
diff --git a/roles/xrdp/templates/xrdp.ini.j2 b/roles/xrdp/templates/xrdp.ini.j2
new file mode 100644
index 0000000..2afb769
--- /dev/null
+++ b/roles/xrdp/templates/xrdp.ini.j2
@@ -0,0 +1,87 @@
+[Globals]
+tcp_send_buffer_bytes=33554432
+tcp_recv_buffer_bytes=33554432
+ini_version=1
+fork=true
+port={{ 'tcp://.:3389' if xrdp_listen_local else 'tcp://:3389' }}
+use_vsock=false
+tcp_nodelay=true
+tcp_keepalive=true
+security_layer=negotiate
+crypt_level=medium
+key_file=
+ssl_protocols=TLSv1.2, TLSv1.3
+autorun=
+allow_channels=true
+allow_multimon=true
+bitmap_cache=true
+bitmap_compression=true
+bulk_compression=true
+max_bpp=32
+new_cursors=true
+use_fastpath=both
+grey=ffffff
+black=555555
+dark_grey=ffffff
+blue=19315a
+dark_blue=2777ff
+white=eeeeee
+ls_title=Remote Desktop Protocol (xRDP)
+ls_top_window_bg_color=2f2f2f
+ls_width=350
+ls_height=180
+ls_bg_color=dedede
+ls_logo_filename=/etc/xrdp/logo.bmp
+ls_logo_x_pos=0
+ls_logo_y_pos=0
+ls_label_x_pos=30
+ls_label_width=65
+ls_input_x_pos=110
+ls_input_y_pos=50
+ls_input_width=210
+ls_btn_ok_x_pos=142
+ls_btn_ok_y_pos=135
+ls_btn_ok_width=85
+ls_btn_ok_height=30
+ls_btn_cancel_x_pos=235
+ls_btn_cancel_y_pos=135
+ls_btn_cancel_width=85
+ls_btn_cancel_height=30
+
+[Logging]
+LogFile=xrdp.log
+LogLevel=INFO
+EnableSyslog=true
+
+[LoggingPerLogger]
+#xrdp.c=INFO
+#main()=INFO
+
+[Channels]
+rdpdr=true
+drdynvc=true
+cliprdr=true
+rdpsnd=false
+rail=false
+xrdpvr=false
+tcutils=false
+
+[Xorg]
+name=Xorg
+lib=libxup.so
+username=ask
+password=ask
+ip=127.0.0.1
+port=-1
+code=20
+
+#[Xvnc]
+#name=Xvnc
+#lib=libvnc.so
+#username=ask
+#password=ask
+#ip=127.0.0.1
+#port=-1
+#xserverbpp=24
+#delay_ms=2000
+#disabled_encodings_mask=0
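Review bot: `security_layer=negotiate` together with `crypt_level=medium` still lets a client that declines TLS fall back to the legacy RDP Security layer with medium-strength encryption, which undercuts the `ssl_protocols=TLSv1.2, TLSv1.3` restriction two lines below; for a box that accepts password logins over the network I would set `security_layer=tls` and `crypt_level=high` so only TLS-wrapped sessions are accepted. `key_file=` is left empty and there is no `certificate=` line, so the server presumably runs on whatever default cert/key the Debian package installs (a self-signed pair) — worth a template comment saying so, or a pair of role variables so an operator can point at a real certificate. Note too that `rdpdr=true` and `cliprdr=true` enable drive and clipboard redirection between the client workstation and the server; fine for a single-user attack box, but a comment stating that this is deliberate would save the next reviewer the question.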