diff options
| author | heqnx <root@heqnx.com> | 2025-05-29 19:34:32 +0300 |
|---|---|---|
| committer | heqnx <root@heqnx.com> | 2025-05-29 19:34:32 +0300 |
| commit | b8f1d76bd38d03e68fbc51f8e7340a9963a4104d (patch) | |
| tree | 1cf7347b862e4c6059463ea6b811f44a0d37c41c /roles | |
| parent | 0e9c8dc71a87b86a9d99c82b5f9aaa37dffeb9bd (diff) | |
| download | ansible-playbooks-b8f1d76bd38d03e68fbc51f8e7340a9963a4104d.tar.gz ansible-playbooks-b8f1d76bd38d03e68fbc51f8e7340a9963a4104d.zip | |
removed handlers, need to run all the time
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/harden/handlers/main.yaml | 38 | ||||
| -rw-r--r-- | roles/harden/tasks/harden.yaml | 139 | ||||
| -rw-r--r-- | roles/harden/tasks/main.yaml | 170 | ||||
| -rw-r--r-- | roles/sliver-c2/tasks/sliver_configure.yaml | 8 | ||||
| -rw-r--r-- | roles/sliver-c2/tasks/sliver_systemd.yaml | 11 | ||||
| -rw-r--r-- | roles/ssh-nginx-multiplex/handlers/main.yaml | 25 | ||||
| -rw-r--r-- | roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml | 31 | ||||
| -rw-r--r-- | roles/ssh-port-fwd-user/handlers/main.yaml | 6 | ||||
| -rw-r--r-- | roles/ssh-port-fwd-user/tasks/main.yaml | 9 | ||||
| -rw-r--r-- | roles/tor/handlers/main.yaml | 6 | ||||
| -rw-r--r-- | roles/tor/tasks/ssh_hidden_service.yaml | 8 | ||||
| -rw-r--r-- | roles/tor/tasks/tor_install.yaml | 8 | ||||
| -rw-r--r-- | roles/xrdp/handlers/main.yaml | 13 | ||||
| -rw-r--r-- | roles/xrdp/tasks/main.yaml | 17 |
14 files changed, 248 insertions, 241 deletions
diff --git a/roles/harden/handlers/main.yaml b/roles/harden/handlers/main.yaml deleted file mode 100644 index e25c78f..0000000 --- a/roles/harden/handlers/main.yaml +++ /dev/null @@ -1,38 +0,0 @@ -- name: update grub - command: update-grub - -- name: reload fail2ban - command: fail2ban-client reload - -- name: enable ufw - ufw: - state: enabled - policy: deny - -- name: restart ufw - systemd: - name: ufw - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart ssh - systemd: - name: ssh - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart unattended-upgrades - systemd: - name: unattended-upgrades - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart fail2ban - systemd: - name: fail2ban - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' diff --git a/roles/harden/tasks/harden.yaml b/roles/harden/tasks/harden.yaml deleted file mode 100644 index fe1807a..0000000 --- a/roles/harden/tasks/harden.yaml +++ /dev/null @@ -1,139 +0,0 @@ -- name: remove snap and snapd - apt: - name: - - snap - - snapd - state: absent - purge: true - -- name: clean apt cache - apt: - autoclean: true - -- name: clear /etc/issue and /etc/motd - copy: - content: "" - dest: "{{ item }}" - loop: - - /etc/issue - - /etc/motd - -- name: check if /etc/update-motd.d directory exists - stat: - path: /etc/update-motd.d - register: motd_dir - -- name: find files in /etc/update-motd.d - find: - paths: /etc/update-motd.d - file_type: file - register: motd_files - when: motd_dir.stat.exists - -- name: remove execute permissions from all files in /etc/update-motd.d - file: - path: "{{ item.path }}" - mode: u-x,g-x,o-x - loop: "{{ motd_files.files }}" - when: motd_dir.stat.exists - -- name: enforce root-only cron/at - file: - path: "{{ item }}" - state: touch - owner: root - group: root - mode: '0600' - loop: - - /etc/cron.allow - - /etc/at.allow - -- name: remove deny files for cron and at - file: - path: "{{ item }}" - state: absent - loop: - - /etc/cron.deny - - /etc/at.deny - -- name: backup sshd_config - copy: - src: /etc/ssh/sshd_config - dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}" - remote_src: true - -- name: harden sshd_config - copy: - dest: /etc/ssh/sshd_config - content: | - Port 22 - Banner /etc/issue - UsePAM yes - Protocol 2 - Subsystem sftp /usr/lib/openssh/sftp-server - LogLevel verbose - PrintMotd no - AcceptEnv LANG LC_* - MaxSessions 5 - StrictModes yes - Compression no - MaxAuthTries 3 - IgnoreRhosts yes - PrintLastLog yes - AddressFamily inet - X11Forwarding no - PermitRootLogin yes - AllowTcpForwarding no - ClientAliveInterval 1200 - AllowAgentForwarding no - PermitEmptyPasswords no - ClientAliveCountMax 0 - GSSAPIAuthentication no - KerberosAuthentication no - IgnoreUserKnownHosts yes - PermitUserEnvironment no - ChallengeResponseAuthentication no - MACs hmac-sha2-512,hmac-sha2-256 - Ciphers aes128-ctr,aes192-ctr,aes256-ctr - -- name: regenerate SSH host keys - shell: | - rm -f /etc/ssh/ssh_host_*key* - ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" - ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" - args: - creates: /etc/ssh/ssh_host_ed25519_key - notify: restart ssh - -- name: enable unattended-upgrades - shell: dpkg-reconfigure --priority=low unattended-upgrades - args: - creates: /etc/apt/apt.conf.d/50unattended-upgrades - notify: restart unattended-upgrades - -- name: disable ipv6 in grub - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"' - notify: update grub - -- name: allow ssh port and enable ufw - ufw: - rule: allow - port: 22 - proto: tcp - notify: - - enable ufw - - restart ufw - -- name: deploy custom fail2ban jail.local - template: - src: templates/jail.local.j2 - dest: /etc/fail2ban/jail.local - owner: root - group: root - mode: '0644' - notify: - - restart fail2ban - - reload fail2ban diff --git a/roles/harden/tasks/main.yaml b/roles/harden/tasks/main.yaml index 95fdd29..b6a80a9 100644 --- a/roles/harden/tasks/main.yaml +++ b/roles/harden/tasks/main.yaml @@ -1 +1,169 @@ -- import_tasks: tasks/harden.yaml +- name: remove snap and snapd + apt: + name: + - snap + - snapd + state: absent + purge: true + +- name: clean apt cache + apt: + autoclean: true + +- name: clear /etc/issue and /etc/motd + copy: + content: "" + dest: "{{ item }}" + loop: + - /etc/issue + - /etc/motd + +- name: check if /etc/update-motd.d directory exists + stat: + path: /etc/update-motd.d + register: motd_dir + +- name: find files in /etc/update-motd.d + find: + paths: /etc/update-motd.d + file_type: file + register: motd_files + when: motd_dir.stat.exists + +- name: remove execute permissions from all files in /etc/update-motd.d + file: + path: "{{ item.path }}" + mode: u-x,g-x,o-x + loop: "{{ motd_files.files }}" + when: motd_dir.stat.exists + +- name: enforce root-only cron/at + file: + path: "{{ item }}" + state: touch + owner: root + group: root + mode: '0600' + loop: + - /etc/cron.allow + - /etc/at.allow + +- name: remove deny files for cron and at + file: + path: "{{ item }}" + state: absent + loop: + - /etc/cron.deny + - /etc/at.deny + +- name: backup sshd_config + copy: + src: /etc/ssh/sshd_config + dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}" + remote_src: true + +- name: harden sshd_config + copy: + dest: /etc/ssh/sshd_config + content: | + Port 22 + Banner /etc/issue + UsePAM yes + Protocol 2 + Subsystem sftp /usr/lib/openssh/sftp-server + LogLevel verbose + PrintMotd no + AcceptEnv LANG LC_* + MaxSessions 5 + StrictModes yes + Compression no + MaxAuthTries 3 + IgnoreRhosts yes + PrintLastLog yes + AddressFamily inet + X11Forwarding no + PermitRootLogin yes + AllowTcpForwarding no + ClientAliveInterval 1200 + AllowAgentForwarding no + PermitEmptyPasswords no + ClientAliveCountMax 0 + GSSAPIAuthentication no + KerberosAuthentication no + IgnoreUserKnownHosts yes + PermitUserEnvironment no + ChallengeResponseAuthentication no + MACs hmac-sha2-512,hmac-sha2-256 + Ciphers aes128-ctr,aes192-ctr,aes256-ctr + +- name: regenerate SSH host keys + shell: | + rm -f /etc/ssh/ssh_host_*key* + ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" + ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" + args: + creates: /etc/ssh/ssh_host_ed25519_key + +- name: restart ssh + systemd: + name: ssh + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + +- name: enable unattended-upgrades + shell: dpkg-reconfigure --priority=low unattended-upgrades + args: + creates: /etc/apt/apt.conf.d/50unattended-upgrades + +- name: restart unattended-upgrades + systemd: + name: unattended-upgrades + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + +- name: disable ipv6 in grub + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"' + +- name: update grub + command: update-grub + +- name: allow ssh port and enable ufw + ufw: + rule: allow + port: 22 + proto: tcp + +- name: enable ufw + ufw: + state: enabled + policy: deny + +- name: restart ufw + systemd: + name: ufw + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + +- name: deploy custom fail2ban jail.local + template: + src: templates/jail.local.j2 + dest: /etc/fail2ban/jail.local + owner: root + group: root + mode: '0644' + +- name: restart fail2ban + systemd: + name: fail2ban + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + +- name: reload fail2ban + command: fail2ban-client reload diff --git a/roles/sliver-c2/tasks/sliver_configure.yaml b/roles/sliver-c2/tasks/sliver_configure.yaml index b90d955..cd3fa04 100644 --- a/roles/sliver-c2/tasks/sliver_configure.yaml +++ b/roles/sliver-c2/tasks/sliver_configure.yaml @@ -28,7 +28,13 @@ loop_control: loop_var: operator command: /opt/sliver/sliver-server operator --name {{ operator }} --lhost {{ sliver_server }} --save /root/.sliver-client/configs - notify: sliver systemd handler + +- name: sliver systemd handler + systemd: + name: sliver + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: fix permissions for .sliver-client directory file: diff --git a/roles/sliver-c2/tasks/sliver_systemd.yaml b/roles/sliver-c2/tasks/sliver_systemd.yaml index 3b29f0f..40ff890 100644 --- a/roles/sliver-c2/tasks/sliver_systemd.yaml +++ b/roles/sliver-c2/tasks/sliver_systemd.yaml @@ -8,3 +8,14 @@ notify: - reload systemd - sliver systemd handler + +- name: reload systemd + command: systemctl daemon-reload + when: ansible_service_mgr == 'systemd' + +- name: sliver systemd handler + systemd: + name: sliver + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' diff --git a/roles/ssh-nginx-multiplex/handlers/main.yaml b/roles/ssh-nginx-multiplex/handlers/main.yaml deleted file mode 100644 index 58c218b..0000000 --- a/roles/ssh-nginx-multiplex/handlers/main.yaml +++ /dev/null @@ -1,25 +0,0 @@ -- name: enable ufw - ufw: - state: enabled - policy: deny - -- name: restart ufw - systemd: - name: ufw - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart nginx - systemd: - name: nginx - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart sslh - systemd: - name: sslh - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' diff --git a/roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml b/roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml index beb0910..75a790c 100644 --- a/roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml +++ b/roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml @@ -41,7 +41,13 @@ owner: root group: root mode: '0644' - notify: restart nginx + + - name: restart nginx + systemd: + name: nginx + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: deploy sslh config file template: @@ -50,16 +56,19 @@ owner: root group: root mode: '0644' - notify: restart sslh + + - name: restart sslh + systemd: + name: sslh + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: allow ssh port and enable ufw ufw: rule: allow port: "{{ internal_sshd_port }}" proto: tcp - notify: - - enable ufw - - restart ufw - name: allow http port and enable ufw ufw: @@ -70,6 +79,18 @@ - enable ufw - restart ufw + - name: enable ufw + ufw: + state: enabled + policy: deny + + - name: restart ufw + systemd: + name: ufw + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + when: - public_sslh_port is defined - internal_nginx_port is defined diff --git a/roles/ssh-port-fwd-user/handlers/main.yaml b/roles/ssh-port-fwd-user/handlers/main.yaml deleted file mode 100644 index 8c5ef88..0000000 --- a/roles/ssh-port-fwd-user/handlers/main.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- name: restart ssh - systemd: - name: ssh - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' diff --git a/roles/ssh-port-fwd-user/tasks/main.yaml b/roles/ssh-port-fwd-user/tasks/main.yaml index 85d7a97..de6b9b8 100644 --- a/roles/ssh-port-fwd-user/tasks/main.yaml +++ b/roles/ssh-port-fwd-user/tasks/main.yaml @@ -64,7 +64,6 @@ owner: root group: root mode: '0644' - notify: restart ssh - name: ensure /etc/ssh/sshd_config includes .d directory lineinfile: @@ -72,7 +71,13 @@ regexp: '^Include /etc/ssh/sshd_config\.d/\*\.conf' line: 'Include /etc/ssh/sshd_config.d/*.conf' insertafter: EOF - notify: restart ssh + +- name: restart ssh + systemd: + name: ssh + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: fetch private key to control node fetch: diff --git a/roles/tor/handlers/main.yaml b/roles/tor/handlers/main.yaml deleted file mode 100644 index 8903ad6..0000000 --- a/roles/tor/handlers/main.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- name: restart tor - systemd: - name: tor - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' diff --git a/roles/tor/tasks/ssh_hidden_service.yaml b/roles/tor/tasks/ssh_hidden_service.yaml index cbac7fa..e757aa1 100644 --- a/roles/tor/tasks/ssh_hidden_service.yaml +++ b/roles/tor/tasks/ssh_hidden_service.yaml @@ -13,7 +13,13 @@ block: | HiddenServiceDir /var/lib/tor/ssh HiddenServicePort 22 127.0.0.1:22 - notify: restart tor + +- name: restart tor + systemd: + name: tor + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: wait for hidden service hostname file wait_for: diff --git a/roles/tor/tasks/tor_install.yaml b/roles/tor/tasks/tor_install.yaml index 96cf98e..3a053e6 100644 --- a/roles/tor/tasks/tor_install.yaml +++ b/roles/tor/tasks/tor_install.yaml @@ -31,7 +31,13 @@ owner: debian-tor group: debian-tor mode: '0644' - notify: restart tor + +- name: restart tor + systemd: + name: tor + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: check if tor is routing traffic correctly command: curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/api/ip diff --git a/roles/xrdp/handlers/main.yaml b/roles/xrdp/handlers/main.yaml deleted file mode 100644 index 5790f8b..0000000 --- a/roles/xrdp/handlers/main.yaml +++ /dev/null @@ -1,13 +0,0 @@ -- name: restart xrdp - systemd: - name: xrdp - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart xrdp-sesman - systemd: - name: xrdp-sesman - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' diff --git a/roles/xrdp/tasks/main.yaml b/roles/xrdp/tasks/main.yaml index ed95fbb..ce89dd5 100644 --- a/roles/xrdp/tasks/main.yaml +++ b/roles/xrdp/tasks/main.yaml @@ -58,6 +58,17 @@ src: xrdp.ini.j2 dest: /etc/xrdp/xrdp.ini mode: '0644' - notify: - - restart xrdp - - restart xrdp-sesman + +- name: restart xrdp + systemd: + name: xrdp + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + +- name: restart xrdp-sesman + systemd: + name: xrdp-sesman + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' |