Diffstat (limited to 'old/sliver-c2/tasks')
-rw-r--r-- | old/sliver-c2/tasks/apt_packages.yaml | 5 | ||||
-rw-r--r-- | old/sliver-c2/tasks/golang_install.yaml | 33 | ||||
-rw-r--r-- | old/sliver-c2/tasks/harden.yaml | 144 | ||||
-rw-r--r-- | old/sliver-c2/tasks/sliver_configure.yaml | 40 | ||||
-rw-r--r-- | old/sliver-c2/tasks/sliver_install.yaml | 35 | ||||
-rw-r--r-- | old/sliver-c2/tasks/sliver_systemd.yaml | 10 | ||||
-rw-r--r-- | old/sliver-c2/tasks/ssh_nginx_setup.yaml | 76 |
7 files changed, 343 insertions, 0 deletions
diff --git a/old/sliver-c2/tasks/apt_packages.yaml b/old/sliver-c2/tasks/apt_packages.yaml new file mode 100644 index 0000000..3f600c2 --- /dev/null +++ b/old/sliver-c2/tasks/apt_packages.yaml @@ -0,0 +1,5 @@ +- name: install apt packages + apt: + name: "{{ apt_packages }}" + state: present + update_cache: true diff --git a/old/sliver-c2/tasks/golang_install.yaml b/old/sliver-c2/tasks/golang_install.yaml new file mode 100644 index 0000000..e67d508 --- /dev/null +++ b/old/sliver-c2/tasks/golang_install.yaml @@ -0,0 +1,33 @@ +- name: download and extract golang + block: + - name: get latest golang version + shell: | + curl -sSL https://golang.org/dl/ | awk -F '"' '/dl\/.*linux-amd64.*tar.gz/{print $(NF-1)}' | awk -F '/' '{print $3}' | head -1 + register: latest_golang + changed_when: false + + - name: download golang + get_url: + url: "https://golang.org/dl/{{ latest_golang.stdout }}" + dest: /tmp/golang.tar.gz + + - name: extract golang to /usr/local + unarchive: + src: /tmp/golang.tar.gz + dest: /usr/local + remote_src: yes + + - name: remove tarball + file: + path: /tmp/golang.tar.gz + state: absent + + - name: set system-wide go environment variables + copy: + dest: /etc/profile.d/go_env.sh + content: | + export GOPATH=/root/go + export PATH=$PATH:/usr/local/go/bin:$GOPATH:$GOPATH/bin + owner: root + group: root + mode: '0644' diff --git a/old/sliver-c2/tasks/harden.yaml b/old/sliver-c2/tasks/harden.yaml new file mode 100644 index 0000000..ec09ea2 --- /dev/null +++ b/old/sliver-c2/tasks/harden.yaml 
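Review bot: The tarball fetched in `download golang` is never integrity-checked — the version string comes from scraping HTML in `get latest golang version`, and the `get_url` has no `checksum:`, so a tampered download or a garbled scrape goes unnoticed until `unarchive` fails or, worse, succeeds on the wrong content. The scrape pipeline also has no `pipefail`, and `head -1` means a failed `curl` yields an empty `latest_golang.stdout`, i.e. a download URL of just `https://golang.org/dl/`. Pin the release in a variable and verify it, e.g. `url: "https://go.dev/dl/go{{ golang_version }}.linux-amd64.tar.gz"` with `checksum: "sha256:{{ golang_sha256 }}"`, or at least add `failed_when: latest_golang.stdout | length == 0` if the scrape is kept. Note also that `extract golang to /usr/local` layers the new tree over any existing `/usr/local/go`, which can leave stale files from an older release behind; removing `/usr/local/go` before the `unarchive` avoids a mixed install.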
@@ -0,0 +1,144 @@ +- name: fail if system is not debian/ubuntu + ansible.builtin.assert: + that: "'debian' in ansible_facts.os_family.lower() or 'ubuntu' in ansible_facts.distribution.lower()" + fail_msg: "this playbook supports only debian-based systems" + +- name: remove snap and snapd + apt: + name: + - snap + - snapd + state: absent + purge: true + +- name: clean apt cache + apt: + autoclean: true + +- name: clear /etc/issue and /etc/motd + copy: + content: "" + dest: "{{ item }}" + loop: + - /etc/issue + - /etc/motd + +- name: check if /etc/update-motd.d directory exists + stat: + path: /etc/update-motd.d + register: motd_dir + +- name: find files in /etc/update-motd.d + find: + paths: /etc/update-motd.d + file_type: file + register: motd_files + when: motd_dir.stat.exists + +- name: remove execute permissions from all files in /etc/update-motd.d + file: + path: "{{ item.path }}" + mode: u-x,g-x,o-x + loop: "{{ motd_files.files }}" + when: motd_dir.stat.exists + +- name: enforce root-only cron/at + file: + path: "{{ item }}" + state: touch + owner: root + group: root + mode: '0600' + loop: + - /etc/cron.allow + - /etc/at.allow + +- name: remove deny files for cron and at + file: + path: "{{ item }}" + state: absent + loop: + - /etc/cron.deny + - /etc/at.deny + +- name: backup sshd_config + copy: + src: /etc/ssh/sshd_config + dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}" + remote_src: yes + +- name: harden sshd_config + copy: + dest: /etc/ssh/sshd_config + content: | + Port 22 + Banner /etc/issue + UsePAM yes + Protocol 2 + Subsystem sftp /usr/lib/openssh/sftp-server + LogLevel verbose + PrintMotd no + AcceptEnv LANG LC_* + MaxSessions 5 + StrictModes yes + Compression no + MaxAuthTries 3 + IgnoreRhosts yes + PrintLastLog yes + AddressFamily inet + X11Forwarding no + PermitRootLogin yes + AllowTcpForwarding no + ClientAliveInterval 1200 + AllowAgentForwarding no + PermitEmptyPasswords no + ClientAliveCountMax 0 + GSSAPIAuthentication no 
+ KerberosAuthentication no + IgnoreUserKnownHosts yes + PermitUserEnvironment no + ChallengeResponseAuthentication no + MACs hmac-sha2-512,hmac-sha2-256 + Ciphers aes128-ctr,aes192-ctr,aes256-ctr + +- name: regenerate SSH host keys + shell: | + rm -f /etc/ssh/ssh_host_*key* + ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" + ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" + args: + creates: /etc/ssh/ssh_host_ed25519_key + notify: restart ssh + +- name: enable unattended-upgrades + shell: dpkg-reconfigure --priority=low unattended-upgrades + args: + creates: /etc/apt/apt.conf.d/50unattended-upgrades + notify: restart unattended-upgrades + +- name: disable ipv6 in grub + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"' + notify: update grub + +- name: allow ssh port and enable ufw + ufw: + rule: allow + port: 22 + proto: tcp + notify: + - reload ufw + - restart ufw + +- name: deploy custom fail2ban jail.local + template: + src: templates/jail.local.j2 + dest: /etc/fail2ban/jail.local + owner: root + group: root + mode: '0644' + notify: + - restart fail2ban + - reload fail2ban diff --git a/old/sliver-c2/tasks/sliver_configure.yaml b/old/sliver-c2/tasks/sliver_configure.yaml new file mode 100644 index 0000000..bf4797e --- /dev/null +++ b/old/sliver-c2/tasks/sliver_configure.yaml 
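Review bot: For a task named `harden sshd_config`, the generated config keeps `PermitRootLogin yes` and sets no `PasswordAuthentication no`, so root password logins remain allowed, and the file is dropped in with `copy` without a syntax check, so a typo locks you out when the `restart ssh` handler fires. Change to `PermitRootLogin prohibit-password`, add `PasswordAuthentication no` (public-key auth is on by default), and give the copy task `validate: '/usr/sbin/sshd -t -f %s'`. Separately, `regenerate SSH host keys` is guarded by `creates: /etc/ssh/ssh_host_ed25519_key`, a file that already exists on any installed Debian/Ubuntu host, so the regeneration effectively never runs, and the hard-coded `Port 22` plus `ufw … port: 22` here disagree with the `internal_sshd_port` variable opened in ssh_nginx_setup.yaml, so one side should be templated from that variable. Also `ClientAliveCountMax 0` presumably does not do what the 1200-second interval suggests — on OpenSSH 8.2 and later a count of 0 disables the dead-peer disconnect rather than enforcing it, so 1 or 2 is the value to use.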
@@ -0,0 +1,40 @@ +- name: ensure .sliver config directory exists + file: + path: "{{ install_path }}/.sliver/configs" + state: directory + owner: root + group: root + mode: '0700' + +- name: deploy custom server.json config + template: + src: server.json.j2 + dest: "{{ install_path }}/.sliver/configs/server.json" + owner: root + group: root + mode: '0600' + force: true + +- name: ensure sliver client config directory exists + file: + path: "{{ install_path }}/.sliver-client/configs" + state: directory + owner: root + group: root + mode: '0700' + +- name: generate sliver operator profiles + loop: "{{ sliver_operators }}" + loop_control: + loop_var: operator + command: /opt/sliver/sliver-server operator --name {{ operator }} --lhost {{ sliver_server }} --save /root/.sliver-client/configs + notify: sliver systemd handler + +- name: fix permissions for .sliver-client directory + file: + path: /root/.sliver-client + state: directory + recurse: true + owner: root + group: root + diff --git a/old/sliver-c2/tasks/sliver_install.yaml b/old/sliver-c2/tasks/sliver_install.yaml new file mode 100644 index 0000000..3f0e029 --- /dev/null +++ b/old/sliver-c2/tasks/sliver_install.yaml 
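Review bot: The `generate sliver operator profiles` command hard-codes `/opt/sliver/sliver-server` and `--save /root/.sliver-client/configs` while every other task in this file uses `{{ install_path }}`, so when `install_path` is anything but `/opt/sliver` the operator configs land somewhere the `ensure sliver client config directory exists` task never prepared. The `{{ operator }}` and `{{ sliver_server }}` values are also interpolated unquoted into a single command string, which Ansible word-splits, so a value containing whitespace becomes extra arguments; the `argv` form avoids that. The task has no `creates:`/`changed_when:`, so every run regenerates operator certificates and reports changed. Finally, `fix permissions for .sliver-client directory` sets owner/group but no mode, yet these profiles carry the operator's private key and token; `mode: '0600'` is warranted, and it is unclear from here whether the server actually reads the templated `{{ install_path }}/.sliver/configs/server.json` — sliver-server defaults to the invoking user's `~/.sliver`, so unless the unit file points it at `install_path` the config under review may be ignored (worth confirming against sliver.service.j2).

```yaml
- name: generate sliver operator profiles
  loop: "{{ sliver_operators }}"
  loop_control:
    loop_var: operator
  command:
    argv:
      - "{{ install_path }}/sliver-server"
      - operator
      - --name
      - "{{ operator }}"
      - --lhost
      - "{{ sliver_server }}"
      - --save
      - "{{ install_path }}/.sliver-client/configs"
  args:
    # TODO confirm the file name sliver uses for saved profiles before relying on this guard
    creates: "{{ install_path }}/.sliver-client/configs/{{ operator }}_{{ sliver_server }}.cfg"
  notify: sliver systemd handler

# … unchanged: fix permissions task, with mode: '0600' added …
```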
@@ -0,0 +1,35 @@ +- name: import sliver gpg key + shell: | + gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 4449039C + +- name: get latest sliver-server binary URL + shell: | + curl -sSLf https://api.github.com/repos/BishopFox/sliver/releases/latest \ + | grep -i browser_download_url \ + | grep -i sliver-server_linux \ + | grep -v sig \ + | head -1 \ + | cut -d '"' -f 4 + register: sliver_url + changed_when: false + +- name: create sliver directory + file: + path: "{{ install_path }}" + state: directory + mode: '0755' + +- name: download sliver-server binary + get_url: + url: "{{ sliver_url.stdout }}" + dest: "{{ install_path }}/sliver-server" + mode: '0755' + +- name: symlink sliver binaries + file: + src: "{{ install_path }}/{{ item }}" + dest: "/usr/local/bin/{{ item }}" + state: link + force: true + loop: + - sliver-server diff --git a/old/sliver-c2/tasks/sliver_systemd.yaml b/old/sliver-c2/tasks/sliver_systemd.yaml new file mode 100644 index 0000000..3b29f0f --- /dev/null +++ b/old/sliver-c2/tasks/sliver_systemd.yaml @@ -0,0 +1,10 @@ +- name: copy sliver systemd service template + template: + src: sliver.service.j2 + dest: /etc/systemd/system/sliver.service + owner: root + group: root + mode: '0600' + notify: + - reload systemd + - sliver systemd handler diff --git a/old/sliver-c2/tasks/ssh_nginx_setup.yaml b/old/sliver-c2/tasks/ssh_nginx_setup.yaml new file mode 100644 index 0000000..beb0910 --- /dev/null +++ b/old/sliver-c2/tasks/ssh_nginx_setup.yaml 
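Review bot: The `import sliver gpg key` task imports a key that is then never used — the release listing is filtered with `grep -v sig`, which explicitly drops the signature asset the hunk shows exists, and `download sliver-server binary` has no `checksum:`, so an unverified binary is installed as root with `0755` and symlinked into `/usr/local/bin`. The key is also fetched by the 8-hex short ID `4449039C`, which is trivially collidable on a keyserver; use the full 40-hex fingerprint from the Sliver project documentation instead. Complete the chain by downloading the `.sig` asset alongside the binary and running `gpg --verify` before the symlink task, as below; the URL-discovery `shell` has the same silent-empty failure mode as the Go installer (`head -1 | cut` after an API call with no `pipefail`), so guard it with `failed_when: sliver_url.stdout | length == 0`. Consider pinning a release tag rather than `releases/latest` so the playbook is reproducible.

```yaml
- name: download sliver-server signature
  get_url:
    url: "{{ sliver_url.stdout }}.sig"
    dest: "{{ install_path }}/sliver-server.sig"
    mode: '0644'

- name: verify sliver-server signature
  command:
    argv:
      - gpg
      - --verify
      - "{{ install_path }}/sliver-server.sig"
      - "{{ install_path }}/sliver-server"
  changed_when: false

# … unchanged: symlink sliver binaries …
```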
@@ -0,0 +1,76 @@ +- block: + - name: install required packages + apt: + name: + - openssl + - nginx + - sslh + - ufw + state: present + update_cache: true + + - name: deploy index.html + template: + src: index.html.j2 + dest: /var/www/html/index.html + owner: www-data + group: www-data + mode: '0644' + + - name: ensure /var/www/html directory permissions + file: + path: /var/www/html + state: directory + owner: www-data + group: www-data + mode: '0755' + + - name: generate self-signed ssl certificate + command: > + openssl req -x509 -nodes -days 365 -newkey rsa:2048 + -keyout /etc/ssl/private/nginx-selfsigned.key + -out /etc/ssl/certs/nginx-selfsigned.crt + -subj "/CN=localhost" + args: + creates: /etc/ssl/certs/nginx-selfsigned.crt + + - name: deploy nginx.conf + template: + src: nginx.conf.j2 + dest: /etc/nginx/nginx.conf + owner: root + group: root + mode: '0644' + notify: restart nginx + + - name: deploy sslh config file + template: + src: sslh.j2 + dest: /etc/default/sslh + owner: root + group: root + mode: '0644' + notify: restart sslh + + - name: allow ssh port and enable ufw + ufw: + rule: allow + port: "{{ internal_sshd_port }}" + proto: tcp + notify: + - enable ufw + - restart ufw + + - name: allow http port and enable ufw + ufw: + rule: allow + port: "{{ public_sslh_port }}" + proto: tcp + notify: + - enable ufw + - restart ufw + + when: + - public_sslh_port is defined + - internal_nginx_port is defined + - internal_sshd_port is defined |
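Review bot: The `allow ssh port and enable ufw` task opens `internal_sshd_port` to every source, which undoes the point of fronting sshd with sslh on `public_sslh_port` — the backend port only needs to be reachable from sslh on the same host, so either drop the rule or restrict it with `from_ip: 127.0.0.1` (and bind sshd to loopback in sshd_config, which harden.yaml currently writes with a fixed `Port 22` that must agree with `internal_sshd_port`). The self-signed key written by `generate self-signed ssl certificate` is created with openssl's default umask-derived mode and nothing in the block tightens it; add a follow-up `file:` task on `/etc/ssl/private/nginx-selfsigned.key` with `owner: root`, `group: root`, `mode: '0600'`. The `when:` guard also requires `internal_nginx_port` although no task in this hunk uses it, so it is presumably consumed by `nginx.conf.j2`/`sslh.j2` — worth a comment on the block saying so.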