Diffstat (limited to 'roles')
-rw-r--r-- | roles/attackbox/tasks/apt_packages.yaml | 3 | ||||
-rw-r--r-- | roles/attackbox/tasks/chrome_install.yaml | 1 | ||||
-rw-r--r-- | roles/harden/handlers/main.yaml | 38 | ||||
-rw-r--r-- | roles/harden/tasks/harden.yaml | 139 | ||||
-rw-r--r-- | roles/harden/tasks/main.yaml | 170 | ||||
-rw-r--r-- | roles/icewm/tasks/main.yaml | 1 | ||||
-rw-r--r-- | roles/sliver-c2/tasks/apt_install.yaml | 3 | ||||
-rw-r--r-- | roles/sliver-c2/tasks/sliver_configure.yaml | 8 | ||||
-rw-r--r-- | roles/sliver-c2/tasks/sliver_systemd.yaml | 11 | ||||
-rw-r--r-- | roles/ssh-nginx-multiplex/handlers/main.yaml | 25 | ||||
-rw-r--r-- | roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml | 32 | ||||
-rw-r--r-- | roles/ssh-port-fwd-user/handlers/main.yaml | 6 | ||||
-rw-r--r-- | roles/ssh-port-fwd-user/tasks/main.yaml | 9 | ||||
-rw-r--r-- | roles/tigervnc/files/vnc-server-wrapper | 51 | ||||
-rw-r--r-- | roles/tigervnc/tasks/main.yaml | 18 | ||||
-rw-r--r-- | roles/tor/handlers/main.yaml | 6 | ||||
-rw-r--r-- | roles/tor/tasks/ssh_hidden_service.yaml | 14 | ||||
-rw-r--r-- | roles/tor/tasks/tor_install.yaml | 9 | ||||
-rw-r--r-- | roles/xrdp/handlers/main.yaml | 13 | ||||
-rw-r--r-- | roles/xrdp/tasks/main.yaml | 18 |
20 files changed, 329 insertions, 246 deletions
diff --git a/roles/attackbox/tasks/apt_packages.yaml b/roles/attackbox/tasks/apt_packages.yaml index 8910e04..3e118bc 100644 --- a/roles/attackbox/tasks/apt_packages.yaml +++ b/roles/attackbox/tasks/apt_packages.yaml @@ -2,4 +2,5 @@ apt: name: "{{ apt_packages }}" state: present - update_cache: true
\ No newline at end of file + update_cache: true + cache_valid_time: 86400 diff --git a/roles/attackbox/tasks/chrome_install.yaml b/roles/attackbox/tasks/chrome_install.yaml index a237b81..1bf272f 100644 --- a/roles/attackbox/tasks/chrome_install.yaml +++ b/roles/attackbox/tasks/chrome_install.yaml @@ -16,6 +16,7 @@ - name: update apt cache apt: update_cache: true + cache_valid_time: 86400 - name: install google chrome apt: diff --git a/roles/harden/handlers/main.yaml b/roles/harden/handlers/main.yaml deleted file mode 100644 index e25c78f..0000000 --- a/roles/harden/handlers/main.yaml +++ /dev/null @@ -1,38 +0,0 @@ -- name: update grub - command: update-grub - -- name: reload fail2ban - command: fail2ban-client reload - -- name: enable ufw - ufw: - state: enabled - policy: deny - -- name: restart ufw - systemd: - name: ufw - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart ssh - systemd: - name: ssh - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart unattended-upgrades - systemd: - name: unattended-upgrades - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart fail2ban - systemd: - name: fail2ban - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' diff --git a/roles/harden/tasks/harden.yaml b/roles/harden/tasks/harden.yaml deleted file mode 100644 index fe1807a..0000000 --- a/roles/harden/tasks/harden.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -- name: remove snap and snapd - apt: - name: - - snap - - snapd - state: absent - purge: true - -- name: clean apt cache - apt: - autoclean: true - -- name: clear /etc/issue and /etc/motd - copy: - content: "" - dest: "{{ item }}" - loop: - - /etc/issue - - /etc/motd - -- name: check if /etc/update-motd.d directory exists - stat: - path: /etc/update-motd.d - register: motd_dir - -- name: find files in /etc/update-motd.d - find: - paths: /etc/update-motd.d - file_type: file - register: motd_files - when: motd_dir.stat.exists - -- name: remove execute permissions from all files in /etc/update-motd.d - file: - path: "{{ item.path }}" - mode: u-x,g-x,o-x - loop: "{{ motd_files.files }}" - when: motd_dir.stat.exists - -- name: enforce root-only cron/at - file: - path: "{{ item }}" - state: touch - owner: root - group: root - mode: '0600' - loop: - - /etc/cron.allow - - /etc/at.allow - -- name: remove deny files for cron and at - file: - path: "{{ item }}" - state: absent - loop: - - /etc/cron.deny - - /etc/at.deny - -- name: backup sshd_config - copy: - src: /etc/ssh/sshd_config - dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}" - remote_src: true - -- name: harden sshd_config - copy: - dest: /etc/ssh/sshd_config - content: | - Port 22 - Banner /etc/issue - UsePAM yes - Protocol 2 - Subsystem sftp /usr/lib/openssh/sftp-server - LogLevel verbose - PrintMotd no - AcceptEnv LANG LC_* - MaxSessions 5 - StrictModes yes - Compression no - MaxAuthTries 3 - IgnoreRhosts yes - PrintLastLog yes - AddressFamily inet - X11Forwarding no - PermitRootLogin yes - AllowTcpForwarding no - ClientAliveInterval 1200 - AllowAgentForwarding no - PermitEmptyPasswords no - ClientAliveCountMax 0 - GSSAPIAuthentication no - KerberosAuthentication no - IgnoreUserKnownHosts yes - PermitUserEnvironment no - ChallengeResponseAuthentication no - MACs hmac-sha2-512,hmac-sha2-256 - Ciphers aes128-ctr,aes192-ctr,aes256-ctr - -- name: regenerate SSH host keys - 
shell: | - rm -f /etc/ssh/ssh_host_*key* - ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" - ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" - args: - creates: /etc/ssh/ssh_host_ed25519_key - notify: restart ssh - -- name: enable unattended-upgrades - shell: dpkg-reconfigure --priority=low unattended-upgrades - args: - creates: /etc/apt/apt.conf.d/50unattended-upgrades - notify: restart unattended-upgrades - -- name: disable ipv6 in grub - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"' - notify: update grub - -- name: allow ssh port and enable ufw - ufw: - rule: allow - port: 22 - proto: tcp - notify: - - enable ufw - - restart ufw - -- name: deploy custom fail2ban jail.local - template: - src: templates/jail.local.j2 - dest: /etc/fail2ban/jail.local - owner: root - group: root - mode: '0644' - notify: - - restart fail2ban - - reload fail2ban diff --git a/roles/harden/tasks/main.yaml b/roles/harden/tasks/main.yaml index 95fdd29..b6a80a9 100644 --- a/roles/harden/tasks/main.yaml +++ b/roles/harden/tasks/main.yaml 
@@ -1 +1,169 @@ -- import_tasks: tasks/harden.yaml +- name: remove snap and snapd + apt: + name: + - snap + - snapd + state: absent + purge: true + +- name: clean apt cache + apt: + autoclean: true + +- name: clear /etc/issue and /etc/motd + copy: + content: "" + dest: "{{ item }}" + loop: + - /etc/issue + - /etc/motd + +- name: check if /etc/update-motd.d directory exists + stat: + path: /etc/update-motd.d + register: motd_dir + +- name: find files in /etc/update-motd.d + find: + paths: /etc/update-motd.d + file_type: file + register: motd_files + when: motd_dir.stat.exists + +- name: remove execute permissions from all files in /etc/update-motd.d + file: + path: "{{ item.path }}" + mode: u-x,g-x,o-x + loop: "{{ motd_files.files }}" + when: motd_dir.stat.exists + +- name: enforce root-only cron/at + file: + path: "{{ item }}" + state: touch + owner: root + group: root + mode: '0600' + loop: + - /etc/cron.allow + - /etc/at.allow + +- name: remove deny files for cron and at + file: + path: "{{ item }}" + state: absent + loop: + - /etc/cron.deny + - /etc/at.deny + +- name: backup sshd_config + copy: + src: /etc/ssh/sshd_config + dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}" + remote_src: true + +- name: harden sshd_config + copy: + dest: /etc/ssh/sshd_config + content: | + Port 22 + Banner /etc/issue + UsePAM yes + Protocol 2 + Subsystem sftp /usr/lib/openssh/sftp-server + LogLevel verbose + PrintMotd no + AcceptEnv LANG LC_* + MaxSessions 5 + StrictModes yes + Compression no + MaxAuthTries 3 + IgnoreRhosts yes + PrintLastLog yes + AddressFamily inet + X11Forwarding no + PermitRootLogin yes + AllowTcpForwarding no + ClientAliveInterval 1200 + AllowAgentForwarding no + PermitEmptyPasswords no + ClientAliveCountMax 0 + GSSAPIAuthentication no + KerberosAuthentication no + IgnoreUserKnownHosts yes + PermitUserEnvironment no + ChallengeResponseAuthentication no + MACs hmac-sha2-512,hmac-sha2-256 + Ciphers aes128-ctr,aes192-ctr,aes256-ctr + +- 
name: regenerate SSH host keys + shell: | + rm -f /etc/ssh/ssh_host_*key* + ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" + ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" + args: + creates: /etc/ssh/ssh_host_ed25519_key + +- name: restart ssh + systemd: + name: ssh + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + +- name: enable unattended-upgrades + shell: dpkg-reconfigure --priority=low unattended-upgrades + args: + creates: /etc/apt/apt.conf.d/50unattended-upgrades + +- name: restart unattended-upgrades + systemd: + name: unattended-upgrades + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + +- name: disable ipv6 in grub + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"' + +- name: update grub + command: update-grub + +- name: allow ssh port and enable ufw + ufw: + rule: allow + port: 22 + proto: tcp + +- name: enable ufw + ufw: + state: enabled + policy: deny + +- name: restart ufw + systemd: + name: ufw + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + +- name: deploy custom fail2ban jail.local + template: + src: templates/jail.local.j2 + dest: /etc/fail2ban/jail.local + owner: root + group: root + mode: '0644' + +- name: restart fail2ban + systemd: + name: fail2ban + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + +- name: reload fail2ban + command: fail2ban-client reload diff --git a/roles/icewm/tasks/main.yaml b/roles/icewm/tasks/main.yaml index 7e6987d..d4738fc 100644 --- a/roles/icewm/tasks/main.yaml +++ b/roles/icewm/tasks/main.yaml @@ -9,6 +9,7 @@ - thunar state: present update_cache: true + cache_valid_time: 86400 - name: copy system-wide icewm config files copy: diff --git a/roles/sliver-c2/tasks/apt_install.yaml b/roles/sliver-c2/tasks/apt_install.yaml index 8910e04..3e118bc 100644 --- a/roles/sliver-c2/tasks/apt_install.yaml 
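Review bot: The `harden sshd_config` copy task in roles/harden/tasks/main.yaml rewrites the whole sshd_config with no `validate:`, and the `restart ssh` task that follows it (moved from the deleted handlers file into the task list) now restarts sshd on every play whether or not anything changed, so a single typo in the embedded config locks the operator out of the host. Add `validate: /usr/sbin/sshd -t -f %s` to the copy task, `register: sshd_config` on it, and gate the restart with `when: sshd_config is changed and ansible_service_mgr == 'systemd'`. The same loss of change-triggered semantics applies to `update grub`, `restart ufw`, `restart unattended-upgrades` and `restart fail2ban` in this hunk and to the restart tasks added in roles/sliver-c2, roles/ssh-nginx-multiplex, roles/ssh-port-fwd-user, roles/tor and roles/xrdp, and the timestamped `backup sshd_config` copy now leaves a new backup file behind on every run. Separately, `PermitRootLogin yes` and `ClientAliveCountMax 0` in a role named harden deserve a comment stating they are intentional, since on OpenSSH 8.2 and later a count of 0 disables the idle disconnect rather than enforcing it.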
+++ b/roles/sliver-c2/tasks/apt_install.yaml @@ -2,4 +2,5 @@ apt: name: "{{ apt_packages }}" state: present - update_cache: true
\ No newline at end of file + update_cache: true + cache_valid_time: 86400 diff --git a/roles/sliver-c2/tasks/sliver_configure.yaml b/roles/sliver-c2/tasks/sliver_configure.yaml index b90d955..cd3fa04 100644 --- a/roles/sliver-c2/tasks/sliver_configure.yaml +++ b/roles/sliver-c2/tasks/sliver_configure.yaml @@ -28,7 +28,13 @@ loop_control: loop_var: operator command: /opt/sliver/sliver-server operator --name {{ operator }} --lhost {{ sliver_server }} --save /root/.sliver-client/configs - notify: sliver systemd handler + +- name: sliver systemd handler + systemd: + name: sliver + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: fix permissions for .sliver-client directory file: diff --git a/roles/sliver-c2/tasks/sliver_systemd.yaml b/roles/sliver-c2/tasks/sliver_systemd.yaml index 3b29f0f..40ff890 100644 --- a/roles/sliver-c2/tasks/sliver_systemd.yaml +++ b/roles/sliver-c2/tasks/sliver_systemd.yaml @@ -8,3 +8,14 @@ notify: - reload systemd - sliver systemd handler + +- name: reload systemd + command: systemctl daemon-reload + when: ansible_service_mgr == 'systemd' + +- name: sliver systemd handler + systemd: + name: sliver + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' diff --git a/roles/ssh-nginx-multiplex/handlers/main.yaml b/roles/ssh-nginx-multiplex/handlers/main.yaml deleted file mode 100644 index 58c218b..0000000 --- a/roles/ssh-nginx-multiplex/handlers/main.yaml +++ /dev/null @@ -1,25 +0,0 @@ -- name: enable ufw - ufw: - state: enabled - policy: deny - -- name: restart ufw - systemd: - name: ufw - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart nginx - systemd: - name: nginx - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart sslh - systemd: - name: sslh - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' 
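Review bot: In roles/sliver-c2/tasks/sliver_systemd.yaml the `notify:` list naming `reload systemd` and `sliver systemd handler` is kept as context while plain tasks with those same names are appended below it; a `notify` can only reach handlers, so the appended tasks are either a redundant second restart (if roles/sliver-c2/handlers still defines them, which this commit does not touch) or the notify fails with a handler-not-found error once the unit-file task reports changed. Either drop the `notify:` from the unit-file task or keep the handlers and drop the two appended tasks; note that `sliver systemd handler` is also added to sliver_configure.yaml in this commit, so a play that includes both files restarts sliver at least twice. The `reload systemd` task could be `systemd: daemon_reload: true` rather than a raw `command: systemctl daemon-reload`, which reports changed on every run.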
diff --git a/roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml b/roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml index beb0910..4f614f3 100644 --- a/roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml +++ b/roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml @@ -8,6 +8,7 @@ - ufw state: present update_cache: true + cache_valid_time: 86400 - name: deploy index.html template: @@ -41,7 +42,13 @@ owner: root group: root mode: '0644' - notify: restart nginx + + - name: restart nginx + systemd: + name: nginx + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: deploy sslh config file template: @@ -50,16 +57,19 @@ owner: root group: root mode: '0644' - notify: restart sslh + + - name: restart sslh + systemd: + name: sslh + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: allow ssh port and enable ufw ufw: rule: allow port: "{{ internal_sshd_port }}" proto: tcp - notify: - - enable ufw - - restart ufw - name: allow http port and enable ufw ufw: @@ -70,6 +80,18 @@ - enable ufw - restart ufw + - name: enable ufw + ufw: + state: enabled + policy: deny + + - name: restart ufw + systemd: + name: ufw + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + when: - public_sslh_port is defined - internal_nginx_port is defined diff --git a/roles/ssh-port-fwd-user/handlers/main.yaml b/roles/ssh-port-fwd-user/handlers/main.yaml deleted file mode 100644 index 8c5ef88..0000000 --- a/roles/ssh-port-fwd-user/handlers/main.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- name: restart ssh - systemd: - name: ssh - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' diff --git a/roles/ssh-port-fwd-user/tasks/main.yaml b/roles/ssh-port-fwd-user/tasks/main.yaml index 85d7a97..de6b9b8 100644 --- a/roles/ssh-port-fwd-user/tasks/main.yaml +++ b/roles/ssh-port-fwd-user/tasks/main.yaml 
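Review bot: The `allow http port and enable ufw` task in roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml still carries `notify: - enable ufw - restart ufw` (the context lines at `@@ -70,6 +80,18 @@`), but this commit deletes roles/ssh-nginx-multiplex/handlers/main.yaml, so once that task reports changed Ansible aborts with a handler-not-found error. Remove those three `notify:` lines as was done for the ssh-port task, since the `enable ufw` and `restart ufw` tasks added below now do that work. The `restart nginx` and `restart sslh` tasks appear to sit inside the block whose `when:` closes the hunk and now run on every play rather than only after their template changes; if the old behaviour is wanted, register each template task (say `register: nginx_conf`) and gate the restart with `when: nginx_conf is changed`.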
@@ -64,7 +64,6 @@ owner: root group: root mode: '0644' - notify: restart ssh - name: ensure /etc/ssh/sshd_config includes .d directory lineinfile: @@ -72,7 +71,13 @@ regexp: '^Include /etc/ssh/sshd_config\.d/\*\.conf' line: 'Include /etc/ssh/sshd_config.d/*.conf' insertafter: EOF - notify: restart ssh + +- name: restart ssh + systemd: + name: ssh + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: fetch private key to control node fetch: diff --git a/roles/tigervnc/files/vnc-server-wrapper b/roles/tigervnc/files/vnc-server-wrapper new file mode 100644 index 0000000..ee25926 --- /dev/null +++ b/roles/tigervnc/files/vnc-server-wrapper 
@@ -0,0 +1,51 @@ +#!/bin/bash +set -euo pipefail + +VNC_PORT=5901 +DISP_NUM=1 +LOGFILE="/tmp/vnc-${USER}.log" + +usage() { + printf "%s\n" \ + "wrapper script to manage tigervnc server sessions" \ + "usage: $(basename $0) <start | stop | list>" \ + "" \ + "start start tigervnc on port ${VNC_PORT}" \ + "stop loop 1 through 10 and kill any tigervnc server displays" \ + "list list running tigervnc servers" + exit 1 +} + +case "${1:-}" in + start) + printf "%s\n" \ + "linux connection options:" \ + " ssh -fL ${VNC_PORT}:localhost:${VNC_PORT} user@server sleep 10; vncviewer localhost:${VNC_PORT}" \ + " vncviewer -via user@server localhost::${VNC_PORT}" \ + "" \ + "windows connection options:" \ + " PLINK.EXE -no-antispoof -N -L ${VNC_PORT}:localhost:${VNC_PORT} user@server" \ + " \"C:\\Program Files (x86)\\TigerVNC\\vncviewer.exe\" localhost:${VNC_PORT}" + + printf "%s\n" "[inf] starting tigervnc on :${DISP_NUM}, localhost-only" + vncserver :${DISP_NUM} \ + -localhost yes \ + -rfbport ${VNC_PORT} \ + -securitytypes none \ + -geometry 1280x800 \ + -cleanstale &> "${LOGFILE}" + printf "%s\n" "[inf] vnc started, log: ${LOGFILE}" + ;; + stop) + printf "%s\n" "[inf] stopping all running tigervnc sessions" + for i in $(seq 1 10); do + vncserver -kill :$i -clean 2>/dev/null || true + done + ;; + list) + vncserver -list + ;; + *) + usage + ;; +esac diff --git a/roles/tigervnc/tasks/main.yaml b/roles/tigervnc/tasks/main.yaml new file mode 100644 index 0000000..edd3862 --- /dev/null +++ b/roles/tigervnc/tasks/main.yaml @@ -0,0 +1,18 @@ +- name: install tigervnc server and dependencies + apt: + name: + - tigervnc-standalone-server + - tigervnc-common + - autocutsel + state: present + update_cache: true + cache_valid_time: 86400 + +- name: deploy vnc-server script to /usr/local/bin + copy: + src: vnc-server-wrapper + dest: /usr/local/bin/vnc-server-wrapper + owner: root + group: root + mode: '0755' + 
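Review bot: `LOGFILE="/tmp/vnc-${USER}.log"` near the top of roles/tigervnc/files/vnc-server-wrapper is a predictable, user-named path in a world-writable directory, and with `set -u` the script aborts outright when USER is unset (cron or systemd invocations); `&> "${LOGFILE}"` then truncates whatever that path resolves to. Prefer `LOGFILE="${XDG_RUNTIME_DIR:-/tmp}/vnc-${USER:-$(id -un)}.log"` so the log lands in the per-user runtime directory when one exists. `-securitytypes none` is defensible only because of `-localhost yes`; add a comment above the vncserver call such as `# no VNC-level auth: server binds loopback only, access is gated by the SSH tunnel` so a later edit does not drop the -localhost flag silently. Minor: `$(basename $0)` in usage() should be `"$(basename "$0")"`, and the `seq 1 10` loop can be `for i in {1..10}` in bash.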
diff --git a/roles/tor/handlers/main.yaml b/roles/tor/handlers/main.yaml deleted file mode 100644 index 8903ad6..0000000 --- a/roles/tor/handlers/main.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- name: restart tor - systemd: - name: tor - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' diff --git a/roles/tor/tasks/ssh_hidden_service.yaml b/roles/tor/tasks/ssh_hidden_service.yaml index cbac7fa..d2415f2 100644 --- a/roles/tor/tasks/ssh_hidden_service.yaml +++ b/roles/tor/tasks/ssh_hidden_service.yaml @@ -13,7 +13,13 @@ block: | HiddenServiceDir /var/lib/tor/ssh HiddenServicePort 22 127.0.0.1:22 - notify: restart tor + +- name: restart tor + systemd: + name: tor + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: wait for hidden service hostname file wait_for: @@ -78,7 +84,7 @@ fetch: src: /root/.ssh/id_ed25519_onion dest: "./{{ onion_address }}/{{ onion_address }}_id_ed25519" - flat: yes + flat: true - name: set correct permissions on fetched hidden service private key file: @@ -90,13 +96,13 @@ fetch: src: /root/.ssh/id_ed25519_onion.pub dest: "./{{ onion_address }}/{{ onion_address }}_id_ed25519.pub" - flat: yes + flat: true - name: fetch hidden service private key fetch: src: "/var/lib/tor/ssh/hs_ed25519_secret_key" dest: "./{{ onion_address }}/hs_ed25519_secret_key" - flat: yes + flat: true mode: '0600' - name: generate onion-specific ssh config snippet diff --git a/roles/tor/tasks/tor_install.yaml b/roles/tor/tasks/tor_install.yaml index 96cf98e..f1fc92f 100644 --- a/roles/tor/tasks/tor_install.yaml +++ b/roles/tor/tasks/tor_install.yaml @@ -9,6 +9,7 @@ - netcat-openbsd state: present update_cache: true + cache_valid_time: 86400 - name: check if /etc/tor/torrc exists stat: 
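Review bot: A task named `restart tor` is added both here in roles/tor/tasks/ssh_hidden_service.yaml and in the second hunk of roles/tor/tasks/tor_install.yaml, and neither is tied to a change, so a play that includes both files restarts tor at least twice per run regardless of whether torrc or the hidden-service block changed, and each restart makes the onion service briefly unreachable. Register the task that writes the `block:` opening this hunk (its header is outside the hunk) and the torrc task in tor_install.yaml, for example `register: torrc_hs`, and gate each restart with `when: torrc_hs is changed`, or keep a single restart at the end of the role. The `flat: yes` to `flat: true` changes in the later hunks are the right fix for the truthy-value lint.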
@@ -31,7 +32,13 @@ owner: debian-tor group: debian-tor mode: '0644' - notify: restart tor + +- name: restart tor + systemd: + name: tor + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' - name: check if tor is routing traffic correctly command: curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/api/ip diff --git a/roles/xrdp/handlers/main.yaml b/roles/xrdp/handlers/main.yaml deleted file mode 100644 index 5790f8b..0000000 --- a/roles/xrdp/handlers/main.yaml +++ /dev/null @@ -1,13 +0,0 @@ -- name: restart xrdp - systemd: - name: xrdp - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' - -- name: restart xrdp-sesman - systemd: - name: xrdp-sesman - state: restarted - enabled: true - when: ansible_facts['service_mgr'] == 'systemd' diff --git a/roles/xrdp/tasks/main.yaml b/roles/xrdp/tasks/main.yaml index ed95fbb..6b092c8 100644 --- a/roles/xrdp/tasks/main.yaml +++ b/roles/xrdp/tasks/main.yaml @@ -7,6 +7,7 @@ - tigervnc-standalone-server state: present update_cache: true + cache_valid_time: 86400 - name: configure polkit rules for xrdp sessions copy: @@ -58,6 +59,17 @@ src: xrdp.ini.j2 dest: /etc/xrdp/xrdp.ini mode: '0644' - notify: - - restart xrdp - - restart xrdp-sesman + +- name: restart xrdp + systemd: + name: xrdp + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' + +- name: restart xrdp-sesman + systemd: + name: xrdp-sesman + state: restarted + enabled: true + when: ansible_service_mgr == 'systemd' |