| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130 |
- # playbook.yml:
- ---
- - name: "common config"
- hosts: thismachine
- connection: local
- vars:
- users:
- - panda
- tasks:
- - name: Set timezone to Europe/Rome
- timezone:
- name: Europe/Rome
- - name: Update repositories cache
- apt:
- update_cache: yes
- - name: Install a list of packages
- apt:
- pkg:
- - htop
- - iotop
- - glances
- - screen
- - sysstat
- - git
- - nmap
- - ntp
- - tinc
- - fail2ban
- - iptables-persistent
- - debug:
- msg: The main interface is {{ ansible_default_ipv4.interface }}
- - name: Create a directory if it does not exist
- file:
- path: /scripts
- state: directory
- mode: '0755'
- - name: "Create user accounts and add users to groups"
- user:
- name: "{{ item }}"
- shell: "/bin/bash"
- with_items: "{{ users }}"
- - name: "Add authorized keys"
- authorized_key:
- user: "{{ item }}"
- key: "{{ lookup('file', 'keys/'+ item + '.key.pub') }}"
- with_items: "{{ users }}"
- - name: create rules.v4
- blockinfile:
- create: yes
- state: present
- # path: "/scripts/rules.v4"
- dest: "/scripts/rules.v4"
- marker: "# {mark} ANSIBLE MANAGED BLOCK #"
- block: |
- # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
- *filter
- :INPUT DROP [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [372:91728]
- :fail2ban-ssh - [0:0]
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
- -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
- -A INPUT -i vcn -p icmp -m icmp --icmp-type 8 -j ACCEPT
- -A INPUT -s 172.20.1.125/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda blackfox" -j ACCEPT
- -A INPUT -s 172.20.1.65/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda kiwi" -j ACCEPT
- -A INPUT -s 172.20.1.90/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment "panda scass1" -j ACCEPT
- #-A INPUT -s 172.20.1.82/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment davide -j ACCEPT
- #-A INPUT -s 172.20.1.15/32 -i vcn -p tcp -m tcp --dport 22 -m comment --comment encrypt -j ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -j DROP
- -A OUTPUT -o lo -j ACCEPT
- -A fail2ban-ssh -j RETURN
- COMMIT
- # Completed on Tue Nov 19 22:41:29 2019
- - name: create rules.v6
- blockinfile:
- create: yes
- state: present
- # path: "/scripts/rules.v4"
- dest: "/scripts/rules.v6"
- marker: "# {mark} ANSIBLE MANAGED BLOCK #"
- block: |
- # Generated by ip6tables-save v1.4.21 on Tue Nov 19 22:58:08 2019
- *filter
- :INPUT DROP [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT DROP [0:0]
- COMMIT
- # Completed on Tue Nov 19 22:58:08 2019
- - name: reload iptables v4
- action: shell /sbin/iptables-restore -! < /scripts/rules.v4
- - name: reload iptables v4
- action: shell /sbin/ip6tables-restore -! < /scripts/rules.v6
- - name: save iptables v4 rules
- shell: iptables-save > /etc/iptables/rules.v4
- - name: save iptables v6 rules
- shell: ip6tables-save > /etc/iptables/rules.v6
- - name: "Copy file with owner and permissions"
- copy:
- backup: yes
- src: "{{ playbook_dir }}/repo/bashrc"
- dest: /root/.bashrc
- owner: root
- group: root
- mode: '0644'
- - name: "ssh_hardening"
- hosts: thismachine
- connection: local
- roles:
- - ssh_hardening
|
