|
@@ -0,0 +1,193 @@
|
|
|
+# playbook.yml:
|
|
|
+---
|
|
|
+- name: "maplegrid"
|
|
|
+ hosts: localhost
|
|
|
+ connection: local
|
|
|
+ vars_files:
|
|
|
+ - maplegrid_variables.yml
|
|
|
+
|
|
|
+###
|
|
|
+
|
|
|
+ tasks:
|
|
|
+
|
|
|
+
|
|
|
+#Add elastic repo for v7.x
|
|
|
+
|
|
|
+
|
|
|
+ - name: Add elastic repo key
|
|
|
+ shell: curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
|
|
|
+
|
|
|
+ - name: install packages
|
|
|
+ apt:
|
|
|
+ pkg:
|
|
|
+ - apt-transport-https
|
|
|
+ - python-pip
|
|
|
+ - python3-pip
|
|
|
+
|
|
|
+ - name: add repo for elastic v7.x
|
|
|
+ shell: echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
|
|
|
+
|
|
|
+ - name: Install filebeat
|
|
|
+ apt:
|
|
|
+ name: filebeat
|
|
|
+ update_cache: yes
|
|
|
+
|
|
|
+ - name: Setup alternate SSH port
|
|
|
+ lineinfile:
|
|
|
+ dest: "/etc/ssh/sshd_config"
|
|
|
+ regexp: "^Port"
|
|
|
+ line: "Port 22222"
|
|
|
+
|
|
|
+ - name: Setup alternate SSH port in fail2ban jail
|
|
|
+ lineinfile:
|
|
|
+ dest: "/etc/fail2ban/jail.conf"
|
|
|
+ regexp: '^port = ssh'
|
|
|
+ line: "port = 22222"
|
|
|
+
|
|
|
+ - name: Restart fail2ban
|
|
|
+ service:
|
|
|
+ name: fail2ban
|
|
|
+ state: restarted
|
|
|
+ enabled: yes
|
|
|
+
|
|
|
+ #PSHITT:
|
|
|
+
|
|
|
+ - name: Install multi python packages with version specifiers
|
|
|
+ pip:
|
|
|
+ name:
|
|
|
+ - python-daemon
|
|
|
+ - argparse
|
|
|
+ - paramiko
|
|
|
+
|
|
|
+ - name: Git checkout
|
|
|
+ git:
|
|
|
+ repo: 'https://github.com/regit/pshitt'
|
|
|
+ dest: /srv/pshitt
|
|
|
+
|
|
|
+ - name: Add configuration block in /etc/systemd/system/pshitt.service
|
|
|
+ blockinfile:
|
|
|
+ create: yes
|
|
|
+ dest: /etc/systemd/system/pshitt.service
|
|
|
+ block: |
|
|
|
+ [Unit]
|
|
|
+ Description=pshitt service
|
|
|
+ Wants=network-online.target
|
|
|
+ After=network-online.target
|
|
|
+
|
|
|
+ [Service]
|
|
|
+ ExecStart=/srv/pshitt/pshitt.py -p 22 -k /etc/ssh/ssh_host_rsa_key -o /var/log/pshitt/data.json -l /var/log/pshitt/log.log
|
|
|
+
|
|
|
+ [Install]
|
|
|
+ WantedBy=multi-user.target
|
|
|
+
|
|
|
+ - name: Creates directory
|
|
|
+ file:
|
|
|
+ path: /var/log/pshitt
|
|
|
+ state: directory
|
|
|
+
|
|
|
+ #configure iptables:
|
|
|
+
|
|
|
+ - name: Creates directory
|
|
|
+ file:
|
|
|
+ path: /scripts
|
|
|
+ state: directory
|
|
|
+
|
|
|
+ - name: create rules.v4
|
|
|
+ blockinfile:
|
|
|
+ create: yes
|
|
|
+ state: present
|
|
|
+ dest: "/scripts/rules.v4"
|
|
|
+ marker: "# {mark} ANSIBLE MANAGED BLOCK #"
|
|
|
+ block: |
|
|
|
+ # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
|
|
|
+ *filter
|
|
|
+ :INPUT DROP [0:0]
|
|
|
+ :FORWARD DROP [0:0]
|
|
|
+ :OUTPUT ACCEPT [372:91728]
|
|
|
+ :fail2ban-ssh - [0:0]
|
|
|
+ -A INPUT -i lo -j ACCEPT
|
|
|
+ -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
|
|
|
+ -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
|
|
|
+ -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22222 -j ACCEPT
|
|
|
+ -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
|
+ -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
|
+ -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
|
+ -A INPUT -j DROP
|
|
|
+ -A OUTPUT -o lo -j ACCEPT
|
|
|
+ -A fail2ban-ssh -j RETURN
|
|
|
+ COMMIT
|
|
|
+ # Completed on Tue Nov 19 22:41:29 2019
|
|
|
+
|
|
|
+ - name: reload iptables v4
|
|
|
+ action: shell /sbin/iptables-restore /scripts/rules.v4
|
|
|
+
|
|
|
+ - name: save iptables v4 rules
|
|
|
+ shell: iptables-save > /etc/iptables/rules.v4
|
|
|
+
|
|
|
+ #restart services on new ports:
|
|
|
+
|
|
|
+ - name: Restart pshitt
|
|
|
+ service:
|
|
|
+ name: pshitt
|
|
|
+ state: restarted
|
|
|
+ enabled: yes
|
|
|
+
|
|
|
+ - name: Restart sshd
|
|
|
+ service:
|
|
|
+ name: ssh
|
|
|
+ state: restarted
|
|
|
+ enabled: yes
|
|
|
+
|
|
|
+ #Filebeat:
|
|
|
+
|
|
|
+ - name: delete file
|
|
|
+ ignore_errors: yes
|
|
|
+ file:
|
|
|
+ state: absent
|
|
|
+ path: /etc/filebeat/filebeat.yml
|
|
|
+
|
|
|
+ - name: Ansible create file if it doesn't exist example
|
|
|
+ ignore_errors: yes
|
|
|
+ file:
|
|
|
+ path: "/etc/filebeat/filebeat.yml"
|
|
|
+ state: touch
|
|
|
+
|
|
|
+ - name: create rules.v4
|
|
|
+ blockinfile:
|
|
|
+ create: yes
|
|
|
+ state: present
|
|
|
+ dest: "/etc/filebeat/filebeat.yml"
|
|
|
+ marker: "# {mark} ANSIBLE MANAGED BLOCK #"
|
|
|
+ block: |
|
|
|
+ filebeat.inputs:
|
|
|
+ - type: log
|
|
|
+ enabled: true
|
|
|
+ paths:
|
|
|
+ - /var/log/pshitt/data.json
|
|
|
+ json.keys_under_root: true
|
|
|
+
|
|
|
+ processors:
|
|
|
+ - drop_fields:
|
|
|
+ fields: ["beat", "source", "prospector", "offset", "host", "log", "input", "event", "fileset" ]
|
|
|
+ - add_fields:
|
|
|
+ target: ''
|
|
|
+ fields:
|
|
|
+ pshitt_host: {{ filebeat_hostname }}
|
|
|
+
|
|
|
+ output.logstash:
|
|
|
+ hosts: ["{{ logstash_ip }}:{{ logstash_port }}"]
|
|
|
+
|
|
|
+ #Filebeat service logging:
|
|
|
+ logging.level: info
|
|
|
+ logging.to_files: true
|
|
|
+ logging.files:
|
|
|
+ path: /var/log/filebeat
|
|
|
+ name: filebeat
|
|
|
+ keepfiles: 7
|
|
|
+ permissions: 0640
|
|
|
+
|
|
|
+ - name: Restart filebeat
|
|
|
+ service:
|
|
|
+ name: filebeat
|
|
|
+ state: restarted
|
|
|
+ enabled: yes
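Review bot: The systemd unit written by the `Add configuration block in /etc/systemd/system/pshitt.service` task hands the honeypot the real sshd host key (`-k /etc/ssh/ssh_host_rsa_key`) and has no `User=` line, so pshitt — which accepts untrusted connections on port 22 — appears to run as root with the same key the real SSH service on 22222 identifies itself with; a bug or compromise in the honeypot process would then expose the host's identity, and the decoy is fingerprint-identical to the real service. Generating a dedicated key in a preceding task (e.g. `ssh-keygen -t rsa -f /srv/pshitt/honeypot_key -N ''`, with `-k /srv/pshitt/honeypot_key` in `ExecStart=`) and adding `User=pshitt` plus a matching `ansible.builtin.user` task would keep the two separate; whether pshitt needs root only to bind port 22 is not visible here, in which case `AmbientCapabilities=CAP_NET_BIND_SERVICE` would be needed. The `Add elastic repo key` task earlier in the hunk pipes an unverified download into the deprecated `apt-key add` and re-runs on every play; `apt_key: url: https://artifacts.elastic.co/GPG-KEY-elasticsearch` with `id: <KEY_FINGERPRINT>` and `apt_repository: repo: "deb https://artifacts.elastic.co/packages/7.x/apt stable main"` would pin the key and be idempotent. The `save iptables v4 rules` task writes to `/etc/iptables/rules.v4`, but nothing in the play creates that directory or installs `iptables-persistent`, so on a fresh host that step presumably fails and the restored ruleset is lost on reboot.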
|