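# playbook.yml:
#
# Provisions a single "maplegrid" SSH-honeypot host (runs against localhost):
#   - moves the real sshd to port 22222 and puts the pshitt honeypot on port 22,
#     behind a DROP-by-default iptables ruleset (22, 22222 and ping only),
#   - ships pshitt's JSON capture log to Logstash through Filebeat 7.x.
# Expects maplegrid_variables.yml to define filebeat_hostname, logstash_ip and
# logstash_port. Every task needs root; no `become` is set here, so the play
# is assumed to be run as root — confirm against how it is invoked.
---
- name: "maplegrid"
  hosts: localhost
  connection: local
  vars_files:
    - maplegrid_variables.yml

  tasks:
    # Elastic 7.x apt repository. The apt_key/apt_repository modules replace
    # `curl | apt-key add -` and `echo | tee`, so reruns are idempotent and a
    # failed key download fails the task instead of being masked by the pipe.
    - name: Add elastic repo key
      apt_key:
        url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
        state: present

    - name: Add repo for elastic v7.x
      apt_repository:
        repo: "deb https://artifacts.elastic.co/packages/7.x/apt stable main"
        filename: elastic-7.x
        state: present

    - name: Install packages
      apt:
        update_cache: true
        pkg:
          - apt-transport-https
          - python-pip
          - python3-pip
          # Required by later tasks (git module, fail2ban jail and service)
          # but not installed by the original play, which assumed them present.
          - git
          - fail2ban

    - name: Install filebeat
      apt:
        name: filebeat
        update_cache: true

    # The real sshd moves to 22222 so the honeypot can own port 22. The
    # firewall rules below open 22222 before sshd is restarted at the end of
    # the play, so the local session is never locked out.
    - name: Setup alternate SSH port
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^Port"
        line: "Port 22222"

    # jail.local overrides jail.conf and survives package upgrades. The
    # original edited jail.conf with lineinfile, which replaces the *last*
    # `port = ssh` match and can therefore retarget a different jail.
    - name: Setup alternate SSH port in fail2ban jail
      ini_file:
        path: /etc/fail2ban/jail.local
        section: sshd
        option: port
        value: "22222"

    # pshitt SSH honeypot — https://github.com/regit/pshitt
    - name: Install pip extensions
      pip:
        name:
          - python-daemon
          - argparse
          - paramiko

    - name: Git checkout
      git:
        repo: 'https://github.com/regit/pshitt'
        dest: /srv/pshitt

    # data.json receives every username/password an attacker tries; treat the
    # directory as sensitive. Filebeat (root under the apt unit) reads it.
    - name: Create pshitt log directory
      file:
        path: /var/log/pshitt
        state: directory

    # NOTE(review): the unit runs pshitt as root and hands it the host's real
    # sshd key, so the honeypot presents the same host identity as the real
    # sshd. A dedicated key (and an unprivileged user) would be safer; kept
    # as-is to preserve the original behaviour.
    - name: Add configuration block in /etc/systemd/system/pshitt.service
      blockinfile:
        create: true
        path: /etc/systemd/system/pshitt.service
        block: |
          [Unit]
          Description=pshitt service
          Wants=network-online.target
          After=network-online.target

          [Service]
          ExecStart=/srv/pshitt/pshitt.py -p 22 -k /etc/ssh/ssh_host_rsa_key -o /var/log/pshitt/data.json -l /var/log/pshitt/log.log

          [Install]
          WantedBy=multi-user.target

    # iptables: INPUT/FORWARD default DROP; only 22 (honeypot), 22222 (real
    # sshd) and ICMP echo are accepted on the default interface. The marker
    # lines blockinfile adds start with '#', which iptables-restore ignores.
    - name: Create scripts directory
      file:
        path: /scripts
        state: directory

    - name: Create rules.v4
      blockinfile:
        create: true
        state: present
        path: "/scripts/rules.v4"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [372:91728]
          :fail2ban-ssh - [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22222 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -j DROP
          -A OUTPUT -o lo -j ACCEPT
          -A fail2ban-ssh -j RETURN
          COMMIT
          # Completed on Tue Nov 19 22:41:29 2019

    # iptables-restore (without --noflush) replaces the whole filter table.
    - name: Reload iptables v4
      command: /sbin/iptables-restore /scripts/rules.v4

    # The original redirected into /etc/iptables without ensuring it exists.
    # Presumably iptables-persistent (or equivalent) restores rules.v4 at
    # boot — confirm, otherwise the ruleset is lost on reboot.
    - name: Ensure /etc/iptables exists
      file:
        path: /etc/iptables
        state: directory

    - name: Save iptables v4 rules
      shell: iptables-save > /etc/iptables/rules.v4

    # Restarted only after iptables-restore: the restore flushes the filter
    # table and with it the chain and INPUT jump fail2ban inserts at start,
    # so restarting it earlier (as the original did) left sshd unprotected.
    - name: Restart fail2ban
      service:
        name: fail2ban
        state: restarted
        enabled: true

    # Restart services on their new ports. The systemd module reloads unit
    # files so the freshly written pshitt.service is picked up.
    - name: Restart pshitt
      systemd:
        name: pshitt
        state: restarted
        enabled: true
        daemon_reload: true

    - name: Restart sshd
      service:
        name: ssh
        state: restarted
        enabled: true

    # Filebeat: write the whole config rather than delete + touch + blockinfile,
    # so the packaged default filebeat.yml (which would duplicate the
    # filebeat.inputs key) is replaced in one idempotent step. 0600 keeps the
    # Logstash endpoint private and satisfies Filebeat's config-permission check.
    - name: Write filebeat.yml
      copy:
        dest: /etc/filebeat/filebeat.yml
        owner: root
        group: root
        mode: "0600"
        content: |
          filebeat.inputs:
          - type: log
            enabled: true
            paths:
              - /var/log/pshitt/data.json
            json.keys_under_root: true

          processors:
            - drop_fields:
                fields: ["beat", "source", "prospector", "offset", "host", "log", "input", "event", "fileset" ]
            - add_fields:
                target: ''
                fields:
                  pshitt_host: "{{ filebeat_hostname }}"

          output.logstash:
            hosts: ["{{ logstash_ip }}:{{ logstash_port }}"]

          #Filebeat service logging:
          logging.level: info
          logging.to_files: true
          logging.files:
            path: /var/log/filebeat
            name: filebeat
            keepfiles: 7
            permissions: 0640

    - name: Restart filebeat
      service:
        name: filebeat
        state: restarted
        enabled: true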