189 lines
5 KiB
YAML
189 lines
5 KiB
YAML
# playbook.yml:
|
|
---
|
|
- name: "maplegrid"
|
|
hosts: localhost
|
|
connection: local
|
|
vars_files:
|
|
- maplegrid_variables.yml
|
|
|
|
###
|
|
|
|
tasks:
|
|
|
|
|
|
#Add elastic repo for v7.x
|
|
|
|
|
|
- name: Add elastic repo key
|
|
shell: curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
|
|
|
|
- name: install packages
|
|
apt:
|
|
pkg:
|
|
- apt-transport-https
|
|
- python-pip
|
|
- python3-pip
|
|
|
|
- name: add repo for elastic v7.x
|
|
shell: echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
|
|
|
|
- name: Install filebeat
|
|
apt:
|
|
name: filebeat
|
|
update_cache: yes
|
|
|
|
- name: Setup alternate SSH port
|
|
lineinfile:
|
|
dest: "/etc/ssh/sshd_config"
|
|
regexp: "^Port"
|
|
line: "Port 22222"
|
|
|
|
- name: Setup alternate SSH port in fail2ban jail
|
|
lineinfile:
|
|
dest: "/etc/fail2ban/jail.conf"
|
|
regexp: '^port = ssh'
|
|
line: "port = 22222"
|
|
|
|
- name: Restart fail2ban
|
|
service:
|
|
name: fail2ban
|
|
state: restarted
|
|
enabled: yes
|
|
|
|
#PSHITT:
|
|
|
|
- name: Install pip extensions
|
|
shell: pip install python-daemon argparse paramiko
|
|
|
|
- name: Git checkout
|
|
git:
|
|
repo: 'https://github.com/regit/pshitt'
|
|
dest: /srv/pshitt
|
|
|
|
- name: Add configuration block in /etc/systemd/system/pshitt.service
|
|
blockinfile:
|
|
create: yes
|
|
dest: /etc/systemd/system/pshitt.service
|
|
block: |
|
|
[Unit]
|
|
Description=pshitt service
|
|
Wants=network-online.target
|
|
After=network-online.target
|
|
|
|
[Service]
|
|
ExecStart=/srv/pshitt/pshitt.py -p 22 -k /etc/ssh/ssh_host_rsa_key -o /var/log/pshitt/data.json -l /var/log/pshitt/log.log
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
|
|
- name: Creates directory
|
|
file:
|
|
path: /var/log/pshitt
|
|
state: directory
|
|
|
|
#configure iptables:
|
|
|
|
- name: Creates directory
|
|
file:
|
|
path: /scripts
|
|
state: directory
|
|
|
|
- name: create rules.v4
|
|
blockinfile:
|
|
create: yes
|
|
state: present
|
|
dest: "/scripts/rules.v4"
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK #"
|
|
block: |
|
|
# Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD DROP [0:0]
|
|
:OUTPUT ACCEPT [372:91728]
|
|
:fail2ban-ssh - [0:0]
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
|
|
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
|
|
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22222 -j ACCEPT
|
|
-A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
-A INPUT -j DROP
|
|
-A OUTPUT -o lo -j ACCEPT
|
|
-A fail2ban-ssh -j RETURN
|
|
COMMIT
|
|
# Completed on Tue Nov 19 22:41:29 2019
|
|
|
|
- name: reload iptables v4
|
|
action: shell /sbin/iptables-restore /scripts/rules.v4
|
|
|
|
- name: save iptables v4 rules
|
|
shell: iptables-save > /etc/iptables/rules.v4
|
|
|
|
#restart services on new ports:
|
|
|
|
- name: Restart pshitt
|
|
service:
|
|
name: pshitt
|
|
state: restarted
|
|
enabled: yes
|
|
|
|
- name: Restart sshd
|
|
service:
|
|
name: ssh
|
|
state: restarted
|
|
enabled: yes
|
|
|
|
#Filebeat:
|
|
|
|
- name: delete file
|
|
ignore_errors: yes
|
|
file:
|
|
state: absent
|
|
path: /etc/filebeat/filebeat.yml
|
|
|
|
- name: Ansible create file if it doesn't exist example
|
|
ignore_errors: yes
|
|
file:
|
|
path: "/etc/filebeat/filebeat.yml"
|
|
state: touch
|
|
|
|
- name: create rules.v4
|
|
blockinfile:
|
|
create: yes
|
|
state: present
|
|
dest: "/etc/filebeat/filebeat.yml"
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK #"
|
|
block: |
|
|
filebeat.inputs:
|
|
- type: log
|
|
enabled: true
|
|
paths:
|
|
- /var/log/pshitt/data.json
|
|
json.keys_under_root: true
|
|
|
|
processors:
|
|
- drop_fields:
|
|
fields: ["beat", "source", "prospector", "offset", "host", "log", "input", "event", "fileset" ]
|
|
- add_fields:
|
|
target: ''
|
|
fields:
|
|
pshitt_host: {{ filebeat_hostname }}
|
|
|
|
output.logstash:
|
|
hosts: ["{{ logstash_ip }}:{{ logstash_port }}"]
|
|
|
|
#Filebeat service logging:
|
|
logging.level: info
|
|
logging.to_files: true
|
|
logging.files:
|
|
path: /var/log/filebeat
|
|
name: filebeat
|
|
keepfiles: 7
|
|
permissions: 0640
|
|
|
|
- name: Restart filebeat
|
|
service:
|
|
name: filebeat
|
|
state: restarted
|
|
enabled: yes
|