From 00e4bcc1ec6e72fe449e5632ea2cff4fdb30ee2d Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Fri, 26 Aug 2016 00:35:07 +0300
Subject: [PATCH] security role and SSH fixes #77
---
 digitalocean.yml | 7 ++++++-
 ec2.yml | 7 ++++++-
 gce.yml | 7 ++++++-
 non-cloud.yml | 8 +++++++-
 roles/cloud-digitalocean/tasks/main.yml | 1 +
 roles/cloud-ec2/tasks/main.yml | 1 +
 roles/cloud-gce/tasks/main.yml | 1 +
 roles/common/handlers/main.yml | 3 ---
 roles/common/tasks/main.yml | 5 -----
 roles/security/handlers/main.yml | 3 +++
 roles/security/tasks/main.yml | 5 +++++
 .../{common => security}/templates/sshd_config.j2 | 0
 roles/ssh_tunneling/tasks/main.yml | 14 ++++++++++++++
 roles/vpn/tasks/main.yml | 14 ++++++++++++++
 14 files changed, 64 insertions(+), 12 deletions(-)
 rename roles/{common => security}/templates/sshd_config.j2 (100%)
diff --git a/digitalocean.yml b/digitalocean.yml
index 687bfbc..fad6b34 100644
--- a/digitalocean.yml
+++ b/digitalocean.yml
@@ -70,6 +70,11 @@
 default: "y"
 private: no
+ - name: "security_enabled"
+ prompt: "Do you want to enable the security role? (y/n):\n"
+ default: "y"
+ private: no
+
 - name: "easyrsa_p12_export_password"
 prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
 default: "vpnpw"
@@ -130,7 +135,7 @@
 roles:
 - common
- - security
+ - { role: security, when: security_enabled is defined and security_enabled == "y" }
 - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
 - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
 - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
diff --git a/ec2.yml b/ec2.yml
index a988be6..884e643 100644
--- a/ec2.yml
+++ b/ec2.yml
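Review bot: The `when` on the new security role entry accepts only a lowercase `"y"`, so an operator who answers `Y` or `yes` at the new prompt silently deploys without the iptables rules and the sshd_config template this role now owns; the same pattern is repeated in the ec2.yml, gce.yml and non-cloud.yml hunks. Because this is the hardening step, the comparison should at least normalise the answer, `- { role: security, when: security_enabled | default("y") | lower == "y" }`, or treat anything but an explicit `n` as enabled. The prompt text also does not say what is being declined; `prompt: "Do you want to enable the security role (iptables firewall and sshd_config hardening)? (y/n):\n"` tells the operator what the answer switches off.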
@@ -76,6 +76,11 @@
 default: "y"
 private: no
+ - name: "security_enabled"
+ prompt: "Do you want to enable the security role? (y/n):\n"
+ default: "y"
+ private: no
+
 - name: "easyrsa_p12_export_password"
 prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
 default: "vpnpw"
@@ -99,7 +104,7 @@
 roles:
 - common
- - security
+ - { role: security, when: security_enabled is defined and security_enabled == "y" }
 - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
 - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
 - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
diff --git a/gce.yml b/gce.yml
index 24a0cb9..599855f 100644
--- a/gce.yml
+++ b/gce.yml
@@ -74,6 +74,11 @@
 default: "y"
 private: no
+ - name: "security_enabled"
+ prompt: "Do you want to enable the security role? (y/n):\n"
+ default: "y"
+ private: no
+
 - name: "easyrsa_p12_export_password"
 prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
 default: "vpnpw"
@@ -97,7 +102,7 @@
 roles:
 - common
- - security
+ - { role: security, when: security_enabled is defined and security_enabled == "y" }
 - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
 - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
 - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
diff --git a/non-cloud.yml b/non-cloud.yml
index b1f9f65..8f5a33e 100644
--- a/non-cloud.yml
+++ b/non-cloud.yml
@@ -35,6 +35,11 @@
 default: "y"
 private: no
+ - name: "security_enabled"
+ prompt: "Do you want to enable the security role? (y/n):\n"
+ default: "y"
+ private: no
+
 - name: "easyrsa_p12_export_password"
 prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
 default: "vpnpw"
@@ -54,6 +59,7 @@
 dns_enabled: "{{ dns_enabled }}"
 proxy_enabled: "{{ proxy_enabled }}"
 ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
+ security_enabled: "{{ security_enabled }}"
 auditd_enabled: " {{ auditd_enabled }}"
 easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
 IP_subject: "{{ IP_subject }}"
@@ -75,7 +81,7 @@
 roles:
 - common
- - security
+ - { role: security, when: security_enabled is defined and security_enabled == "y" }
 - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
 - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
 - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml
index 73e5c34..ca8d7de 100644
--- a/roles/cloud-digitalocean/tasks/main.yml
+++ b/roles/cloud-digitalocean/tasks/main.yml
@@ -34,6 +34,7 @@
 dns_enabled: "{{ dns_enabled }}"
 proxy_enabled: "{{ proxy_enabled }}"
 ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
+ security_enabled: "{{ security_enabled }}"
 auditd_enabled: " {{ auditd_enabled }}"
 easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
 cloud_provider: digitalocean
diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml
index cb21189..1bfb382 100644
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@@ -72,6 +72,7 @@
 dns_enabled: "{{ dns_enabled }}"
 proxy_enabled: "{{ proxy_enabled }}"
 ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
+ security_enabled: "{{ security_enabled }}"
 auditd_enabled: " {{ auditd_enabled }}"
 easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
 cloud_provider: ec2
diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml
index 661d9cb..f96690d 100644
--- a/roles/cloud-gce/tasks/main.yml
+++ b/roles/cloud-gce/tasks/main.yml
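Review bot: The `auditd_enabled` line sitting directly under the new `security_enabled` entry carries a leading space inside its quotes (`" {{ auditd_enabled }}"`), so the value handed to the host appears to be `" y"` and the `auditd_enabled == "y"` condition on the logging role in the roles list would never match; the same context line is visible in the cloud-digitalocean, cloud-ec2 and cloud-gce hunks. If the host picks these values up as its facts, the auditd/logging role is silently skipped even when the operator asked for it, which is worth correcting while this block is being touched: `auditd_enabled: "{{ auditd_enabled }}"`. The new `security_enabled` passthrough itself matches the other flags.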
@@ -24,6 +24,7 @@
 proxy_enabled: "{{ proxy_enabled }}"
 ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
 auditd_enabled: " {{ auditd_enabled }}"
+ security_enabled: "{{ security_enabled }}"
 easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
 cloud_provider: gce
 ipv6_support: no
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 6e249d7..c229685 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -1,9 +1,6 @@
 - name: restart rsyslog
 service: name=rsyslog state=restarted
-- name: restart ssh
- service: name=ssh state=restarted
-
 - name: flush routing cache
 shell: echo 1 > /proc/sys/net/ipv4/route/flush
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index dc17b89..285fe6b 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -30,11 +30,6 @@
 when: reboot_required is defined and reboot_required.stdout == 'required'
 become: false
-- name: SSH config
- template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
- notify:
- - restart ssh
-
 - name: Disable MOTD on login and SSHD
 replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
 with_items:
diff --git a/roles/security/handlers/main.yml b/roles/security/handlers/main.yml
index ad1168b..efb7ca4 100644
--- a/roles/security/handlers/main.yml
+++ b/roles/security/handlers/main.yml
@@ -1,6 +1,9 @@
 - name: restart rsyslog
 service: name=rsyslog state=restarted
+- name: restart ssh
+ service: name=ssh state=restarted
+
 - name: restart iptables
 service: name=netfilter-persistent state=restarted
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index a528896..0f7ca09 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
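Review bot: `restart ssh` now exists only in a role that the playbooks apply conditionally (`when: security_enabled == "y"`), yet the new blockinfile task in roles/ssh_tunneling/tasks/main.yml notifies it, and common still edits /etc/ssh/sshd_config in its 'Disable MOTD on login and SSHD' task without any ssh handler of its own. When the operator declines the security role, it needs checking whether Ansible can still resolve that notify; if it cannot, the run fails after sshd_config has been modified but before sshd has picked the change up, leaving the file and the running daemon out of step. The safer placement is a `restart ssh` handler in a handlers file of the role that notifies it (ssh_tunneling), or keeping it in common, which is always applied.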
@@ -100,3 +100,8 @@
 - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
 notify:
 - restart iptables
+
+- name: SSH config
+ template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
+ notify:
+ - restart ssh
diff --git a/roles/common/templates/sshd_config.j2 b/roles/security/templates/sshd_config.j2
similarity index 100%
rename from roles/common/templates/sshd_config.j2
rename to roles/security/templates/sshd_config.j2
diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index d3f2f5a..ea4d086 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@@ -1,5 +1,19 @@
 ---
+- name: Ensure that the sshd_config file has desired options
+ blockinfile:
+ dest: /etc/ssh/sshd_config
+ marker: '# ANSIBLE_MANAGED_ssh_tunneling_role'
+ block: |
+ Match Group algo
+ AllowTcpForwarding remote
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ PermitTunnel no
+ X11Forwarding no
+ notify:
+ - restart ssh
+
 - name: Ensure that the algo group exist
 group: name=algo state=present
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 1fe08b9..f658228 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -20,6 +20,20 @@
 - strongswan
 - netfilter-persistent
+- name: Configure iptables so IPSec traffic can traverse the tunnel
+ iptables: table=nat chain=POSTROUTING source="{{ vpn_network }}" jump=MASQUERADE
+ when: (security_enabled is not defined) or
+ (security_enabled is defined and security_enabled != "y")
+ notify:
+ - save iptables
+
+- name: Configure ip6tables so IPSec traffic can traverse the tunnel
+ iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE
+ when: (security_enabled is not defined) or
+ (security_enabled is defined and security_enabled != "y")
+ notify:
+ - save iptables
+
 - name: Ensure that the strongswan group exist
 group: name=strongswan state=present
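Review bot: This template task rewrites /etc/ssh/sshd_config wholesale, while the new blockinfile task in roles/ssh_tunneling/tasks/main.yml appends a `Match Group algo` block to the same file; if the security role runs before ssh_tunneling (the roles order is outside this hunk), every run strips the block, reports the template as changed, re-appends it and restarts sshd, so the play is never idempotent and sshd bounces on each deploy. Keeping one owner for the file is simpler: render the Match block from sshd_config.j2 itself, guarded by `{% if ssh_tunneling_enabled == "y" %}`, and drop the blockinfile task. Note also that once the security role is declined this hardening template is skipped entirely and the ssh_tunneling block becomes the only sshd configuration applied, which the prompt text does not convey.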
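Review bot: The blockinfile `marker` has no `{mark}` placeholder, so the begin and end marker lines are the identical string and the module cannot tell where an existing block starts from where it ends; on a second run it is likely to leave the earlier lines in place and append the block again, accumulating duplicate `Match Group algo` stanzas in sshd_config. Use `marker: '# {mark} ANSIBLE_MANAGED_ssh_tunneling_role'`. Separately, `AllowTcpForwarding remote` permits only reverse (`-R`) forwarding, which lets members of `algo` bind listening sockets on the server, while blocking the `-L`/`-D` local and dynamic forwarding an SSH-tunneling role normally exists to provide; if the latter is the intent, this should read `AllowTcpForwarding local`.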
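Review bot: The two `when` clauses spell the same condition in a two-line form that is duplicated for the ip6tables task; `when: security_enabled | default("n") != "y"` is equivalent (undefined runs, `"y"` skips, anything else runs) and easier to keep in sync. It is also worth recording that when the security role is declined these MASQUERADE rules are the only firewall configuration this diff installs, so the host forwards VPN traffic under whatever default filter policy the image ships; a comment such as `# Only when the security role, which ships its own rules.v4/rules.v6, is disabled` makes that split ownership visible to the next maintainer. Both tasks notify `save iptables`, which is defined nowhere in this diff — presumably it exists in the vpn role's handlers; verify before merging.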