wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-04-26 19:14:01 +02:00
Code Issues Projects Releases Wiki Activity

fix

Browse source
This commit is contained in:
Jack Ivanov 2016-08-25 22:20:53 +03:00
commit cf08c5ff61
14 changed files with 178 additions and 183 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
digitalocean.yml
View file

@ -1,3 +1,4 @@
# vim:ft=ansible:
- name: Configure the server and install required software - name: Configure the server and install required software
hosts: localhost hosts: localhost
@ -50,27 +51,27 @@
private: no private: no
- name: "dns_enabled" - name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "ssh_tunneling_enabled" - name: "ssh_tunneling_enabled"
prompt: "Do you want to use SSH tunneling ? (Y or N):\n" prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter a password for p12 certificates:\n"
default: "vpn" default: "vpn"
private: yes private: yes
@ -131,10 +132,10 @@
- common - common
- security - security
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "Y" } - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
handlers: handlers:
- name: reload eth0 - name: reload eth0

109
ec2.yml
View file

@ -21,66 +21,65 @@
"11": "sa-east-1" "11": "sa-east-1"
vars_prompt: vars_prompt:
- name: "aws_access_key"
prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
private: yes
- name: "aws_access_key" - name: "aws_secret_key"
prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
private: yes private: yes
- name: "aws_secret_key" - name: "region"
prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" prompt: >
private: yes What region should the server be located in?
1. us-east-1 US East (N. Virginia)
2. us-west-1 US West (N. California)
3. us-west-2 US West (Oregon)
4. ap-south-1 Asia Pacific (Mumbai)
5. ap-northeast-2 Asia Pacific (Seoul)
6. ap-southeast-1 Asia Pacific (Singapore)
7. ap-southeast-2 Asia Pacific (Sydney)
8. ap-northeast-1 Asia Pacific (Tokyo)
9. eu-central-1 EU (Frankfurt)
10. eu-west-1 EU (Ireland)
11. sa-east-1 South America (São Paulo)
default: "1"
private: no
- name: "region" - name: "aws_server_name"
prompt: > prompt: "Name the vpn server:\n"
What region should the server be located in? default: "algo.local"
1. us-east-1 US East (N. Virginia) private: no
2. us-west-1 US West (N. California)
3. us-west-2 US West (Oregon)
4. ap-south-1 Asia Pacific (Mumbai)
5. ap-northeast-2 Asia Pacific (Seoul)
6. ap-southeast-1 Asia Pacific (Singapore)
7. ap-southeast-2 Asia Pacific (Sydney)
8. ap-northeast-1 Asia Pacific (Tokyo)
9. eu-central-1 EU (Frankfurt)
10. eu-west-1 EU (Ireland)
11. sa-east-1 South America (São Paulo)
default: "1"
private: no
- name: "aws_server_name" - name: "ssh_public_key"
prompt: "Name the vpn server:\n" prompt: "Enter the local path to your SSH public key:\n"
default: "algo.local" default: "~/.ssh/id_rsa.pub"
private: no private: no
- name: "ssh_public_key" - name: "dns_enabled"
prompt: "Enter the local path to your SSH public key:\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "~/.ssh/id_rsa.pub" default: "y"
private: no private: no
- name: "dns_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "auditd_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "ssh_tunneling_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "ssh_tunneling_enabled" - name: "easyrsa_p12_export_password"
prompt: "Do you want to use SSH tunneling ? (Y or N):\n" prompt: "Enter a password for p12 certificates:\n"
default: "Y" default: "vpn"
private: no private: yes
- name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n"
default: "vpn"
private: yes
roles: roles:
- cloud-ec2 - cloud-ec2
@ -102,7 +101,7 @@
- common - common
- security - security
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }

27
gce.yml
View file

@ -1,3 +1,4 @@
# vim:ft=ansible:
- name: Configure the server and install required software - name: Configure the server and install required software
hosts: localhost hosts: localhost
gather_facts: false gather_facts: false
@ -54,27 +55,27 @@
private: no private: no
- name: "dns_enabled" - name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "ssh_tunneling_enabled" - name: "ssh_tunneling_enabled"
prompt: "Do you want to use SSH tunneling ? (Y or N):\n" prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter a password for p12 certificates:\n"
default: "vpn" default: "vpn"
private: yes private: yes
@ -98,7 +99,7 @@
- common - common
- security - security
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }

73
non-cloud.yml
View file

@ -1,47 +1,48 @@
# vim:ft=ansible:
- hosts: localhost - hosts: localhost
gather_facts: False gather_facts: False
vars_files: vars_files:
- config.cfg - config.cfg
vars_prompt: vars_prompt:
- name: "server_ip"
prompt: "Enter IP address of your server: (use localhost for local installation)\n"
default: localhost
private: no
- name: "server_ip" - name: "server_user"
prompt: "Enter IP address of your server: (use localhost for local installation)\n" prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n"
default: localhost default: "root"
private: no private: no
- name: "server_user" - name: "dns_enabled"
prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "root" default: "y"
private: no private: no
- name: "dns_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "auditd_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "ssh_tunneling_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "ssh_tunneling_enabled" - name: "easyrsa_p12_export_password"
prompt: "Do you want to use SSH tunneling ? (Y or N):\n" prompt: "Enter a password for p12 certificates:\n"
default: "Y" default: "vpn"
private: no private: yes
- name: "easyrsa_p12_export_password" - name: "IP_subject"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
default: "vpn" private: no
private: yes
- name: "IP_subject"
prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
private: no
tasks: tasks:
- name: Add the server to the vpn-host group - name: Add the server to the vpn-host group
@ -76,7 +77,7 @@
- common - common
- security - security
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }

13
roles/common/templates/sshd_config.j2
View file

@ -24,7 +24,6 @@ PubkeyAuthentication yes
AcceptEnv LANG LC_* AcceptEnv LANG LC_*
# Turn off a lot of features # Turn off a lot of features
AllowAgentForwarding no
IgnoreRhosts yes IgnoreRhosts yes
RhostsRSAAuthentication no RhostsRSAAuthentication no
RSAAuthentication no RSAAuthentication no
@ -33,7 +32,6 @@ PermitEmptyPasswords no
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
PasswordAuthentication no PasswordAuthentication no
UseDNS no UseDNS no
X11Forwarding no
# Do not enable sftp # Do not enable sftp
# If you DO enable it, use this line to log which files sftp users read/write # If you DO enable it, use this line to log which files sftp users read/write
@ -51,21 +49,16 @@ HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
###
# TODO: I haven't seen anyone review these yet # TODO: I haven't seen anyone review these yet
# HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 # HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
# TODO: I haven't seen anyone review these yet # TODO: I haven't seen anyone review these yet
# PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 # PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
# TODO: I think we want to enable tunnels but disable stream local fowarding?
# PermitTunnel yes
# AllowStreamLocalForwarding no
{% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %} {% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %}
Match Group algo Match Group algo
AllowTcpForwarding remote AllowTcpForwarding remote
AllowAgentForwarding no
AllowStreamLocalForwarding no AllowStreamLocalForwarding no
PermitTunnel no
X11Forwarding no
{% endif %} {% endif %}

2
roles/dns_adblocking/tasks/main.yml
View file

@ -10,7 +10,7 @@
- restart dnsmasq - restart dnsmasq
- name: The dnsmasq directory created - name: The dnsmasq directory created
file: dest=/var/lib/dnsmasq state=directory mode=755 owner=dnsmasq group=nogroup file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup
- name: Enforce the dnsmasq AppArmor policy - name: Enforce the dnsmasq AppArmor policy
shell: aa-enforce usr.sbin.dnsmasq shell: aa-enforce usr.sbin.dnsmasq