From 80752bb548df863a5de9d5a9720db2327ea02cf8 Mon Sep 17 00:00:00 2001
From: Alex
Date: Wed, 8 Apr 2020 01:50:04 +0200
Subject: [PATCH] Add iptables rules, git and sed for setup, disable root account and add ssh key and unpriviledge account
---
files/iptables-rules/rules.v4 | 28 ++++++++++++++++++++++++
files/ssh.pub | 1 +
handlers/main.yml | 5 +++++
tasks/main.yml | 40 +++++++++++++++++++++++++++++++++++
4 files changed, 74 insertions(+)
create mode 100644 files/iptables-rules/rules.v4
create mode 100644 files/ssh.pub
create mode 100644 handlers/main.yml
diff --git a/files/iptables-rules/rules.v4 b/files/iptables-rules/rules.v4
new file mode 100644
index 0000000..33478d5
--- /dev/null
+++ b/files/iptables-rules/rules.v4
@@ -0,0 +1,28 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [10:1692]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+*nat
+:PREROUTING ACCEPT [2:162]
+:INPUT ACCEPT [1:110]
+:OUTPUT ACCEPT [1:110]
+:POSTROUTING ACCEPT [1:110]
+COMMIT
+*mangle
+:PREROUTING ACCEPT [8:1024]
+:INPUT ACCEPT [8:1024]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [11:1802]
+:POSTROUTING ACCEPT [11:1802]
+-A OUTPUT -j TOS --set-tos 0x10/0xff
+-A OUTPUT -j DSCP --set-dscp 0x22
+COMMIT
diff --git a/files/ssh.pub b/files/ssh.pub
new file mode 100644
index 0000000..8c36a33
--- /dev/null
+++ b/files/ssh.pub
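Review bot: Only `rules.v4` is added, so IPv6 is left unfiltered: netfilter-persistent's ip6tables plugin loads `/etc/iptables/rules.v6` only when that file exists, and with none present the ip6tables INPUT policy stays at the kernel's ACCEPT default, so — unless something outside this role sets ip6tables — every port this v4 filter drops is reachable over any global IPv6 address the host gets. Ship a `files/iptables-rules/rules.v6` next to it (the copy task syncs the whole directory, so no task change is needed); note that IPv6 needs ICMPv6 allowed more broadly than echo-request, because neighbour discovery is not tracked as RELATED/ESTABLISHED. Separately, `:FORWARD ACCEPT [0:0]` contradicts the DROP policy on INPUT — the lone FORWARD rule accepting RELATED,ESTABLISHED is meaningless under an ACCEPT policy — and `:FORWARD DROP [0:0]` costs nothing on a host that is not a router while preventing it from becoming one the day `ip_forward` is flipped on. The non-zero counters (`[10:1692]` and friends) are leftovers of `iptables-save` on a live box; `iptables-restore` ignores them, so zero them for a clean fixture. A minimal `rules.v6` mirroring the v4 filter table:
```iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT
COMMIT
```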
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyzEllhePOhNp1R8QElQmISJad6nj0hVSTrfnufVLyWR8pWwIKoQasxhadiJHyFOb9TILzQLxKmxw++5FtzuHQnML0+Yp9T9QqtnIefsMZD1FXmU/6V09PcLYKo+EcFe5s9OHOhNqbRnTZZZZ6+W80m0lLjSDyuUP2hNxUJxrbwhPyhsTyS+0vMaxx0JsnQer+gI6iltQV4LjSmx/RsEOOIcEgUCCpnJnNd03DZFniZ7SS6QDAFYxKCGXBoQ5ZY9JQSI+6AGTfqCZFZNhZkJ7HHLR0qtN/opARQYtjmRUmA7Z7Jd9zSMpywoW56sMdv9LQojr2NWVZ8lPQkPSM77Mk0rKI9nT23Hfu9PG1autx+hOmRZyHse55AX6SsKvg6JNZsbC7Ofnd4rPHinBj2FT0fR6CvIJGhyYiak06wfJE54z4VnLxvBdfsOsgS2hbVoFHye7o3Zkf84FWCqBGFicydDY8iOHdZJNGSPRP7wqwfIWenbQqv5klvpZRWC4J9795lmOlG87vzavfqSFM6lWvM7YuITSmZvkN71+1PK17X735jB6QZNSZjffDCUMgQchBpclRGEzu7r5+7UnoLVKNfmFw4hIPzqGz4Yf5hh3ASZwYg+sPLJshTbB+RwhgSrY/2YO8djL8xmbhzuJUVhm+Fz0hCkvxR71hbJaoCY2sXQ== 1A4E6AED12A550CCDD65F90E8DE0E9DF1BDBBD80
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..db92bcc
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: Enable and restart iptables
+ systemd:
+ daemon_reload: yes
+ name: netfilter-persistent
+ state: restart
diff --git a/tasks/main.yml b/tasks/main.yml
index f92a231..ca6bbd6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -2,6 +2,9 @@
 apt:
 install_recommends: no
 name:
+ - netfilter-persistent
+ - sed
+ - git
 - zsh
 - vim
 - sudo
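Review bot: The role bakes a single operator's public key into `files/ssh.pub`, so every host any consumer of this role runs it on grants that identity login and, through the `sudo` group membership added in tasks, root; the key material should come from a role variable (a list defaulted in `defaults/main.yml` and fed to `authorized_key` with `loop`) rather than a fixed file. The key comment `1A4E6AED12A550CCDD65F90E8DE0E9DF1BDBBD80` looks like a GPG fingerprint rather than a `user@host` identity, which makes later audits of `authorized_keys` harder than they need to be.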
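Review bot: `state: restart` on the last line is not a value the `systemd` module accepts (it takes `started`, `stopped`, `restarted` or `reloaded`), so the handler fails the first time the iptables copy notifies it and the new rules are never loaded; it should read `state: restarted`. The handler is named "Enable and restart" but nothing sets `enabled: true`, so if the package did not enable the unit on install the rules will not be restored at boot. `daemon_reload: yes` is unnecessary here since no unit file is changed, and the boolean should be written `true` rather than `yes`.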
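Review bot: With `install_recommends: no` two lines above the change, installing `netfilter-persistent` alone may leave the iptables plugin out: on Debian and Ubuntu the `rules.v4` loader (`plugins.d/15-ip4tables`) ships in `iptables-persistent`, which `netfilter-persistent` only Recommends, so the copied rules file would sit unused at boot; if that holds for the target release, list `- iptables-persistent` instead (it depends on both `netfilter-persistent` and `iptables`). `sed` is an Essential package on Debian and does not need listing, and `git` widens what is installed on a host this commit is otherwise locking down — a comment stating which setup step needs it would justify keeping it. The enclosing `apt` task starts before this hunk.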
@@ -15,3 +18,40 @@
 apt:
 autoremove: yes
 autoclean: yes
+- name: Create unpriviledged user
+ user:
+ name: '{{ username }}'
+ password: "{{ password | password_hash('sha512') }}"
+ shell: /bin/zsh
+ groups: sudo
+ append: yes
+- name: Copy ssh key for unpriviledged user
+ authorized_key:
+ key: "{{lookup('file', '{{ role_path }}/files/ssh.pub')}}"
+ follow: yes
+ user: '{{ username }}'
+- name: Disable the root account
+ user:
+ name: root
+ password: '!'
+ password_lock: yes
+- name: Disable SSH login for root
+ replace:
+ path: /etc/ssh/sshd_config
+ regexp: "^.*PermitRootLogin.*$"
+ replace: "PermitRootLogin no"
+- name: Disable SSH password authentication
+ replace:
+ path: /etc/ssh/sshd_config
+ regexp: "^.*PasswordAuthentication.*$"
+ replace: "PasswordAuthentication no"
+- name: Reload SSH service
+ systemd:
+ name: ssh
+ state: reloaded
+- name: Set base iptables filter
+ copy:
+ src: '{{ role_path }}/files/iptables-rules/'
+ dest: '/etc/iptables/'
+ notify:
+ - Enable and restart iptables
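Review bot: The two `replace` tasks rewrite `/etc/ssh/sshd_config` with the unanchored patterns `^.*PermitRootLogin.*$` and `^.*PasswordAuthentication.*$` and hand the result straight to the reload with no syntax check, so any line containing those words — a commented-out default, or a directive inside a `Match` block — is rewritten, and a malformed file is only discovered when sshd re-reads it. Add `validate: /usr/sbin/sshd -t -f %s` to both tasks and anchor the pattern (`^#?\s*PermitRootLogin\b.*$`), or switch to `lineinfile` so the directive is also inserted when it is absent entirely. The user task hashes `{{ password }}` with `password_hash('sha512')` and no fixed salt, so a fresh hash is produced on every run and the task reports changed forever; pass `update_password: on_create` or a stored salt, and keep the plaintext `password` variable in vault rather than plain vars. `lookup('file', '{{ role_path }}/files/ssh.pub')` nests moustaches inside a Jinja expression — `lookup('file', 'ssh.pub')` already resolves against the role's `files/` directory — and the unconditional `Reload SSH service` task belongs in a handler notified by the two edits. Typo: "unpriviledged" → "unprivileged" in both task names.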