ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update..

Browse Source
This commit is contained in:
Christoph 2022-05-24 02:46:25 +02:00
parent 3699bcc0e1
commit 1a0d330ce3
7 changed files with 403 additions and 116 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
host_vars/bbb-server.b3-bornim.netz.yml
View File

@ -179,6 +179,19 @@ samba_groups:
samba_user:
- name: b3-user
groups:
- buero
- team
- fnr
- praktikant
password: '20-buero_user-22!'
- name: b3-prakti
groups:
- praktikant
password: '20-b3_praktikant-22%'
- name: caroline
groups:

15
host_vars/file-blkr.blkr.netz.yml
View File

@ -75,6 +75,21 @@ sshd_macs:
- hmac-sha2-512-etm@openssh.com
- umac-128-etm@openssh.com
sshd_hostkeyalgorithms:
- ecdsa-sha2-nistp256-cert-v01@openssh.com
- ecdsa-sha2-nistp384-cert-v01@openssh.com
- ecdsa-sha2-nistp521-cert-v01@openssh.com
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
- rsa-sha2-256-cert-v01@openssh.com
- ssh-rsa-cert-v01@openssh.com
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-ed25519
- rsa-sha2-512
- rsa-sha2-256
- ssh-rsa
# ---
# vars used by roles/common/tasks/apt.yml

4
host_vars/ga-al-gw.oopen.de.yml
View File

@ -200,6 +200,10 @@ network_interfaces:
- /sbin/ip route add 172.16.11.0/24 via 172.16.111.254
- /sbin/ip route add 172.16.12.0/24 via 172.16.111.254
- /sbin/ip route add 172.16.13.0/24 via 172.16.111.254
# - FritzBox Novalishaus
- /sbin/ip route add 172.16.80.0/24 via 172.16.111.254
# - DigitBox Novalishaus
- /sbin/ip route add 172.16.81.0/24 via 172.16.111.254
- device: eth4

6
host_vars/zapata.opp.netz.yml
View File

@ -237,6 +237,12 @@ samba_user:
- beratung
password: '20_cristina_18!'
- name: dori
groups:
- buero
- beratung
password: 'K4lt3r_hUnD'
- name: drucker
groups:
- buero

12
hosts
View File

@ -34,7 +34,7 @@ gw-b3.oopen.de
gw-blkr.oopen.de
gw-d11.oopen.de
gw-flr.oopen.de
gw-irights.oopen.de
gw-irights.irights.netz
gw-km.oopen.de
gw-mbr.oopen.de
gw-opp.oopen.de
@ -53,7 +53,7 @@ gw-replacement2.local.netz
k1371.dyndns.org
ga-st-gw-ersatz.ga.netz
ga-st-gw.oopen.de
ga-st-gw-surf1.oopen.de
ga-al-gw.oopen.de
ga-nh-gw.oopen.de
ga-st-lxc1.ga.netz
@ -214,7 +214,7 @@ gw-blkr.oopen.de
gw-d11.oopen.de
gw-flr.oopen.de
gw-km.oopen.de
gw-irights.oopen.de
gw-irights.irights.netz
gw-mbr.oopen.de
gw-opp.oopen.de
gw-km.oopen.de
@ -236,7 +236,7 @@ gw-replacement2.local.netz
k1371.dyndns.org
ga-st-gw-ersatz.ga.netz
ga-st-gw.oopen.de
ga-st-gw-surf1.oopen.de
ga-al-gw.oopen.de
ga-nh-gw.oopen.de
@ -1529,7 +1529,7 @@ gw-ak.oopen.de
gw-akb.oopen.de
gw-ckubu.local.netz
gw-replacement.local.netz
gw-irights.oopen.de
gw-irights.irights.netz
gw-km.oopen.de
gw-mbr.oopen.de
gw-opp.oopen.de
@ -1540,7 +1540,7 @@ gw-kb.oopen.de
k1371.dyndns.org
ga-st-gw-ersatz.ga.netz
ga-st-gw.oopen.de
ga-st-gw-surf1.oopen.de
ga-al-gw.oopen.de
ga-nh-gw.oopen.de

234
roles/modify-ipt-gateway-ro/tasks/main.yml
View File

@ -108,95 +108,219 @@
notify:
- Restart IPv6 Firewall
- name: addjust line 'adjust_kernel_parameters' (IPv6)
lineinfile:
path: /ro/etc/ipt-firewall/main_ipv6.conf
regexp: '^adjust_kernel_parameters='
line: '#adjust6_kernel_parameters=true'
when:
- main_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
- name: addjust line 'protect_against_several_attack' (IPv6)
lineinfile:
path: /ro/etc/ipt-firewall/main_ipv6.conf
regexp: '^protect_against_several_attacks='
line: '#protect6_against_several_attacks=true'
when:
- main_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
# ---
# Allow local services from ALL extern netwoks
# Block Routers
# ---
- name: Check if String 'allow_all_ext_traffic_to_local_service..' (IPv4) is present
shell: grep -q -E "^allow_all_ext_traffic_to_local_service=" /ro/etc/ipt-firewall/main_ipv4.conf
register: allow_all_ext_traffic_to_local_service_ipv4_present
- name: Check if String 'drop_syn_flood..' (IPv4) is present
shell: grep -q -E "^#?drop_syn_flood=" /ro/etc/ipt-firewall/main_ipv4.conf
register: drop_syn_flood_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "allow_all_ext_traffic_to_local_service_ipv4_present.rc > 1"
changed_when: "allow_all_ext_traffic_to_local_service_ipv4_present.rc > 0"
failed_when: "drop_syn_flood_ipv4_present.rc > 1"
changed_when: "drop_syn_flood_ipv4_present.rc > 0"
- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (allow_all_ext_traffic_to_local_service)
- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (drop_syn_flood)
blockinfile:
path: /ro/etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*any_access_from_inet_networks'
insertafter: '^#?\s*protect_against_several_attacks=true'
block: |
# =============
# - Allow local services from ALL extern netwoks
# =============
# Protection against syn-flooding
#
#drop_syn_flood=false
# - allow_all_ext_traffic_to_local_service
# - I have to say that fragments scare me more than anything.
# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# - fragments is very OS-dependent (see this paper for details).
# - I am not going to trust any fragments.
# - Log fragments just to see if we get any, and deny them too
# -
# - allow_all_ext_traffic_to_local_service="local-address:port:protocol [local-address:port:protocol] .."
# - !! 'drop_fragments' does not work within telekom mobile connections !!
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
# -
# - Example:
# - allow extern traffic to service at 83.223.73.210 on port 1036
# - allow extern traffic to https service at 83.223.73.204
# -
# - allow_ext_net_to_local_service="
# - 83.223.73.210:1036:tcp
# - 83.223.73.204:$standard_https_port:tcp
# - "
# -
# - Blank separated list
# -
allow_all_ext_traffic_to_local_service=""
marker: "# Marker set by modify-ipt-gateway.yml (allow_all_ext_traffic_to_local_service)"
#drop_fragments=true
# drop new packages without syn flag
#
#drop_new_not_sync=true
# drop invalid packages
#
#drop_invalid_state=true
# drop packages with unusal flags
#
#drop_invalid_flags=true
# Refuse private addresses on extern interfaces
#
# Refuse packets claiming to be from a
# Class A private network
# Class B private network
# Class C private network
# loopback interface
# Class D multicast address
# Class E reserved IP address
# broadcast address
#drop_spoofed=true
# Don't allow spoofing from that server
#
#drop_spoofed_out=true
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
#drop_ext_to_lo=true
marker: "# Marker set by modify-ipt-gateway.yml (drop_syn_flood)"
when:
- main_ipv4_exists.stat.exists
- allow_all_ext_traffic_to_local_service_ipv4_present is changed
- drop_syn_flood_ipv4_present is changed
- name: Check if String 'allow_all_ext_traffic_to_local_service..' (IPv6) is present
shell: grep -q -E "^allow_all_ext_traffic_to_local_service=" /ro/etc/ipt-firewall/main_ipv6.conf
register: allow_all_ext_traffic_to_local_service_ipv6_present
- name: Check if String 'drop6_syn_flood..' (IPv6) is present
shell: grep -q -E "^#?drop6_syn_flood=" /ro/etc/ipt-firewall/main_ipv6.conf
register: drop6_syn_flood_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "allow_all_ext_traffic_to_local_service_ipv6_present.rc > 1"
changed_when: "allow_all_ext_traffic_to_local_service_ipv6_present.rc > 0"
failed_when: "drop6_syn_flood_ipv6_present.rc > 1"
changed_when: "drop6_syn_flood_ipv6_present.rc > 0"
- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (allow_all_ext_traffic_to_local_service)
- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (drop6_syn_flood)
blockinfile:
path: /ro/etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*any_access_from_inet_networks'
insertafter: '^#?\s*protect6_against_several_attacks=true'
block: |
# Protection against syn-flooding
#
#drop6_syn_flood=false
# drop new packages without syn flag
#
#drop6_new_not_sync=true
# drop invalid packages
#
#drop6_invalid_state=true
# drop packages with unusal flags
#
#drop6_invalid_flags=true
# Refuse spoofed packets pretending to be from your IP address.
#
#drop6_from_own_ip=true
# Refuse private addresses on extern interfaces
#
#drop6_spoofed=true
marker: "# Marker set by modify-ipt-gateway.yml (drop6_syn_flood)"
when:
- main_ipv6_exists.stat.exists
- drop6_syn_flood_ipv6_present is changed
# ---
# Block UDP/TCP Ports out
# ---
- name: Check if String 'block_udp_extern_out_ports..' (IPv4) is present
shell: grep -q -E "^block_udp_extern_out_ports=" /ro/etc/ipt-firewall/main_ipv4.conf
register: block_udp_extern_out_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "block_udp_extern_out_ports_ipv4_present.rc > 1"
changed_when: "block_udp_extern_out_ports_ipv4_present.rc > 0"
- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (block_udp_extern_out_ports)
blockinfile:
path: /ro/etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*block_upnp_traffic_out'
block: |
# =============
# - Allow local services from ALL extern netwoks
# --- Block UDP Ports out
# =============
# - allow_all_ext_traffic_to_local_service
# - UDP Ports to block (only extern out)
# -
# - allow_all_ext_traffic_to_local_service="local-address,port,protocol [local-address,port,protocol] .."
# - Comma separated list of udp ports
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
block_udp_extern_out_ports=""
# =============
# --- Block TCP Ports out
# =============
# - TCP Ports to block (only extern out)
# -
# - Example:
# - allow extern traffic to service at 2a01:30:1fff:fd00::210 on port 1036
# - allow extern traffic to https service at 2a01:30:1fff:fd00::204
# - Comma separated list of tcp ports
# -
# - allow_ext_net_to_local_service="
# - 2a01:30:1fff:fd00::210,1036,tcp
# - 2a01:30:1fff:fd00::204,$standard_https_port,tcp
# - "
block_tcp_extern_out_ports=""
marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)"
when:
- main_ipv4_exists.stat.exists
- block_udp_extern_out_ports_ipv4_present is changed
- name: Check if String 'block_udp_extern_out_ports..' (IPv6) is present
shell: grep -q -E "^block_udp_extern_out_ports=" /ro/etc/ipt-firewall/main_ipv6.conf
register: block_udp_extern_out_ports_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "block_udp_extern_out_ports_ipv6_present.rc > 1"
changed_when: "block_udp_extern_out_ports_ipv6_present.rc > 0"
- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (block_udp_extern_out_ports)
blockinfile:
path: /ro/etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*block_upnp_traffic_out'
block: |
# =============
# --- Block UDP Ports out
# =============
# - UDP Ports to block (only extern out)
# -
# - Blank separated list
# - Comma separated list of udp ports
# -
allow_all_ext_traffic_to_local_service=""
marker: "# Marker set by modify-ipt-gateway.yml (allow_all_ext_traffic_to_local_service)"
block_udp_extern_out_ports=""
# =============
# --- Block TCP Ports out
# =============
# - TCP Ports to block (only extern out)
# -
# - Comma separated list of tcp ports
# -
block_tcp_extern_out_ports=""
marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)"
when:
- main_ipv6_exists.stat.exists
- allow_all_ext_traffic_to_local_service_ipv6_present is changed
- block_udp_extern_out_ports_ipv6_present is changed

235
roles/modify-ipt-gateway/tasks/main.yml
View File

@ -100,96 +100,221 @@
notify:
- Restart IPv6 Firewall
- name: addjust line 'adjust_kernel_parameters' (IPv6)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^adjust_kernel_parameters='
line: '#adjust6_kernel_parameters=true'
when:
- main_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
- name: addjust line 'protect_against_several_attack' (IPv6)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^protect_against_several_attacks='
line: '#protect6_against_several_attacks=true'
when:
- main_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
# ---
# Allow local services from ALL extern netwoks
# Block Routers
# ---
- name: Check if String 'allow_all_ext_traffic_to_local_service..' (IPv4) is present
shell: grep -q -E "^allow_all_ext_traffic_to_local_service=" /etc/ipt-firewall/main_ipv4.conf
register: allow_all_ext_traffic_to_local_service_ipv4_present
- name: Check if String 'drop_syn_flood..' (IPv4) is present
shell: grep -q -E "^#?drop_syn_flood=" /etc/ipt-firewall/main_ipv4.conf
register: drop_syn_flood_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "allow_all_ext_traffic_to_local_service_ipv4_present.rc > 1"
changed_when: "allow_all_ext_traffic_to_local_service_ipv4_present.rc > 0"
failed_when: "drop_syn_flood_ipv4_present.rc > 1"
changed_when: "drop_syn_flood_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_all_ext_traffic_to_local_service)
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (drop_syn_flood)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*any_access_from_inet_networks'
insertafter: '^#?\s*protect_against_several_attacks=true'
block: |
# =============
# - Allow local services from ALL extern netwoks
# =============
# Protection against syn-flooding
#
#drop_syn_flood=false
# - allow_all_ext_traffic_to_local_service
# - I have to say that fragments scare me more than anything.
# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# - fragments is very OS-dependent (see this paper for details).
# - I am not going to trust any fragments.
# - Log fragments just to see if we get any, and deny them too
# -
# - allow_all_ext_traffic_to_local_service="local-address:port:protocol [local-address:port:protocol] .."
# - !! 'drop_fragments' does not work within telekom mobile connections !!
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
# -
# - Example:
# - allow extern traffic to service at 83.223.73.210 on port 1036
# - allow extern traffic to https service at 83.223.73.204
# -
# - allow_ext_net_to_local_service="
# - 83.223.73.210:1036:tcp
# - 83.223.73.204:$standard_https_port:tcp
# - "
# -
# - Blank separated list
# -
allow_all_ext_traffic_to_local_service=""
marker: "# Marker set by modify-ipt-gateway.yml (allow_all_ext_traffic_to_local_service)"
#drop_fragments=true
# drop new packages without syn flag
#
#drop_new_not_sync=true
# drop invalid packages
#
#drop_invalid_state=true
# drop packages with unusal flags
#
#drop_invalid_flags=true
# Refuse private addresses on extern interfaces
#
# Refuse packets claiming to be from a
# Class A private network
# Class B private network
# Class C private network
# loopback interface
# Class D multicast address
# Class E reserved IP address
# broadcast address
#drop_spoofed=true
# Don't allow spoofing from that server
#
#drop_spoofed_out=true
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
#drop_ext_to_lo=true
marker: "# Marker set by modify-ipt-gateway.yml (drop_syn_flood)"
when:
- main_ipv4_exists.stat.exists
- allow_all_ext_traffic_to_local_service_ipv4_present is changed
- drop_syn_flood_ipv4_present is changed
- name: Check if String 'allow_all_ext_traffic_to_local_service..' (IPv6) is present
shell: grep -q -E "^allow_all_ext_traffic_to_local_service=" /etc/ipt-firewall/main_ipv6.conf
register: allow_all_ext_traffic_to_local_service_ipv6_present
- name: Check if String 'drop6_syn_flood..' (IPv6) is present
shell: grep -q -E "^#?drop6_syn_flood=" /etc/ipt-firewall/main_ipv6.conf
register: drop6_syn_flood_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "allow_all_ext_traffic_to_local_service_ipv6_present.rc > 1"
changed_when: "allow_all_ext_traffic_to_local_service_ipv6_present.rc > 0"
failed_when: "drop6_syn_flood_ipv6_present.rc > 1"
changed_when: "drop6_syn_flood_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_all_ext_traffic_to_local_service)
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (drop6_syn_flood)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*any_access_from_inet_networks'
insertafter: '^#?\s*protect6_against_several_attacks=true'
block: |
# Protection against syn-flooding
#
#drop6_syn_flood=false
# drop new packages without syn flag
#
#drop6_new_not_sync=true
# drop invalid packages
#
#drop6_invalid_state=true
# drop packages with unusal flags
#
#drop6_invalid_flags=true
# Refuse spoofed packets pretending to be from your IP address.
#
#drop6_from_own_ip=true
# Refuse private addresses on extern interfaces
#
#drop6_spoofed=true
marker: "# Marker set by modify-ipt-gateway.yml (drop6_syn_flood)"
when:
- main_ipv6_exists.stat.exists
- drop6_syn_flood_ipv6_present is changed
# ---
# Block UDP/TCP Ports out
# ---
- name: Check if String 'block_udp_extern_out_ports..' (IPv4) is present
shell: grep -q -E "^block_udp_extern_out_ports=" /etc/ipt-firewall/main_ipv4.conf
register: block_udp_extern_out_ports_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "block_udp_extern_out_ports_ipv4_present.rc > 1"
changed_when: "block_udp_extern_out_ports_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (block_udp_extern_out_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*block_upnp_traffic_out'
block: |
# =============
# - Allow local services from ALL extern netwoks
# --- Block UDP Ports out
# =============
# - allow_all_ext_traffic_to_local_service
# - UDP Ports to block (only extern out)
# -
# - allow_all_ext_traffic_to_local_service="local-address,port,protocol [local-address,port,protocol] .."
# - Comma separated list of udp ports
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
block_udp_extern_out_ports=""
# =============
# --- Block TCP Ports out
# =============
# - TCP Ports to block (only extern out)
# -
# - Example:
# - allow extern traffic to service at 2a01:30:1fff:fd00::210 on port 1036
# - allow extern traffic to https service at 2a01:30:1fff:fd00::204
# - Comma separated list of tcp ports
# -
# - allow_ext_net_to_local_service="
# - 2a01:30:1fff:fd00::210,1036,tcp
# - 2a01:30:1fff:fd00::204,$standard_https_port,tcp
# - "
block_tcp_extern_out_ports="${standard_turn_service_ports}"
marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)"
when:
- main_ipv4_exists.stat.exists
- block_udp_extern_out_ports_ipv4_present is changed
- name: Check if String 'block_udp_extern_out_ports..' (IPv6) is present
shell: grep -q -E "^block_udp_extern_out_ports=" /etc/ipt-firewall/main_ipv6.conf
register: block_udp_extern_out_ports_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "block_udp_extern_out_ports_ipv6_present.rc > 1"
changed_when: "block_udp_extern_out_ports_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (block_udp_extern_out_ports)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*block_upnp_traffic_out'
block: |
# =============
# --- Block UDP Ports out
# =============
# - UDP Ports to block (only extern out)
# -
# - Blank separated list
# - Comma separated list of udp ports
# -
allow_all_ext_traffic_to_local_service=""
marker: "# Marker set by modify-ipt-gateway.yml (allow_all_ext_traffic_to_local_service)"
block_udp_extern_out_ports=""
# =============
# --- Block TCP Ports out
# =============
# - TCP Ports to block (only extern out)
# -
# - Comma separated list of tcp ports
# -
block_tcp_extern_out_ports=""
marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)"
when:
- main_ipv6_exists.stat.exists
- allow_all_ext_traffic_to_local_service_ipv6_present is changed
- block_udp_extern_out_ports_ipv6_present is changed
# ---