From 571ee1e6eebb74d86cd1f9ea10bf44ac4615cc92 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Thu, 4 Apr 2024 20:11:06 +0200
Subject: [PATCH] update..
---
 roles/modify-ipt-server/tasks/ipt-server.yml | 116 ++++---------------
 1 file changed, 23 insertions(+), 93 deletions(-)
diff --git a/roles/modify-ipt-server/tasks/ipt-server.yml b/roles/modify-ipt-server/tasks/ipt-server.yml
index e978d27..ab83cb2 100644
--- a/roles/modify-ipt-server/tasks/ipt-server.yml
+++ b/roles/modify-ipt-server/tasks/ipt-server.yml
@@ -299,7 +299,7 @@
 # ---
-# Mattermost (MM) Service
+# Mattermost (MM) Service (add a block)
 # ---
 - name: Check if String 'mm_server_ips=..' is present
@@ -366,113 +366,43 @@ # --- -# Protection against and Limit Connections settings +# Per IP Connection Limit (add a line) # --- -- name: Check if String 'protection_against_syn_flooding=..' is present - shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv4.conf - register: protect_settings_ipv4_present +- name: Check if String 'per_IP_connection_limit=..' is present + shell: grep -q -E "^per_IP_connection_limit=" /etc/ipt-firewall/main_ipv4.conf + register: per_ip_connection_limit_settings_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "protect_settings_ipv4_present.rc > 1" - changed_when: "protect_settings_ipv4_present.rc > 0" + failed_when: "per_ip_connection_limit_settings_ipv4_present.rc > 1" + changed_when: "per_ip_connection_limit_settings_ipv4_present.rc > 0" - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (protect_settings) - blockinfile: + lineinfile: path: /etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*create_iperf_rules' - block: | - - # ------------- - # - Protection against ... 
- # ------------- - - # - Protection against syn-flooding - # - - protection_against_syn_flooding=true - - # - Protection against port scanning - # - - protection_against_port_scanning=true - - # - Protection against SSH brute-force attacks - # - - protection_against_ssh_brute_force_attacks=true - - - # ------------- - # - Limit Connections - # ------------- - - # - Limit connections per source IP - # - - limit_connections_per_source_IP=true - - # - Limit RST packets - # - - limit_rst_packets=true - - # - Limit new TCP connections per second per source IP - # - - limit_new_tcp_connections_per_seconds_per_source_IP=true - - marker: "# Marker set by modify-ipt-server.yml (protect_settings)" + insertafter: '^#?\s*limit_connections_per_source_IP' + line: per_IP_connection_limit=$default_per_IP_connection_limit when: - main_ipv4_exists.stat.exists - - protect_settings_ipv4_present is changed + - per_ip_connection_limit_settings_ipv4_present is changed notify: - Restart IPv4 Firewall -- name: Check if String 'protection_against_syn_flooding=..' is present - shell: grep -q -E "^protection_against_syn_flooding=" /etc/ipt-firewall/main_ipv6.conf - register: protect_settings_ipv6_present +- name: Check if String 'per_IP_connection_limit=..' is present + shell: grep -q -E "^per_IP_connection_limit=" /etc/ipt-firewall/main_ipv6.conf + register: per_ip_connection_limit_settings_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "protect_settings_ipv6_present.rc > 1" - changed_when: "protect_settings_ipv6_present.rc > 0" + failed_when: "per_ip_connection_limit_settings_ipv6_present.rc > 1" + changed_when: "per_ip_connection_limit_settings_ipv6_present.rc > 0" - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (protect_settings) - blockinfile: - path: /etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*create_iperf_rules' - block: | - - # ------------- - # - Protection against ... 
- # ------------- - - # - Protection against syn-flooding - # - - protection_against_syn_flooding=true - - # - Protection against port scanning - # - - protection_against_port_scanning=true - - # - Protection against SSH brute-force attacks - # - - protection_against_ssh_brute_force_attacks=true - - - # ------------- - # - Limit Connections - # ------------- - - # - Limit connections per source IP - # - - limit_connections_per_source_IP=true - - # - Limit RST packets - # - - limit_rst_packets=true - - # - Limit new TCP connections per second per source IP - # - - limit_new_tcp_connections_per_seconds_per_source_IP=true - - marker: "# Marker set by modify-ipt-server.yml (protect_settings)" + lineinfile: + dest: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*limit_connections_per_source_IP' + line: per_IP_connection_limit=$default_per_IP_connection_limit when: - main_ipv6_exists.stat.exists - - protect_settings_ipv6_present is changed + - per_ip_connection_limit_settings_ipv6_present is changed notify: - Restart IPv6 Firewall @@ -534,7 +464,7 @@ when: - git_firewall_repository is defined and git_firewall_repository|length > 0 loop: - - default_ports.conf + - default_settings.conf - include_functions.conf - load_modules_ipv4.conf - load_modules_ipv6.conf @@ -546,7 +476,7 @@ - name: Ensure configuration files are latest command: cp {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} loop: - - default_ports.conf + - default_settings.conf - include_functions.conf - load_modules_ipv4.conf - load_modules_ipv6.conf
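Review bot: The two new lineinfile tasks anchor on a line this same commit stops writing: `insertafter: '^#?\s*limit_connections_per_source_IP'` needs `limit_connections_per_source_IP` to already exist in main_ipv4.conf / main_ipv6.conf, and the removed blockinfile was what put it there; when the regex has no match, lineinfile appends at end of file instead, so a comment such as `# anchor is expected from the shipped config; lineinfile falls back to EOF if it is missing` above each `insertafter` would make the assumption visible. The task names still read `(protect_settings)` and the IPv6 task uses `dest:` where the IPv4 one uses `path:` (both are accepted aliases); renaming both to `(per_IP_connection_limit)` and using `path: /etc/ipt-firewall/main_ipv6.conf` keeps the pair consistent and greppable. The new `shell: grep -q -E ...` checks use no shell features, so `command:` would do the same work without spawning a shell. Whether the dropped `protection_against_*` and `limit_*` defaults now come from the renamed `default_settings.conf` is not visible in this hunk; if they do not, hosts built after this change silently lose those firewall protections.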