fossilfranv/set_ip_blacklist
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: fossilfranv:d2fab72ea22825bde403dd6a99af3ec9dd7dae9e
Branches Tags
fossilfranv:main
...
compare: fossilfranv:a323009a77b1370da5337e3ad59e1528d188fc1f
Branches Tags
fossilfranv:main

No commits in common. "d2fab72ea22825bde403dd6a99af3ec9dd7dae9e" and "a323009a77b1370da5337e3ad59e1528d188fc1f" have entirely different histories.
d2fab72ea2 ... a323009a77

6 changed files with 788 additions and 58 deletions
Show Stats Expand all files Collapse all files

5
.ansible.cfg Normal file
View File

@ -0,0 +1,5 @@
[defaults]
inventory = /home/xxx/ansible/hosts.yml
interpreter_python = auto

28
README.md
View File

@ -1,4 +1,26 @@
# set_ip_blacklist # setup_new_server
The first time lines starting with "##" git clone
IMPORTANT After first run return the "##"
generate ssh key on target for root
allow root login : PermitRootLogin prohibit-password
add host IP or name to local (ansible machine) /etc/hosts
ansible-vault create passwd.yml or ansible-vault edit passwd.yml
move and edit config to ~.ssh/config
ssh-copy-id to target
test connection: ansible -m ping --ask-vault-pass --extra-vars '@passwd.yml' TARGET_IP OR NAME -u root
run playbook: ansible-playbook --ask-vault-pass --extra-vars '@passwd.yml' ubuntu/setup-pb.yml -l TARGET_IP OR NAME -u root
Reference: https://www.vultr.com/docs/how-to-configure-a-new-ubuntu-server-with-ansible/
modify /etc/sysctl.conf, add the line:
net.ipv4.icmp_echo_ignore_all = 1 #don't respond to pings
and then: sudo sysctl -p

23
ansible/hosts.yml Normal file
View File

@ -0,0 +1,23 @@
all:
children:
my_host:
hosts:
HOST_IP OR NAME:
user: user_this
user_passwd: "{{ ap1_user_passwd }}"
ansible_sudo_passwd: "{{ ap1_sudo_passwd }}"
root_passwd: "{{ ap1_root_passwd }}"
ssh_port: "xxxx"
ssh_pub_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
cfg_static_network: false

715
ansible/ubuntu/setup-pb.yml Normal file
View File

@ -0,0 +1,715 @@
# Initial server setup
#
---
- hosts: all
become: yes
vars:
my_client_ip: 192.168.1.75
tmzone: America/Vancouver
sudo_timeout: 60
# Set ufw logging: on | off | low | medium | high | full
ufw_log: off
# SSH socket config used for 22.10 and later.
# Disable any existing listen steam and enable the new stream.
ssh_socket_cfg: |
[Socket]
ListenStream=
ListenStream={{ ssh_port }}
resolved_cfg: |
[Resolve]
DNSStubListener=no
DNS=127.0.0.1
f2b_jail_local: |
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 {{ my_client_ip }}
findtime = 15m
bantime = 2h
maxretry = 5
[sshd]
enabled = true
maxretry = 3
port = {{ ssh_port }}
tasks:
- name: Get datestamp from the system
shell: date +"%Y%m%d"
register: dstamp
- name: Set current date stamp variable
set_fact:
cur_date: "{{ dstamp.stdout }}"
# Update and install the base software
- name: Update apt package cache
apt:
update_cache: yes
cache_valid_time: 3600
- name: Upgrade installed apt packages
apt:
upgrade: dist
register: upgrade
retries: 15
delay: 5
until: upgrade is success
- name: Ensure that a base set of software packages are installed
apt:
pkg:
- apt-transport-https
- build-essential
- fail2ban
- pwgen
- unbound
- unzip
- docker
- docker-compose
- net-tools
- traceroute
state: latest
- name: Create a local systemd-resolved configuration directory.
file:
path: /etc/systemd/resolved.conf.d
state: directory
owner: root
group: root
mode: 0755
- name: Create a local systemd-resolved configuration that works with unbound.
copy:
dest: /etc/systemd/resolved.conf.d/local.conf
content: "{{ resolved_cfg }}"
owner: root
group: root
mode: 0644
- name: Update the systemd-resolved /etc/resolv.conf symbolic link.
file:
src: /run/systemd/resolve/resolv.conf
dest: /etc/resolv.conf
state: link
owner: root
group: root
- name: Restart systemd-resolved
service:
name: systemd-resolved
state: restarted
- name: Check if a reboot is needed for Debian-based systems
stat:
path: /var/run/reboot-required
register: reboot_required
# Host Setup
- name: Set static hostname
hostname:
name: "{{ inventory_hostname_short }}"
- name: Add FQDN to /etc/hosts
lineinfile:
dest: /etc/hosts
regexp: '^127\.0\.1\.1'
line: '127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}'
state: present
- name: Check if cloud init is installed.
stat: path="/etc/cloud/templates/hosts.debian.tmpl"
register: cloud_installed
- name: Add FQDN to /etc/cloud/templates/hosts.debian.tmpl
lineinfile:
dest: /etc/cloud/templates/hosts.debian.tmpl
regexp: '^127\.0\.1\.1'
line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}"
state: present
when: cloud_installed.stat.exists
- name: set timezone
timezone:
name: "{{ tmzone }}"
# Set sudo password timeout (default is 15 minutes)
- name: Set sudo password timeout.
lineinfile:
path: /etc/sudoers
state: present
regexp: '^Defaults\tenv_reset'
line: 'Defaults env_reset, timestamp_timeout={{ sudo_timeout }}'
validate: '/usr/sbin/visudo -cf %s'
- name: Create/update regular user with sudo privileges
user:
name: "{{ user }}"
password: "{{ user_passwd | password_hash('sha512') }}"
state: present
groups: sudo
append: true
shell: /bin/bash
- name: Ensure ansible_sudo_passwd matches the [new] user password
set_fact:
ansible_sudo_passwd: "{{ user_passwd }}"
- name: Ensure authorized keys for remote user is installed
authorized_key:
user: "{{ user }}"
state: present
key: "{{ ssh_pub_key }}"
- name: Ensure authorized key for root user is installed
authorized_key:
user: root
state: present
key: "{{ ssh_pub_key }}"
- name: Update root user password.
user:
name: root
password: "{{ root_passwd | password_hash('sha512') }}"
- name: Disable password authentication for root
lineinfile:
path: /etc/ssh/sshd_config
state: present
regexp: '^#?PermitRootLogin'
line: 'PermitRootLogin prohibit-password'
- name: Disable tunneled clear-text passwords
lineinfile:
path: /etc/ssh/sshd_config
state: present
regexp: '^PasswordAuthentication yes'
line: 'PasswordAuthentication no'
- name: Set user PS1 to a two-line prompt
lineinfile:
dest: "/home/{{ user }}/.bashrc"
insertafter: EOF
line: "PS1='${debian_chroot:+($debian_chroot)}\\[\\033[01;32m\\]\\u@\\h\\[\\033[00m\\]:\\[\\033[01;34m\\]\\w\\[\\033[00m\\]\\n\\$ '"
state: present
- name: Set root PS1 to a two-line prompt
lineinfile:
path: '/root/.bashrc'
state: present
insertafter: EOF
line: PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\n\$ '
# Configure the UFW firewall
- name: Disable and reset ufw firewall to installation defaults.
ufw:
state: reset
- name: Find backup rules to delete
find:
paths: /etc/ufw
patterns: "*.{{ cur_date }}_*"
use_regex: no
register: files_to_delete
- name: Delete ufw backup rules
file:
path: "{{ item.path }}"
state: absent
with_items: "{{ files_to_delete.files }}"
- name: Set the ssh '{{ ssh_port }}' port number in sshd_config (ver < 22.10).
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^#Port '
line: 'Port {{ ssh_port }}'
state: present
when: ansible_facts['distribution_version'] < '22.10'
- name: Create a ssh.socket.d configuration directory (ver >= 22.10).
file:
path: /etc/systemd/system/ssh.socket.d
state: directory
owner: root
group: root
mode: 0755
when: ansible_facts['distribution_version'] >= '22.10'
- name: Create a local SSH socket stream configuration (ver >= 22.10).
copy:
dest: /etc/systemd/system/ssh.socket.d/listen.conf
content: "{{ ssh_socket_cfg }}"
owner: root
group: root
mode: 0644
when: ansible_facts['distribution_version'] >= '22.10'
- name: daemon-reload (ver >= 22.10)
systemd:
daemon_reload: yes
when: ansible_facts['distribution_version'] >= '22.10'
- name: Restart the ssh service after updating the SSH port number (ver < 22.10).
service:
name: ssh
state: restarted
when: ansible_facts['distribution_version'] < '22.10'
- name: Restart the ssh socket unit after updating the SSH port number (ver >= 22.10).
systemd:
name: ssh.socket
state: restarted
when: ansible_facts['distribution_version'] >= '22.10'
- name: Change the ansible ssh port to '{{ ssh_port }}'
set_fact:
ansible_port: '{{ ssh_port }}'
- name: Allow ssh port '{{ ssh_port }}'.
ufw:
rule: allow
proto: tcp
port: '{{ ssh_port }}'
state: enabled
- name: Set the UFW log level.
ufw:
logging: '{{ ufw_log }}'
- name: configure fail2ban for ssh
copy:
dest: /etc/fail2ban/jail.local
content: "{{ f2b_jail_local }}"
owner: root
group: root
mode: 0644
notify:
- restart fail2ban
- name: enable fail2ban service on boot
service:
name: fail2ban
enabled: true
state: started
# simple shell script to display fail2ban-client status info; usage:
# f2bst
# f2bst sshd
- name: Configure f2bst
copy:
dest: /usr/local/bin/f2bst
content: |
#!/bin/sh
fail2ban-client status $*
owner: root
group: root
mode: 0750
- name: run needrestart
command: needrestart -r a
when: not reboot_required.stat.exists and upgrade.changed
- name: Configure static networking
copy:
src: etc/netplan/50-cloud-init.yaml
dest: /etc/netplan/50-cloud-init.yaml
owner: root
group: root
mode: 0644
notify:
- netplan apply
when: cfg_static_network == true
- name: Report if reboot is needed.
debug:
msg: Rebooting the server, please wait.
when: reboot_required.stat.exists
- name: Reboot the server if needed
reboot:
msg: "Reboot initiated by Ansible because of reboot required file."
connect_timeout: 5
reboot_timeout: 600
pre_reboot_delay: 0
post_reboot_delay: 30
test_command: whoami
when: reboot_required.stat.exists
- name: Remove old packages from the cache
apt:
autoclean: yes
- name: Remove dependencies that are no longer needed
apt:
autoremove: yes
purge: yes
handlers:
- name: restart fail2ban
service:
name: fail2ban
state: restarted
when: reboot_required.stat.exists == false
- name: netplan apply
command: netplan apply
when: cfg_static_network == true

20
config Normal file
View File

@ -0,0 +1,20 @@
Host *
AddKeysToAgent yes
IdentitiesOnly yes
AddressFamily inet
Host 192.168.1.73 temp
Hostname 192.168.1.73
Port 22
User franv
IdentityFile ~/.ssh/temp_ed25519

55
set_ip_blacklist.sh
View File

@ -1,55 +0,0 @@
#!/bin/bash
rm /tmp/testlog.txt
exec >/tmp/testlog.txt 2>&1
set -x
#The next line only the first time the script is run
##/sbin/ipset -q create ipsum hash:net
/sbin/ipset -q flush ipsum
/bin/bash -c 'for ip in $(/usr/bin/curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do /sbin/ipset add ipsum $ip; done'
##/sbin/iptables -I INPUT -m set --match-set ipsum src -j DROP
##/sbin/iptables -A FORWARD -p tcp --dport 443 -m set --match-set ipsum dst -j DROP
##/sbin/iptables -A FORWARD -p tcp --dport 80 -m set --match-set ipsum dst -j DROP
##/sbin/ipset -q create fireh hash:net
rm firehol_level3.netset
wget https://iplists.firehol.org/files/firehol_level3.netset
my_file=$(cat firehol_level3.netset |grep -v "#")
/sbin/ipset -q flush fireh
for row_data in $my_file; do /sbin/ipset add fireh ${row_data}; done
##/sbin/iptables -I INPUT -m set --match-set fireh src -j DROP
##/sbin/iptables -A FORWARD -p tcp --dport 443 -m set --match-set fireh dst -j DROP
##/sbin/iptables -A FORWARD -p tcp --dport 80 -m set --match-set fireh dst -j DROP
##/sbin/ipset -q create blockde hash:net
/sbin/ipset -q flush blockde
rm blocklist.de
# wget -O blocklist.de http://lists.blocklist.de/lists/all.txt
wget -O blocklist.de https://iplists.firehol.org/files/blocklist_de.ipset
my_file=$(awk 'length($1) < 16 { print $1 }' blocklist.de)
for row_data in $my_file; do /sbin/ipset add blockde ${row_data}; done
##/sbin/iptables -I INPUT -m set --match-set blockde src -j DROP
##/sbin/iptables -A FORWARD -p tcp --dport 443 -m set --match-set blockde dst -j DROP
##/sbin/iptables -A FORWARD -p tcp --dport 80 -m set --match-set blockde dst -j DROP
##/sbin/ipset -q create blockde6 hash:net family inet6
/sbin/ipset -q flush blockde6
my_file=$(awk 'length($1) > 16 { print $1 }' blocklist.de)
echo setting ipv6...
for row_data in $my_file; do /sbin/ipset add blockde6 ${row_data}; done
##/sbin/ip6tables -I INPUT -m set --match-set blockde6 src -j DROP
##/sbin/ip6tables -A FORWARD -p tcp --dport 443 -m set --match-set blockde6 dst -j DROP
##/sbin/ip6tables -A FORWARD -p tcp --dport 80 -m set --match-set blockde6 dst -j DROP
##/sbin/ipset -q create tornodes hash:net
wget -O tornodes.lst https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst
/sbin/ipset -q flush tornodes
my_file=$(awk 'length($1) < 16 { print $1 }' tornodes.lst)
for row_data in $my_file; do /sbin/ipset add tornodes ${row_data}; done
##/sbin/iptables -I INPUT -m set --match-set tornodes src -j DROP
##/sbin/iptables -A FORWARD -p tcp --dport 443 -m set --match-set tornodes dst -j DROP
##/sbin/iptables -A FORWARD -p tcp --dport 80 -m set --match-set tornodes dst -j DROP