From 8deddf3c0b9cb12b2831cf1f9bc80e2811018a46 Mon Sep 17 00:00:00 2001 From: Massaki Archambault Date: Fri, 17 Dec 2021 18:17:18 -0500 Subject: [PATCH] add bastion fail2ban config --- group_vars/{lb.yml => bastions.yml} | 6 +++++ hosts | 7 ++--- playbook.yml | 3 ++- roles/bastion/files/fail2ban/jail.local | 10 ++++++++ roles/bastion/handlers/main.yml | 11 ++++++++ roles/bastion/tasks/main.yml | 34 +++++++++++++++++++++++++ roles/common/defaults/main.yml | 3 ++- roles/common/tasks/user.yml | 2 +- roles/haproxy/templates/haproxy.cfg | 7 ++--- 9 files changed, 74 insertions(+), 9 deletions(-) rename group_vars/{lb.yml => bastions.yml} (90%) create mode 100644 roles/bastion/files/fail2ban/jail.local create mode 100644 roles/bastion/handlers/main.yml create mode 100644 roles/bastion/tasks/main.yml diff --git a/group_vars/lb.yml b/group_vars/bastions.yml similarity index 90% rename from group_vars/lb.yml rename to group_vars/bastions.yml index e57a709..8e415da 100644 --- a/group_vars/lb.yml +++ b/group_vars/bastions.yml @@ -12,6 +12,11 @@ haproxy: - 192.168.20.22 - 192.168.20.23 - 192.168.20.24 + - src: + - s3.badjware.dev + dst: + - 192.168.20.30:9000 + ssl: false # - src: # - kubernetes-dashboard.badjnet.home # - traefik.badjnet.home @@ -26,6 +31,7 @@ haproxy: tcp: - src: "30022" dst: + - 192.168.20.20:30022 - 192.168.20.21:30022 - 192.168.20.22:30022 - 192.168.20.23:30022 diff --git a/hosts b/hosts index a4cb54a..078b1b3 100644 --- a/hosts +++ b/hosts @@ -35,10 +35,11 @@ all: ansible_host: 192.168.10.11 vfio_pci_ids: - '1000:0086' # Broadcom / LSI SAS2308 PCI-Express Fusion-MPT SAS-2 - lb: + bastions: hosts: - lb: + bastion: ansible_host: 192.168.20.10 + users_enable_sudo: false k3s: children: k3s-server: @@ -69,7 +70,7 @@ all: ansible_host: 192.168.20.2 children: proxmox: - lb: + bastions: k3s: vars: <<: *user_config \ No newline at end of file diff --git a/playbook.yml b/playbook.yml index 43d6e75..ac38250 100644 --- a/playbook.yml +++ b/playbook.yml 
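Review bot: The new `s3.badjware.dev` route sets `ssl: false`, so haproxy terminates TLS on the bastion and forwards to `192.168.20.30:9000` in cleartext, and whether that is acceptable depends on the 192.168.20.0/24 segment being trusted, which nothing in this diff establishes. An S3-style endpoint carries credentials in request headers (request signatures and, for presigned URLs, query strings), so a cleartext backend leg exposes them to anything else on that segment. If the backend can serve TLS, drop `ssl: false` and let the template negotiate TLS; otherwise record the decision next to the flag, e.g. `ssl: false  # backend speaks plain HTTP on 9000; backend leg stays on the internal segment`.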
@@ -6,9 +6,10 @@ roles: - common -- hosts: lb +- hosts: bastion roles: - haproxy + - bastion - hosts: k3s-server roles: diff --git a/roles/bastion/files/fail2ban/jail.local b/roles/bastion/files/fail2ban/jail.local new file mode 100644 index 0000000..c38be31 --- /dev/null +++ b/roles/bastion/files/fail2ban/jail.local @@ -0,0 +1,10 @@ +[DEFAULT] +bantime = 1h +findtime = 5m +maxretry = 3 + +ignoreip = 192.168.0.0/16 + +[sshd] +enabled = true +mode = aggressive \ No newline at end of file diff --git a/roles/bastion/handlers/main.yml b/roles/bastion/handlers/main.yml new file mode 100644 index 0000000..dc9a2f7 --- /dev/null +++ b/roles/bastion/handlers/main.yml @@ -0,0 +1,11 @@ +- name: Restart fail2ban + service: + name: fail2ban + enabled: true + state: reloaded + +- name: Restart sshd + service: + name: sshd + enabled: true + state: reloaded \ No newline at end of file diff --git a/roles/bastion/tasks/main.yml b/roles/bastion/tasks/main.yml new file mode 100644 index 0000000..ad1d6da --- /dev/null +++ b/roles/bastion/tasks/main.yml @@ -0,0 +1,34 @@ +- name: Install fail2ban + apt: + name: + - fail2ban + +- name: Configure fail2ban + copy: + src: fail2ban/jail.local + dest: /etc/fail2ban/jail.local + notify: Restart fail2ban + +- name: Disable ssh password authentication for all but user of ansible + blockinfile: + path: /etc/ssh/sshd_config + block: | + Match User {{ ansible_user }} + PasswordAuthentication yes + Match all + PasswordAuthentication no + notify: Restart sshd + +- name: Configure sshd ClientAliveInterval + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^#?ClientAliveInterval' + line: ClientAliveInterval 5m + notify: Restart sshd + +- name: Configure sshd ClientAliveCountMax + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^#?ClientAliveCountMax' + line: ClientAliveCountMax 3 + notify: Restart sshd diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 53edca8..93b8f14 100644 --- a/roles/common/defaults/main.yml 
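Review bot: `- hosts: bastion` targets the single inventory host while the inventory and group_vars in this commit were renamed to the group `bastions`, so a second bastion added to that group would inherit the group_vars but never receive the `haproxy` and `bastion` roles. Target the group instead: `- hosts: bastions`. Role order also means that on first provisioning haproxy is configured and listening before the `bastion` role applies fail2ban and the sshd hardening; listing `- bastion` before `- haproxy` closes that window, though it only matters for the initial run.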
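Review bot: `ignoreip = 192.168.0.0/16` exempts the entire private /16 from banning, so SSH guessing from any internal host (a compromised workstation, or a k3s node behind this bastion) is never rate-limited; narrow it to the management subnet or specific admin addresses, e.g. `ignoreip = 127.0.0.1/8 ::1 192.168.20.0/24`. Only the `[sshd]` jail is enabled, and the haproxy TCP forward on 30022 that this same commit extends passes traffic through this host to the k3s nodes; if that port carries SSH, as the number suggests, those attempts are logged on the backends, not in this host's sshd log, so this jail never sees them — worth a comment in `jail.local` such as `# covers the bastion's own sshd only; forwarded 30022 traffic is not inspected`. With `maxretry = 3` in `findtime = 5m` a `recidive` jail for repeat offenders would complement the 1h ban on a presumably exposed host. The file also ends without a trailing newline.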
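Review bot: `enabled: true` inside both handlers is only applied when the handler fires, i.e. when a config file actually changed, so on a host where fail2ban or sshd is installed but disabled and the config is already in place nothing ever enables the unit. Move `enabled: true` into a regular task (`service: name: fail2ban enabled: true state: started`) and keep the handlers to `state: reloaded`. The handler names say Restart while the state is `reloaded`; reload is the right choice for sshd, since existing sessions survive it, so rename them `Reload fail2ban` / `Reload sshd` so the name matches what runs.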
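Review bot: The `Match User {{ ansible_user }}` block deliberately keeps password authentication on for the automation account, which on a bastion is the account most worth protecting and, after this change, the only one fail2ban still has to defend against guessing; if the 192.168.0.0/16 range used in `jail.local` is the trusted network, restrict the exception to it with `Match User {{ ansible_user }} Address 192.168.0.0/16`, or drop it entirely and rely on the keys that the common role's `authorized_key` task installs. None of the three sshd_config edits validate the result: add `validate: /usr/sbin/sshd -t -f %s` to the `blockinfile` and both `lineinfile` tasks so a bad rendering (for example an empty or mis-set `ansible_user`, which leaves `Match User` without an argument) fails the task instead of being reloaded into the running daemon. The `blockinfile` appends at EOF and runs before the two `lineinfile` tasks, so on a base image where neither `ClientAlive*` directive exists they are appended after `Match all` and become part of that block; that is still effectively global, but fragile, so add `insertbefore: '^Match'` to both `lineinfile` tasks or a `# must stay above the Match blocks` comment. On a stock Debian config the commented defaults exist and `^#?ClientAlive...` rewrites them in place, which is presumably why it works today.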
+++ b/roles/common/defaults/main.yml @@ -1 +1,2 @@ -users: {} \ No newline at end of file +users: {} +users_enable_sudo: true \ No newline at end of file diff --git a/roles/common/tasks/user.yml b/roles/common/tasks/user.yml index 6f06d33..3229c05 100644 --- a/roles/common/tasks/user.yml +++ b/roles/common/tasks/user.yml @@ -4,7 +4,7 @@ password: '{{ item.value.default_password }}' update_password: on_create shell: /bin/bash - groups: sudo + groups: '{{["sudo"] if users_enable_sudo else []}}' - name: '{{ item.key }}: Configure ssh public keys' authorized_key: diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 54fb584..4a9287c 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -79,14 +79,15 @@ backend haproxy_metrics http-request use-service prometheus-exporter {% for http_route in https_routing %} -# backend for {{ http_route.src[0] }} +# backend for {{ ', '.join(http_route.src) }} backend https_{{ http_route.src[0]|replace('.','_') }} mode http balance roundrobin {% for dst in http_route.dst %} - server {{ dst }} {{ dst }}{% if ':' not in dst %}:443{% endif %} check ssl verify none alpn h2 - #server {{ dst }} {{ dst }}{% if ':' not in dst %}:80{% endif %} check + server {{ dst }} {{ dst }}{% if ':' not in dst %}:443{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2{% endif %} + {% endfor %} + {% endfor %} ## TCP ##
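Review bot: `groups: '{{["sudo"] if users_enable_sudo else []}}'` with no `append: true` means that on a host with `users_enable_sudo: false` the user module receives an empty supplementary-group list, which ansible.builtin.user documents as removing the account from every group except its primary one; any other membership the account has (e.g. `adm`, `systemd-journal`) is silently stripped, not just `sudo`. If the intent is only to grant or revoke sudo, say so above the line, `# empty groups list intentionally removes ALL supplementary groups, not only sudo`, or manage the `sudo` membership explicitly with `append: true` when enabled and a dedicated removal step when disabled. Also, if the account running the play is itself listed in `users`, setting `users_enable_sudo: false` on the bastion (as the `hosts` change in this commit does) revokes its sudo, so privilege-escalated tasks on that host can fail on the next run — hedged, since the `*user_config` anchor that defines `users` is outside this diff. Style nit: `{{ ["sudo"] if users_enable_sudo else [] }}` with spaces inside the braces matches the Jinja style used elsewhere in this role.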
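Review bot: The rewritten `server` line still carries `ssl verify none`, so every TLS backend is accepted without certificate verification and the new `ssl` flag only chooses between unverified TLS and cleartext; on a shared segment this leaves the bastion-to-backend leg open to interception or impersonation. `verify none` predates this commit, but the route schema now has a per-route flag, which is the natural hook to fix it: `{% if http_route.ssl|default(true) %}ssl {% if http_route.ca_file is defined %}verify required ca-file {{ http_route.ca_file }}{% else %}verify none{% endif %} alpn h2{% endif %}`, with a comment in the template noting that `verify none` remains the default until routes declare `ca_file`. The added blank lines around the `{% endfor %}` tags are cosmetic.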