ENG - Ansible Common Role
May 2024 (323 Words, 2 Minutes)
Ansible role for common stuff.
Introduction
This work shall be included into an ansible playbook as ansible role. This role is intented as a container for all tools and configuration needed as base on a debian system.
Topic covered:
- basic tools
- users
- basic firewall policies
- ssh server enforcement
Basic tools
This role install the following packages:
rsync
tmux
vim
net-tools
iptables-persistent
fail2ban
sudo
Basic firewall policies
Firewall i managed direclty using the ansible plugin.
The idea come from DebianFirewall page.
Default Pilycies
| IP version | Chain | Policy |
|---|---|---|
| ipv4 | INPUT | DROP |
| ipv4 | FORWARD | DROP |
| ipv4 | OUTPUT | DROP |
| ipv6 | INPUT | DROP |
| ipv6 | FORWARD | DROP |
| ipv6 | OUTPUT | DROP |
Additional Rules
| Rule Name | Chain | Port/Protocol | Policy | Notes |
|---|---|---|---|---|
| Allow SSH | INPUT | 22/tcp | ACCEPT | if ssh_network is dfined, the access is restricted to defined nets |
| Allow current established traffic | INPUT | all | ACCEPT | |
| Allow current established traffic | FORWARD | all | ACCEPT | |
| Allow input to lo | INPUT | all | ACCEPT | traffic on lo interface |
Reject traffic to lo not arriving from local |
INPUT | all | REJECT |
SSH server enforcement
This role will create the group ssh.
This role will create the file /etc/ssh/sshd_config.d/custom_config.conf whit this lines:
AuthorizedKeysFile .ssh/authorized_keys # specifies the path for auth keys
PasswordAuthentication no # disable pass authentication
PermitEmptyPasswords no # disable empty passwords authentication
PermitRootLogin no # disable root login via ssh
AllowGroups ssh # only users belonging to the ssh group can login
The last measuer taken to enforce ssh server secutiry is the installation of fail2ban with and the activation of the sshd jail.
The fail2ban configuration are left as default.
Users
Special users
Admin user
Ansible as orchestrator need an admin user, we assume it is the user you created when you installed the system, and the one you are using to run ansible, it will be added to the ssh group.
This user public key can be controlled using this parameter:
ansible_ssh_public_key_file: "{ { lookup('file', '{ { playbook_dir } }/.ssh/admin_rsa.pub') } }"
snapshot user
This role create system user snapshot; this user is part of the ssh group, and a custom sudo
rule is installed, this user can run rsync server as root.
snapshot_ssh_public_key_file: "{ { lookup('file', '{ { playbook_dir } }/.ssh/admin_rsa.pub') } }"
This can be used to run system backups using rsnapshot.
Other users
It is possible to add users to the system adding users to the other_users variable;
all for all username in this list it will be created a user belongin to users and ssh groups.
Quest'opera è distribuita con Licenza Creative Commons Attribuzione - Condividi allo stesso modo 4.0 Internazionale Theme Moonwalk