Licensing

Added loopback iptables rule
Iptables persistence finally working
2024-08-09 14:57:22 +02:00 · 2024-08-02 11:12:46 +02:00 · 2024-08-02 10:38:36 +02:00 · 2024-08-02 10:10:40 +02:00 · 2024-08-02 09:59:26 +02:00 · 2024-08-02 09:45:14 +02:00
8 changed files with 132 additions and 23 deletions
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -24,7 +24,7 @@ sudo apt install git git-lfs -y
 git lfs install

 # Clone ansible_playbooks repo
-git clone https://git.athelas-conseils.fr/Stage/ansible_playbooks.git
+git clone -b dev https://git.athelas-conseils.fr/Stage/ansible_playbooks.git


 ~/.local/bin/ansible-playbook ansible_playbooks/tasks/full_setup.yml -i ansible_playbooks/inventory.ini --extra-vars "ansible_ssh_pass=$password ansible_ssh_common_args='-o StrictHostKeyChecking=no'"
--- a/files/usertwist
+++ b/files/usertwist
--- a/files/usertwist.service
+++ b/files/usertwist.service
@@ -2,9 +2,20 @@
 Description=Simple Web Service

 [Service]
-User=caddy
-Group=caddy
+User=usertwist
+Group=usertwist
 ExecStart=/usr/local/bin/usertwist
+PrivateTmp=yes
+NoNewPrivileges=true
+RestrictNamespaces=uts ipc pid user cgroup
+ProtectSystem=strict
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateDevices=yes
+RestrictSUIDSGID=true
+ProtectHome=true

 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
--- a/tasks/install_caddy.yml
+++ b/tasks/install_caddy.yml
@@ -29,6 +29,17 @@
      src: ../templates/Caddyfile.j2
      dest: /etc/caddy/Caddyfile

+  - name: Create the usertwist group
+    ansible.builtin.group:
+      name: usertwist
+
+  - name: Create the usertwist user
+    ansible.builtin.user:
+      name: usertwist
+      group: usertwist
+      system: true
+      shell: /usr/sbin/nologin
+
  - name: Put the service binary on the remote server
    ansible.builtin.copy:
      src: ../files/usertwist
--- a/tasks/roles/setup_iptables/README.md
+++ b/tasks/roles/setup_iptables/README.md
@@ -0,0 +1,22 @@
+Setup IPTables
+=========
+
+Create iptables rules on the remote server to allow connection on WEB and SSH ports only
+
+Example Playbook
+----------------
+
+    - hosts: servers
+      roles:
+        - setup_iptables
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Motysten
+E-Mail : mdm@athelas.fr
--- a/tasks/roles/setup_iptables/meta/main.yml
+++ b/tasks/roles/setup_iptables/meta/main.yml
@@ -0,0 +1,34 @@
+galaxy_info:
+  author: Motysten
+  description: Dev
+  company: Athelas
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: MIT
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
--- a/tasks/roles/setup_iptables/tasks/main.yml
+++ b/tasks/roles/setup_iptables/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+# tasks file for setup_iptables
+- name: Open needed ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    in_interface: eth0
+    jump: ACCEPT
+    destination_ports:
+      - "22"
+      - "443"
+      - "80"
+
+- name: Accept connection on lo (for Caddy <-> usertwist communication)
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    in_interface: lo
+    jump: ACCEPT
+
+- name: Set INPUT policy to DROP
+  ansible.builtin.iptables:
+    chain: INPUT
+    policy: DROP
+
+- name: Create iptables folder in /etc
+  ansible.builtin.file:
+    path: /etc/ansible
+    state: directory
+    mode: '0755'
+
+- name: Install iptables-persistent for rules persistence
+  ansible.builtin.package:
+    name: iptables-persistent
+    update_cache: true
+
+- name: Save IPv4 rules to keep them on reboot
+  community.general.iptables_state:
+    state: saved
+    path: /etc/iptables/rules.v4
+
+- name: Save IPv6 rules to keep them on reboot
+  community.general.iptables_state:
+    state: saved
+    path: /etc/iptables/rules.v6
--- a/tasks/setup_iptables.yml
+++ b/tasks/setup_iptables.yml
@@ -1,20 +1,6 @@
 - name: Edit iptables settings
  hosts: athelas
  become: true
-  tasks:
-
-  - name: Open needed ports
-    ansible.builtin.iptables:
-      chain: INPUT
-      protocol: tcp
-      in_interface: eth0
-      jump: ACCEPT
-      destination_ports:
-        - "22"
-        - "443"
-        - "80"
-
-  - name: Set INPUT policy to DROP
-    ansible.builtin.iptables:
-      chain: INPUT
-      policy: DROP
+  
+  roles:
+    - setup_iptables
Author	SHA1	Message	Date
Mateo	113e72401e	Licensing	2024-08-09 14:57:22 +02:00
Mateo	23ad0ff277	Added loopback iptables rule	2024-08-02 11:12:46 +02:00
Mateo	ee8242d842	Iptables persistence finally working	2024-08-02 10:38:36 +02:00
Mateo	9ad7e73946	Removed login from usertwist	2024-08-02 10:10:40 +02:00
Mateo	61705dd02f	Fixed persistence (maybe...)	2024-08-02 09:59:26 +02:00
Mateo	95d216ccd5	Added iptables folder	2024-08-02 09:45:14 +02:00
Mateo	d41bfb5aad	Fixed error on iptables_state package	2024-08-02 09:31:45 +02:00
Mateo	daa4a1c745	Hardened usertwist service + Saved iptables rules	2024-08-02 09:27:48 +02:00
Mateo	deabcf2f69	Merge pull request 'Usertwist update' (#6 ) from main into dev Reviewed-on: #6	2024-07-30 12:54:52 +00:00
Mateo	a5a4c6ab90	usertwist executable	2024-07-30 14:53:12 +02:00
Mateo	8336445ae8	New version of usertwist	2024-07-30 14:51:51 +02:00
Mateo	82151639ab	Bootstrap get dev branch instead of main	2024-07-30 14:50:57 +02:00
Mateo	2082ccb5b5	Hardened systemd unit (4.8 score)	2024-07-30 14:44:15 +02:00
Mateo	5ebad367b4	Convert setup_iptables to ansible role + Fix usertwist group don't exist error	2024-07-30 14:06:48 +02:00
Mateo	18f2d62a24	revert `d84517026d` revert Added usertwist group	2024-07-30 12:02:42 +00:00
Mateo	f1fea14b41	revert `46f876f5a4` revert Edit usertwist port	2024-07-30 12:02:30 +00:00
Mateo	e136006c1c	revert `70d8e574b9` revert Merge branch 'main' of git.athelas-conseils.fr:Stage/ansible_playbooks	2024-07-30 12:02:16 +00:00
Mateo	70d8e574b9	Merge branch 'main' of git.athelas-conseils.fr:Stage/ansible_playbooks	2024-07-30 14:00:18 +02:00
Mateo	46f876f5a4	Edit usertwist port	2024-07-30 14:00:15 +02:00
Mateo	d84517026d	Added usertwist group	2024-07-30 13:46:11 +02:00
Mateo	cb3785236d	Moved roles	2024-07-30 13:40:14 +02:00
Mateo	98f646a3e6	Roles test	2024-07-30 13:37:30 +02:00
Mateo	e51d53adbf	Edit usertwist port	2024-07-25 16:59:44 +02:00
Mateo	7a237d6ac9	Merge branch 'main' of git.athelas-conseils.fr:Stage/ansible_playbooks	2024-07-25 14:00:12 +02:00
Mateo	4a4e754f14	Usertwist has his own user	2024-07-25 14:00:06 +02:00