From 5ebad367b4a68e30c0a89af1c0147e2e81dc5110 Mon Sep 17 00:00:00 2001
From: Mateo
Date: Tue, 30 Jul 2024 14:06:48 +0200
Subject: [PATCH 1/9] Convert setup_iptables to ansible role + Fix usertwist group don't exist error
---
 tasks/install_caddy.yml | 4 +++
 tasks/roles/setup_iptables/README.md | 38 +++++++++++++++++++++++
 tasks/roles/setup_iptables/meta/main.yml | 34 ++++++++++++++++++++
 tasks/roles/setup_iptables/tasks/main.yml | 17 ++++++++++
 tasks/setup_iptables.yml | 20 ++----------
 5 files changed, 96 insertions(+), 17 deletions(-)
 create mode 100644 tasks/roles/setup_iptables/README.md
 create mode 100644 tasks/roles/setup_iptables/meta/main.yml
 create mode 100644 tasks/roles/setup_iptables/tasks/main.yml

diff --git a/tasks/install_caddy.yml b/tasks/install_caddy.yml
index 895013e..08d455b 100644
--- a/tasks/install_caddy.yml
+++ b/tasks/install_caddy.yml
@@ -29,6 +29,10 @@
 src: ../templates/Caddyfile.j2
 dest: /etc/caddy/Caddyfile
 
+ - name: Create the usertwist group
+ ansible.builtin.group:
+ name: usertwist
+
 - name: Create the usertwist user
 ansible.builtin.user:
 name: usertwist
diff --git a/tasks/roles/setup_iptables/README.md b/tasks/roles/setup_iptables/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/tasks/roles/setup_iptables/README.md
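Review bot: The new `ansible.builtin.group` task creates `usertwist` as an ordinary group, while the user it is paired with is created with `system: true` (visible in the `install_caddy.yml` hunk of patch 8 in this series), so the GID is allocated from the regular range and the two objects disagree. Add `system: true` under `name: usertwist` in the group task so both land in the system range and the group is consistent with the account that owns the service.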
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/tasks/roles/setup_iptables/meta/main.yml b/tasks/roles/setup_iptables/meta/main.yml
new file mode 100644
index 0000000..a7cde37
--- /dev/null
+++ b/tasks/roles/setup_iptables/meta/main.yml
@@ -0,0 +1,34 @@
+galaxy_info:
+ author: Motysten
+ description: Dev
+ company: Athelas
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/tasks/roles/setup_iptables/tasks/main.yml b/tasks/roles/setup_iptables/tasks/main.yml
new file mode 100644
index 0000000..c468a39
--- /dev/null
+++ b/tasks/roles/setup_iptables/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+# tasks file for setup_iptables
+- name: Open needed ports
+ ansible.builtin.iptables:
+ chain: INPUT
+ protocol: tcp
+ in_interface: eth0
+ jump: ACCEPT
+ destination_ports:
+ - "22"
+ - "443"
+ - "80"
+
+- name: Set INPUT policy to DROP
+ ansible.builtin.iptables:
+ chain: INPUT
+ policy: DROP
\ No newline at end of file
diff --git a/tasks/setup_iptables.yml b/tasks/setup_iptables.yml
index b6a297e..2e6b195 100644
--- a/tasks/setup_iptables.yml
+++ b/tasks/setup_iptables.yml
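Review bot: `license: license (GPL-2.0-or-later, MIT, etc)` is the Galaxy skeleton placeholder left unedited, and it contradicts the README in this same series, which says BSD; replace it with a real SPDX identifier, e.g. `license: BSD-3-Clause`, so the metadata and the README agree. `min_ansible_version: 2.1` is an unquoted float (yamllint `float-values`) and lint tooling generally expects a string here; write `min_ansible_version: "2.1"`. `author`, `description: Dev` and `company` still read like template fill-ins and could carry the same information the README gives.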
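Review bot: `Set INPUT policy to DROP` drops everything the single ACCEPT rule does not match, and that rule covers neither loopback nor the reply packets of connections the host opens itself, so once the policy flips, outbound DNS and apt traffic (including the `iptables-persistent` install added later in this series) loses its answers unless something outside this role accepts them. Add a loopback accept and a conntrack `ESTABLISHED,RELATED` accept ahead of the port rule, as below. The hard-coded `in_interface: eth0` is also a lockout risk: on a host with a predictable interface name the ACCEPT rule never matches and the DROP policy cuts the SSH session; `in_interface: "{{ ansible_default_ipv4.interface }}"` follows the real interface. Both tasks act on IPv4 only (the module's `ip_version` default), so the IPv6 INPUT chain is left at its ACCEPT policy.
```yaml
- name: Accept loopback traffic
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT

- name: Accept established and related connections
  ansible.builtin.iptables:
    chain: INPUT
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT

# … unchanged: open needed ports, set INPUT policy to DROP …
```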
@@ -1,20 +1,6 @@
 - name: Edit iptables settings
 hosts: athelas
 become: true
- tasks:
-
- - name: Open needed ports
- ansible.builtin.iptables:
- chain: INPUT
- protocol: tcp
- in_interface: eth0
- jump: ACCEPT
- destination_ports:
- - "22"
- - "443"
- - "80"
-
- - name: Set INPUT policy to DROP
- ansible.builtin.iptables:
- chain: INPUT
- policy: DROP
+
+ roles:
+ - setup_iptables
-- 
2.49.1

From 2082ccb5b52ad0363427167afc50ff554fe3c5a8 Mon Sep 17 00:00:00 2001
From: Mateo
Date: Tue, 30 Jul 2024 14:44:15 +0200
Subject: [PATCH 2/9] Hardened systemd unit (4.8 score)
---
 files/usertwist.service | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/files/usertwist.service b/files/usertwist.service
index 17cd2d9..ea45de5 100644
--- a/files/usertwist.service
+++ b/files/usertwist.service
@@ -5,6 +5,16 @@ Description=Simple Web Service
 User=usertwist
 Group=usertwist
 ExecStart=/usr/local/bin/usertwist
+PrivateTmp=yes
+NoNewPrivileges=true
+RestrictNamespaces=uts ipc pid user cgroup
+ProtectSystem=strict
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateDevices=yes
+RestrictSUIDSGID=true
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
\ No newline at end of file
-- 
2.49.1

From 82151639ab96639defdeb4a91409f2143c0d3182 Mon Sep 17 00:00:00 2001
From: Mateo
Date: Tue, 30 Jul 2024 14:50:57 +0200
Subject: [PATCH 3/9] Bootstrap get dev branch instead of main
---
 bootstrap.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bootstrap.sh b/bootstrap.sh
index d7a7885..48bc3ab 100644
--- a/bootstrap.sh
+++ b/bootstrap.sh
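Review bot: `RestrictNamespaces=uts ipc pid user cgroup` is an allow-list, not a deny-list: the listed namespace types remain available to the service and only the unlisted ones (`net`, `mnt`) are blocked, which is looser than the line reads; if the binary does not create namespaces, `RestrictNamespaces=true` blocks all of them. `ProtectSystem=strict` mounts everything except `/dev`, `/proc` and `/sys` read-only, so any directory the service writes to (state, logs, sockets) needs a matching `ReadWritePaths=`; I cannot tell from the unit whether it writes anywhere, so this should be checked against the binary. `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` only bounds the set and does not grant the capability to the non-root `User=`; if the service binds a port below 1024 it also needs `AmbientCapabilities=CAP_NET_BIND_SERVICE`, and if it does not, the bounding set can be emptied with `CapabilityBoundingSet=`. The file still ends without a trailing newline, as the marker shows.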
@@ -24,7 +24,7 @@ sudo apt install git git-lfs -y
 git lfs install
 
 # Clone ansible_playbooks repo
-git clone https://git.athelas-conseils.fr/Stage/ansible_playbooks.git
+git clone -b dev https://git.athelas-conseils.fr/Stage/ansible_playbooks.git
 
 ~/.local/bin/ansible-playbook ansible_playbooks/tasks/full_setup.yml -i ansible_playbooks/inventory.ini --extra-vars "ansible_ssh_pass=$password ansible_ssh_common_args='-o StrictHostKeyChecking=no'"
\ No newline at end of file
-- 
2.49.1

From daa4a1c7454785773019403b1d633d3768a4e93f Mon Sep 17 00:00:00 2001
From: Mateo
Date: Fri, 2 Aug 2024 09:27:48 +0200
Subject: [PATCH 4/9] Hardened usertwist service + Saved iptables rules
---
 files/usertwist.service | 1 +
 tasks/roles/setup_iptables/README.md | 26 +++++------------------
 tasks/roles/setup_iptables/tasks/main.yml | 7 +++++-
 3 files changed, 12 insertions(+), 22 deletions(-)

diff --git a/files/usertwist.service b/files/usertwist.service
index ea45de5..cbfb6ab 100644
--- a/files/usertwist.service
+++ b/files/usertwist.service
@@ -15,6 +15,7 @@ ProtectKernelModules=yes
 ProtectControlGroups=yes
 PrivateDevices=yes
 RestrictSUIDSGID=true
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
diff --git a/tasks/roles/setup_iptables/README.md b/tasks/roles/setup_iptables/README.md
index 225dd44..c65e2c5 100644
--- a/tasks/roles/setup_iptables/README.md
+++ b/tasks/roles/setup_iptables/README.md
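Review bot: Switching the clone to `-b dev` makes the bootstrap follow a moving branch, so whatever is on `dev` at the moment a host is provisioned is what gets run against it with sudo and the SSH password; pin the checkout to a reviewed revision instead, e.g. `git clone -b <release-tag> https://git.athelas-conseils.fr/Stage/ansible_playbooks.git` or a `git -C ansible_playbooks checkout <commit-sha>` right after the clone. The unchanged line below passes `ansible_ssh_pass=$password` on the command line, where it is readable in the process list for the whole playbook run; that predates this change, but an `--extra-vars @vars-file` or an environment lookup would keep it out of `ps`.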
@@ -1,31 +1,14 @@
-Role Name
+Setup IPTables
 =========
 
-A brief description of the role goes here.
-
-Requirements
-------------
-
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
-
-Role Variables
--------------
-
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
-
-Dependencies
-------------
-
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+Create iptables rules on the remote server to allow connection on WEB and SSH ports only
 
 Example Playbook
 ----------------
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
 - hosts: servers
 roles:
- - { role: username.rolename, x: 42 }
+ - setup_iptables
 
 License
 -------
@@ -35,4 +18,5 @@ BSD
 Author Information
 ------------------
 
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+Motysten
+E-Mail : mdm@athelas.fr
diff --git a/tasks/roles/setup_iptables/tasks/main.yml b/tasks/roles/setup_iptables/tasks/main.yml
index c468a39..f2a362f 100644
--- a/tasks/roles/setup_iptables/tasks/main.yml
+++ b/tasks/roles/setup_iptables/tasks/main.yml
@@ -14,4 +14,9 @@
 - name: Set INPUT policy to DROP
 ansible.builtin.iptables:
 chain: INPUT
- policy: DROP
\ No newline at end of file
+ policy: DROP
+
+- name: Save rules to keep them on reboot
+ ansible.builtin.iptables_state:
+ state: saved
+ path: /etc/iptables/iptables
\ No newline at end of file
-- 
2.49.1

From d41bfb5aad26000c491f39e9360b837291846ced Mon Sep 17 00:00:00 2001
From: Mateo
Date: Fri, 2 Aug 2024 09:31:45 +0200
Subject: [PATCH 5/9] Fixed error on iptables_state package
---
 tasks/roles/setup_iptables/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/roles/setup_iptables/tasks/main.yml b/tasks/roles/setup_iptables/tasks/main.yml
index f2a362f..5292a60 100644
--- a/tasks/roles/setup_iptables/tasks/main.yml
+++ b/tasks/roles/setup_iptables/tasks/main.yml
@@ -17,6 +17,6 @@
 policy: DROP
 
 - name: Save rules to keep them on reboot
- ansible.builtin.iptables_state:
+ community.general.iptables_state:
 state: saved
 path: /etc/iptables/iptables
\ No newline at end of file
-- 
2.49.1

From 95d216ccd5b2684e4a8ff96b0b7dd4cf6ee9e799 Mon Sep 17 00:00:00 2001
From: Mateo
Date: Fri, 2 Aug 2024 09:45:14 +0200
Subject: [PATCH 6/9] Added iptables folder
---
 tasks/roles/setup_iptables/tasks/main.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tasks/roles/setup_iptables/tasks/main.yml b/tasks/roles/setup_iptables/tasks/main.yml
index 5292a60..4425155 100644
--- a/tasks/roles/setup_iptables/tasks/main.yml
+++ b/tasks/roles/setup_iptables/tasks/main.yml
@@ -16,6 +16,12 @@
 chain: INPUT
 policy: DROP
 
+- name: Create iptables folder in /etc
+ ansible.builtin.file:
+ path: /etc/ansible
+ state: directory
+ mode: '0755'
+
 - name: Save rules to keep them on reboot
 community.general.iptables_state:
 state: saved
-- 
2.49.1

From 61705dd02fa4f2f7f47d02da4f4c6abf91846093 Mon Sep 17 00:00:00 2001
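Review bot: The `Create iptables folder in /etc` task in patch 6 creates `/etc/ansible`, not `/etc/iptables`, so it does nothing for the `iptables_state` save path that follows it and leaves a stray empty directory behind; the line should read `path: /etc/iptables`. Patch 7 in this series then installs `iptables-persistent`, whose package provides that directory, so once that lands the task can be dropped entirely rather than corrected. Its `mode: '0755'` is quoted correctly; keep that style if the task stays.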
From: Mateo
Date: Fri, 2 Aug 2024 09:59:26 +0200
Subject: [PATCH 7/9] Fixed persistence (maybe...)
---
 tasks/roles/setup_iptables/tasks/main.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/tasks/roles/setup_iptables/tasks/main.yml b/tasks/roles/setup_iptables/tasks/main.yml
index 4425155..4b91019 100644
--- a/tasks/roles/setup_iptables/tasks/main.yml
+++ b/tasks/roles/setup_iptables/tasks/main.yml
@@ -22,7 +22,16 @@
 state: directory
 mode: '0755'
 
-- name: Save rules to keep them on reboot
+- name: Install iptables-persistent for rules persistence
+ ansible.builtin.package:
+ name: iptables-persistent
+
+- name: Save IPv4 rules to keep them on reboot
 community.general.iptables_state:
 state: saved
- path: /etc/iptables/iptables
\ No newline at end of file
+ path: /etc/iptables/rules.v4
+
+- name: Save IPv6 rules to keep them on reboot
+ community.general.iptables_state:
+ state: saved
+ path: /etc/iptables/rules.v6
\ No newline at end of file
-- 
2.49.1

From 9ad7e73946be946babb300ffb5abd3b2b4786c08 Mon Sep 17 00:00:00 2001
From: Mateo
Date: Fri, 2 Aug 2024 10:10:40 +0200
Subject: [PATCH 8/9] Removed login from usertwist
---
 tasks/install_caddy.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tasks/install_caddy.yml b/tasks/install_caddy.yml
index 08d455b..30de10d 100644
--- a/tasks/install_caddy.yml
+++ b/tasks/install_caddy.yml
@@ -38,6 +38,7 @@
 name: usertwist
 group: usertwist
 system: true
+ shell: /usr/sbin/nologin
 
 - name: Put the service binary on the remote server
 ansible.builtin.copy:
-- 
2.49.1

From ee8242d842ca3e22a1e37fe7876e6a89994090fb Mon Sep 17 00:00:00 2001
From: Mateo
Date: Fri, 2 Aug 2024 10:38:36 +0200
Subject: [PATCH 9/9] Iptables persistence finally working
---
 tasks/roles/setup_iptables/tasks/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tasks/roles/setup_iptables/tasks/main.yml b/tasks/roles/setup_iptables/tasks/main.yml
index 4b91019..c486da3 100644
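Review bot: The `Save IPv6 rules to keep them on reboot` task does not set `ip_version`, and `community.general.iptables_state` defaults to `ipv4`, so `/etc/iptables/rules.v6` ends up holding a copy of the IPv4 ruleset that `netfilter-persistent` will then hand to `ip6tables-restore`; add `ip_version: ipv6` to that task. Nothing in the role configures ip6tables at all (the ACCEPT and DROP tasks earlier in the file, outside this hunk, are IPv4-only for the same reason), so on a dual-stack host the IPv6 INPUT chain keeps its ACCEPT policy and the README's "WEB and SSH ports only" claim holds for IPv4 alone; either mirror the rules with `ip_version: ipv6` (keeping ICMPv6 accepted so neighbour discovery still works) or document that the target is IPv4-only. The `ansible.builtin.package` task relies on the module's default `state`; an explicit `state: present` would make the intent visible.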
--- a/tasks/roles/setup_iptables/tasks/main.yml
+++ b/tasks/roles/setup_iptables/tasks/main.yml
@@ -25,6 +25,7 @@
 - name: Install iptables-persistent for rules persistence
 ansible.builtin.package:
 name: iptables-persistent
+ update_cache: true
 
 - name: Save IPv4 rules to keep them on reboot
 community.general.iptables_state:
-- 
2.49.1