init

iHile committed Jun 29, 2017
0 parents commit b24b46c0665782240704e05b5d110a02823dd79f
Showing with 3,115 additions and 0 deletions.
  1. +12 −0 .gitignore
  2. +148 −0 README.md
  3. +14 −0 ansible/ansible.cfg
  4. +2 −0 ansible/hosts.ini
  5. +14 −0 ansible/main.yml
  6. +5 −0 ansible/roles/auth/files/nginx.repo
  7. +37 −0 ansible/roles/auth/tasks/auth-deploy.yml
  8. +2 −0 ansible/roles/auth/tasks/cron.yml
  9. +21 −0 ansible/roles/auth/tasks/main.yml
  10. +86 −0 ansible/roles/auth/tasks/nginx.yml
  11. +10 −0 ansible/roles/auth/tasks/pam-2fa.yml
  12. +18 −0 ansible/roles/auth/tasks/redis.yml
  13. +14 −0 ansible/roles/auth/tasks/users.yml
  14. +13 −0 ansible/roles/auth/templates/add-support-user.sh
  15. +20 −0 ansible/roles/auth/templates/nginx/conf.d/void.conf
  16. +29 −0 ansible/roles/auth/templates/nginx/conf.d/xip.conf
  17. +82 −0 ansible/roles/auth/templates/nginx/nginx.conf
  18. +20 −0 ansible/roles/auth/templates/nginx/nginx.service
  19. +1,055 −0 ansible/roles/auth/templates/redis.conf
  20. +4 −0 ansible/roles/auth/vars/main.yml
  21. +5 −0 ansible/roles/common/files/nanorc
  22. +6 −0 ansible/roles/common/files/unlimited-nrpoc-nofile.conf
  23. +7 −0 ansible/roles/common/handlers/main.yml
  24. +20 −0 ansible/roles/common/tasks/ansible.yml
  25. +30 −0 ansible/roles/common/tasks/firewall.yml
  26. +10 −0 ansible/roles/common/tasks/hostname.yml
  27. +39 −0 ansible/roles/common/tasks/main.yml
  28. +10 −0 ansible/roles/common/tasks/ntpd.yml
  29. +8 −0 ansible/roles/common/tasks/selinux.yml
  30. +8 −0 ansible/roles/common/tasks/sysctl.yml
  31. +3 −0 ansible/roles/common/tasks/ulimit.yml
  32. +3 −0 ansible/roles/common/tasks/upgrade-all.yml
  33. +8 −0 ansible/roles/common/tasks/utils.yml
  34. +31 −0 ansible/roles/common/templates/common.iptables
  35. +57 −0 ansible/roles/common/templates/common.sysctl
  36. +56 −0 ansible/roles/common/vars/main.yml
  37. +13 −0 configs/defaults.conf
  38. +1 −0 requirements.txt
  39. +33 −0 scripts/fix-perms.sh
  40. +154 −0 shared/auth-manager.py
  41. +14 −0 shared/bash.sh
  42. +89 −0 shared/bootstrap.sh
  43. +597 −0 shared/helper.py
  44. +289 −0 wrappers/ssh.py
  45. +18 −0 wrappers/timecode.awk
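--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,12 @@
+!.gitignore
+keys/*
+logs/*
+*~
+.DS_Store
+.idea/
+__pycache__/
+*.pyc
+.coverage
+**/.coverage
+.deploy
+shared/support-user-setup.sh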
148 README.md
@@ -0,0 +1,148 @@
# isolate
bastion host setup scripts.
## Supports
* [OTP](https://en.wikipedia.org/wiki/One-time_password) (counter and time based) 2FA algorithms
* SSH sessions logging
## Requirements
* Fresh CentOS 7+ setup
* [Ansible](http://docs.ansible.com/ansible/intro_installation.html) for
install or update
## INSTALL
edit `ansible/hosts.ini` and run:
```
cd ansible
ansible-playbook main.yml
```
append to `/etc/bashrc`
```
if [ -f /opt/auth/shared/bash.sh ]; then
source /opt/auth/shared/bash.sh;
fi
```
append to `/etc/sudoers`
```
%auth ALL=(auth) NOPASSWD: /opt/auth/wrappers/ssh.py
```
### SSH
```
# AuthorizedKeysFile /etc/keys/%u_authorized_keys
PermitRootLogin without-password
PasswordAuthentication yes
GSSAPIAuthentication no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
UseDNS no
MaxStartups 48:20:300
TCPKeepAlive yes
ClientAliveInterval 36
ClientAliveCountMax 2400
```
```
systemctl restart sshd
systemctl status sshd
```
### OTP
append to `/etc/pam.d/sshd`
```
auth required pam_oath.so usersfile=/etc/oath/users.oath window=20 digits=6
```
Example:
```
auth required pam_sepermit.so
auth substack password-auth
auth required pam_oath.so usersfile=/etc/oath/users.oath window=20 digits=6
auth include postlogin
```
append to `/etc/ssh/sshd_config`
```
ChallengeResponseAuthentication yes
Match Group auth
AuthenticationMethods keyboard-interactive
```
```
systemctl restart sshd
systemctl status sshd
```
## Management
#### load auth environment
```
# source /opt/auth/shared/bash.sh;
```
#### add user
```
# auth-add-user username
```
#### generate otp
```
# Time-Based (Mobile and Desktop apps)
gen-oath-safe username totp
# Counter-Based (Yubikey and Mobile apps)
gen-oath-safe username hotp
# and append user secret to /etc/oath/users.oath
# Example: HOTP username - d7dc876e503ec498e532c331f3906153318ec565
```
#### add server
```
$ auth-add-server --server_name main-prod --project test \
--ip <server_ip> --port 22 --user root --proxy-id 12332122 \
--nosudo
Database updated
```
#### del server
```
$ auth-del-host <server_id>
```
#### test data
```
auth-add-host --project starwars --server-name sel-msk-prod --ip 1.1.1.1
auth-add-host --project starwars --server-name sel-spb-reserve --ip 1.1.1.2
auth-add-host --project starwars --server-name sel-spb-dev --ip 1.1.1.3
auth-add-host --project tinyfinger --server-name do-ams3-prod --ip 2.1.1.1
auth-add-host --project tinyfinger --server-name do-nyc-dev --ip 2.1.1.3
auth-add-host --project powerrangers --server-name aws-eu-prod --ip 3.1.1.1
auth-add-host --project powerrangers --server-name aws-eu-reserve --ip 3.1.1.2
auth-add-host --project drugstore --server-name aws-eu-prod --ip 4.1.1.1 --port 25 --user dealer --nosudo
```
### Road Map
* Kibana logging
* Hosts storage plugins (redis, mongo, 24mon)
* ZSH support
* Web-Hooks
* Zabbix support
* NewRelic support
* CI
* GeoIP ASN lookup
* [Ideas?](mailto:ilya.yakovlev@me.com)
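--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -0,0 +1,14 @@
+[defaults]
+forks = 10
+timeout = 10
+transport = ssh
+scp_if_ssh = True
+inventory = ./hosts.ini
+host_key_checking = False
+remote_user = root
+retry_files_enabled = False
+ansible_managed = Ansible managed: modified on %Y-%m-%d %H:%M:%S by {uid}
+no_target_syslog = True
+display_args_to_stdout = True
+callback_whitelist = timer,logstash
+bin_ansible_callbacks = True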
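Review bot: `host_key_checking = False` disables SSH host-key verification for the control connection to the bastion itself, which is exactly the session in which root credentials and the generated secrets travel, so a host on the path could impersonate the bastion during provisioning; drop the line (the default is `True`) and pre-seed the bastion's key in the operator's `known_hosts`. `display_args_to_stdout = True` prints every task's arguments, so the value passed to `set_fact: redis_pass=...` in roles/auth/tasks/redis.yml lands in the console log on each run; set `display_args_to_stdout = False` or mark the secret-carrying tasks `no_log: true`. `scp_if_ssh = True` with the `ssh` transport is fine but worth a one-line comment saying why scp is preferred over sftp here, since the default differs.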
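--- a/ansible/hosts.ini
+++ b/ansible/hosts.ini
@@ -0,0 +1,2 @@
+[main]
+auth1.example.org ansible_ssh_host=95.213.199.218 ansible_ssh_port=22 ansible_ssh_user=root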
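Review bot: The sample inventory commits a concrete public address (`95.213.199.218`) with a root login, and README tells users to edit this file before running, so a first run by someone who skips that step targets a real host; a placeholder such as `auth1.example.org ansible_host=<bastion-ip> ansible_port=22 ansible_user=root` avoids that. `ansible_ssh_host`, `ansible_ssh_port` and `ansible_ssh_user` are the pre-2.0 variable names; `ansible_host`, `ansible_port` and `ansible_user` are their current equivalents.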
@@ -0,0 +1,14 @@
---
- name: Auth host setup...
gather_facts: yes
become_user: root
hosts: all
roles:
- role: common
tags: common
- role: auth
git_repo: https://github.com/iHile/isolate.git
git_branch: master
deploy_path: /opt/auth
tags: auth
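Review bot: `git_branch: master` deploys whatever the upstream branch head is at the moment the play runs, so the code executing as the `auth` user on the bastion can change between runs without anyone reviewing it; pin the role var to a tag or commit, `git_branch: "<release tag or commit sha>"`, and bump it deliberately. `become_user: root` has no effect unless `become: yes` is also set on the play, and `gather_facts: yes` would be `gather_facts: true` under yamllint's truthy rule. Leading indentation is not preserved in this rendering, so the nesting of the role vars under `- role: auth` could not be checked.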
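--- a/ansible/roles/auth/files/nginx.repo
+++ b/ansible/roles/auth/files/nginx.repo
@@ -0,0 +1,5 @@
+[nginx]
+name=nginx repo
+baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
+gpgcheck=0
+enabled=1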
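Review bot: `gpgcheck=0` combined with an `http://` baseurl means the nginx package is fetched unauthenticated over plaintext and installed as root by the yum task in tasks/nginx.yml, so anyone on the network path can substitute the binary that terminates TLS on the bastion. nginx publishes a package signing key; use `baseurl=https://nginx.org/packages/centos/$releasever/$basearch/`, `gpgcheck=1` and `gpgkey=https://nginx.org/keys/nginx_signing.key` so yum verifies signatures before installing.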
@@ -0,0 +1,37 @@
---
- name: Ensure auth dir exist...
file: state=directory dest={{ deploy_path }} mode=0750 owner=auth group=auth
- name: Pulling changes on remote server...
become: yes
become_user: auth
git: repo={{ git_repo }}
version={{ git_branch }}
dest={{ deploy_path }}
accept_hostkey=yes
force=no
recursive=yes
umask=077
- name: Set deploy flag...
become: yes
become_user: auth
file:
path: "{{ deploy_path }}/.deploy"
state: touch
mode: "u+rw,g+rw,o-rwx"
- name: Installing pip requirements.txt...
pip: requirements="{{ deploy_path }}/requirements.txt" umask=0022
- name: Executing deploy script...
shell: "bash --norc {{ deploy_path }}/scripts/fix-perms.sh"
become: yes
become_user: auth
- name: Set deploy flag...
become: yes
become_user: auth
file:
path: "{{ deploy_path }}/.deploy"
state: absent
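Review bot: The `pip: requirements=... umask=0022` task has no `become_user`, so it runs as the play's root user and installs unpinned packages from `requirements.txt` into the bastion's system site-packages; run it as `auth` into a virtualenv under the deploy path (`pip: requirements="{{ deploy_path }}/requirements.txt" virtualenv="{{ deploy_path }}/venv"` with `become: yes` and `become_user: auth`) and pin versions, ideally with hashes, in the requirements file. The two tasks both named `Set deploy flag...` do opposite things; rename the second to `Clear deploy flag...` so run output distinguishes them. `accept_hostkey=yes` on the git task is inert for the https `git_repo` in main.yml but would silently trust an unknown host key if the repo URL were switched to ssh, so a comment stating that assumption would help. Indentation is not preserved in this rendering, so nesting could not be verified.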
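--- a/ansible/roles/auth/tasks/cron.yml
+++ b/ansible/roles/auth/tasks/cron.yml
@@ -0,0 +1,2 @@
+---
+# TODO: autocomplete updater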
@@ -0,0 +1,21 @@
---
- include: users.yml
tags: users
- include: cron.yml
tags: cron
- include: redis.yml
tags: redis
- include: pam-2fa.yml
tags:
- pam
- pam2fa
- pam-2fa
- include: nginx.yml
tags: nginx
- include: auth-deploy.yml
tags: auth-deploy
@@ -0,0 +1,86 @@
---
- set_fact: xip_domain="{{ ansible_default_ipv4.address }}.xip.name"
- name: Making LetsEncrypt common auth dir ...
file: state=directory dest=/opt/lec owner=root group=root mode=0755
- name: Ensure Nginx SSL folder exists...
file: state=directory dest="{{ nginx_ssl_folder }}" mode=0700
- name: Making xip www root...
file: state=directory dest=/var/www/xip owner=root group=root mode=0755
- name: Copying add-support-user.sh template...
template: src=add-support-user.sh dest=/var/www/xip/add-support-user.sh mode=644
- name: Installing Nginx repo...
copy: src=nginx.repo dest="/etc/yum.repos.d/nginx.repo"
tags: nginx-install
- name: Installing Nginx...
yum: name=nginx state=present
tags: nginx-install
- name: Configuring SystemD unit...
template: src=nginx/nginx.service dest=/usr/lib/systemd/system/nginx.service
tags: nginx-install
- name: Ensure Nginx service is enabled...
service: name=nginx enabled=yes daemon_reload=yes
tags: nginx-install
- name: Renaming default.conf to default.conf.orig...
shell: mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.orig
ignore_errors: yes
tags:
- nginx-install
- stat: path="{{ nginx_dh_param }}" get_md5=False get_checksum=False
register: nginx_dh_file_stat
tags:
- nginx-gen-dh
- nginx-config
- name: Generating DH file (if not exist)...
shell: openssl dhparam -out {{ nginx_dh_param }} 2048
when: nginx_dh_file_stat.stat.exists == False
tags:
- nginx-gen-dh
- nginx-config
- name: Applying Nginx basic configs...
template: src="nginx/{{ item }}" dest="/etc/nginx/{{ item }}"
with_items:
- nginx.conf
tags:
- nginx-config
- name: Applying Nginx custom templates (conf.d/*.conf)...
template: src="nginx/conf.d/{{ item | basename }}" dest="/etc/nginx/conf.d/{{ item | basename }}"
with_fileglob:
- "../templates/nginx/conf.d/*"
tags:
- nginx-config
- name: Checking Nginx configs...
shell: nginx -t
tags:
- nginx-config
- name: Restart nginx
service: name=nginx state=restarted daemon_reload=yes
tags:
- nginx-config
- name: Installing Certbot...
yum: name=certbot state=present
ignore_errors: yes
tags: nginx-install
- name: Generating certs...
ignore_errors: yes
shell: "certbot certonly -m nobody@example.org --agree-tos --webroot -w /opt/lec -d {{ xip_domain }} -n"
- meta: flush_handlers
tags:
- nginx-config
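Review bot: The certbot issuance task carries `ignore_errors: yes` and uses the placeholder `-m nobody@example.org`, so a failed or rate-limited issuance for the xip.name domain passes silently and nginx is restarted against whatever certificate material the templates reference; drop `ignore_errors` (or `register` the result and fail on `rc != 0`) and make the contact address a role var. The `add-support-user.sh` template is rendered with host facts and published under the xip www root, which the conf.d vhosts presumably serve to anyone who can reach the host, so whatever the template interpolates is public by design — a comment on that task stating this intent would save the next reader a check; its `mode=644` also differs from the `0755`/`0700` used by the sibling tasks, and `mode=0644` makes the octal intent unambiguous in either argument form. `when: nginx_dh_file_stat.stat.exists == False` reads better as `when: not nginx_dh_file_stat.stat.exists`, and `get_md5=False` on `stat` is a deprecated option that can simply be omitted.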
@@ -0,0 +1,10 @@
---
- name: Install 2FA PAM utilites via yum...
yum: name={{ item }} state=present update_cache=yes
with_items:
- liboath
- gen-oath-safe
- pam_oath
- name: Ensure oath etc dir exist...
file: dest=/etc/oath state=directory owner=root group=root mode=0700
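Review bot: The task creates `/etc/oath` but never creates the users file that the README's `pam_oath.so usersfile=/etc/oath/users.oath` line reads, so the first 2FA login depends on an operator having created it by hand with the right permissions; add `copy: content="" dest=/etc/oath/users.oath force=no owner=root group=root mode=0600` so the secrets file exists root-only from the start while `force=no` keeps any existing secrets intact. The three-package `with_items` loop over `yum` can pass the list directly under `name`, letting yum resolve them in one transaction; `update_cache=yes` would be `update_cache: true` under yamllint's truthy rule if the tasks are ever converted to dict form.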
@@ -0,0 +1,18 @@
---
- name: Generating new password...
local_action: shell pwgen 14
register: pwgen_run
become: no
- set_fact: redis_pass="{{ pwgen_run.stdout }}"
- name: Install Redis via yum...
yum: name={{ item }} state=present update_cache=yes
with_items:
- redis
- name: Apply Redis configs...
template: src=redis.conf dest=/etc/redis.conf owner=root group=redis mode=0640
- name: Restart Redis...
service: name=redis state=restarted enabled=yes
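Review bot: `local_action: shell pwgen 14` generates a fresh password on every run and `set_fact: redis_pass=...` records it, with neither task marked `no_log: true`, so with `display_args_to_stdout = True` in ansible.cfg the Redis password is printed in the run output each time and rotated on every deploy, which breaks any client configured with the previous value unless that client is re-rendered in the same run (not visible in this hunk). Add `no_log: true` to both tasks and use pwgen's secure mode with a longer value, `local_action: shell pwgen -s 32 1`, since the default mode favours pronounceable output over entropy. If the password must survive re-runs, generate it only when no existing `/etc/redis.conf` carries one, or keep it in a vault-encrypted var and render the template from that.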
@@ -0,0 +1,14 @@
---
- name: Creating auth user...
user:
name: "{{ auth_default_user }}"
shell: /bin/bash
generate_ssh_key: yes
ssh_key_bits: 4096
ssh_key_comment: "{{ auth_default_user }}@{{ inventory_hostname }}"
- name: Copying public key ...
shell: "cat /home/{{ auth_default_user }}/.ssh/id_rsa.pub"
register: pub_key
- set_fact: support_key="{{ pub_key['stdout'] }}"