Added better ssh defaults, added fail2ban, ferm for added security.

roots · Nov 19, 2014 · 313853c · 313853c · 30suns · Dec 1, 2014
1 parent 5be55f5
commit 313853c
Show file tree

Hide file tree

Showing 31 changed files with 896 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -83,6 +83,58 @@ The example `Vagrantfile` in this project can be kept in this folder, or moved a
 
 Whenever you move or copy the `Vagrantfile` somewhere else, you need to make sure to adjust the relative paths in it including `config.vm.synced_folder` and `ansible.playbook = './site.yml'`.
 
+## Security
+
+### Locking down `root`
+
+By default, ssh access to the `root` user is allowed on fresh server installs. The `secure-root.yml` playbook does a few things to lock the server down:
+
+* Creates users with `sudo` privileges.
+* Disable ssh root login.
+* Disable password authentication for ssh access.
+* Set better ssh defaults.
+
+There are a few variables to be aware of:
+
+* `sudoers` located in `group_vars/all`
+This variable contains a list of dictionaries of users to create.
+* `sudoer_passwords` located in `vars/sudoer_passwords`. This is a dictionary of user => password pairs used when creating users with sudo privileges.
+
+Here's an example list of `sudoers`:
+```
+sudoers:
+  - user: "admin"
+    groups: ["sudo"]
+  - user: "another_user"
+    groups: ["sudo"]
+```
+
+`user` is the key to be used when creating the user and `groups` is an array used to determine the groups the user belongs to. The first item in the array will be used when setting the user's primary group.
+
+
+Here's an example list of `sudoer_passwords`:
+```
+sudoers:
+  admin: $6$rounds=100000$JUkj1d3hCa6uFp6R$3rZ8jImyCpTP40e4I5APx7SbBvDCM8fB6GP/IGOrsk/GEUTUhl1i/Q2JNOpj9ashLpkgaCxqMqbFKdZdmAh26/
+  another_user: $6$rounds=100000$r3ZZsk/uc31cAxQT$YHMkmKrwgXr3u1YgrSvg0wHZg5IM6MLEzqOraIXqh5o7aWshxD.QaNeCcUX3KInqzTqaqN3qzo9nvc/QI0M1C.
+```
+
+The passwords were generated using the python command [found here](http://docs.ansible.com/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module). The passwords generated here are `example_password` and `another_password`, respectively. The ansible user module doesn't handle any encryption and passwords must be encrypted beforehand. It's also recommended `vars/sudoer_passwords.yml` be encrypted using one of the encryption methods described in the [passwords](#passwords) section of this document. Passwords are stored separately in order to ease the separation of encrypted var files and are looked up based on the user name.
+
+This playbook should be run on remote hosts and is designed to be run once whenever the server is initially created (as the root user will be inaccessible after running and the ansible default user is the [current user](http://docs.ansible.com/intro_configuration.html#remote-user)). To invoke, run `ansible-playbook -i hosts/ENVIRONMENT secure-root.yml`. Because the root user is locked down, remote hosts also need to use a different ssh user. You can set the default remote user in `site.yml` by setting the `remote_user` variable.
+
+### `fail2ban` and `ferm`
+
+> Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.
+
+From http://www.fail2ban.org/wiki/index.php/Main_Page
+
+> ferm is a tool to maintain complex firewalls, without having the trouble to rewrite the complex rules over and over again. ferm allows the entire firewall rule set to be stored in a separate file, and to be loaded with one command.
+
+From http://ferm.foo-projects.org/
+
+You can read the role documentation for `fail2ban` [here](roles/fail2ban/README.md) and `ferm` [here](roles/ferm/README.md).
+
 ## Vagrant Box
 
 By default, the example `Vagrantfile` now uses the `roots/bedrock` box. It's publicly available on the Vagrant Cloud site [here](https://vagrantcloud.com/roots/bedrock).

diff --git a/Vagrantfile b/Vagrantfile
@@ -50,7 +50,6 @@ Vagrant.configure('2') do |config|
       ansible_ssh_user: 'vagrant',
       user: 'vagrant'
     }
-    ansible.sudo = true
   end
 
 

diff --git a/group_vars/all b/group_vars/all
@@ -1,3 +1,18 @@
 ---
 www_root: /srv/www
 mariadb_dist: trusty
+apt_cache_valid_time: 86400
+
+sudoers:
+  - user: "admin"
+    groups: ["sudo"]
+
+ferm_input_list:
+  - type: "dport_accept"
+    dport: ["http", "https"]
+    filename: "nginx_accept"
+  - type: "dport_limit"
+    dport: ["ssh"]
+    seconds: "300"
+    hits: "5"
+    disabled: false
diff --git a/roles/fail2ban/LICENSE b/roles/fail2ban/LICENSE
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Nick Janetakis nick.janetakis@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/roles/fail2ban/README.md b/roles/fail2ban/README.md
@@ -0,0 +1,119 @@
+## What is ansible-fail2ban?
+
+It is an [ansible](http://www.ansible.com/home) role to install and configure fail2ban.
+
+### What problem does it solve and why is it useful?
+
+Security is important and fail2ban is an excellent tool to harden your server with minimal or even no configuration.
+
+## Role variables
+
+Below is a list of default values along with a description of what they do.
+
+```
+# Which log level should it be output as?
+# 1 = ERROR, 2 = WARN, 3 = INFO, 4 = DEBUG
+fail2ban_loglevel: 3
+
+# Where should log outputs be sent to?
+# SYSLOG, STDERR, STDOUT, file
+fail2ban_logtarget: /var/log/fail2ban.log
+
+# Where should the socket be created?
+fail2ban_socket: /var/run/fail2ban/fail2ban.sock
+
+# Which IP address, CIDR mark or DNS host should be ignored?
+fail2ban_ignoreip: 127.0.0.1/8
+
+# How long in seconds should the ban last for?
+fail2ban_bantime: 600
+
+# How many times can they try before getting banned?
+fail2ban_maxretry: 6
+
+# How should the file changes be detected?
+# gamin, polling, auto
+fail2ban_backend: polling
+
+# Where should e-mail reports be sent to?
+fail2ban_destemail: root@localhost
+
+# How should the ban be applied?
+# iptables, iptables-new, iptables-multiport, shorewall, etc.
+fail2ban_banaction: iptables-multiport
+
+# What e-mail action should be used?
+# sendmail or mail
+fail2ban_mta: sendmail
+
+# What should the default protocol be?
+fail2ban_protocol: tcp
+
+# Which chain would the JUMPs be added into iptables-*?
+fail2ban_chain: INPUT
+
+# What should the default ban action be?
+# action_, action_mw, action_mwl
+fail2ban_action: action_
+
+# What services should fail2ban monitor?
+# You can define fail2ban_services as an empty string to not monitor anything.
+# You can define multiple services as a standard yaml list.
+fail2ban_services:
+    # The name of the service
+    # REQUIRED.
+  - name: ssh
+
+    # Is it enabled?
+    # OPTIONAL: Defaults to "true" (must be a string).
+    enabled: "true"
+
+    # What port does the service use?
+    # Separate multiple ports with a comma, no spaces.
+    # REQUIRED.
+    port: ssh
+
+    # What protocol does the service use?
+    # OPTIONAL: Defaults to the protocol listed above.
+    protocol: tcp
+
+    # What filter should it use?
+    # REQUIRED.
+    filter: sshd
+
+    # Which log path should it monitor?
+    # REQUIRED.
+    logpath: /var/log/auth.log
+
+    # How many times can they try before getting banned?
+    # OPTIONAL: Defaults to the maxretry listed above.
+    maxretry: 6
+
+    # What should the default ban action be?
+    # OPTIONAL: Defaults to the action listed above.
+    action: action_
+
+    # How should the ban be applied?
+    # OPTIONAL: Defaults to the banaction listed above.
+    banaction: iptables-multiport
+```
+
+## Example playbook
+
+Let's say you want to edit a few values, you can do this by opening `group_vars/all` and then add the following:
+
+```
+fail2ban_services:
+  - name: ssh
+    port: ssh
+    filter: sshd
+    logpath: /var/log/auth.log
+  - name: postfix
+    port: smtp,ssmtp
+    filter: postfix
+    logpath: /var/log/mail.log
+```
+
+## Attribution
+
+Many thanks to [nickjj](https://github.com/nickjj/) for creating the [original version](https://github.com/nickjj/ansible-fail2ban/) of this role.
diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml
@@ -0,0 +1,24 @@
+---
+fail2ban_loglevel: 3
+fail2ban_logtarget: /var/log/fail2ban.log
+fail2ban_socket: /var/run/fail2ban/fail2ban.sock
+
+fail2ban_ignoreip: 127.0.0.1/8
+fail2ban_bantime: 600
+fail2ban_maxretry: 6
+
+fail2ban_backend: polling
+
+fail2ban_destemail: root@localhost
+fail2ban_banaction: iptables-multiport
+fail2ban_mta: sendmail
+fail2ban_protocol: tcp
+fail2ban_chain: INPUT
+
+fail2ban_action: action_
+
+fail2ban_services:
+  - name: ssh
+    port: ssh
+    filter: sshd
+    logpath: /var/log/auth.log
diff --git a/roles/fail2ban/handlers/main.yml b/roles/fail2ban/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart fail2ban
+  service: name=fail2ban state=restarted
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: ensure fail2ban is installed
+  apt: pkg=fail2ban state=latest update_cache=true cache_valid_time={{ apt_cache_valid_time }}
+  notify:
+    - restart fail2ban
+
+- name: ensure fail2ban is configured
+  template: src={{ item }}.j2 dest=/etc/fail2ban/{{ item }}
+  with_items:
+    - jail.local
+    - fail2ban.local
+  notify:
+    - restart fail2ban
+
+- name: ensure fail2ban starts on a fresh reboot
+  service: name=fail2ban state=started enabled=yes
diff --git a/roles/fail2ban/templates/fail2ban.local.j2 b/roles/fail2ban/templates/fail2ban.local.j2
@@ -0,0 +1,5 @@
+[Definition]
+
+loglevel = {{ fail2ban_loglevel }}
+logtarget = {{ fail2ban_logtarget }}
+socket = {{ fail2ban_socket }}
diff --git a/roles/fail2ban/templates/jail.local.j2 b/roles/fail2ban/templates/jail.local.j2
@@ -0,0 +1,47 @@
+[DEFAULT]
+
+ignoreip = {{ fail2ban_ignoreip }}
+bantime  = {{ fail2ban_bantime }}
+maxretry = {{ fail2ban_maxretry }}
+
+backend = {{fail2ban_backend}}
+
+destemail = {{ fail2ban_destemail }}
+banaction = {{ fail2ban_banaction }}
+mta = {{ fail2ban_mta }}
+protocol = {{ fail2ban_protocol }}
+chain = {{ fail2ban_chain }}
+
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+action = %({{ fail2ban_action }})s
+
+{% if fail2ban_services is iterable %}
+{% for service in fail2ban_services %}
+[{{ service.name }}]
+
+enabled = {{ service.enabled|default("true") }}
+port = {{ service.port }}
+filter = {{ service.filter }}
+logpath = {{ service.logpath }}
+{% if service.maxretry is defined %}
+maxretry = {{ service.maxretry }}
+{% endif %}
+{% if service.protocol is defined %}
+protocol = {{ service.protocol }}
+{% endif %}
+{% if service.action is defined %}
+action = %({{ service.action }})s
+{% endif %}
+{% if service.banaction is defined %}
+banaction = {{ service.banaction }}
+{% endif %}
+
+{% endfor %}
+{% endif %}
diff --git a/roles/ferm/LICENSE b/roles/ferm/LICENSE
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Nick Janetakis nick.janetakis@gmail.com
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.