From cf4e8273d1b553e1b7fded0e007dafb5c0369b60 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Thu, 4 Mar 2021 10:00:09 +0100 Subject: [PATCH] Update to 2021-03-04 10:00 --- roles/crowdsec/tasks/conf.yml | 6 +- roles/crowdsec/tasks/directories.yml | 4 +- roles/crowdsec/tasks/facts.yml | 14 ++--- roles/crowdsec_firewall_bouncer/defaults/main.yml | 15 +++++ roles/crowdsec_firewall_bouncer/handlers/main.yml | 4 ++ roles/crowdsec_firewall_bouncer/tasks/cleanup.yml | 8 +++ roles/crowdsec_firewall_bouncer/tasks/conf.yml | 6 ++ .../tasks/directories.yml | 9 +++ roles/crowdsec_firewall_bouncer/tasks/facts.yml | 72 ++++++++++++++++++++++ roles/crowdsec_firewall_bouncer/tasks/install.yml | 70 +++++++++++++++++++++ roles/crowdsec_firewall_bouncer/tasks/iptables.yml | 17 +++++ roles/crowdsec_firewall_bouncer/tasks/main.yml | 10 +++ roles/crowdsec_firewall_bouncer/tasks/services.yml | 5 ++ .../templates/cs-firewall-bouncer.yaml.j2 | 12 ++++ roles/g2cs/files/g2cs.pl | 18 +++++- roles/g2cs/tasks/install.yml | 1 + 16 files changed, 256 insertions(+), 15 deletions(-) create mode 100644 roles/crowdsec_firewall_bouncer/defaults/main.yml create mode 100644 roles/crowdsec_firewall_bouncer/handlers/main.yml create mode 100644 roles/crowdsec_firewall_bouncer/tasks/cleanup.yml create mode 100644 roles/crowdsec_firewall_bouncer/tasks/conf.yml create mode 100644 roles/crowdsec_firewall_bouncer/tasks/directories.yml create mode 100644 roles/crowdsec_firewall_bouncer/tasks/facts.yml create mode 100644 roles/crowdsec_firewall_bouncer/tasks/install.yml create mode 100644 roles/crowdsec_firewall_bouncer/tasks/iptables.yml create mode 100644 roles/crowdsec_firewall_bouncer/tasks/main.yml create mode 100644 roles/crowdsec_firewall_bouncer/tasks/services.yml create mode 100644 roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2 diff --git a/roles/crowdsec/tasks/conf.yml b/roles/crowdsec/tasks/conf.yml index d818049..c87fadb 100644 --- a/roles/crowdsec/tasks/conf.yml 
+++ b/roles/crowdsec/tasks/conf.yml @@ -31,7 +31,7 @@ register: cs_lapi_credentials delegate_to: "{{ cs_lapi_server }}" - set_fact: cs_lapi_credentials_yaml={{ cs_lapi_credentials.stdout | from_yaml }} - - copy: content={{ cs_lapi_credentials_yaml.password }} dest={{ cs_root_dir }}/meta/lapi_pass mode=600 + - copy: content={{ cs_lapi_credentials_yaml.password }} dest=/etc/crowdsec/meta/lapi_pass mode=600 - set_fact: cs_lapi_pass={{ cs_lapi_credentials_yaml.password }} tags: cs @@ -44,8 +44,8 @@ command: cscli capi register -o raw -f /dev/stdout register: cs_capi_credentials - set_fact: cs_capi_credentials_yaml={{ cs_capi_credentials.stdout | from_yaml }} - - copy: content={{ cs_capi_credentials_yaml.login }} dest={{ cs_root_dir }}/meta/capi_user mode=600 - - copy: content={{ cs_capi_credentials_yaml.password }} dest={{ cs_root_dir }}/meta/capi_pass mode=600 + - copy: content={{ cs_capi_credentials_yaml.login }} dest=/etc/crowdsec/meta/capi_user mode=600 + - copy: content={{ cs_capi_credentials_yaml.password }} dest=/etc/crowdsec/meta/capi_pass mode=600 - set_fact: cs_capi_user={{ cs_capi_credentials_yaml.login }} - set_fact: cs_capi_pass={{ cs_capi_credentials_yaml.password }} tags: cs diff --git a/roles/crowdsec/tasks/directories.yml b/roles/crowdsec/tasks/directories.yml index 5184210..2c3bbbd 100644 --- a/roles/crowdsec/tasks/directories.yml +++ b/roles/crowdsec/tasks/directories.yml @@ -6,8 +6,6 @@ - dir: /etc/crowdsec mode: 755 - dir: "{{ cs_root_dir }}" - - dir: "{{ cs_root_dir }}/meta" - mode: 700 - dir: "{{ cs_root_dir }}/backup" mode: 700 - dir: "{{ cs_root_dir }}/data" @@ -18,4 +16,6 @@ - dir: /etc/crowdsec/postoverflows/s00-enrich - dir: /etc/crowdsec/postoverflows/s01-whitelist - dir: /etc/crowdsec/acquis + - dir: /etc/crowdsec/meta + mode: 700 tags: cs diff --git a/roles/crowdsec/tasks/facts.yml b/roles/crowdsec/tasks/facts.yml index a20a091..119ee78 100644 --- a/roles/crowdsec/tasks/facts.yml +++ b/roles/crowdsec/tasks/facts.yml 
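Review bot: The tasks that write the LAPI/CAPI credentials still run without `no_log: true`, so the password on the new `copy: content={{ cs_lapi_credentials_yaml.password }} dest=/etc/crowdsec/meta/lapi_pass mode=600` line (and the two capi lines in the second hunk, the `cscli ... register` tasks that feed them, and the `slurp`/`set_fact` tasks in roles/crowdsec/tasks/facts.yml) is echoed into task output and verbose controller logs. Adding `no_log: true` to each of those tasks keeps the secrets out of the log and callback output. The key=value shorthand also hands `content` to the argument parser, so a generated password containing whitespace or `=` would be split; the dict form `content: "{{ cs_lapi_credentials_yaml.password }}"` avoids that, and quoting the mode as `'0600'` makes the octal intent explicit.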
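Review bot: Moving the meta directory to /etc/crowdsec/meta drops the `{{ cs_root_dir }}/meta` entry but nothing migrates or removes the existing directory, so on hosts that were deployed before this change the lapi_pass/capi_user/capi_pass files stay behind under the old path, and because facts.yml now only stats /etc/crowdsec/meta those hosts will go through API registration again. A one-time migration task (move the three files if they exist under the old path, then `file: path={{ cs_root_dir }}/meta state=absent`) would avoid both the re-registration and the stale copies of the secrets. `mode: 700` on the new entry is a YAML integer; assuming the loop header above the hunk renders it through `mode={{ item.mode | default(omit) }}` as the bouncer role's directories.yml does, it arrives as the string "700" and is read as octal, but `mode: '0700'` removes the dependency on that detail (same remark for roles/crowdsec_firewall_bouncer/tasks/directories.yml).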
@@ -35,7 +35,7 @@ - block: - import_tasks: ../includes/get_rand_pass.yml vars: - - pass_file: "{{ cs_root_dir }}/meta/ansible_db_pass" + - pass_file: "/etc/crowdsec/meta/ansible_db_pass" - complex: False - set_fact: cs_db_pass={{ rand_pass }} when: @@ -45,13 +45,13 @@ # Check if local API credentials are available in the meta dir - name: Check local API credential files - stat: path={{ cs_root_dir }}/meta/lapi_pass + stat: path=/etc/crowdsec/meta/lapi_pass register: cs_lapi_pass_file tags: cs - name: Read the local API pass block: - - slurp: src={{ cs_root_dir }}/meta/lapi_pass + - slurp: src=/etc/crowdsec/meta/lapi_pass register: cs_lapi_pass_meta - set_fact: cs_lapi_pass={{ cs_lapi_pass_meta.content | b64decode | trim }} when: cs_lapi_pass is not defined and cs_lapi_pass_file.stat.exists @@ -60,15 +60,15 @@ # Check if central API credentials are available in the meta dir - name: Check central API credential files block: - - stat: path={{ cs_root_dir }}/meta/capi_user + - stat: path=/etc/crowdsec/meta/capi_user register: cs_capi_user_file - - stat: path={{ cs_root_dir }}/meta/capi_pass + - stat: path=/etc/crowdsec/meta/capi_pass register: cs_capi_pass_file tags: cs - name: Read the central API user block: - - slurp: src={{ cs_root_dir }}/meta/capi_user + - slurp: src=/etc/crowdsec/meta/capi_user register: cs_capi_user_meta - set_fact: cs_capi_user={{ cs_capi_user_meta.content | b64decode | trim }} when: cs_capi_user is not defined and cs_capi_user_file.stat.exists @@ -76,7 +76,7 @@ - name: Read the central API pass block: - - slurp: src={{ cs_root_dir }}/meta/capi_pass + - slurp: src=/etc/crowdsec/meta/capi_pass register: cs_capi_pass_meta - set_fact: cs_capi_pass={{ cs_capi_pass_meta.content | b64decode | trim }} when: cs_capi_pass is not defined and cs_capi_pass_file.stat.exists diff --git a/roles/crowdsec_firewall_bouncer/defaults/main.yml b/roles/crowdsec_firewall_bouncer/defaults/main.yml new file mode 100644 index 0000000..d8d5c91 --- /dev/null 
+++ b/roles/crowdsec_firewall_bouncer/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+
+# Version of the firewall bouncer to install
+cs_fw_version: 0.0.10
+# URL of the firewall bouncer archive
+cs_fw_archive_url: https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v{{ cs_fw_version }}/cs-firewall-bouncer.tgz
+# Expected sha1 of the archive
+cs_fw_archive_sha1: 46863e95bdc8f48434583f55e89b7720fce5736d
+
+# API on which the bouncer should listen for alerts
+cs_fw_lapi_url: "{{ cs_lapi_url | default('http://localhost:8080/') }}"
+# If not defined, ansible will try to register the bouncer on the Local API server
+# cs_lapi_server must be defined in this case
+# cs_fw_lapi_key: aaabbbccc
+
diff --git a/roles/crowdsec_firewall_bouncer/handlers/main.yml b/roles/crowdsec_firewall_bouncer/handlers/main.yml
new file mode 100644
index 0000000..c8c6d1e
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: restart cs-firewall-bouncer
+ service: name=cs-firewall-bouncer state=restarted
diff --git a/roles/crowdsec_firewall_bouncer/tasks/cleanup.yml b/roles/crowdsec_firewall_bouncer/tasks/cleanup.yml
new file mode 100644
index 0000000..59e3129
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/cleanup.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Remove temp and obsolete files
+ file: path={{ item }} state=absent
+ loop:
+ - /tmp/cs-firewall-bouncer.tgz
+ - /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
+ tags: cs
diff --git a/roles/crowdsec_firewall_bouncer/tasks/conf.yml b/roles/crowdsec_firewall_bouncer/tasks/conf.yml
new file mode 100644
index 0000000..b1485ec
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/conf.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Deploy configuration
+ template: src=cs-firewall-bouncer.yaml.j2 dest=/etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml mode=600
+ notify: restart cs-firewall-bouncer
+ tags: cs
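Review bot: `cs_fw_archive_sha1` pins the download to a SHA-1 digest, which install.yml then passes to get_url as `checksum: sha1:...`; get_url also accepts `sha256:`, and since the digest is computed once by the maintainer there is no cost to recording the stronger one, e.g. `cs_fw_archive_sha256: <sha256 of the archive>` with `checksum: sha256:{{ cs_fw_archive_sha256 }}` in install.yml. The comment above `cs_fw_lapi_url` describes an API the bouncer "listens" on, but the value is the Local API the bouncer pulls decisions from; `# URL of the Local API the bouncer fetches decisions from` states that more accurately.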
diff --git a/roles/crowdsec_firewall_bouncer/tasks/directories.yml b/roles/crowdsec_firewall_bouncer/tasks/directories.yml
new file mode 100644
index 0000000..36ba46e
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/directories.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Create needed directories
+ file: path={{ item.dir }} state=directory mode={{ item.mode | default(omit) }}
+ loop:
+ - dir: /etc/crowdsec/cs-firewall-bouncer
+ - dir: /etc/crowdsec/meta
+ mode: 700
+ tags: cs
diff --git a/roles/crowdsec_firewall_bouncer/tasks/facts.yml b/roles/crowdsec_firewall_bouncer/tasks/facts.yml
new file mode 100644
index 0000000..d9e19c0
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/facts.yml
@@ -0,0 +1,72 @@
+---
+
+- include_vars: "{{ item }}"
+ with_first_found:
+ - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+ - vars/{{ ansible_distribution }}.yml
+ - vars/{{ ansible_os_family }}.yml
+ tags: cs
+
+- name: Check if API key is available
+ stat: path=/etc/crowdsec/meta/bouncer_fw_api_key
+ register: cs_fw_lapi_key_file
+ tags: cs
+
+- when: cs_fw_lapi_key is not defined and (not cs_fw_lapi_key_file.stat.exists or cs_fw_lapi_key_file.stat.size == 0)
+ block:
+ - name: Register the bouncer
+ shell: |
+ cscli bouncers list -o raw | grep -q -P '^{{ inventory_hostname }}-firewall' && cscli bouncers delete {{ inventory_hostname }}-firewall
+ cscli bouncers add {{ inventory_hostname }}-firewall -o raw
+ register: cs_bouncer_add
+ failed_when: cs_bouncer_add.rc not in [0,1]
+ changed_when: cs_bouncer_add.rc == 0
+ delegate_to: "{{ cs_lapi_server | default(inventory_hostname) }}"
+
+ - name: Record the API key for later use
+ copy: content={{ cs_bouncer_add.stdout }} dest=/etc/crowdsec/meta/bouncer_fw_api_key mode=600
+
+ tags: cs
+
+- when: cs_fw_lapi_key is not defined
+ block:
+ - name: Read the API key
+ slurp: src=/etc/crowdsec/meta/bouncer_fw_api_key
+ register: cs_fw_lapi_generated_key
+ - set_fact: cs_fw_lapi_key={{ cs_fw_lapi_generated_key.content | b64decode | trim }}
+ tags: cs
+
+- name: Set initial facts
+ block:
+ - set_fact: cs_fw_current_version=''
+ - set_fact: cs_fw_install_mode='none'
+ tags: cs
+
+- name: Check if the bouncer is installed
+ stat: path=/usr/local/bin/cs-firewall-bouncer
+ register: cs_fw_bin
+ tags: cs
+
+- when: cs_fw_bin.stat.exists
+ block:
+ - name: Detect installed version
+ shell: |
+ cs-firewall-bouncer -c /dev/null 2>&1 | perl -ne 'm/cs-firewall-bouncer v(\d+(\.\d+)*)/ && print $1'
+ register: cs_fw_current_version
+ changed_when: False
+
+ - set_fact: cs_fw_current_version={{ cs_fw_current_version.stdout }}
+ tags: cs
+
+- name: Set install mode
+ set_fact:
cs_fw_install_mode='install'
+ when: not cs_fw_bin.stat.exists
+ tags: cs
+
+- name: Set upgrade mode
+ set_fact: cs_fw_install_mode='upgrade'
+ when:
+ - cs_fw_bin.stat.exists
+ - cs_fw_current_version != cs_fw_version
+ tags: cs
+
diff --git a/roles/crowdsec_firewall_bouncer/tasks/install.yml b/roles/crowdsec_firewall_bouncer/tasks/install.yml
new file mode 100644
index 0000000..b9c2ee1
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/install.yml
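Review bot: `failed_when: cs_bouncer_add.rc not in [0,1]` in the Register the bouncer task masks a failed `cscli bouncers add`: under `shell: |` the two commands run in sequence and `rc` is that of the last one, so an `add` that exits 1 is reported as ok and its (possibly empty) stdout is written to /etc/crowdsec/meta/bouncer_fw_api_key by the next task and ends up as `api_key` in the rendered template. The `rc == 1` allowance seems aimed at the `grep`/`delete` line, which does not influence `rc` at all; `failed_when: cs_bouncer_add.rc != 0 or (cs_bouncer_add.stdout | trim | length) == 0` fails loudly instead. The Record the API key task, the slurp and the `set_fact: cs_fw_lapi_key=...` line all print the key in verbose output and need `no_log: true`. Registering the version probe as `cs_fw_current_version` and then overwriting the same name with `set_fact` works but is confusing to read; `register: cs_fw_version_probe` would keep the registered result and the fact apart.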
@@ -0,0 +1,70 @@
+---
+
+- name: Install needed tools
+ package:
+ name:
+ - ipset
+ tags: cs
+
+- when: cs_fw_install_mode != 'none'
+ block:
+
+ - name: Download the bouncer
+ get_url:
+ url: "{{ cs_fw_archive_url }}"
+ dest: /tmp
+ checksum: sha1:{{ cs_fw_archive_sha1 }}
+
+ - name: Extract the archive
+ unarchive:
+ src: /tmp/cs-firewall-bouncer.tgz
+ dest: /tmp
+ remote_src: True
+
+ - name: Install or upgrade
+ command: ./{{ cs_fw_install_mode }}.sh
+ args:
+ chdir: /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
+ notify: restart cs-firewall-bouncer
+
+ tags: cs
+
+- name: Create systemd unit snippet dir
+ file: path=/etc/systemd/system/cs-firewall-bouncer.service.d state=directory
+ tags: cs
+
+- name: Create iptables snippet dir
+ file: path=/etc/systemd/system/{{ cs_iptables_service }}.service.d state=directory
+ tags: cs
+
+- name: Create ipsets before iptables starts
+ copy:
+ content: |
+ [Service]
+ ExecStartPre=/usr/sbin/ipset -exist create crowdsec-blacklists nethash timeout 300
+ ExecStartPre=/usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6
+ dest: /etc/systemd/system/{{ cs_iptables_service }}.service.d/cs-ipset.conf
+ register: cs_iptable_unit
+ tags: cs
+
+- name: Tune cs-firewall-bouncer service
+ copy:
+ content: |
+ [Unit]
+ # The bouncer should start after crowdsec to be able to register on the API
+ After=crowdsec.service
+
+ [Service]
+ # Restart on failure
+ Restart=on-failure
+ StartLimitInterval=0
+ RestartSec=30
+ dest: /etc/systemd/system/cs-firewall-bouncer.service.d/ansible.conf
+ register: crodwsec_fw_unit
+ notify: restart cs-firewall-bouncer
+ tags: cs
+
+- name: Reload systemd
+ systemd: daemon_reload=True
+ when: crodwsec_fw_unit.changed or cs_iptable_unit.changed
+ tags: cs
diff --git a/roles/crowdsec_firewall_bouncer/tasks/iptables.yml b/roles/crowdsec_firewall_bouncer/tasks/iptables.yml
new file mode 100644
index 0000000..14d27f0
--- /dev/null
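Review bot: The install block downloads into `/tmp`, unpacks into `/tmp`, and then runs `./{{ cs_fw_install_mode }}.sh` as root with `chdir: /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}`; `/tmp` is shared with every local account, so the directory the script is executed from is not under the play's exclusive control between the extract and the command. Creating a private work directory with `tempfile: state=directory`, registering it and using it as `dest` for get_url/unarchive and as `chdir`, then removing it at the end, closes that gap and makes the fixed paths in cleanup.yml unnecessary. The `checksum: sha1:...` guard verifies the archive, not the tree it is extracted into, so the location still matters. Smaller points: `register: crodwsec_fw_unit` is misspelled (used consistently, so it works, but `cs_fw_unit` matches the file's naming), and `StartLimitInterval=0` under `[Service]` is the legacy spelling — newer systemd documents `StartLimitIntervalSec=` in `[Unit]`, with the old key kept for compatibility as far as I know.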
+++ b/roles/crowdsec_firewall_bouncer/tasks/iptables.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Ensure ipsets exist
+ shell: |
+ ipset list crowdsec-blacklists || ipset create crowdsec-blacklists nethash timeout 300
+ ipset list crowdsec6-blacklists || ipset create crowdsec6-blacklists nethash timeout 300 family inet6
+ changed_when: False
+ tags: cs
+
+- name: Add DROP rules
+ iptables_raw:
+ name: cs_blacklist
+ weight: 9
+ rules: |
+ -A INPUT -m set --match-set crowdsec-blacklists src -j DROP
+ -A FORWARD -m set --match-set crowdsec-blacklists src -j DROP
+ tags: cs
diff --git a/roles/crowdsec_firewall_bouncer/tasks/main.yml b/roles/crowdsec_firewall_bouncer/tasks/main.yml
new file mode 100644
index 0000000..9575cea
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- include: directories.yml
+- include: facts.yml
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+ when: iptables_manage | default(True)
+- include: services.yml
+- include: cleanup.yml
diff --git a/roles/crowdsec_firewall_bouncer/tasks/services.yml b/roles/crowdsec_firewall_bouncer/tasks/services.yml
new file mode 100644
index 0000000..dc01f70
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/tasks/services.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable the service
+ service: name=cs-firewall-bouncer state=started enabled=True
+ tags: cs
diff --git a/roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2 b/roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2
new file mode 100644
index 0000000..7d60022
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2
@@ -0,0 +1,12 @@
+---
+
+mode: iptables
+piddir: /var/run/
+update_frequency: 10s
+daemonize: true
+log_mode: stdout
+log_level: info
+api_url: {{ (cs_fw_lapi_url is search('/$')) | ternary(cs_fw_lapi_url,cs_fw_lapi_url ~ '/') }}
+api_key: {{ cs_fw_lapi_key }}
+disable_ipv6: false
+
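Review bot: The DROP rules only reference the IPv4 set: `crowdsec-blacklists` is matched in INPUT and FORWARD, but `crowdsec6-blacklists` — created by the task above and by the ExecStartPre snippet in install.yml — has no ip6tables rule, while the template ships `disable_ipv6: false`, so IPv6 decisions are loaded into the set and never enforced. Either add the matching rules for `crowdsec6-blacklists` on the IPv6 side (a second task with the same two lines against that set, if the `iptables_raw` module in use has an IPv6 mode; otherwise an explicit `ip6tables` call) or set `disable_ipv6: true` in the template so the bouncer configuration reflects what the firewall actually blocks. The 300s `timeout` for the sets is repeated here and in the unit snippet (and, presumably, in the bouncer's own set creation); keeping it in one role variable avoids the copies drifting apart.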
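Review bot: main.yml uses the bare `include:` keyword for every task file; it has been deprecated since Ansible 2.4 in favour of `import_tasks`/`include_tasks` and recent ansible-core releases no longer accept it, while the crowdsec role in this repository already uses `import_tasks` (roles/crowdsec/tasks/facts.yml in this same patch). The only condition in the file is the static `when: iptables_manage | default(True)`, so `import_tasks:` is a drop-in replacement for all seven entries, e.g. `- import_tasks: iptables.yml` followed by the same `when:` line.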
diff --git a/roles/g2cs/files/g2cs.pl b/roles/g2cs/files/g2cs.pl index ddd01dc..20a1cad 100644 --- a/roles/g2cs/files/g2cs.pl +++ b/roles/g2cs/files/g2cs.pl @@ -38,13 +38,25 @@ my @ignored_syslog_id = qw( sudo zed zimbramon + systemd + systemd-logind + CROND + ttrss_1 + turnserver + syncoid + influxd ); # List of log files we're not interested in my @ignored_log_files = qw( /var/log/audit/audit.log /var/log/squid/cache.log + /var/log/squid/access.log /var/log/ufdbGuard/ufdbguardd.log /opt/zimbra/log/gc.log + /var/log/samba/json/auth.log + /var/log/samba/json/dsdb.log + /var/log/samba/json/dsdb_password.log + /var/log/samba/json/dsdb_transaction.log ); print "Start listening on UDP port $port\n"; @@ -111,12 +123,12 @@ while (1) { if ($fields->{log_file_path} eq '/var/log/pveproxy/access.log'){ $logfile = $logdir . '/pveproxy/access.log'; $msg = $fields->{msg}; - } elsif ($fields->{log_file_path} eq '/var/log/squid/access.log'){ - $logfile = $logdir . '/squid/access.log'; - $msg = $fields->{msg}; } elsif ($fields->{log_file_path} eq '/opt/zimbra/log/nginx.access.log'){ $logfile = $logdir . '/nginx/access.log'; $msg = $fields->{msg}; + } elsif ($fields->{log_file_path} eq '/opt/zimbra/log/mailbox.log'){ + $logfile = $logdir . '/zimbra/mailbox.log'; + $msg = $fields->{msg}; } } elsif (defined $fields->{application_name}){ if ($fields->{application_name} eq 'nginx'){ diff --git a/roles/g2cs/tasks/install.yml b/roles/g2cs/tasks/install.yml index 8552d40..692ab7d 100644 --- a/roles/g2cs/tasks/install.yml +++ b/roles/g2cs/tasks/install.yml @@ -9,6 +9,7 @@ - name: Install main script copy: src=g2cs.pl dest=/usr/local/bin/g2cs mode=755 + notify: restart g2cs tags: cs - name: Deploy systemd unit
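Review bot: The `elsif ($fields->{log_file_path} eq '...')` chain that the second hunk extends with the zimbra mailbox.log case now has one branch per source path, each repeating the same two assignments, and the removed squid branch shows that this chain and `@ignored_log_files` have to be kept in step by hand. A lookup hash from source path to destination suffix collapses the chain into a single branch and keeps the supported paths visible in one place next to the ignore lists. The `while (1)` loop and the test that apparently guards on `$fields->{log_file_path}` being defined both begin before the hunk, and the `application_name` branches continue after it, so only the path-mapping branch is shown below.
```perl
# Source log path (as reported by the sender) -> path below $logdir it is written to.
my %logfile_for = (
    '/var/log/pveproxy/access.log'     => '/pveproxy/access.log',
    '/opt/zimbra/log/nginx.access.log' => '/nginx/access.log',
    '/opt/zimbra/log/mailbox.log'      => '/zimbra/mailbox.log',
);

# … unchanged: receive loop and message parsing …

    if (my $dest = $logfile_for{ $fields->{log_file_path} }) {
        $logfile = $logdir . $dest;
        $msg     = $fields->{msg};
    }
```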