Update to 2021-03-04 10:00

master
Daniel Berteaud 4 years ago
parent 3b32e1147c
commit cf4e8273d1
  1. 6
      roles/crowdsec/tasks/conf.yml
  2. 4
      roles/crowdsec/tasks/directories.yml
  3. 14
      roles/crowdsec/tasks/facts.yml
  4. 15
      roles/crowdsec_firewall_bouncer/defaults/main.yml
  5. 4
      roles/crowdsec_firewall_bouncer/handlers/main.yml
  6. 8
      roles/crowdsec_firewall_bouncer/tasks/cleanup.yml
  7. 6
      roles/crowdsec_firewall_bouncer/tasks/conf.yml
  8. 9
      roles/crowdsec_firewall_bouncer/tasks/directories.yml
  9. 72
      roles/crowdsec_firewall_bouncer/tasks/facts.yml
  10. 70
      roles/crowdsec_firewall_bouncer/tasks/install.yml
  11. 17
      roles/crowdsec_firewall_bouncer/tasks/iptables.yml
  12. 10
      roles/crowdsec_firewall_bouncer/tasks/main.yml
  13. 5
      roles/crowdsec_firewall_bouncer/tasks/services.yml
  14. 12
      roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2
  15. 18
      roles/g2cs/files/g2cs.pl
  16. 1
      roles/g2cs/tasks/install.yml

@ -31,7 +31,7 @@
register: cs_lapi_credentials
delegate_to: "{{ cs_lapi_server }}"
- set_fact: cs_lapi_credentials_yaml={{ cs_lapi_credentials.stdout | from_yaml }}
- copy: content={{ cs_lapi_credentials_yaml.password }} dest={{ cs_root_dir }}/meta/lapi_pass mode=600
- copy: content={{ cs_lapi_credentials_yaml.password }} dest=/etc/crowdsec/meta/lapi_pass mode=600
- set_fact: cs_lapi_pass={{ cs_lapi_credentials_yaml.password }}
tags: cs
@ -44,8 +44,8 @@
command: cscli capi register -o raw -f /dev/stdout
register: cs_capi_credentials
- set_fact: cs_capi_credentials_yaml={{ cs_capi_credentials.stdout | from_yaml }}
- copy: content={{ cs_capi_credentials_yaml.login }} dest={{ cs_root_dir }}/meta/capi_user mode=600
- copy: content={{ cs_capi_credentials_yaml.password }} dest={{ cs_root_dir }}/meta/capi_pass mode=600
- copy: content={{ cs_capi_credentials_yaml.login }} dest=/etc/crowdsec/meta/capi_user mode=600
- copy: content={{ cs_capi_credentials_yaml.password }} dest=/etc/crowdsec/meta/capi_pass mode=600
- set_fact: cs_capi_user={{ cs_capi_credentials_yaml.login }}
- set_fact: cs_capi_pass={{ cs_capi_credentials_yaml.password }}
tags: cs

@ -6,8 +6,6 @@
- dir: /etc/crowdsec
mode: 755
- dir: "{{ cs_root_dir }}"
- dir: "{{ cs_root_dir }}/meta"
mode: 700
- dir: "{{ cs_root_dir }}/backup"
mode: 700
- dir: "{{ cs_root_dir }}/data"
@ -18,4 +16,6 @@
- dir: /etc/crowdsec/postoverflows/s00-enrich
- dir: /etc/crowdsec/postoverflows/s01-whitelist
- dir: /etc/crowdsec/acquis
- dir: /etc/crowdsec/meta
mode: 700
tags: cs

@ -35,7 +35,7 @@
- block:
- import_tasks: ../includes/get_rand_pass.yml
vars:
- pass_file: "{{ cs_root_dir }}/meta/ansible_db_pass"
- pass_file: "/etc/crowdsec/meta/ansible_db_pass"
- complex: False
- set_fact: cs_db_pass={{ rand_pass }}
when:
@ -45,13 +45,13 @@
# Check if local API credentials are available in the meta dir
- name: Check local API credential files
stat: path={{ cs_root_dir }}/meta/lapi_pass
stat: path=/etc/crowdsec/meta/lapi_pass
register: cs_lapi_pass_file
tags: cs
- name: Read the local API pass
block:
- slurp: src={{ cs_root_dir }}/meta/lapi_pass
- slurp: src=/etc/crowdsec/meta/lapi_pass
register: cs_lapi_pass_meta
- set_fact: cs_lapi_pass={{ cs_lapi_pass_meta.content | b64decode | trim }}
when: cs_lapi_pass is not defined and cs_lapi_pass_file.stat.exists
@ -60,15 +60,15 @@
# Check if central API credentials are available in the meta dir
- name: Check central API credential files
block:
- stat: path={{ cs_root_dir }}/meta/capi_user
- stat: path=/etc/crowdsec/meta/capi_user
register: cs_capi_user_file
- stat: path={{ cs_root_dir }}/meta/capi_pass
- stat: path=/etc/crowdsec/meta/capi_pass
register: cs_capi_pass_file
tags: cs
- name: Read the central API user
block:
- slurp: src={{ cs_root_dir }}/meta/capi_user
- slurp: src=/etc/crowdsec/meta/capi_user
register: cs_capi_user_meta
- set_fact: cs_capi_user={{ cs_capi_user_meta.content | b64decode | trim }}
when: cs_capi_user is not defined and cs_capi_user_file.stat.exists
@ -76,7 +76,7 @@
- name: Read the central API pass
block:
- slurp: src={{ cs_root_dir }}/meta/capi_pass
- slurp: src=/etc/crowdsec/meta/capi_pass
register: cs_capi_pass_meta
- set_fact: cs_capi_pass={{ cs_capi_pass_meta.content | b64decode | trim }}
when: cs_capi_pass is not defined and cs_capi_pass_file.stat.exists

@ -0,0 +1,15 @@
---
# Version of the firewall bouncer to install
cs_fw_version: 0.0.10
# URL of the firewall bouncer archive
cs_fw_archive_url: https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v{{ cs_fw_version }}/cs-firewall-bouncer.tgz
# Expected sha1 of the archive
cs_fw_archive_sha1: 46863e95bdc8f48434583f55e89b7720fce5736d
# API on which the bouncer should listen for alerts
cs_fw_lapi_url: "{{ cs_lapi_url | default('http://localhost:8080/') }}"
# If not defined, ansible will try to register the bouncer on the Local API server
# cs_lapi_server must be defined in this case
# cs_fw_lapi_key: aaabbbccc

@ -0,0 +1,4 @@
---
- name: restart cs-firewall-bouncer
service: name=cs-firewall-bouncer state=restarted

@ -0,0 +1,8 @@
---
- name: Remove temp and obsolete files
file: path={{ item }} state=absent
loop:
- /tmp/cs-firewall-bouncer.tgz
- /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
tags: cs

@ -0,0 +1,6 @@
---
- name: Deploy configuration
template: src=cs-firewall-bouncer.yaml.j2 dest=/etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml mode=600
notify: restart cs-firewall-bouncer
tags: cs

@ -0,0 +1,9 @@
---
- name: Create needed directories
file: path={{ item.dir }} state=directory mode={{ item.mode | default(omit) }}
loop:
- dir: /etc/crowdsec/cs-firewall-bouncer
- dir: /etc/crowdsec/meta
mode: 700
tags: cs

@ -0,0 +1,72 @@
---
- include_vars: "{{ item }}"
with_first_found:
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
tags: cs
- name: Check if API key is available
stat: path=/etc/crowdsec/meta/bouncer_fw_api_key
register: cs_fw_lapi_key_file
tags: cs
- when: cs_fw_lapi_key is not defined and (not cs_fw_lapi_key_file.stat.exists or cs_fw_lapi_key_file.stat.size == 0)
block:
- name: Register the bouncer
shell: |
cscli bouncers list -o raw | grep -q -P '^{{ inventory_hostname }}-firewall' && cscli bouncers delete {{ inventory_hostname }}-firewall
cscli bouncers add {{ inventory_hostname }}-firewall -o raw
register: cs_bouncer_add
failed_when: cs_bouncer_add.rc not in [0,1]
changed_when: cs_bouncer_add.rc == 0
delegate_to: "{{ cs_lapi_server | default(inventory_hostname) }}"
- name: Record the API key for later use
copy: content={{ cs_bouncer_add.stdout }} dest=/etc/crowdsec/meta/bouncer_fw_api_key mode=600
tags: cs
- when: cs_fw_lapi_key is not defined
block:
- name: Read the API key
slurp: src=/etc/crowdsec/meta/bouncer_fw_api_key
register: cs_fw_lapi_generated_key
- set_fact: cs_fw_lapi_key={{ cs_fw_lapi_generated_key.content | b64decode | trim }}
tags: cs
- name: Set initial facts
block:
- set_fact: cs_fw_current_version=''
- set_fact: cs_fw_install_mode='none'
tags: cs
- name: Check if the bouncer is installed
stat: path=/usr/local/bin/cs-firewall-bouncer
register: cs_fw_bin
tags: cs
- when: cs_fw_bin.stat.exists
block:
- name: Detect installed version
shell: |
cs-firewall-bouncer -c /dev/null 2>&1 | perl -ne 'm/cs-firewall-bouncer v(\d+(\.\d+)*)/ && print $1'
register: cs_fw_current_version
changed_when: False
- set_fact: cs_fw_current_version={{ cs_fw_current_version.stdout }}
tags: cs
- name: Set install mode
set_fact: cs_fw_install_mode='install'
when: not cs_fw_bin.stat.exists
tags: cs
- name: Set upgrade mode
set_fact: cs_fw_install_mode='upgrade'
when:
- cs_fw_bin.stat.exists
- cs_fw_current_version != cs_fw_version
tags: cs

@ -0,0 +1,70 @@
---
- name: Install needed tools
package:
name:
- ipset
tags: cs
- when: cs_fw_install_mode != 'none'
block:
- name: Download the bouncer
get_url:
url: "{{ cs_fw_archive_url }}"
dest: /tmp
checksum: sha1:{{ cs_fw_archive_sha1 }}
- name: Extract the archive
unarchive:
src: /tmp/cs-firewall-bouncer.tgz
dest: /tmp
remote_src: True
- name: Install or upgrade
command: ./{{ cs_fw_install_mode }}.sh
args:
chdir: /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
notify: restart cs-firewall-bouncer
tags: cs
- name: Create systemd unit snippet dir
file: path=/etc/systemd/system/cs-firewall-bouncer.service.d state=directory
tags: cs
- name: Create iptables snippet dir
file: path=/etc/systemd/system/{{ cs_iptables_service }}.service.d state=directory
tags: cs
- name: Create ipsets before iptables starts
copy:
content: |
[Service]
ExecStartPre=/usr/sbin/ipset -exist create crowdsec-blacklists nethash timeout 300
ExecStartPre=/usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6
dest: /etc/systemd/system/{{ cs_iptables_service }}.service.d/cs-ipset.conf
register: cs_iptable_unit
tags: cs
- name: Tune cs-firewall-bouncer service
copy:
content: |
[Unit]
# The bouncer should start after crowdsec to be able to register on the API
After=crowdsec.service
[Service]
# Restart on failure
Restart=on-failure
StartLimitInterval=0
RestartSec=30
dest: /etc/systemd/system/cs-firewall-bouncer.service.d/ansible.conf
register: crodwsec_fw_unit
notify: restart cs-firewall-bouncer
tags: cs
- name: Reload systemd
systemd: daemon_reload=True
when: crodwsec_fw_unit.changed or cs_iptable_unit.changed
tags: cs

@ -0,0 +1,17 @@
---
- name: Ensure ipsets exist
shell: |
ipset list crowdsec-blacklists || ipset create crowdsec-blacklists nethash timeout 300
ipset list crowdsec6-blacklists || ipset create crowdsec6-blacklists nethash timeout 300 family inet6
changed_when: False
tags: cs
- name: Add DROP rules
iptables_raw:
name: cs_blacklist
weight: 9
rules: |
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A FORWARD -m set --match-set crowdsec-blacklists src -j DROP
tags: cs

@ -0,0 +1,10 @@
---
- include: directories.yml
- include: facts.yml
- include: install.yml
- include: conf.yml
- include: iptables.yml
when: iptables_manage | default(True)
- include: services.yml
- include: cleanup.yml

@ -0,0 +1,5 @@
---
- name: Start and enable the service
service: name=cs-firewall-bouncer state=started enabled=True
tags: cs

@ -0,0 +1,12 @@
---
mode: iptables
piddir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: stdout
log_level: info
api_url: {{ (cs_fw_lapi_url is search('/$')) | ternary(cs_fw_lapi_url,cs_fw_lapi_url ~ '/') }}
api_key: {{ cs_fw_lapi_key }}
disable_ipv6: false

@ -38,13 +38,25 @@ my @ignored_syslog_id = qw(
sudo
zed
zimbramon
systemd
systemd-logind
CROND
ttrss_1
turnserver
syncoid
influxd
);
# List of log files we're not interested in
my @ignored_log_files = qw(
/var/log/audit/audit.log
/var/log/squid/cache.log
/var/log/squid/access.log
/var/log/ufdbGuard/ufdbguardd.log
/opt/zimbra/log/gc.log
/var/log/samba/json/auth.log
/var/log/samba/json/dsdb.log
/var/log/samba/json/dsdb_password.log
/var/log/samba/json/dsdb_transaction.log
);
print "Start listening on UDP port $port\n";
@ -111,12 +123,12 @@ while (1) {
if ($fields->{log_file_path} eq '/var/log/pveproxy/access.log'){
$logfile = $logdir . '/pveproxy/access.log';
$msg = $fields->{msg};
} elsif ($fields->{log_file_path} eq '/var/log/squid/access.log'){
$logfile = $logdir . '/squid/access.log';
$msg = $fields->{msg};
} elsif ($fields->{log_file_path} eq '/opt/zimbra/log/nginx.access.log'){
$logfile = $logdir . '/nginx/access.log';
$msg = $fields->{msg};
} elsif ($fields->{log_file_path} eq '/opt/zimbra/log/mailbox.log'){
$logfile = $logdir . '/zimbra/mailbox.log';
$msg = $fields->{msg};
}
} elsif (defined $fields->{application_name}){
if ($fields->{application_name} eq 'nginx'){

@ -9,6 +9,7 @@
- name: Install main script
copy: src=g2cs.pl dest=/usr/local/bin/g2cs mode=755
notify: restart g2cs
tags: cs
- name: Deploy systemd unit

Loading…
Cancel
Save