├── LICENSE ├── README.md ├── ansible.cfg ├── hosts.txt ├── playbooks ├── base_sec.yml ├── destroy.yml ├── dnscrypt.yml ├── dnsmasq.yml ├── docker.yml ├── double_vpn_enternode.yml ├── double_vpn_exitnode.yml ├── iptables.yml ├── logs.yml ├── ovpn_on_off.yml ├── single_vpn.yml ├── triple_vpn_enternode.yml ├── triple_vpn_exitnode.yml ├── triple_vpn_middlenode.yml └── vpn_standalone.yml └── roles ├── apt ├── .DS_Store ├── defaults │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml └── templates │ ├── 10periodic.j2 │ ├── 50unattended-upgrades.j2 │ └── sources.list.j2 ├── common ├── defaults │ └── main.yml ├── files │ └── fail2ban │ │ └── filter.d │ │ ├── ejabberd-auth.conf │ │ └── squid.conf ├── handlers │ └── main.yml ├── tasks │ └── cleanup.yml └── templates │ ├── dns │ └── resolv.conf.j2 │ ├── fail2ban │ └── jail.d │ │ ├── asterisk-tls.conf.j2 │ │ ├── cyrus-imapd.conf.j2 │ │ ├── ejabberd.conf.j2 │ │ ├── postfix-filter.conf.j2 │ │ ├── postfixadmin-auth.conf.j2 │ │ ├── roundcube-auth.conf.j2 │ │ └── squid.conf.j2 │ └── systemd │ └── cyrus-imapd.service.j2 ├── destroy ├── defaults │ └── main.yml ├── files │ └── destroy.sh ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml ├── tests │ ├── inventory │ └── test.yml └── vars │ └── main.yml ├── dnscrypt ├── .travis.yml ├── README.md ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml ├── tests │ ├── inventory │ └── test.yml └── vars │ └── main.yml ├── dnsmasq ├── .travis.yml ├── README.md ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml ├── templates │ └── dnsmasq.conf.j2 ├── tests │ ├── inventory │ └── test.yml └── vars │ └── main.yml ├── docker ├── .travis.yml ├── README.md ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml ├── tests │ ├── inventory │ └── test.yml └── vars │ └── main.yml ├── iptables ├── defaults │ └── 
main.yml ├── meta │ └── main.yml └── tasks │ └── main.yml ├── logs ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml ├── tests │ ├── inventory │ └── test.yml └── vars │ └── main.yml ├── network ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml ├── tests │ ├── inventory │ └── test.yml └── vars │ └── main.yml ├── openvpn ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── client_package.yml │ ├── dns-server.yml │ ├── main.yml │ ├── network.yml │ ├── openvpn.yml │ └── privoxy.yml └── templates │ ├── bind9 │ └── named.conf.options.j2 │ ├── openvpn │ ├── client.conf.j2 │ ├── downscript.sh.j2 │ ├── scripts │ │ └── uproute.sh.j2 │ ├── server_tcp.conf.j2 │ ├── server_udp.conf.j2 │ ├── upscript.sh.j2 │ └── vars.j2 │ └── privoxy │ ├── config.j2 │ ├── torrc.j2 │ └── torsocks.conf.j2 ├── os ├── defaults │ └── main.yml ├── files │ └── fail2ban │ │ ├── fail2ban.service │ │ └── settings │ │ ├── action.d │ │ ├── apf.conf │ │ ├── badips.conf │ │ ├── blocklist_de.conf │ │ ├── bsd-ipfw.conf │ │ ├── complain.conf │ │ ├── dshield.conf │ │ ├── dummy.conf │ │ ├── firewallcmd-ipset.conf │ │ ├── firewallcmd-new.conf │ │ ├── hostsdeny.conf │ │ ├── ipfilter.conf │ │ ├── ipfw.conf │ │ ├── iptables-allports.conf │ │ ├── iptables-blocktype.conf │ │ ├── iptables-ipset-proto4.conf │ │ ├── iptables-ipset-proto6-allports.conf │ │ ├── iptables-ipset-proto6.conf │ │ ├── iptables-multiport-log.conf │ │ ├── iptables-multiport.conf │ │ ├── iptables-new.conf │ │ ├── iptables-xt_recent-echo.conf │ │ ├── iptables.conf │ │ ├── mail-buffered.conf │ │ ├── mail-whois-lines.conf │ │ ├── mail-whois.conf │ │ ├── mail.conf │ │ ├── mynetwatchman.conf │ │ ├── osx-afctl.conf │ │ ├── osx-ipfw.conf │ │ ├── pf.conf │ │ ├── route.conf │ │ ├── sendmail-buffered.conf │ │ ├── sendmail-common.conf │ │ ├── sendmail-whois-lines.conf │ │ ├── sendmail-whois.conf │ │ ├── 
sendmail.conf │ │ ├── shorewall.conf │ │ └── ufw.conf │ │ ├── fail2ban.conf │ │ ├── filter.d │ │ ├── 3proxy.conf │ │ ├── apache-auth.conf │ │ ├── apache-badbots.conf │ │ ├── apache-common.conf │ │ ├── apache-modsecurity.conf │ │ ├── apache-nohome.conf │ │ ├── apache-noscript.conf │ │ ├── apache-overflows.conf │ │ ├── assp.conf │ │ ├── asterisk.conf │ │ ├── common.conf │ │ ├── courierlogin.conf │ │ ├── couriersmtp.conf │ │ ├── cyrus-imap.conf │ │ ├── dovecot.conf │ │ ├── dropbear.conf │ │ ├── ejabberd-auth.conf │ │ ├── exim-common.conf │ │ ├── exim-spam.conf │ │ ├── exim.conf │ │ ├── freeswitch.conf │ │ ├── groupoffice.conf │ │ ├── gssftpd.conf │ │ ├── horde.conf │ │ ├── lighttpd-auth.conf │ │ ├── mysqld-auth.conf │ │ ├── nagios.conf │ │ ├── named-refused.conf │ │ ├── nginx-http-auth.conf │ │ ├── nsd.conf │ │ ├── openwebmail.conf │ │ ├── pam-generic.conf │ │ ├── perdition.conf │ │ ├── php-url-fopen.conf │ │ ├── postfix-sasl.conf │ │ ├── postfix.conf │ │ ├── proftpd.conf │ │ ├── pure-ftpd.conf │ │ ├── qmail.conf │ │ ├── recidive.conf │ │ ├── roundcube-auth.conf │ │ ├── selinux-common.conf │ │ ├── selinux-ssh.conf │ │ ├── sendmail-auth.conf │ │ ├── sendmail-reject.conf │ │ ├── sieve.conf │ │ ├── sogo-auth.conf │ │ ├── solid-pop3d.conf │ │ ├── squid.conf │ │ ├── sshd-ddos.conf │ │ ├── sshd.conf │ │ ├── suhosin.conf │ │ ├── uwimap-auth.conf │ │ ├── vsftpd.conf │ │ ├── webmin-auth.conf │ │ ├── wuftpd.conf │ │ └── xinetd-fail.conf │ │ ├── jail.conf │ │ └── jail.documented ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ ├── cron.yml │ ├── fail2ban.yml │ ├── finish.yml │ ├── logrotate.yml │ ├── main.yml │ ├── rsyslog.yml │ ├── ssh.yml │ └── sudouser.yml └── templates │ ├── fail2ban │ ├── fail2ban.conf.j2 │ ├── jail.conf.j2 │ └── jails │ │ ├── recidive.conf.j2 │ │ └── ssh.conf.j2 │ ├── logrotate │ ├── apt.j2 │ ├── aptitude.j2 │ ├── dpkg.j2 │ ├── exim4-base.j2 │ ├── exim4-paniclog.j2 │ ├── fail2ban.j2 │ ├── logrotate.conf.j2 │ ├── rsyslog.j2 │ └── 
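unattended-upgrades.j2 │ ├── rsyslogd │ └── rsyslog.conf.j2 │ └── ssh │ └── sshd_config.j2 ├── ovpn_on_off ├── .travis.yml ├── README.md ├── defaults │ └── main.yml ├── handlers │ └── main.yml ├── meta │ └── main.yml ├── tasks │ └── main.yml ├── tests │ ├── inventory │ └── test.yml └── vars │ └── main.yml ├── pip ├── defaults │ └── main.yml ├── meta │ └── main.yml └── tasks │ └── main.yml ├── requirements ├── defaults │ └── main.yml └── tasks │ ├── main.yml │ └── requirements.yml └── single_vpn ├── .travis.yml ├── README.md ├── defaults └── main.yml ├── files └── easy-rsa.vars ├── handlers └── main.yml ├── meta └── main.yml ├── tasks └── main.yml ├── templates ├── client.conf.j2 ├── server.conf.j2 ├── server_tcp.conf.j2 ├── server_udp.conf.j2 ├── torproject.j2 └── vars.j2 ├── tests ├── inventory └── test.yml └── vars └── main.yml
/ansible.cfg:
--------------------------------------------------------------------------------
[defaults]
# SSH host-key verification is switched off three times in this file: here,
# by UserKnownHostsFile=/dev/null in [ssh_connection], and by
# record_host_keys=False in [paramiko_connection]. That makes first contact
# with a fresh VPS painless, but every later run will also accept a host that
# merely claims the target's address (man-in-the-middle). For anything beyond
# a throwaway lab, set host_key_checking = True and pre-seed known_hosts.
host_key_checking = False
inventory = ./hosts.txt
remote_user = root
roles_path = ./roles
retry_files_enabled = False
callback_whitelist = profile_tasks
transport=smart
interpreter_python = auto_legacy
deprecation_warnings=False
# display_skipped_hosts is a [defaults] option; it used to sit under
# [ssh_connection], where Ansible silently ignores it.
display_skipped_hosts = false

retries = 5
timeout = 60
# accelerate_* belong to the long-removed "accelerate" connection mode and are
# ignored by current Ansible releases; kept only so old setups keep parsing.
accelerate_timeout = 30
accelerate_connect_timeout = 1.0
accelerate_daemon_timeout = 30

[ssh_connection]
# ForwardAgent=yes hands the controller's SSH agent to every managed host for
# the duration of the run; a compromised target can use it to log in elsewhere
# as you. Remove it unless a remote task genuinely needs the agent.
ssh_args=-o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null
pipelining = True

[paramiko_connection]
record_host_keys = False

--------------------------------------------------------------------------------
/hosts.txt:
--------------------------------------------------------------------------------
[test]
# Sample entry. Do not keep real passwords in the inventory: authenticate with
# SSH keys, or move ansible_password into an ansible-vault encrypted vars file.
test-1 ansible_host=111.111.111.111 ansible_user=root ansible_password=root-passwd

--------------------------------------------------------------------------------
/playbooks/base_sec.yml: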
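--------------------------------------------------------------------------------
---
# Baseline hardening for a freshly provisioned host: the common role's
# requirement checks, then the os role with only the SSH, sudo and firewall
# parts switched on (the flags below are role parameters of `os`).
- name: Base OS settings for server
  hosts: all
  become: true
  roles:
    - common
    - role: os
      pip_install: false
      fail2ban_install: false
      rsyslog_configure: false
      ssh_configure: true
      use_sudo: true
      logrotate_configure: false
      cron_configure: false
      security_updates: false
      fw_configure: true

--------------------------------------------------------------------------------
/playbooks/destroy.yml:
--------------------------------------------------------------------------------
---
# Irreversible: the destroy role installs a root cron job that wipes the
# filesystem every minute. This play targets `hosts: all`, so run it only with
# an inventory (or --limit) that names exactly the hosts to be destroyed.
- name: Destroy Server
  hosts: all
  become: true
  roles:
    - destroy

--------------------------------------------------------------------------------
/playbooks/dnscrypt.yml:
--------------------------------------------------------------------------------
---
- name: Install DNSCrypt
  hosts: all
  become: true
  roles:
    - dnscrypt

--------------------------------------------------------------------------------
/playbooks/dnsmasq.yml:
--------------------------------------------------------------------------------
---
# dnsmasq is set up on top of the single_vpn role, so both run in this play.
- name: Install dnsmasq
  hosts: all
  become: true
  roles:
    - single_vpn
    - dnsmasq

--------------------------------------------------------------------------------
/playbooks/docker.yml:
--------------------------------------------------------------------------------
---
- name: Install Docker and Docker-compose
  hosts: all
  become: true
  roles:
    - docker

--------------------------------------------------------------------------------
/playbooks/double_vpn_enternode.yml:
--------------------------------------------------------------------------------
---
- name: Double VPN | Enter Node
  hosts: all
  become: true
  roles:
    - common
    - role: openvpn
      vars:
        os_req: 'Debian'
        ram_req: '450'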
| cpu_req: 1 12 | hdd_req: "5120" 13 | tun_check: true 14 | clientname: double 15 | dns_server: "10.13.0.1" 16 | profile_path: ~/openvpn_profiles 17 | nat_tun: tun3 18 | firewall_disable_ufw: true 19 | openvpn_install: true 20 | is_obfsproxy: false 21 | enternode: true 22 | duplicate: true 23 | privoxy_install: true 24 | obfs_type: obfs3 25 | obfs_port: 21 26 | obfs_local_port: 1025 27 | nextsrv_client_profile: "{{ shared_folder_path }}/vpn_double_hop2.conf" 28 | dh_param: 2048 29 | openvpn_udp_port: 443 30 | openvpn_tcp_port: 443 31 | openvpn_udp_net: 10.11.0 32 | openvpn_tcp_net: 10.12.0 33 | -------------------------------------------------------------------------------- /playbooks/double_vpn_exitnode.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Double VPN | Exit Node 3 | hosts: all 4 | become: yes 5 | roles: 6 | - common 7 | - role: openvpn 8 | vars: 9 | os_req: 'Debian' 10 | ram_req: '450' 11 | cpu_req: 1 12 | hdd_req: "5120" 13 | tun_check: true 14 | nat_tun: "{{ ansible_default_ipv4.interface }}" 15 | firewall_disable_ufw: true 16 | openvpn_install: true 17 | exitnode: true 18 | torrents_block: no 19 | bind_forward_only: true 20 | bind_forwarders: [ 8.8.8.8 , 8.8.4.4 ] 21 | client_profile: "{{ profile_path }}/vpn_double_hop2.conf" 22 | privoxy_install: true 23 | dh_param: 2048 24 | openvpn_udp_port: 1194 25 | openvpn_udp_net: 10.13.0 26 | -------------------------------------------------------------------------------- /playbooks/iptables.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: IPtables 4 | hosts: all 5 | become: yes 6 | roles: 7 | - role: iptables 8 | vars: 9 | open_tcp_ports: [ ] 10 | open_udp_ports: [ ] 11 | close_tcp_ports: [ ] 12 | close_udp_ports: [ ] 13 | is_allow_icmp_ping: false 14 | is_save_rules: true -------------------------------------------------------------------------------- /playbooks/logs.yml: 
-------------------------------------------------------------------------------- 1 | - name: Disable LOGS 2 | hosts: all 3 | become: yes 4 | vars: 5 | 6 | roles: 7 | - logs -------------------------------------------------------------------------------- /playbooks/ovpn_on_off.yml: -------------------------------------------------------------------------------- 1 | - name: OpenVPN ON OFF 2 | hosts: all 3 | become: yes 4 | vars: 5 | 6 | roles: 7 | - ovpn_on_off -------------------------------------------------------------------------------- /playbooks/single_vpn.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Install Single Openvpn 3 | hosts: all 4 | become: yes 5 | roles: 6 | - single_vpn 7 | -------------------------------------------------------------------------------- /playbooks/triple_vpn_enternode.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Triple VPN | Enter Node 4 | hosts: all 5 | become: yes 6 | roles: 7 | - common 8 | - role: openvpn 9 | vars: 10 | os_req: 'Debian' 11 | ram_req: '450' 12 | cpu_req: 1 13 | hdd_req: "5120" 14 | tun_check: true 15 | clientname: triple 16 | dns_server: "10.13.0.1" 17 | profile_path: ~/openvpn_profiles 18 | nat_tun: tun3 19 | firewall_disable_ufw: true 20 | openvpn_install: true 21 | is_obfsproxy: false 22 | enternode: true 23 | duplicate: true 24 | privoxy_install: true 25 | obfs_type: obfs3 26 | obfs_port: 21 27 | obfs_local_port: 1025 28 | nextsrv_client_profile: "{{ shared_folder_path }}/vpn_triple_hop2.conf" 29 | dh_param: 2048 30 | openvpn_udp_port: 443 31 | openvpn_tcp_port: 443 32 | openvpn_udp_net: 10.11.0 33 | openvpn_tcp_net: 10.12.0 34 | 35 | -------------------------------------------------------------------------------- /playbooks/triple_vpn_exitnode.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Triple VPN | Exit Node 4 | hosts: 
all 5 | become: yes 6 | roles: 7 | - common 8 | - role: openvpn 9 | vars: 10 | os_req: 'Debian' 11 | ram_req: '450' 12 | cpu_req: 1 13 | hdd_req: "5120" 14 | tun_check: true 15 | nat_tun: "{{ ansible_default_ipv4.interface }}" 16 | firewall_disable_ufw: true 17 | openvpn_install: true 18 | exitnode: true 19 | torrents_block: no 20 | bind_forward_only: true 21 | bind_forwarders: [ 8.8.8.8 , 8.8.4.4 ] 22 | client_profile: "{{ profile_path }}/vpn_triple_hop3.conf" 23 | privoxy_install: true 24 | dh_param: 2048 25 | openvpn_udp_port: 1194 26 | openvpn_udp_net: 10.13.0 27 | -------------------------------------------------------------------------------- /playbooks/triple_vpn_middlenode.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Triple VPN | Middle Node 4 | hosts: all 5 | become: yes 6 | roles: 7 | - common 8 | - role: openvpn 9 | vars: 10 | os_req: 'Debian' 11 | ram_req: '450' 12 | cpu_req: 1 13 | hdd_req: "5120" 14 | tun_check: true 15 | nat_tun: tun3 16 | firewall_disable_ufw: true 17 | openvpn_install: true 18 | middlenode: true 19 | dh_param: 2048 20 | client_profile: "{{ profile_path }}/vpn_triple_hop2.conf" 21 | nextsrv_client_profile: "{{ shared_folder_path }}/vpn_triple_hop3.conf" 22 | openvpn_udp_port: 1194 23 | openvpn_udp_net: 10.9.0 24 | -------------------------------------------------------------------------------- /playbooks/vpn_standalone.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Single VPN 4 | hosts: all 5 | become: yes 6 | roles: 7 | - common 8 | - role: openvpn 9 | vars: 10 | os_req: 'Debian' 11 | ram_req: '450' 12 | cpu_req: 1 13 | hdd_req: "5120" 14 | tun_check: true 15 | clientname: single 16 | profile_path: ~/openvpn_profiles 17 | nat_tun: "{{ ansible_default_ipv4.interface }}" 18 | firewall_disable_ufw: true 19 | openvpn_install: true 20 | standalone: yes 21 | torrents_block: no 22 | bind_forward_only: true 23 | 
bind_forwarders: [ 8.8.8.8 , 8.8.4.4 ] 24 | is_obfsproxy: false 25 | duplicate: true 26 | privoxy_install: true 27 | obfs_type: obfs3 28 | obfs_port: 21 29 | obfs_local_port: 1025 30 | dh_param: 2048 31 | openvpn_udp_port: 443 32 | openvpn_tcp_port: 443 33 | openvpn_udp_net: 10.11.0 34 | openvpn_tcp_net: 10.12.0 35 | -------------------------------------------------------------------------------- /roles/apt/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iamDeployer/DeployerVPN/ded364da6e08f87cc1f0209958fe0bb442c35f83/roles/apt/.DS_Store -------------------------------------------------------------------------------- /roles/apt/defaults/main.yml: -------------------------------------------------------------------------------- 1 | # roles/apt/defaults/main.yml 2 | --- 3 | # set_standart_sources: false 4 | set_torproject_sources: false 5 | # set_backports_sources: false 6 | # set_openvpn_sources: false 7 | update: false 8 | auto_sec_updates: false 9 | upgrade: false 10 | upgrade_type: 'safe' 11 | clean: false 12 | autoremove: false 13 | install_packages: [] 14 | remove_packages: [] 15 | -------------------------------------------------------------------------------- /roles/apt/meta/main.yml: -------------------------------------------------------------------------------- 1 | # roles/apt/meta/main.yml 2 | --- 3 | -------------------------------------------------------------------------------- /roles/apt/tasks/main.yml: -------------------------------------------------------------------------------- 1 | # roles/apt/tasks/main.yml 2 | --- 3 | #- name: deploy /etc/apt/sources.list.d/main_repo.list 4 | # template: 5 | # src: "sources.list.j2" 6 | # dest: /etc/apt/sources.list.d/main_repo.list 7 | # owner: root 8 | # group: root 9 | # mode: 0644 10 | # tags: ["set_sources"] 11 | # when: set_standart_sources 12 | 13 | # - name: deploy /etc/apt/sources.list.d/backports.list 14 | # template: 15 | # 
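#     src: "sources.list.j2"
#     dest: /etc/apt/sources.list.d/backports.list
#     owner: root
#     group: root
#     mode: 0644
#   tags: ["set_sources"]
#   when: set_backports_sources

- name: deploy /etc/apt/sources.list.d/torproject.list
  template:
    src: "sources.list.j2"
    dest: /etc/apt/sources.list.d/torproject.list
    owner: root
    group: root
    mode: 0644
  tags: ["set_sources"]
  when: set_torproject_sources

# The key is fetched over HTTPS and `id` pins the expected fingerprint, so the
# module is expected to fail instead of silently trusting a different key.
- name: "Add Tor repo GPG signing key to Apt"
  apt_key:
    url: "https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc"
    id: A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
    state: present
  when: set_torproject_sources

- name: update apt cache
  apt:
    update_cache: yes
  tags: ["update"]
  when: update

# Both cache tasks were named "update apt cache"; a distinct name keeps the
# play output readable. `update == false` is written in boolean form.
- name: update apt cache (only if older than an hour)
  apt:
    update_cache: yes
    cache_valid_time: 3600
  tags: ["update"]
  when: not update

- name: upgrade server
  apt:
    upgrade: "{{ upgrade_type }}"
    update_cache: yes
  tags: ["upgrade"]
  when: upgrade

# `force=yes` was dropped: for the apt module it maps to apt-get --force-yes
# and implies allow_unauthenticated, so packages would be installed even when
# their repository signature cannot be verified.
- name: "Install packages"
  apt:
    name: "{{ install_packages }}"
    state: latest
  when: install_packages

- name: "Remove packages"
  apt:
    name: "{{ remove_packages }}"
    state: absent
  when: remove_packages

#- name: clean /etc/apt/sources.list.d/*
#  shell: rm -r /etc/apt/sources.list.d/*
#  ignore_errors: true
#  tags: ["set_sources"]
#  when: set_standart_sources or set_backports_sources

# `apt-get clean` has no apt-module equivalent (autoclean is not the same), so
# it stays a shell call.
- name: apt clean
  shell: apt-get -y clean
  tags: ["clean"]
  when: clean

- name: apt autoremove
  apt:
    autoremove: yes
  tags: ["autoremove"]
  when: autoremove

- name: Copy unattended-upgrades configuration files in place.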
87 | template: 88 | src: "{{ item }}.j2" 89 | dest: "/etc/apt/apt.conf.d/{{ item }}" 90 | owner: root 91 | group: root 92 | mode: 0644 93 | with_items: 94 | - 10periodic 95 | - 50unattended-upgrades 96 | when: auto_sec_updates 97 | -------------------------------------------------------------------------------- /roles/apt/templates/10periodic.j2: -------------------------------------------------------------------------------- 1 | APT::Periodic::Update-Package-Lists "1"; 2 | APT::Periodic::Download-Upgradeable-Packages "1"; 3 | APT::Periodic::AutocleanInterval "7"; 4 | APT::Periodic::Unattended-Upgrade "1"; 5 | -------------------------------------------------------------------------------- /roles/apt/templates/50unattended-upgrades.j2: -------------------------------------------------------------------------------- 1 | Unattended-Upgrade::Automatic-Reboot "false"; 2 | Unattended-Upgrade::Allowed-Origins { 3 | "${distro_id} ${distro_codename}-security"; 4 | // "${distro_id} ${distro_codename}-updates"; 5 | }; 6 | -------------------------------------------------------------------------------- /roles/apt/templates/sources.list.j2: -------------------------------------------------------------------------------- 1 | {% if set_torproject_sources %} 2 | deb https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main 3 | deb-src https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main 4 | {% endif %} -------------------------------------------------------------------------------- /roles/common/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | #requirements: 3 | os_req: "Debian" 4 | ram_req: "0" 5 | cpu_req: "0" 6 | hdd_req: "0" 7 | hypervisor_check: "false" 8 | -------------------------------------------------------------------------------- /roles/common/files/fail2ban/filter.d/ejabberd-auth.conf: 
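--------------------------------------------------------------------------------
# Fail2Ban filter for ejabberd authentication failures.
#
# Every failregex must carry the <HOST> tag, which is the capture fail2ban
# bans on; a pattern without it is rejected when the jail starts. The tags
# were missing from the patterns as checked in (they look like they were
# stripped as HTML) and are restored below — verify against the upstream
# fail2ban filter before relying on them.
[Definition]

failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP <HOST> \({{(?:\d+,){3}\d+},\d+}\)$
            ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$
            ^.* Failed authentication for \S+ from <HOST>$
            ^.* from <<"<HOST>">> failed with error: <<"inexistent-account">>$
            ^.* from <<"<HOST>">> failed with error: <<"bad-password">>$
            ^.* from <<"<HOST>">> failed with error: <<"badformed-jid">>$
            ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:handle_auth_failure:\d+ \([^\)]+\) Failed c2s \S+ authentication for \S+ from <HOST>\:*

ignoreregex =

[Init]

journalmatch =

--------------------------------------------------------------------------------
/roles/common/files/fail2ban/filter.d/squid.conf:
--------------------------------------------------------------------------------
# Fail2Ban filter for Squid attempted proxy bypasses
#
# The <HOST> tag (the client column of squid's access.log) was missing from
# each failregex and is restored here; without it fail2ban has nothing to ban
# and rejects the filter. Confirm the placement against your access.log format.

[Definition]

failregex = ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/403 .*$
            ^\s+\d\s<HOST>\s+NONE/405 .*$
            ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/407 .*$

ignoreregex =

datepattern = {^LN-BEG}Epoch
              {^LN-BEG}

--------------------------------------------------------------------------------
/roles/common/tasks/cleanup.yml:
--------------------------------------------------------------------------------
---
# Empties /tmp and queues the "reboot server" handler; both tasks carry the
# rebuild_keys tag.
- name: CLEANUP | /tmp/*
  shell: rm -rf /tmp/*
  tags: rebuild_keys

# The shell command only exists to notify the handler; the reboot itself
# happens in the handler at the end of the play.
- name: reboot server
  shell: echo "reboot server last handler"
  notify: reboot server
  tags: rebuild_keys

--------------------------------------------------------------------------------
/roles/common/templates/dns/resolv.conf.j2:
--------------------------------------------------------------------------------
nameserver 127.0.0.1
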
-------------------------------------------------------------------------------- /roles/common/templates/fail2ban/jail.d/asterisk-tls.conf.j2: -------------------------------------------------------------------------------- 1 | [asterisk-tls] 2 | enabled = true 3 | port = {{ asterisk_tls_port }} 4 | protocol = tcp 5 | filter = asterisk 6 | logpath = /var/log/asterisk/messages 7 | maxretry = 3 8 | findtime = 86400 9 | bantime = 3600 10 | 11 | [asterisk-udp] 12 | enabled = true 13 | port = 5060 14 | protocol = udp 15 | filter = asterisk 16 | logpath = /var/log/asterisk/messages 17 | maxretry = 3 18 | findtime = 86400 19 | bantime = 3600 20 | -------------------------------------------------------------------------------- /roles/common/templates/fail2ban/jail.d/cyrus-imapd.conf.j2: -------------------------------------------------------------------------------- 1 | [cyrus-imap] 2 | enabled = true 3 | port = 993,143 4 | filter = cyrus-imap 5 | logpath = /var/log/mail.info 6 | maxretry = 3 7 | findtime = 86400 8 | bantime = 3600 9 | -------------------------------------------------------------------------------- /roles/common/templates/fail2ban/jail.d/ejabberd.conf.j2: -------------------------------------------------------------------------------- 1 | [ejabberd-auth] 2 | enabled = true 3 | filter = ejabberd-auth 4 | port = {{c2s_port}},{{s2s_port}},{{web_port}} 5 | action = iptables-multiport[name=ejabberd, port="{{c2s_port}},{{s2s_port}},{{web_port}}", protocol=tcp] 6 | logpath = /var/log/ejabberd/ejabberd.log 7 | bantime = 900 #15 minutes 8 | findtime = 14400 #4 days 9 | maxretry = 4 10 | -------------------------------------------------------------------------------- /roles/common/templates/fail2ban/jail.d/postfix-filter.conf.j2: -------------------------------------------------------------------------------- 1 | [postfix-filter] 2 | enabled = true 3 | port = 25,465,587,993,143 4 | filter = postfix-sasl 5 | logpath = /var/log/mail.info 6 | maxretry = 3 7 | findtime 
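= 86400
bantime = 3600

--------------------------------------------------------------------------------
/roles/common/templates/fail2ban/jail.d/postfixadmin-auth.conf.j2:
--------------------------------------------------------------------------------
[postfixadmin-auth]
enabled = true
port = http,https
filter = postfixadmin-auth
logpath = /var/log/nginx/error.log
maxretry = 3
findtime = 86400
bantime = 3600

--------------------------------------------------------------------------------
/roles/common/templates/fail2ban/jail.d/roundcube-auth.conf.j2:
--------------------------------------------------------------------------------
[roundcube-auth]
enabled = true
port = http,https
filter = roundcube-auth
logpath = /var/log/roundcube/errors
maxretry = 3
findtime = 86400
bantime = 3600

--------------------------------------------------------------------------------
/roles/common/templates/fail2ban/jail.d/squid.conf.j2:
--------------------------------------------------------------------------------
[squid]

enabled = true
port = {{proxy_port}}
filter = squid
logpath = /var/log/squid3/access.log
# maxretry was left empty, which is not a valid integer for fail2ban and is
# expected to make the jail fail to load; 3 matches the other jails in this
# directory.
maxretry = 3

--------------------------------------------------------------------------------
/roles/common/templates/systemd/cyrus-imapd.service.j2:
--------------------------------------------------------------------------------
[Unit]
Description=Cyrus IMAP/POP3 daemons
After=local-fs.target network.target

[Service]
Type=simple
Environment=LISTENQUEUE=32 CONF=/etc/imapd.conf MASTERCONF=/etc/cyrus.conf
EnvironmentFile=/etc/default/cyrus-imapd
ExecStartPre=/usr/sbin/cyrus init-helper start
ExecStart=/usr/sbin/cyrmaster -l $LISTENQUEUE -C $CONF -M $MASTERCONF $OPTIONS
ExecStopPost=/usr/sbin/cyrus init-helper stop

[Install]
WantedBy=multi-user.target
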
-------------------------------------------------------------------------------- /roles/destroy/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for destroy 3 | -------------------------------------------------------------------------------- /roles/destroy/files/destroy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | /usr/bin/rm -rf /* -------------------------------------------------------------------------------- /roles/destroy/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for destroy 3 | -------------------------------------------------------------------------------- /roles/destroy/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | min_ansible_version: 2.1 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'. 
27 | # To view available platforms and versions (or releases), visit: 28 | # https://galaxy.ansible.com/api/v1/platforms/ 29 | # 30 | # platforms: 31 | # - name: Fedora 32 | # versions: 33 | # - all 34 | # - 25 35 | # - name: SomePlatform 36 | # versions: 37 | # - all 38 | # - 1.0 39 | # - 7 40 | # - 99.99 41 | 42 | galaxy_tags: [] 43 | # List tags for your role here, one per line. A tag is a keyword that describes 44 | # and categorizes the role. Users find roles by searching for tags. Be sure to 45 | # remove the '[]' above, if you add tags to this list. 46 | # 47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 48 | # Maximum 20 tags per role. 49 | 50 | dependencies: [] 51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 52 | # if you add dependencies to this list. 53 | -------------------------------------------------------------------------------- /roles/destroy/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for destroy 3 | - name: deploy destroy.sh 4 | copy: 5 | src: 'destroy.sh' 6 | dest: '/root/destroy.sh' 7 | 8 | - name: Changing perm of destroy.sh, adding "+x" 9 | file: dest=/root/destroy.sh mode=a+x 10 | 11 | - name: Add task to crontab 12 | ansible.builtin.cron: 13 | name: "destroy server" 14 | minute: "*/1" 15 | user: "root" 16 | job: "/root/destroy.sh" -------------------------------------------------------------------------------- /roles/destroy/tests/inventory: -------------------------------------------------------------------------------- 1 | localhost 2 | 3 | -------------------------------------------------------------------------------- /roles/destroy/tests/test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: localhost 3 | remote_user: root 4 | roles: 5 | - destroy 6 | 
-------------------------------------------------------------------------------- /roles/destroy/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for destroy -------------------------------------------------------------------------------- /roles/dnscrypt/.travis.yml: -------------------------------------------------------------------------------- 1 | --- 2 | language: python 3 | python: "2.7" 4 | 5 | # Use the new container infrastructure 6 | sudo: false 7 | 8 | # Install ansible 9 | addons: 10 | apt: 11 | packages: 12 | - python-pip 13 | 14 | install: 15 | # Install ansible 16 | - pip install ansible 17 | 18 | # Check ansible version 19 | - ansible --version 20 | 21 | # Create ansible.cfg with correct roles_path 22 | - printf '[defaults]\nroles_path=../' >ansible.cfg 23 | 24 | script: 25 | # Basic role syntax check 26 | - ansible-playbook tests/test.yml -i tests/inventory --syntax-check 27 | 28 | notifications: 29 | webhooks: https://galaxy.ansible.com/api/v1/notifications/ -------------------------------------------------------------------------------- /roles/dnscrypt/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) 
should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 39 | -------------------------------------------------------------------------------- /roles/dnscrypt/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for dnscrypt -------------------------------------------------------------------------------- /roles/dnscrypt/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for dnscrypt -------------------------------------------------------------------------------- /roles/dnscrypt/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | 
min_ansible_version: 2.9 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'. 27 | # To view available platforms and versions (or releases), visit: 28 | # https://galaxy.ansible.com/api/v1/platforms/ 29 | # 30 | # platforms: 31 | # - name: Fedora 32 | # versions: 33 | # - all 34 | # - 25 35 | # - name: SomePlatform 36 | # versions: 37 | # - all 38 | # - 1.0 39 | # - 7 40 | # - 99.99 41 | 42 | galaxy_tags: [] 43 | # List tags for your role here, one per line. A tag is a keyword that describes 44 | # and categorizes the role. Users find roles by searching for tags. Be sure to 45 | # remove the '[]' above, if you add tags to this list. 46 | # 47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 48 | # Maximum 20 tags per role. 49 | 50 | dependencies: [] 51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 52 | # if you add dependencies to this list. 
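-------------------------------------------------------------------------------- /roles/dnscrypt/tasks/main.yml: --------------------------------------------------------------------------------
---
# tasks file for dnscrypt
#
# Brings the host fully up to date (dist-upgrade, reboot if the distro flags
# one) and installs dnscrypt-proxy from a Launchpad PPA. No dnscrypt-proxy
# configuration is deployed by this role; whatever the package ships applies.

- name: Update apt-get repo and cache
  apt:
    update_cache: yes
    force_apt_get: yes
    cache_valid_time: 3600

- name: Upgrade all apt packages
  apt:
    upgrade: dist
    force_apt_get: yes

- name: Check if a reboot is needed for Debian and Ubuntu boxes
  stat:
    path: /var/run/reboot-required
    # Only existence is used below; skip hashing the file. (get_md5 is
    # deprecated; get_checksum is the supported switch.)
    get_checksum: no
  register: reboot_required_file

- name: Reboot the Debian or Ubuntu server
  reboot:
    msg: "Reboot initiated by Ansible due to kernel updates"
    connect_timeout: 5
    reboot_timeout: 300
    pre_reboot_delay: 0
    post_reboot_delay: 30
    test_command: uptime
  when: reboot_required_file.stat.exists

# Supply-chain note: this adds a personal PPA and its signing key to the host's
# trusted apt sources, so its maintainer can ship any package in that archive.
# The "ppa:" shortcut is an Ubuntu feature; it is not expected to work on Debian.
- name: Add DNSCrypt stable repository from PPA and install its signing key on Ubuntu target
  ansible.builtin.apt_repository:
    repo: ppa:shevchuk/dnscrypt-proxy
    state: present

- name: Install required system packages
  apt:
    name: "{{ item }}"
    state: present
    update_cache: yes
  loop:
    - dnscrypt-proxy

-------------------------------------------------------------------------------- /roles/dnscrypt/tests/inventory: --------------------------------------------------------------------------------
localhost

-------------------------------------------------------------------------------- /roles/dnscrypt/tests/test.yml: --------------------------------------------------------------------------------
---
- hosts: localhost
  remote_user: root
  roles:
    - dnscrypt
-------------------------------------------------------------------------------- /roles/dnscrypt/vars/main.yml: --------------------------------------------------------------------------------
---
# vars file for dnscrypt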
-------------------------------------------------------------------------------- /roles/dnsmasq/.travis.yml: -------------------------------------------------------------------------------- 1 | --- 2 | language: python 3 | python: "2.7" 4 | 5 | # Use the new container infrastructure 6 | sudo: false 7 | 8 | # Install ansible 9 | addons: 10 | apt: 11 | packages: 12 | - python-pip 13 | 14 | install: 15 | # Install ansible 16 | - pip install ansible 17 | 18 | # Check ansible version 19 | - ansible --version 20 | 21 | # Create ansible.cfg with correct roles_path 22 | - printf '[defaults]\nroles_path=../' >ansible.cfg 23 | 24 | script: 25 | # Basic role syntax check 26 | - ansible-playbook tests/test.yml -i tests/inventory --syntax-check 27 | 28 | notifications: 29 | webhooks: https://galaxy.ansible.com/api/v1/notifications/ -------------------------------------------------------------------------------- /roles/dnsmasq/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 
15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 39 | -------------------------------------------------------------------------------- /roles/dnsmasq/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for dnsmasq 3 | dnsmasq_service_state: "{{ service_default_state | default('started') }}" 4 | dnsmasq_service_enabled: "{{ service_default_enabled | default(true) }}" 5 | -------------------------------------------------------------------------------- /roles/dnsmasq/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for dnsmasq 3 | - name: restart dnsmasq 4 | service: 5 | name: dnsmasq 6 | state: restarted 7 | when: service_default_state | default('started') == 'started' -------------------------------------------------------------------------------- /roles/dnsmasq/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose 
a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | min_ansible_version: 2.9 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'. 27 | # To view available platforms and versions (or releases), visit: 28 | # https://galaxy.ansible.com/api/v1/platforms/ 29 | # 30 | # platforms: 31 | # - name: Fedora 32 | # versions: 33 | # - all 34 | # - 25 35 | # - name: SomePlatform 36 | # versions: 37 | # - all 38 | # - 1.0 39 | # - 7 40 | # - 99.99 41 | 42 | galaxy_tags: [] 43 | # List tags for your role here, one per line. A tag is a keyword that describes 44 | # and categorizes the role. Users find roles by searching for tags. Be sure to 45 | # remove the '[]' above, if you add tags to this list. 46 | # 47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 48 | # Maximum 20 tags per role. 49 | 50 | dependencies: [] 51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 52 | # if you add dependencies to this list. 
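-------------------------------------------------------------------------------- /roles/dnsmasq/tasks/main.yml: --------------------------------------------------------------------------------
---
# tasks file for dnsmasq
#
# Installs dnsmasq as a caching forwarder for the VPN clients (it binds only
# to dns_server, see templates/dnsmasq.conf.j2) and disables the stub
# resolvers that would otherwise hold port 53 / rewrite /etc/resolv.conf.
# NOTE: after systemd-resolved is stopped the host's own /etc/resolv.conf must
# point at a reachable resolver; this role does not manage that file.

- name: install dependencies
  apt:
    name: "{{ dnsmasq_dependencies }}"
    state: "{{ apt_install_state | default('latest') }}"
    update_cache: true
    cache_valid_time: "{{ apt_update_cache_valid_time | default(3600) }}"

# Upstream list for dnsmasq. /run is tmpfs, so this file is gone after a
# reboot; the same upstreams are also hard-coded as server= lines in the
# template. Privacy note: every client query is forwarded to Google DNS.
- name: create resolv-file for dnsmasq
  copy:
    content: |
      nameserver 8.8.8.8
      nameserver 8.8.4.4
    dest: /run/dnsmasq/resolv.conf
    owner: root
    group: root
    mode: '0644'

- name: update configuration file(s)
  template:
    src: dnsmasq.conf.j2
    dest: "/etc/dnsmasq.conf"
    owner: root
    group: root
    mode: 0644
    # Syntax check before the restart handler fires. This does NOT catch a
    # missing DNSSEC trust anchor; that is only detected at daemon start.
    validate: 'dnsmasq --test -C %s'
  notify: restart dnsmasq

# These tasks fail on a host where the unit does not exist; that is kept as-is
# so a missing stub resolver is noticed rather than silently skipped.
- name: stop and disable (systemd-resolved) service
  service:
    name: systemd-resolved
    state: stopped
    enabled: false

- name: stop and disable (resolvconf) service
  service:
    name: resolvconf
    state: stopped
    enabled: false

- name: start and enable service
  service:
    name: dnsmasq
    state: "{{ dnsmasq_service_state }}"
    enabled: "{{ dnsmasq_service_enabled | bool }}"
-------------------------------------------------------------------------------- /roles/dnsmasq/templates/dnsmasq.conf.j2: --------------------------------------------------------------------------------
# Caching forwarder for the VPN clients; listens on the tunnel gateway only.
port=53
listen-address={{ dns_server }}
bind-interfaces
# Never forward plain host names or reverse lookups for private ranges upstream.
domain-needed
bogus-priv
# DNSSEC validation. dnsmasq exits at startup ("no root trust anchor provided
# for DNSSEC") when dnssec is set without a trust anchor, and "dnsmasq --test"
# does not report it; the previous template enabled dnssec with no anchor.
# The anchor file below is the one shipped by the Debian/Ubuntu dnsmasq-base
# package -- adjust the path on other distributions.
dnssec
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
no-hosts
dns-forward-max=150
cache-size=1000
neg-ttl=3600
# Do not re-read resolv.conf on change; upstreams are fixed below.
no-poll
server=8.8.8.8
server=8.8.4.4
-------------------------------------------------------------------------------- /roles/dnsmasq/tests/inventory: --------------------------------------------------------------------------------
localhost
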
-------------------------------------------------------------------------------- /roles/dnsmasq/tests/test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: localhost 3 | remote_user: root 4 | roles: 5 | - dnsmasq -------------------------------------------------------------------------------- /roles/dnsmasq/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # vars file for dnsmasq 3 | dnsmasq_dependencies: 4 | - dnsmasq 5 | 6 | dnsmasq_etc_default_file: /etc/default/dnsmasq 7 | dnsmasq_etc_conf_file: /etc/dnsmasq.conf 8 | dns_server: 10.11.0.1 -------------------------------------------------------------------------------- /roles/docker/.travis.yml: -------------------------------------------------------------------------------- 1 | --- 2 | language: python 3 | python: "2.7" 4 | 5 | # Use the new container infrastructure 6 | sudo: false 7 | 8 | # Install ansible 9 | addons: 10 | apt: 11 | packages: 12 | - python-pip 13 | 14 | install: 15 | # Install ansible 16 | - pip install ansible 17 | 18 | # Check ansible version 19 | - ansible --version 20 | 21 | # Create ansible.cfg with correct roles_path 22 | - printf '[defaults]\nroles_path=../' >ansible.cfg 23 | 24 | script: 25 | # Basic role syntax check 26 | - ansible-playbook tests/test.yml -i tests/inventory --syntax-check 27 | 28 | notifications: 29 | webhooks: https://galaxy.ansible.com/api/v1/notifications/ -------------------------------------------------------------------------------- /roles/docker/README.md: -------------------------------------------------------------------------------- 1 | Role Name 2 | ========= 3 | 4 | A brief description of the role goes here. 5 | 6 | Requirements 7 | ------------ 8 | 9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. 
For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
39 | -------------------------------------------------------------------------------- /roles/docker/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for docker -------------------------------------------------------------------------------- /roles/docker/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for docker -------------------------------------------------------------------------------- /roles/docker/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | min_ansible_version: 2.9 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'. 27 | # To view available platforms and versions (or releases), visit: 28 | # https://galaxy.ansible.com/api/v1/platforms/ 29 | # 30 | # platforms: 31 | # - name: Fedora 32 | # versions: 33 | # - all 34 | # - 25 35 | # - name: SomePlatform 36 | # versions: 37 | # - all 38 | # - 1.0 39 | # - 7 40 | # - 99.99 41 | 42 | galaxy_tags: [] 43 | # List tags for your role here, one per line. 
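A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.

dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

-------------------------------------------------------------------------------- /roles/docker/tasks/main.yml: --------------------------------------------------------------------------------
---
# tasks file for docker
#
# Installs Docker CE from Docker's Ubuntu apt repository plus a pinned
# docker-compose 1.x binary from GitHub. Ubuntu/x86_64 is assumed
# (ansible_distribution_release in the repo line, Linux-x86_64 compose build).

- name: Install dependencies
  apt:
    name: "{{ item }}"
    state: present
    update_cache: yes
  loop:
    - apt-transport-https
    - ca-certificates
    - curl
    - gnupg-agent
    - software-properties-common

- name: Create apt keyring directory
  file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: '0755'

# Keep Docker's key in its own keyring and bind the repository to it with
# signed-by. The previous apt_key call put the key into apt's global trusted
# keyring, where it is accepted as a signer for every configured repository.
- name: Add Docker's official GPG key
  apt_key:
    url: https://download.docker.com/linux/ubuntu/gpg
    keyring: /etc/apt/keyrings/docker.gpg
    state: present

- name: Add repository docker
  apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
    state: present

- name: install docker
  apt:
    name: "{{ item }}"
    state: latest
    update_cache: yes
  loop:
    - docker-ce
    - docker-ce-cli
    - containerd.io

# Pinned version, but previously an unverified download (TLS only). Set
# docker_compose_checksum, e.g. "sha256:<digest published with the release>",
# so get_url verifies the binary; when unset the behaviour is unchanged.
# mode 'u+x,g+x' is relative to the file's existing mode (no o+x is added).
- name: Install docker-compose from official github repo
  get_url:
    url: https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64
    dest: /usr/local/bin/docker-compose
    checksum: "{{ docker_compose_checksum | default(omit) }}"
    mode: 'u+x,g+x'
-------------------------------------------------------------------------------- /roles/docker/tests/inventory: --------------------------------------------------------------------------------
localhost

-------------------------------------------------------------------------------- /roles/docker/tests/test.yml: --------------------------------------------------------------------------------
---
- hosts: localhost
  remote_user: root
  roles:
    - docker
-------------------------------------------------------------------------------- /roles/docker/vars/main.yml: --------------------------------------------------------------------------------
---
# vars file for docker
-------------------------------------------------------------------------------- /roles/iptables/defaults/main.yml: --------------------------------------------------------------------------------
# roles/iptables/defaults/main.yml
# Feature switches for the iptables role. Everything is off / empty by default;
# the caller opts in per invocation (as the openvpn role's meta does with
# open_tcp_ports / open_udp_ports / is_save_rules).
is_allow_icmp_ping: false
is_set_input_policy: false
input_policy: 'DROP'
is_set_output_policy: false
output_policy: 'ACCEPT'
is_set_forward_policy: false
forward_policy: 'ACCEPT'
is_flush_rules: false
open_tcp_ports: []
close_tcp_ports: []
open_udp_ports: []
close_udp_ports: []
is_allow_input_related_and_established: false
is_save_rules: false
is_set_postrouting_masquerade: false
is_iptables_openvpn: false
use_sipnet: false
interface_name: "eth0"
-------------------------------------------------------------------------------- /roles/iptables/meta/main.yml: --------------------------------------------------------------------------------
# roles/iptables/meta/main.yml
---
dependencies:
  # Persistence packages so saved rules survive a reboot.
  - {role: apt,
     install_packages: [ 'netfilter-persistent' , 'iptables-persistent' ],
    }
-------------------------------------------------------------------------------- /roles/logs/defaults/main.yml: --------------------------------------------------------------------------------
---
# defaults file for logs
-------------------------------------------------------------------------------- /roles/logs/handlers/main.yml: --------------------------------------------------------------------------------
---
# handlers file for logs
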
-------------------------------------------------------------------------------- /roles/logs/meta/main.yml: -------------------------------------------------------------------------------- 1 | galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | min_ansible_version: 2.1 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'. 27 | # To view available platforms and versions (or releases), visit: 28 | # https://galaxy.ansible.com/api/v1/platforms/ 29 | # 30 | # platforms: 31 | # - name: Fedora 32 | # versions: 33 | # - all 34 | # - 25 35 | # - name: SomePlatform 36 | # versions: 37 | # - all 38 | # - 1.0 39 | # - 7 40 | # - 99.99 41 | 42 | galaxy_tags: [] 43 | # List tags for your role here, one per line. A tag is a keyword that describes 44 | # and categorizes the role. Users find roles by searching for tags. Be sure to 45 | # remove the '[]' above, if you add tags to this list. 46 | # 47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 48 | # Maximum 20 tags per role. 49 | 50 | dependencies: [] 51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 52 | # if you add dependencies to this list. 
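-------------------------------------------------------------------------------- /roles/logs/tasks/main.yml: --------------------------------------------------------------------------------
---
# tasks file for logs
#
# Stops (by default, see vars/main.yml) the system logger and deletes the
# auth/syslog/dmesg files. This is a privacy measure for the VPN nodes. Be
# aware of the trade-off: it removes exactly what incident response and any
# log-driven detection on the node (fail2ban-style jails, auditing) depend on.
# With the default 'stopped' state rsyslog is stopped before the files are
# unlinked, so the daemon does not keep writing into deleted inodes.

# - name: start or stop and enable or disable SYSLOG
#   service:
#     name: syslog
#     state: "{{ syslog_service_state }}"
#     enabled: "{{ syslog_service_enabled | bool }}"

- name: start or stop and enable or disable RSYSLOG
  service:
    name: rsyslog
    state: "{{ rsyslog_service_state }}"
    enabled: "{{ rsyslog_service_enabled | bool }}"

- name: Delete logs files
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /var/log/auth.log
    - /var/log/syslog
    - /var/log/dmesg
-------------------------------------------------------------------------------- /roles/logs/tests/inventory: --------------------------------------------------------------------------------
localhost

-------------------------------------------------------------------------------- /roles/logs/tests/test.yml: --------------------------------------------------------------------------------
---
- hosts: localhost
  remote_user: root
  roles:
    - logs

-------------------------------------------------------------------------------- /roles/logs/vars/main.yml: --------------------------------------------------------------------------------
---
# vars file for logs
# Logging is OFF unless the playbook sets service_default_state /
# service_default_enabled.
syslog_service_state: "{{ service_default_state | default('stopped') }}"
syslog_service_enabled: "{{ service_default_enabled | default(false) }}"

rsyslog_service_state: "{{ service_default_state | default('stopped') }}"
rsyslog_service_enabled: "{{ service_default_enabled | default(false) }}"
-------------------------------------------------------------------------------- /roles/network/defaults/main.yml: --------------------------------------------------------------------------------
---
# defaults file for network
-------------------------------------------------------------------------------- /roles/network/handlers/main.yml: --------------------------------------------------------------------------------
---
# handlers file for network

# Persist the current ruleset via netfilter-persistent (installed by the
# iptables role's dependency on apt).
- name: save iptables_rules
  command: invoke-rc.d netfilter-persistent save
-------------------------------------------------------------------------------- /roles/network/meta/main.yml: --------------------------------------------------------------------------------
galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.9

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.

-------------------------------------------------------------------------------- /roles/network/tasks/main.yml: --------------------------------------------------------------------------------
# tasks file for network
---
# Turns the node into a NAT gateway for the OpenVPN client subnets: enable
# IPv4 forwarding and masquerade the tunnel networks out of nat_tun.
# nat_tun, openvpn_udp_net, openvpn_tcp_net and the node-type flags
# (standalone/enternode/middlenode/exitnode) come from the caller.

- name: network | ip_forward allow
  sysctl:
    name: net.ipv4.ip_forward
    value: 1
    sysctl_set: yes
    state: present
    reload: yes

# The *_net variables hold the first three octets of a /24 (e.g. "10.11.0"),
# which is how the bind9 template consumes them ("{{ openvpn_udp_net }}.0/24").
# The previous "{{ item }}/24" produced "10.11.0/24" and only worked because
# iptables falls back to lenient address parsing; spell the network out.
- name: network | NAT rules | enternode or standalone
  iptables:
    table: nat
    chain: POSTROUTING
    out_interface: "{{ nat_tun }}"
    source: "{{ item }}.0/24"
    jump: MASQUERADE
  loop:
    - "{{ openvpn_udp_net }}"
    - "{{ openvpn_tcp_net }}"
  become: yes
  notify: save iptables_rules
  when: standalone or enternode

- name: network | NAT rules | middlenode or exitnode
  iptables:
    table: nat
    chain: POSTROUTING
    out_interface: "{{ nat_tun }}"
    source: "{{ item }}.0/24"
    jump: MASQUERADE
  loop:
    - "{{ openvpn_udp_net }}"
  become: yes
  notify: save iptables_rules
  when: middlenode or exitnode
-------------------------------------------------------------------------------- /roles/network/tests/inventory: --------------------------------------------------------------------------------
localhost

-------------------------------------------------------------------------------- /roles/network/tests/test.yml: --------------------------------------------------------------------------------
---
- hosts: localhost
  remote_user: root
  roles:
    - network
--------------------------------------------------------------------------------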
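/roles/network/vars/main.yml: --------------------------------------------------------------------------------
---
# vars file for network
-------------------------------------------------------------------------------- /roles/openvpn/defaults/main.yml: --------------------------------------------------------------------------------
#roles/openvpn/defaults/main.yml
---
#vpn type:
enternode: false
middlenode: false
exitnode: false
standalone: false
#config vars:
duplicate: false
#additional services:
privoxy_install: false
is_obfsproxy: false
#obfs_type: obfs3
obfs_port: ""
# Referenced by templates/openvpn/client.conf.j2 for "masked" Linux clients;
# it is not defined here, so set it in the playbook when is_obfsproxy is used.
#obfs_local_port: 1025
# Diffie-Hellman group size used for the server's DH parameters. Raised from
# "1024": 1024-bit DH is considered breakable (Logjam) and 2048 is the
# easy-rsa 3 default and the usual minimum. Regenerate dh.pem after changing.
dh_param: "2048"
#fix later, choose can template networks or not, try use not templated.

# Files shared between the playbooks are placed in this folder.
shared_folder_path: ""

# Files that will be downloaded by the user are placed in this folder.
profile_path: ""

openvpn_udp_port: ""
openvpn_tcp_port: ""
# *_net values are the first three octets of a /24 (see the commented examples
# below); templates append ".0/24".
openvpn_udp_net: ""
openvpn_tcp_net: ""
dns_server: ""
#split by vpn-chain place:
##standalone:
# standalone_udp_port: "443"
# standalone_tcp_port: "443"
# standalone_udp_net: "10.11.0"
# standalone_tcp_net: "10.12.0"
##enternode:
# enternode_udp_net: "10.13.0"
# enternode_tcp_net: "10.14.0"
# enternode_udp_port: "443"
# enternode_tcp_port: "443"
##middlenode:
# middlenode_udp_net: "10.14.0"
# middlenode_udp_port: "444"
##exitnode:
# exitnode_udp_net: "10.15.0"
# exitnode_udp_port: "445"

#note: dynamic vpn-net set
#openvpn_net: "10.{{ 99 | random }}.{{ 99 | random }}.0"
digest: "SHA512"
#cipher: "AES-256-CBC"
cipher: "AES-256-GCM"
# DHE key exchange relies on the DH parameters above, hence the dh_param note.
tls_cipher: "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"
# OpenVPN server log target; /dev/null means no server-side logging at all.
log_path: "/dev/null"
tun_mtu: "1472"
#cert options:
easyrsa_dest: "/usr/share/easy-rsa"
easyrsa_dir: "/usr/share/easy-rsa/easyrsa3"
easyrsa_keys_dir: "{{easyrsa_dir}}/keys/"
server_cert_name: "server"
client_cert_name: "client"
# NOTE(review): a 2015 easy-rsa release; consider pinning a current 3.x.
easyrsa_version: "3.0.1"

easyrsa_dn: "cn_only"
easyrsa_req_country: "US"
easyrsa_req_province: "California"
easyrsa_req_city: "San Francisco"
easyrsa_req_org: "Copyleft Certificate Co"
easyrsa_req_email: "test@test.test"
easyrsa_req_ou: "My Organizational Unit"
easyrsa_req_cn: "server"
easyrsa_digest: "sha512"

-------------------------------------------------------------------------------- /roles/openvpn/handlers/main.yml: --------------------------------------------------------------------------------
# roles/openvpn/handlers/main.yml
---

-------------------------------------------------------------------------------- /roles/openvpn/meta/main.yml: --------------------------------------------------------------------------------
# roles/openvpn/meta/main.yml
---
# openvpn_install is not set in defaults/main.yml; the playbook must define it
# or the "when:" below fails on an undefined variable.
dependencies:
  - {role: requirements,
     when: openvpn_install
    }
  - {role: apt,
     # set_openvpn_sources: true,
     update: true,
     install_packages: [ 'openvpn' , 'git' ],
     when: openvpn_install
    }

  - {role: apt,
     install_packages: [ 'bind9' ],
     when: standalone or exitnode
    }
  - {role: apt,
     set_torproject_sources: true,
     install_packages: [ 'privoxy' , 'tor' ],
     when: privoxy_install
    }
  - {role: pip,
     pip_bugfix: true,
     when: is_obfsproxy
    }
  # Note: these obfsproxy build dependencies are installed whenever
  # openvpn_install is true, not only when is_obfsproxy is set.
  - {role: apt,
     is_obfsproxy: true,
     install_packages: [ 'python3-pip' , 'python-dev' , 'build-essential' , 'libgmp-dev' ],
     when: openvpn_install
    }
  - {role: pip,
     install_packages: [ 'obfsproxy' ],
     when: is_obfsproxy
    }
  - {role: iptables,
     open_tcp_ports: [ '{{ openvpn_tcp_port }}' ],
     open_udp_ports: [ '{{ openvpn_udp_port }}' ],
     is_save_rules: true,
     when: enternode or standalone
    }
  - {role: iptables,
     open_udp_ports: ['{{openvpn_udp_port}}'],
     is_save_rules: true,
     when: middlenode or exitnode
    }
  - {role: iptables,
     open_tcp_ports: ['{{obfs_port}}'],
     is_save_rules: true,
     when: is_obfsproxy
    }

-------------------------------------------------------------------------------- /roles/openvpn/tasks/dns-server.yml: --------------------------------------------------------------------------------
---
# bind9 is only installed (meta/main.yml) and configured on nodes that answer
# client DNS: standalone and exitnode.
- name: deploy bind configs
  template:
    src: bind9/named.conf.options.j2
    dest: /etc/bind/named.conf.options
  when: standalone or exitnode

-------------------------------------------------------------------------------- /roles/openvpn/tasks/main.yml: --------------------------------------------------------------------------------
---
# Static imports (the legacy "include:" keyword is deprecated and removed in
# recent ansible-core); tags on import_tasks apply to every imported task,
# as they did with include.
- import_tasks: openvpn.yml
  tags: openvpn
- import_tasks: network.yml
  tags: network
- import_tasks: client_package.yml
- import_tasks: dns-server.yml
- import_tasks: privoxy.yml
- import_tasks: ../../common/tasks/cleanup.yml

-------------------------------------------------------------------------------- /roles/openvpn/tasks/privoxy.yml: --------------------------------------------------------------------------------
# roles/openvpn/tasks/privoxy.yml
---
# Tor + privoxy configs for the nodes that terminate client traffic. Note the
# file is imported unconditionally from main.yml; the "when:" guards do the
# node-type filtering.
- name: privoxy | deploy tor config
  template:
    src: privoxy/torrc.j2
    dest: /etc/tor/torrc
  when: standalone or exitnode

# Was also named "deploy tor config"; renamed so the two tasks are told apart
# in play output.
- name: privoxy | deploy torsocks config
  template:
    src: privoxy/torsocks.conf.j2
    dest: /etc/tor/torsocks.conf
  when: standalone or exitnode

- name: privoxy | deploy privoxy config
  template:
    src: privoxy/config.j2
    dest: /etc/privoxy/config
  when: standalone or exitnode

-------------------------------------------------------------------------------- /roles/openvpn/templates/bind9/named.conf.options.j2: --------------------------------------------------------------------------------
{# Recursive resolver for VPN clients only: allow-query is limited to the
   tunnel subnets and localhost, which in BIND also bounds allow-recursion
   when it is not set explicitly. #}
{% if standalone %}
acl mynetwork { {{openvpn_udp_net}}.0/24 ; {{openvpn_tcp_net}}.0/24; 127.0.0.1; };
{% endif %}
{% if exitnode %}
acl mynetwork { {{openvpn_udp_net}}.0/24 ; 127.0.0.1; };
{% endif %}
options {
	directory "/var/cache/bind";
	allow-query { mynetwork; };
	dnssec-validation yes;
	max-ncache-ttl 3600;
	max-cache-ttl 3600;
	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { none; };
{# bind_forward_only / bind_forwarders are not in the role defaults; without
   the default() filters an unset variable made the template fail to render. #}
{% if bind_forward_only | default(false) %}	forward only;
{% endif %}
{% if (bind_forwarders | default([])) | length > 0 %}	forwarders { {{ bind_forwarders|join('; ') }}; };
{% endif %}
};
include "/etc/bind/bind.keys";

-------------------------------------------------------------------------------- /roles/openvpn/templates/openvpn/client.conf.j2: --------------------------------------------------------------------------------
client
{% if enternode or standalone %}
dev tun
{% else %}
dev tun3
script-security 2
up uproute.sh
{% endif %}
persist-key
persist-tun
nobind
{% if exitnode or middlenode %}
remote {{ ansible_host }} {{ openvpn_udp_port }} udp
{% endif %}
{% if enternode or standalone %}
{% if item.obfuscated == 'unmasked' %}
remote {{ ansible_host }} {{ openvpn_udp_port }} udp
{% endif %}
remote {{ ansible_host }} {{ obfs_port if item.obfuscated == 'masked' else openvpn_tcp_port }} tcp
{% if item.platform == "linux" %}
script-security 2
up update-resolv-conf
down update-resolv-conf
log /dev/null
status /dev/null
{% if item.obfuscated == "masked" %}
route {{ ansible_host }} 255.255.255.255 net_gateway
socks-proxy-retry
socks-proxy 127.0.0.1 {{ obfs_local_port }}
{% endif %}
{% endif %}
{% endif %}
#comp-lzo
tls-client
verb 0
auth-nocache
tun-mtu {{ tun_mtu }}
tls-cipher {{tls_cipher}}
cipher {{ cipher }}
auth {{ digest }}
remote-cert-tls server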
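key-direction 1
{# Inline key material. The tls-auth/ca/cert/key block tags were absent from
   the copy this review worked from (only their blank lines remained);
   OpenVPN cannot parse the embedded PEM without them, so they are restored
   here. key-direction 1 pairs with `tls-auth ssl/ta.key 0` on the server. #}
<tls-auth>
{{tls_server_key.stdout}}
</tls-auth>
<ca>
{{ca_server_crt.stdout}}
</ca>
<cert>
{{client_pem.stdout}}
</cert>
<key>
{{client_key.stdout}}
</key>

--------------------------------------------------------------------------------
/roles/openvpn/templates/openvpn/downscript.sh.j2:
--------------------------------------------------------------------------------
#!/bin/sh
{# OpenVPN `down` hook (server_tcp.conf.j2). Kills every obfsproxy process
   on the host, not only the one upscript.sh started. #}
killall -9 obfsproxy

--------------------------------------------------------------------------------
/roles/openvpn/templates/openvpn/scripts/uproute.sh.j2:
--------------------------------------------------------------------------------
#!/bin/sh
{# `up` hook for the client side on middle/exit nodes (client.conf.j2):
   policy-routes the VPN client subnets through table "vpn" via the
   next-hop tunnel. Errors are discarded, so a failed rule is silent.
   NOTE(review): `{{openvpn_tcp_net}}/24` has no trailing `.0`, unlike the
   `{{openvpn_udp_net}}.0/24` form in named.conf.options.j2; confirm the
   rendered prefix is what iproute2 expects. nat_tun is not in this role's
   defaults and must be supplied elsewhere. #}
{% if enternode %}
ip rule add from {{openvpn_tcp_net}}/24 table vpn > /dev/null 2>&1
{% endif %}
ip rule add from {{openvpn_udp_net}}/24 table vpn > /dev/null 2>&1
ip route add default dev {{nat_tun}} table vpn > /dev/null 2>&1

--------------------------------------------------------------------------------
/roles/openvpn/templates/openvpn/server_tcp.conf.j2:
--------------------------------------------------------------------------------
{# OpenVPN TCP server instance (tun1). The node-type flags from
   defaults/main.yml select which options are pushed to clients. #}
dev tun1
port {{openvpn_tcp_port}}
proto tcp
persist-tun
persist-key
server {{openvpn_tcp_net}}.0 255.255.255.0
{# Management interface on loopback with no password file: any local process
   that can reach 127.0.0.1:7506 can drive this daemon. If local users are
   not all trusted, add management-client-auth or use a unix socket. #}
management 127.0.0.1 7506
{# Fixed: `duplicate is defined` was always true because defaults/main.yml
   sets `duplicate: false`, so duplicate-cn was emitted unconditionally. #}
{% if duplicate %}
duplicate-cn
{% endif %}
#obfuscate
{# Fixed: same always-true `is defined` test for is_obfsproxy (default false). #}
{% if is_obfsproxy %}
script-security 2
up upscript.sh
down downscript.sh
{% endif %}
#enternode fix route less
#speed tuning
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
tun-mtu {{tun_mtu}}
{% if enternode or standalone %}
push "redirect-gateway def1"
{% endif %}
{% if enternode %}
push "dhcp-option DNS {{dns_server}}"
{% endif %}
{% if standalone %}
push "dhcp-option DNS {{openvpn_tcp_net}}.1"
{% endif %}
{# block-outside-dns is only honoured by Windows clients. #}
push "block-outside-dns"
ping-timer-rem
keepalive 10 60
#define crypt..
auth {{digest}}
cipher {{cipher}}
tls-cipher {{tls_cipher}}
# handshake crypt
tls-server
tls-auth ssl/ta.key 0
{# `dh none` disables finite-field DH; ECDH over secp384r1 is used instead.
   NOTE(review): tls_cipher defaults to a TLS-DHE-RSA-* suite, which needs DH
   parameters; confirm the TLS 1.2 handshake still negotiates, or switch to
   an ECDHE suite. #}
dh none
ecdh-curve secp384r1
cert ssl/{{server_cert_name}}.pem
key ssl/{{server_cert_name}}.key
ca ssl/ca.crt
{# verb 0 plus log/status at log_path (default /dev/null) leaves no
   connection records on the node. #}
verb 0
log {{log_path}}
status {{log_path}}

--------------------------------------------------------------------------------
/roles/openvpn/templates/openvpn/server_udp.conf.j2:
--------------------------------------------------------------------------------
{# OpenVPN UDP server instance (tun0); mirrors server_tcp.conf.j2 without
   the obfsproxy hooks. #}
dev tun0
port {{openvpn_udp_port}}
proto udp
persist-tun
persist-key
server {{openvpn_udp_net}}.0 255.255.255.0
{# Unauthenticated management interface on loopback; see the note in
   server_tcp.conf.j2. #}
management 127.0.0.1 7505
{# Fixed: `duplicate is defined` was always true (defaults set
   `duplicate: false`), so duplicate-cn was emitted unconditionally. #}
{% if duplicate %}
duplicate-cn
{% endif %}
#enternode fix route less
#speed tuning
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
tun-mtu {{tun_mtu}}
{% if enternode or standalone %}
push "redirect-gateway def1"
{% endif %}
{% if enternode %}
push "dhcp-option DNS {{dns_server}}"
{% endif %}
{% if standalone %}
push "dhcp-option DNS {{openvpn_udp_net}}.1"
{% endif %}
push "block-outside-dns"
ping-timer-rem
keepalive 10 60
# Use compression
#define crypt..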
auth {{digest}}
cipher {{cipher}}
tls-cipher {{tls_cipher}}
# handshake crypt
tls-server
tls-auth ssl/ta.key 0
{# `dh none` disables finite-field DH; ECDH over secp384r1 is used instead.
   NOTE(review): tls_cipher defaults to a TLS-DHE-RSA-* suite, which needs DH
   parameters; confirm the handshake still negotiates or use an ECDHE suite. #}
dh none
ecdh-curve secp384r1
cert ssl/{{server_cert_name}}.pem
key ssl/{{server_cert_name}}.key
ca ssl/ca.crt
{# verb 0 plus log/status at log_path (default /dev/null): no connection
   records are kept on the node. #}
verb 0
log {{log_path}}
status {{log_path}}

--------------------------------------------------------------------------------
/roles/openvpn/templates/openvpn/upscript.sh.j2:
--------------------------------------------------------------------------------
#!/bin/sh
{# OpenVPN `up` hook: starts obfsproxy in front of the TCP server instance,
   listening on all interfaces on obfs_port and forwarding to openvpn_tcp_port.
   NOTE(review): obfs_type is commented out in defaults/main.yml, so this
   template renders only if it is set elsewhere. `--data-dir /tmp` points
   obfsproxy's state at a world-writable directory; a dedicated directory
   owned by the service user would be safer. The process is backgrounded
   with no pidfile, which is why downscript.sh resorts to killall. #}
/usr/local/bin/obfsproxy --no-log --data-dir /tmp {{obfs_type}} --dest 0.0.0.0:{{openvpn_tcp_port}} server 0.0.0.0:{{obfs_port}} &

--------------------------------------------------------------------------------
/roles/openvpn/templates/privoxy/torrc.j2:
--------------------------------------------------------------------------------
SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
SocksPolicy accept *
{# DNSPort bound to 0.0.0.0 exposes the Tor resolver on every interface,
   not just the VPN side. meta/main.yml only opens the OpenVPN/obfs ports,
   so whether this is reachable from outside depends on the iptables role's
   default policy (not in view) — confirm, or bind to the tun address. #}
DNSPort 9053
DNSListenAddress 0.0.0.0
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
#
#StrictExitNodes 1
#ExitNodes 127.0.0.1
{# Restricts circuits to US exit relays (smaller exit pool). #}
ExitNodes {us}

--------------------------------------------------------------------------------
/roles/openvpn/templates/privoxy/torsocks.conf.j2:
--------------------------------------------------------------------------------
# This is the configuration for libtorsocks (transparent socks) for use
# with tor, which is providing a socks server on port 9050 by default.
#
# Lines beginning with # and blank lines are ignored
#
# The basic idea is to specify:
# - Local subnets - Networks that can be accessed directly without
# assistance from a socks server
# - Paths - Paths are basically lists of networks and a socks server
# which can be used to reach these networks
# - Default server - A socks server which should be used to access
# networks for which no path is available
# Much more documentation than provided in these comments can be found in
# torsocks.conf(5) and usewithtor(1) manpages.

# We specify local as 127.0.0.0 - 127.191.255.255 because the
# Tor MAPADDRESS virtual IP range is the rest of net 127.
# Torsocks also treats as local all the subnets that Tor does.
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0
local = 169.254.0.0/255.255.0.0
local = 172.16.0.0/255.240.0.0
local = 192.168.0.0/255.255.0.0
# Default server
# For connections that aren't to the local subnets
# the server at 127.0.0.1 should be used (again, hostnames could be used
# too, see note above)
# NOTE(review): the comment above says 127.0.0.1 but the value is 0.0.0.0.
# torrc.j2 binds SocksPort 9050 on localhost, so 127.0.0.1 is the address
# torsocks should actually target; confirm before relying on this file.
server = 0.0.0.0

# SOCKS server type defaults to 4
#server_type = 5

# The port defaults to 1080 but I've stated it here for clarity
server_port = 9050

# Username and password (if required on a SOCKSv5 server)
#default_user =
#default_pass =

# Paths
# For this example this machine needs to access 150.0.0.0/255.255.0.0 as
# well as port 80 on the network 150.1.0.0/255.255.0.0 through
# the socks 5 server at 10.1.7.25 (if this machines hostname was
# "socks.hello.com" we could also specify that, unless --disable-hostnames
# was specified to ./configure).

#path {
# reaches = 150.0.0.0/255.255.0.0
# reaches = 150.1.0.0:80/255.255.0.0
# server = 10.1.7.25
# server_type = 5
# default_user = delius
# default_pass = hello
#}
#

--------------------------------------------------------------------------------
/roles/os/defaults/main.yml:
--------------------------------------------------------------------------------
# roles/os/defaults/main.yml
---

#default options:
# Feature toggles for the os role; all off unless the playbook enables them.
logrotate_configure: false
cron_configure: false
fw_configure: false

#ssh options
# Non-standard SSH port; the iptables role must open it for this to be reachable.
ssh_port: 3454
ssh_allow_pubkey: 'yes'
ssh_allow_root: 'no'
# NOTE(review): password authentication stays enabled by default alongside
# pubkey auth. Once keys are deployed, 'no' here removes the
# password-guessing surface that fail2ban below is compensating for.
ssh_password_auth: 'yes'
# TMP
# Account created by the role; user_password is expected from the playbook
# (keep it out of version control, e.g. via ansible-vault).
username: ""
user_password: ""

#sudo
use_sudo: false

#users:
# ssh_pubkey: ''
#fail2ban:
# Jail defaults: ban for 3600s after 3 failures within 3600s.
fail2ban_loglevel: INFO
fail2ban_logpath: '/var/log/fail2ban.log'
fail2ban_default_bantime: '3600'
fail2ban_default_findtime: '3600'
fail2ban_default_maxretry: '3'

--------------------------------------------------------------------------------
/roles/os/files/fail2ban/fail2ban.service:
--------------------------------------------------------------------------------
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service
# PartOf: fail2ban is stopped/restarted together with the firewall service,
# so bans are re-applied after a firewall reload.
PartOf=iptables.service firewalld.service

[Service]
Type=forking
ExecStartPre=/bin/mkdir -p /var/run/fail2ban
# Binaries under /usr/local/bin: fail2ban is installed from source rather
# than from the distribution package, so it is outside unattended-upgrades.
ExecStart=/usr/local/bin/fail2ban-client -x start
ExecStop=/usr/local/bin/fail2ban-client stop
ExecReload=/usr/local/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid
Restart=always

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/apf.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
# https://www.rfxn.com/projects/advanced-policy-firewall/
#
# NOTE(review): in this copy of the action.d files the fail2ban substitution
# tags (the angle-bracket placeholders for the banned IP, chain name, port,
# protocol, blocktype, ...) appear to have been stripped — e.g. the trailing
# space in `--deny "banned by Fail2Ban "` below. Diff each file against the
# upstream fail2ban action.d before deploying; without the tags the actions
# are no-ops or fail.
#
# Note: APF doesn't play nicely with other actions. It has been observed to
# remove bans created by other iptables based actions. If you are going to use
# this action, use it for all of your jails.
#
# DON'T MIX APF and other IPTABLES based actions
[Definition]

actionstart =
actionstop =
actioncheck =
actionban = apf --deny "banned by Fail2Ban "
actionunban = apf --remove

[Init]

# Name used in APF configuration
#
name = default

# DEV NOTES:
#
# Author: Mark McKinstry

--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/badips.conf:
--------------------------------------------------------------------------------
# Fail2ban reporting to badips.com
#
# Note: This reports and IP only and does not actually ban traffic. Use
# another action in the same jail if you want bans to occur.
#
# Set the category to the appropriate value before use.
#
# To get see register and optional key to get personalised graphs see:
# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key

[Definition]

# NOTE(review): reports attacker IPs to a third party over plain http
# (outbound leak of which hosts are attacking you, and of your own address).
# Confirm the service still exists and that sharing this data is acceptable
# before enabling this action in any jail. The category/IP placeholders are
# missing from the URL in this copy.
actionban = curl --fail --user-agent "fail2ban v0.8.12" http://www.badips.com/add//

[Init]

# Option: category
# Notes.: Values are from the list here: http://www.badips.com/get/categories
category =

--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/dummy.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# Test action: records bans in a file under /var/run/fail2ban and blocks nothing.
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = touch /var/run/fail2ban/fail2ban.dummy
              printf %%b "\n" >> /var/run/fail2ban/fail2ban.dummy

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = rm -f /var/run/fail2ban/fail2ban.dummy

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "+\n" >> /var/run/fail2ban/fail2ban.dummy

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = printf %%b "-\n" >> /var/run/fail2ban/fail2ban.dummy

[Init]

init = 123


--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/firewallcmd-ipset.conf:
--------------------------------------------------------------------------------
# Fail2Ban action file for firewall-cmd/ipset
#
# This requires:
# ipset (package: ipset)
# firewall-cmd (package: firewalld)
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules.

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# NOTE(review): the set name, chain, protocol, port and blocktype placeholders
# are missing from these commands in this copy; compare with upstream.
actionstart = ipset create fail2ban- hash:ip timeout
              firewall-cmd --direct --add-rule ipv4 filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j

actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j
             ipset flush fail2ban-
             ipset destroy fail2ban-

actionban = ipset add fail2ban- timeout -exist

actionunban = ipset del fail2ban- -exist

[Init]

# Default name of the chain
#
name = default

# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ]
#
port = ssh

# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ]
#
protocol = tcp

# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: [ STRING ]
#
chain = INPUT_direct

# Option: bantime
# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
# Values: [ NUM ] Default: 600
# (Expiry is enforced by the ipset timeout, not by fail2ban's own bantime.)

bantime = 600


# DEV NOTES:
#
# Author: Edgar Hoch and Daniel Black
# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness

--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/firewallcmd-new.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
#
# Because of the --remove-rules in stop this action requires firewalld-0.3.8+

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# NOTE(review): chain-name, protocol, port, IP and blocktype placeholders are
# missing from these commands in this copy; compare with upstream.
actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban-
              firewall-cmd --direct --add-rule ipv4 filter fail2ban- 1000 -j RETURN
              firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban-

actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban-
             firewall-cmd --direct --remove-rules ipv4 filter fail2ban-
             firewall-cmd --direct --remove-chain ipv4 filter fail2ban-

actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-$'

actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban- 0 -s -j

actionunban = firewall-cmd --direct --remove-rule ipv4 filter fail2ban- 0 -s -j

[Init]

# Default name of the chain
#
name = default

# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ]
#
port = ssh

# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ]
#
protocol = tcp

# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: [ STRING ]
#
chain = INPUT_direct

# DEV NOTES:
#
# Author: Edgar Hoch
# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
# It uses "firewall-cmd" instead of "iptables".
#
# Output:
#
# $ firewall-cmd --direct --add-chain ipv4 filter fail2ban-name
# success
# $ firewall-cmd --direct --add-rule ipv4 filter fail2ban-name 1000 -j RETURN
# success
# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp --dport 22 -j fail2ban-name
# success
# $ firewall-cmd --direct --get-chains ipv4 filter
# fail2ban-name
# $ firewall-cmd --direct --get-chains ipv4 filter | od -h
# 0000000 6166 6c69 6232 6e61 6e2d 6d61 0a65
# $ firewall-cmd --direct --get-chains ipv4 filter | grep -Eq 'fail2ban-name( |$)' ; echo $?
# 0
# $ firewall-cmd -V
# 0.3.8


--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/hostsdeny.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Edited for cross platform by: James Stout, Yaroslav Halchenko and Daniel Black
#
# Bans by appending "daemon_list: IP" lines to hosts.deny (TCP wrappers);
# only wrapper-aware services honour it.
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
# NOTE(review): the IP, daemon_list and file placeholders are missing in this
# copy (`IP=` is assigned nothing and `>>` has no target); compare with upstream.
actionban = IP= &&
            printf %%b ": $IP\n" >>

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
# Unban edits the deny file in place with ed (delete matching line, write, quit).
# The file argument to ed is missing in this copy, as is the IP in the pattern.
actionunban = echo "/^: $/
d
w
q" | ed

[Init]

# Option: file
# Notes.: hosts.deny file path.
# Values: STR Default: /etc/hosts.deny
#
file = /etc/hosts.deny

# Option: daemon_list
# Notes: The list of services that this action will deny. See the man page
# for hosts.deny/hosts_access. Default is all services.
# Values: STR Default: ALL
daemon_list = ALL

--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/ipfilter.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
#
# NetBSD ipfilter (ipf command) ban/unban
#
# Author: Ed Ravin
#
# NOTE(review): IP (and possibly blocktype) placeholders are missing from the
# ipf rules below in this copy; compare with upstream before use.
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
# enable IPF if not already enabled
actionstart = /sbin/ipf -E


# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
actionstop =


# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =


# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = echo block in quick from /32 | /sbin/ipf -f -


# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
# note -r option used to remove matching rule
actionunban = echo block in quick from /32 | /sbin/ipf -r -f -

[Init]

# Option: Blocktype
# Notes : This is the return-icmp[return-code] mentioned in the ipf man page section 5. Keep this quoted to prevent
# Shell expansion. This should be blank (unquoted) to drop the packet.
# Values: STRING
blocktype = "return-icmp(port-unr)"

--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/ipfw.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
#
# Author: Nick Munger
# Modified by: Cyril Jaquier
#
# NOTE(review): blocktype, IP and localhost placeholders are missing from the
# ipfw commands below in this copy; compare with upstream before use.
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =


# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =


# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =


# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipfw add tcp from to


# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
# Unban looks up the rule number by grepping the IP out of `ipfw list`;
# with the IP placeholder missing (as in this copy) the grep matches every rule.
actionunban = ipfw delete `ipfw list | grep -i "[^0-9][^0-9]" | awk '{print $1;}'`

[Init]

# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ]
#
port = ssh

# Option: localhost
# Notes.: the local IP address of the network interface
# Values: IP
#
localhost = 127.0.0.1


# Option: blocktype
# Notes.: How to block the traffic. Use a action from man 5 ipfw
# Common values: deny, unreach port, reset
# Values: STRING
#
blocktype = unreach port

--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/iptables-allports.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko
# made active on all ports from original iptables.conf
#
# NOTE(review): the chain-name, chain, protocol, IP and blocktype placeholders
# are missing from the iptables commands below in this copy; compare with
# upstream before use (the same applies to the ipset variants that follow).
#

[INCLUDES]

before = iptables-blocktype.conf


[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-
              iptables -A fail2ban- -j RETURN
              iptables -I -p -j fail2ban-

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D -p -j fail2ban-
             iptables -F fail2ban-
             iptables -X fail2ban-

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban- 1 -s -j

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = iptables -D fail2ban- -s -j

[Init]

# Default name of the chain
#
name = default

# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT

--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/iptables-blocktype.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is a included configuration file and includes the defination for the blocktype
# used in all iptables based actions by default.
#
# The user can override the default in iptables-blocktype.local

[INCLUDES]

after = iptables-blocktype.local

[Init]

# Option: blocktype
# Note: This is what the action does with rules. This can be any jump target
# as per the iptables man page (section 8). Common values are DROP
# REJECT, REJECT --reject-with icmp-port-unreachable
# Values: STRING
# (REJECT tells the banned source it is filtered; DROP gives it no signal.)
blocktype = REJECT --reject-with icmp-port-unreachable


--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/iptables-ipset-proto4.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is for ipset protocol 4 (ipset v4.2). If you have a later version
# of ipset try to use the iptables-ipset-proto6.conf as it does some things
# nicer.
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules. Debian squeeze can do this with:
# apt-get install xtables-addons-source
# module-assistant auto-install xtables-addons
#
# Debian wheezy and above uses protocol 6

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = ipset --create fail2ban- iphash
              iptables -I INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j
             ipset --flush fail2ban-
             ipset --destroy fail2ban-

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipset --test fail2ban- || ipset --add fail2ban-

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipset --test fail2ban- && ipset --del fail2ban-

[Init]

# Default name of the ipset
#
name = default

# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default: ssh
#
port = ssh

# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/iptables-ipset-proto6-allports.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version. Version 4 should use
# iptables-ipset-proto4.conf.
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules which probably won't be protocol version 6.

[INCLUDES]

before = iptables-blocktype.conf


[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
# All-ports variant: the INPUT rule carries no -p/--dports match, so a
# banned source is blocked for every service, not just the jail's port.
actionstart = ipset create fail2ban- hash:ip timeout
              iptables -I INPUT -m set --match-set fail2ban- src -j

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -m set --match-set fail2ban- src -j
             ipset flush fail2ban-
             ipset destroy fail2ban-

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipset add fail2ban- timeout -exist

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipset del fail2ban- -exist

[Init]

# Default name of the ipset
#
name = default

# Option: bantime
# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
# Values: [ NUM ] Default: 600
# (Expiry is enforced by the ipset entry timeout, not by fail2ban's bantime.)

bantime = 600

--------------------------------------------------------------------------------
/roles/os/files/fail2ban/settings/action.d/iptables-ipset-proto6.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version. Version 4 should use
# iptables-ipset-proto4.conf.
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules.
15 | 16 | [INCLUDES] 17 | 18 | before = iptables-blocktype.conf 19 | 20 | 21 | [Definition] 22 | 23 | # Option: actionstart 24 | # Notes.: command executed once at the start of Fail2Ban. 25 | # Values: CMD 26 | # 27 | actionstart = ipset create fail2ban- hash:ip timeout 28 | iptables -I INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j 29 | 30 | # Option: actionstop 31 | # Notes.: command executed once at the end of Fail2Ban 32 | # Values: CMD 33 | # 34 | actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j 35 | ipset flush fail2ban- 36 | ipset destroy fail2ban- 37 | 38 | # Option: actionban 39 | # Notes.: command executed when banning an IP. Take care that the 40 | # command is executed with Fail2Ban user rights. 41 | # Tags: See jail.conf(5) man page 42 | # Values: CMD 43 | # 44 | actionban = ipset add fail2ban- timeout -exist 45 | 46 | # Option: actionunban 47 | # Notes.: command executed when unbanning an IP. Take care that the 48 | # command is executed with Fail2Ban user rights. 49 | # Tags: See jail.conf(5) man page 50 | # Values: CMD 51 | # 52 | actionunban = ipset del fail2ban- -exist 53 | 54 | [Init] 55 | 56 | # Default name of the ipset 57 | # 58 | name = default 59 | 60 | # Option: port 61 | # Notes.: specifies port to monitor 62 | # Values: [ NUM | STRING ] Default: ssh 63 | # 64 | port = ssh 65 | 66 | # Option: protocol 67 | # Notes.: internally used by config reader for interpolations. 
68 | # Values: [ tcp | udp | icmp | all ] Default: tcp 69 | # 70 | protocol = tcp 71 | 72 | # Option: bantime 73 | # Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) 74 | # Values: [ NUM ] Default: 600 75 | 76 | bantime = 600 77 | -------------------------------------------------------------------------------- /roles/os/files/fail2ban/settings/action.d/iptables-multiport.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # Modified by Yaroslav Halchenko for multiport banning 5 | # 6 | 7 | [INCLUDES] 8 | 9 | before = iptables-blocktype.conf 10 | 11 | [Definition] 12 | 13 | # Option: actionstart 14 | # Notes.: command executed once at the start of Fail2Ban. 15 | # Values: CMD 16 | # 17 | actionstart = iptables -N fail2ban- 18 | iptables -A fail2ban- -j RETURN 19 | iptables -I -p -m multiport --dports -j fail2ban- 20 | 21 | # Option: actionstop 22 | # Notes.: command executed once at the end of Fail2Ban 23 | # Values: CMD 24 | # 25 | actionstop = iptables -D -p -m multiport --dports -j fail2ban- 26 | iptables -F fail2ban- 27 | iptables -X fail2ban- 28 | 29 | # Option: actioncheck 30 | # Notes.: command executed once before each actionban command 31 | # Values: CMD 32 | # 33 | actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' 34 | 35 | # Option: actionban 36 | # Notes.: command executed when banning an IP. Take care that the 37 | # command is executed with Fail2Ban user rights. 38 | # Tags: See jail.conf(5) man page 39 | # Values: CMD 40 | # 41 | actionban = iptables -I fail2ban- 1 -s -j 42 | 43 | # Option: actionunban 44 | # Notes.: command executed when unbanning an IP. Take care that the 45 | # command is executed with Fail2Ban user rights. 
46 | # Tags: See jail.conf(5) man page 47 | # Values: CMD 48 | # 49 | actionunban = iptables -D fail2ban- -s -j 50 | 51 | [Init] 52 | 53 | # Default name of the chain 54 | # 55 | name = default 56 | 57 | # Option: port 58 | # Notes.: specifies port to monitor 59 | # Values: [ NUM | STRING ] Default: 60 | # 61 | port = ssh 62 | 63 | # Option: protocol 64 | # Notes.: internally used by config reader for interpolations. 65 | # Values: [ tcp | udp | icmp | all ] Default: tcp 66 | # 67 | protocol = tcp 68 | 69 | # Option: chain 70 | # Notes specifies the iptables chain to which the fail2ban rules should be 71 | # added 72 | # Values: STRING Default: INPUT 73 | chain = INPUT 74 | -------------------------------------------------------------------------------- /roles/os/files/fail2ban/settings/action.d/iptables-new.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # Copied from iptables.conf and modified by Yaroslav Halchenko 5 | # to fulfill the needs of bugreporter dbts#350746. 6 | # 7 | # 8 | 9 | [INCLUDES] 10 | 11 | before = iptables-blocktype.conf 12 | 13 | 14 | [Definition] 15 | 16 | # Option: actionstart 17 | # Notes.: command executed once at the start of Fail2Ban. 18 | # Values: CMD 19 | # 20 | actionstart = iptables -N fail2ban- 21 | iptables -A fail2ban- -j RETURN 22 | iptables -I -m state --state NEW -p --dport -j fail2ban- 23 | 24 | # Option: actionstop 25 | # Notes.: command executed once at the end of Fail2Ban 26 | # Values: CMD 27 | # 28 | actionstop = iptables -D -m state --state NEW -p --dport -j fail2ban- 29 | iptables -F fail2ban- 30 | iptables -X fail2ban- 31 | 32 | # Option: actioncheck 33 | # Notes.: command executed once before each actionban command 34 | # Values: CMD 35 | # 36 | actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' 37 | 38 | # Option: actionban 39 | # Notes.: command executed when banning an IP. 
Take care that the 40 | # command is executed with Fail2Ban user rights. 41 | # Tags: See jail.conf(5) man page 42 | # Values: CMD 43 | # 44 | actionban = iptables -I fail2ban- 1 -s -j 45 | 46 | # Option: actionunban 47 | # Notes.: command executed when unbanning an IP. Take care that the 48 | # command is executed with Fail2Ban user rights. 49 | # Tags: See jail.conf(5) man page 50 | # Values: CMD 51 | # 52 | actionunban = iptables -D fail2ban- -s -j 53 | 54 | [Init] 55 | 56 | # Default name of the chain 57 | # 58 | name = default 59 | 60 | # Option: port 61 | # Notes.: specifies port to monitor 62 | # Values: [ NUM | STRING ] Default: 63 | # 64 | port = ssh 65 | 66 | # Option: protocol 67 | # Notes.: internally used by config reader for interpolations. 68 | # Values: [ tcp | udp | icmp | all ] Default: tcp 69 | # 70 | protocol = tcp 71 | 72 | # Option: chain 73 | # Notes specifies the iptables chain to which the fail2ban rules should be 74 | # added 75 | # Values: STRING Default: INPUT 76 | chain = INPUT 77 | -------------------------------------------------------------------------------- /roles/os/files/fail2ban/settings/action.d/iptables.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # 5 | # 6 | 7 | [INCLUDES] 8 | 9 | before = iptables-blocktype.conf 10 | 11 | [Definition] 12 | 13 | # Option: actionstart 14 | # Notes.: command executed once at the start of Fail2Ban. 
15 | # Values: CMD 16 | # 17 | actionstart = iptables -N fail2ban- 18 | iptables -A fail2ban- -j RETURN 19 | iptables -I -p --dport -j fail2ban- 20 | 21 | # Option: actionstop 22 | # Notes.: command executed once at the end of Fail2Ban 23 | # Values: CMD 24 | # 25 | actionstop = iptables -D -p --dport -j fail2ban- 26 | iptables -F fail2ban- 27 | iptables -X fail2ban- 28 | 29 | # Option: actioncheck 30 | # Notes.: command executed once before each actionban command 31 | # Values: CMD 32 | # 33 | actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' 34 | 35 | # Option: actionban 36 | # Notes.: command executed when banning an IP. Take care that the 37 | # command is executed with Fail2Ban user rights. 38 | # Tags: See jail.conf(5) man page 39 | # Values: CMD 40 | # 41 | actionban = iptables -I fail2ban- 1 -s -j 42 | 43 | # Option: actionunban 44 | # Notes.: command executed when unbanning an IP. Take care that the 45 | # command is executed with Fail2Ban user rights. 46 | # Tags: See jail.conf(5) man page 47 | # Values: CMD 48 | # 49 | actionunban = iptables -D fail2ban- -s -j 50 | 51 | [Init] 52 | 53 | # Default name of the chain 54 | # 55 | name = default 56 | 57 | # Option: port 58 | # Notes.: specifies port to monitor 59 | # Values: [ NUM | STRING ] Default: 60 | # 61 | port = ssh 62 | 63 | # Option: protocol 64 | # Notes.: internally used by config reader for interpolations. 
65 | # Values: [ tcp | udp | icmp | all ] Default: tcp 66 | # 67 | protocol = tcp 68 | 69 | # Option: chain 70 | # Notes specifies the iptables chain to which the fail2ban rules should be 71 | # added 72 | # Values: STRING Default: INPUT 73 | chain = INPUT 74 | -------------------------------------------------------------------------------- /roles/os/files/fail2ban/settings/action.d/mail-buffered.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # 5 | # 6 | 7 | [Definition] 8 | 9 | # Option: actionstart 10 | # Notes.: command executed once at the start of Fail2Ban. 11 | # Values: CMD 12 | # 13 | actionstart = printf %%b "Hi,\n 14 | The jail has been started successfully.\n 15 | Output will be buffered until lines are available.\n 16 | Regards,\n 17 | Fail2Ban"|mail -s "[Fail2Ban] : started on `uname -n`" 18 | 19 | # Option: actionstop 20 | # Notes.: command executed once at the end of Fail2Ban 21 | # Values: CMD 22 | # 23 | actionstop = if [ -f ]; then 24 | printf %%b "Hi,\n 25 | These hosts have been banned by Fail2Ban.\n 26 | `cat ` 27 | Regards,\n 28 | Fail2Ban"|mail -s "[Fail2Ban] : Summary from `uname -n`" 29 | rm 30 | fi 31 | printf %%b "Hi,\n 32 | The jail has been stopped.\n 33 | Regards,\n 34 | Fail2Ban"|mail -s "[Fail2Ban] : stopped on `uname -n`" 35 | 36 | # Option: actioncheck 37 | # Notes.: command executed once before each actionban command 38 | # Values: CMD 39 | # 40 | actioncheck = 41 | 42 | # Option: actionban 43 | # Notes.: command executed when banning an IP. Take care that the 44 | # command is executed with Fail2Ban user rights. 
45 | # Tags: See jail.conf(5) man page 46 | # Values: CMD 47 | # 48 | actionban = printf %%b "`date`: ( failures)\n" >> 49 | LINE=$( wc -l | awk '{ print $1 }' ) 50 | if [ $LINE -ge ]; then 51 | printf %%b "Hi,\n 52 | These hosts have been banned by Fail2Ban.\n 53 | `cat ` 54 | \nRegards,\n 55 | Fail2Ban"|mail -s "[Fail2Ban] : Summary" 56 | rm 57 | fi 58 | 59 | # Option: actionunban 60 | # Notes.: command executed when unbanning an IP. Take care that the 61 | # command is executed with Fail2Ban user rights. 62 | # Tags: See jail.conf(5) man page 63 | # Values: CMD 64 | # 65 | actionunban = 66 | 67 | [Init] 68 | 69 | # Default name of the chain 70 | # 71 | name = default 72 | 73 | # Default number of lines that are buffered 74 | # 75 | lines = 5 76 | 77 | # Default temporary file 78 | # 79 | tmpfile = /var/run/fail2ban/tmp-mail.txt 80 | 81 | # Destination/Addressee of the mail 82 | # 83 | dest = root 84 | -------------------------------------------------------------------------------- /roles/os/files/fail2ban/settings/action.d/mail-whois-lines.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # Modified-By: Yaroslav Halchenko to include grepping on IP over log files 5 | # 6 | 7 | [Definition] 8 | 9 | # Option: actionstart 10 | # Notes.: command executed once at the start of Fail2Ban. 
11 | # Values: CMD 12 | # 13 | actionstart = printf %%b "Hi,\n 14 | The jail has been started successfully.\n 15 | Regards,\n 16 | Fail2Ban"|mail -s "[Fail2Ban] : started on `uname -n`" 17 | 18 | # Option: actionstop 19 | # Notes.: command executed once at the end of Fail2Ban 20 | # Values: CMD 21 | # 22 | actionstop = printf %%b "Hi,\n 23 | The jail has been stopped.\n 24 | Regards,\n 25 | Fail2Ban"|mail -s "[Fail2Ban] : stopped on `uname -n`" 26 | 27 | # Option: actioncheck 28 | # Notes.: command executed once before each actionban command 29 | # Values: CMD 30 | # 31 | actioncheck = 32 | 33 | # Option: actionban 34 | # Notes.: command executed when banning an IP. Take care that the 35 | # command is executed with Fail2Ban user rights. 36 | # Tags: See jail.conf(5) man page 37 | # Values: CMD 38 | # 39 | actionban = printf %%b "Hi,\n 40 | The IP has just been banned by Fail2Ban after 41 | attempts against .\n\n 42 | Here is more information about :\n 43 | `whois || echo missing whois program`\n\n 44 | Lines containing IP: in \n 45 | `grep '[^0-9][^0-9]' `\n\n 46 | Regards,\n 47 | Fail2Ban"|mail -s "[Fail2Ban] : banned from `uname -n`" 48 | 49 | # Option: actionunban 50 | # Notes.: command executed when unbanning an IP. Take care that the 51 | # command is executed with Fail2Ban user rights. 
52 | # Tags: See jail.conf(5) man page 53 | # Values: CMD 54 | # 55 | actionunban = 56 | 57 | [Init] 58 | 59 | # Default name of the chain 60 | # 61 | name = default 62 | 63 | # Destination/Addressee of the mail 64 | # 65 | dest = root 66 | 67 | # Path to the log files which contain relevant lines for the abuser IP 68 | # 69 | logpath = /dev/null 70 | -------------------------------------------------------------------------------- /roles/os/files/fail2ban/settings/action.d/mail-whois.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # 5 | # 6 | 7 | [Definition] 8 | 9 | # Option: actionstart 10 | # Notes.: command executed once at the start of Fail2Ban. 11 | # Values: CMD 12 | # 13 | actionstart = printf %%b "Hi,\n 14 | The jail has been started successfully.\n 15 | Regards,\n 16 | Fail2Ban"|mail -s "[Fail2Ban] : started on `uname -n`" 17 | 18 | # Option: actionstop 19 | # Notes.: command executed once at the end of Fail2Ban 20 | # Values: CMD 21 | # 22 | actionstop = printf %%b "Hi,\n 23 | The jail has been stopped.\n 24 | Regards,\n 25 | Fail2Ban"|mail -s "[Fail2Ban] : stopped on `uname -n`" 26 | 27 | # Option: actioncheck 28 | # Notes.: command executed once before each actionban command 29 | # Values: CMD 30 | # 31 | actioncheck = 32 | 33 | # Option: actionban 34 | # Notes.: command executed when banning an IP. Take care that the 35 | # command is executed with Fail2Ban user rights. 36 | # Tags: See jail.conf(5) man page 37 | # Values: CMD 38 | # 39 | actionban = printf %%b "Hi,\n 40 | The IP has just been banned by Fail2Ban after 41 | attempts against .\n\n 42 | Here is more information about :\n 43 | `whois || echo missing whois program`\n 44 | Regards,\n 45 | Fail2Ban"|mail -s "[Fail2Ban] : banned from `uname -n`" 46 | 47 | # Option: actionunban 48 | # Notes.: command executed when unbanning an IP. 
Take care that the 49 | # command is executed with Fail2Ban user rights. 50 | # Tags: See jail.conf(5) man page 51 | # Values: CMD 52 | # 53 | actionunban = 54 | 55 | [Init] 56 | 57 | # Default name of the chain 58 | # 59 | name = default 60 | 61 | # Destination/Addressee of the mail 62 | # 63 | dest = root 64 | 65 | -------------------------------------------------------------------------------- /roles/os/files/fail2ban/settings/action.d/mail.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # 5 | # 6 | 7 | [Definition] 8 | 9 | # Option: actionstart 10 | # Notes.: command executed once at the start of Fail2Ban. 11 | # Values: CMD 12 | # 13 | actionstart = printf %%b "Hi,\n 14 | The jail has been started successfully.\n 15 | Regards,\n 16 | Fail2Ban"|mail -s "[Fail2Ban] : started on `uname -n`" 17 | 18 | # Option: actionstop 19 | # Notes.: command executed once at the end of Fail2Ban 20 | # Values: CMD 21 | # 22 | actionstop = printf %%b "Hi,\n 23 | The jail has been stopped.\n 24 | Regards,\n 25 | Fail2Ban"|mail -s "[Fail2Ban] : stopped on `uname -n`" 26 | 27 | # Option: actioncheck 28 | # Notes.: command executed once before each actionban command 29 | # Values: CMD 30 | # 31 | actioncheck = 32 | 33 | # Option: actionban 34 | # Notes.: command executed when banning an IP. Take care that the 35 | # command is executed with Fail2Ban user rights. 36 | # Tags: See jail.conf(5) man page 37 | # Values: CMD 38 | # 39 | actionban = printf %%b "Hi,\n 40 | The IP has just been banned by Fail2Ban after 41 | attempts against .\n 42 | Regards,\n 43 | Fail2Ban"|mail -s "[Fail2Ban] : banned from `uname -n`" 44 | 45 | # Option: actionunban 46 | # Notes.: command executed when unbanning an IP. Take care that the 47 | # command is executed with Fail2Ban user rights. 
48 | # Tags: See jail.conf(5) man page 49 | # Values: CMD 50 | # 51 | actionunban = 52 | 53 | [Init] 54 | 55 | # Default name of the chain 56 | # 57 | name = default 58 | 59 | # Destination/Addressee of the mail 60 | # 61 | dest = root 62 | 63 | -------------------------------------------------------------------------------- /roles/os/files/fail2ban/settings/action.d/osx-afctl.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file for using afctl on Mac OS X Server 10.5 2 | # 3 | # Anonymous author 4 | # http://www.fail2ban.org/wiki/index.php?title=HOWTO_Mac_OS_X_Server_(10.5)&diff=prev&oldid=4081 5 | # 6 | # Ref: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/afctl.8.html 7 | 8 | [Definition] 9 | actionstart = 10 | actionstop = 11 | actioncheck = 12 | actionban = /usr/libexec/afctl -a -t 13 | actionunban = /usr/libexec/afctl -r 14 | 15 | [Init] 16 | bantime = 2880 17 | -------------------------------------------------------------------------------- /roles/os/files/fail2ban/settings/action.d/osx-ipfw.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Nick Munger 4 | # Modified by: Andy Fragen and Daniel Black 5 | # 6 | # Mod for OS X, using random rulenum as OSX ipfw doesn't include tables 7 | # 8 | 9 | [Definition] 10 | 11 | # Option: actionstart 12 | # Notes.: command executed once at the start of Fail2Ban. 13 | # Values: CMD 14 | # 15 | actionstart = 16 | 17 | 18 | # Option: actionstop 19 | # Notes.: command executed once at the end of Fail2Ban 20 | # Values: CMD 21 | # 22 | actionstop = 23 | 24 | 25 | # Option: actioncheck 26 | # Notes.: command executed once before each actionban command 27 | # Values: CMD 28 | # 29 | actioncheck = 30 | 31 | 32 | # Option: actionban 33 | # Notes.: command executed when banning an IP. 
Take care that the 34 | # command is executed with Fail2Ban user rights. 35 | # Tags: IP address 36 | # Values: CMD 37 | # 38 | actionban = ipfw add set log from to 39 | 40 | 41 | # Option: actionunban 42 | # Notes.: command executed when unbanning an IP. Take care that the 43 | # command is executed with Fail2Ban user rights. 44 | # Tags: IP address 45 | # Values: CMD 46 | # 47 | actionunban = ipfw delete `ipfw -S list | grep -i 'set log from to ' | awk '{print $1;}'` 48 | 49 | [Init] 50 | 51 | # Option: port 52 | # Notes.: specifies port to block. Can be blank; however, this may require block="ip" 53 | # Values: [ NUM | STRING ] 54 | # 55 | port = ssh 56 | 57 | # Option: dst 58 | # Notes.: the local IP address of the network interface 59 | # Values: IP, any, me or anything supported by ipfw as a dst 60 | # 61 | dst = me 62 | 63 | # Option: block 64 | # Notes: This is how much to block. 65 | # Can be "ip", "tcp", "udp" or various other options. 66 | # Values: STRING 67 | block = tcp 68 | 69 | # Option: blocktype 70 | # Notes.: How to block the traffic. Use an action from man 8 ipfw 71 | # Common values: deny, unreach port, reset 72 | # Values: STRING 73 | # 74 | blocktype = unreach port 75 | 76 | # Option: set number 77 | # Notes.: The ipfw set number this rule is added to. 
78 | # Values: 0-31 79 | setnum = 10 80 | 81 | # Option: number for ipfw rule 82 | # Notes: This is meant to be automatically generated and not overwritten 83 | # Values: Random value between 10000 and 12000 84 | rulenum="`echo $((RANDOM%%2000+10000))`" 85 | 86 | # Duplicate prevention mechanism 87 | #rulenum = "`a=$((RANDOM%%2000+10000)); while ipfw show | grep -q ^$a\ ; do a=$((RANDOM%%2000+10000)); done; echo $a`" 88 | -------------------------------------------------------------------------------- /roles/os/files/fail2ban/settings/action.d/pf.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # OpenBSD pf ban/unban 4 | # 5 | # Author: Nick Hilliard 6 | # 7 | # 8 | 9 | [Definition] 10 | 11 | # Option: actionstart 12 | # Notes.: command executed once at the start of Fail2Ban. 13 | # Values: CMD 14 | # 15 | # we don't enable PF automatically, as it will be enabled elsewhere 16 | actionstart = 17 | 18 | 19 | # Option: actionstop 20 | # Notes.: command executed once at the end of Fail2Ban 21 | # Values: CMD 22 | # 23 | # we don't disable PF automatically either 24 | actionstop = 25 | 26 | 27 | # Option: actioncheck 28 | # Notes.: command executed once before each actionban command 29 | # Values: CMD 30 | # 31 | actioncheck = 32 | 33 | 34 | # Option: actionban 35 | # Notes.: command executed when banning an IP. Take care that the 36 | # command is executed with Fail2Ban user rights. 37 | # Tags: IP address 38 | # number of failures 39 | #