fix

8 years ago · cf08c5ff61
parent b29f1ab226 27421070b9
commit cf08c5ff61
14 changed files with 178 additions and 183 deletions
--- a/digitalocean.yml
+++ b/digitalocean.yml
@ -1,3 +1,4 @@
+# vim:ft=ansible:
 - name: Configure the server and install required software
  hosts: localhost

@ -50,27 +51,27 @@
    private: no

  - name: "dns_enabled"
-    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
    private: no

  - name: "proxy_enabled"
-    prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
    private: no

  - name: "auditd_enabled"
-    prompt: "Do you want to use auditd ? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
    private: no

  - name: "ssh_tunneling_enabled"
-    prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
    private: no

  - name: "easyrsa_p12_export_password"
-    prompt: "Enter the password for p12 certificates:\n"
+    prompt: "Enter a password for p12 certificates:\n"
    default: "vpn"
    private: yes

@ -131,10 +132,10 @@
    - common
    - security
    - vpn
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } 
-    - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
-    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } 
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }

  handlers:
    - name: reload eth0
--- a/ec2.yml
+++ b/ec2.yml
@ -21,7 +21,6 @@
      "11": "sa-east-1"

  vars_prompt:
-
  - name: "aws_access_key"
    prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
    private: yes
@ -58,27 +57,27 @@
    private: no

  - name: "dns_enabled"
-      prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
    private: no

  - name: "proxy_enabled"
-      prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
    private: no

  - name: "auditd_enabled"
-      prompt: "Do you want to use auditd ? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
    private: no

  - name: "ssh_tunneling_enabled"
-      prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
    private: no

  - name: "easyrsa_p12_export_password"
-      prompt: "Enter the password for p12 certificates:\n"
+    prompt: "Enter a password for p12 certificates:\n"
    default: "vpn"
    private: yes

@ -102,7 +101,7 @@
    - common
    - security
    - vpn
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
-    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
-    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
--- a/gce.yml
+++ b/gce.yml
@ -1,3 +1,4 @@
+# vim:ft=ansible:
 - name: Configure the server and install required software
  hosts: localhost
  gather_facts: false
@ -54,27 +55,27 @@
    private: no

  - name: "dns_enabled"
-    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
    private: no

  - name: "proxy_enabled"
-    prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
    private: no

  - name: "auditd_enabled"
-    prompt: "Do you want to use auditd ? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
    private: no

  - name: "ssh_tunneling_enabled"
-    prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
    private: no

  - name: "easyrsa_p12_export_password"
-    prompt: "Enter the password for p12 certificates:\n"
+    prompt: "Enter a password for p12 certificates:\n"
    default: "vpn"
    private: yes

@ -98,7 +99,7 @@
    - common
    - security
    - vpn
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
-    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
-    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
--- a/non-cloud.yml
+++ b/non-cloud.yml
@ -1,9 +1,10 @@
+# vim:ft=ansible:
 - hosts: localhost
  gather_facts: False
  vars_files:
    - config.cfg
-  vars_prompt:

+  vars_prompt:
  - name: "server_ip"
    prompt: "Enter IP address of your server: (use localhost for local installation)\n"
    default: localhost
@ -15,32 +16,32 @@
    private: no

  - name: "dns_enabled"
-      prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
    private: no

  - name: "proxy_enabled"
-      prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
    private: no

  - name: "auditd_enabled"
-      prompt: "Do you want to use auditd ? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
    private: no

  - name: "ssh_tunneling_enabled"
-      prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
-      default: "Y"
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
    private: no

  - name: "easyrsa_p12_export_password"
-      prompt: "Enter the password for p12 certificates:\n"
+    prompt: "Enter a password for p12 certificates:\n"
    default: "vpn"
    private: yes
      
  - name: "IP_subject"
-      prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
+    prompt: "Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
    private: no

  tasks:
@ -76,7 +77,7 @@
    - common
    - security
    - vpn
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
-    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
-    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
--- a/roles/common/templates/sshd_config.j2
+++ b/roles/common/templates/sshd_config.j2
@ -24,7 +24,6 @@ PubkeyAuthentication yes
 AcceptEnv LANG LC_*

 # Turn off a lot of features
-AllowAgentForwarding no
 IgnoreRhosts yes
 RhostsRSAAuthentication no
 RSAAuthentication no
@ -33,7 +32,6 @@ PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 PasswordAuthentication no
 UseDNS no
-X11Forwarding no

 # Do not enable sftp
 # If you DO enable it, use this line to log which files sftp users read/write
@ -51,21 +49,16 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
-
-###
-
 # TODO: I haven't seen anyone review these yet
 # HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
-
 # TODO: I haven't seen anyone review these yet
 # PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519

-# TODO: I think we want to enable tunnels but disable stream local fowarding?
-# PermitTunnel yes
-# AllowStreamLocalForwarding no
-
 {% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %}
 Match Group algo
    AllowTcpForwarding remote
+    AllowAgentForwarding no
    AllowStreamLocalForwarding no
+    PermitTunnel no
+    X11Forwarding no
 {% endif %}    
--- a/roles/dns_adblocking/tasks/main.yml
+++ b/roles/dns_adblocking/tasks/main.yml
@ -10,7 +10,7 @@
    - restart dnsmasq

 - name: The dnsmasq directory created
-  file: dest=/var/lib/dnsmasq state=directory mode=755 owner=dnsmasq group=nogroup
+  file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup

 - name: Enforce the dnsmasq AppArmor policy
  shell: aa-enforce usr.sbin.dnsmasq