From 02af593780427be8a8109517bab3450859425e49 Mon Sep 17 00:00:00 2001
From: Aaron LI
Date: Sat, 3 Mar 2018 10:58:59 +0800
Subject: Add security role: PF firewall, sshlockout
---
roles/security/tasks/main.yml | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 roles/security/tasks/main.yml
(limited to 'roles/security/tasks')
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
new file mode 100644
index 0000000..0a7ef0f
--- /dev/null
+++ b/roles/security/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: firewall - setup PF rules
+ template:
+ src: pf.conf.j2
+ dest: /etc/pf.conf
+ validate: "pfctl -nf %s"
+
+- name: firewall - enable PF
+ command: rcenable pf
+
+- name: firewall - enable PF log
+ command: rcenable pflog
+
+- name: sshlockout - setup with PF
+ blockinfile:
+ path: /etc/syslog.conf
+ marker: '# {mark} ANSIBLE MANAGED - sshlockout'
+ block: |
+ # Block SSH auth failures using "sshlockout" and "pf"
+ auth.info;authpriv.info |exec /usr/sbin/sshlockout -pf bruteforce
+
+- name: periodic - copy clean-pf script
+ copy:
+ src: 600.clean-pf
+ dest: /etc/periodic/daily/600.clean-pf
+ mode: 0755
+
+- name: periodic - touch config file
+ file:
+ path: /etc/periodic.conf
+ state: touch
+ mode: 0644
+
+- name: periodic - enable clean-pf
+ blockinfile:
+ path: /etc/periodic.conf
+ marker: '# {mark} ANSIBLE MANAGED - clean-pf'
+ block: |
+ # Clean up PF tables
+ daily_clean_pf_enable="YES"
+ daily_clean_pf_tables="bruteforce"
-- 
cgit v1.2.2
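Review bot: Changes to /etc/pf.conf and /etc/syslog.conf are written but never applied to the running services: the `template` task for pf.conf has no `notify`, so an updated ruleset only takes effect if `rcenable pf` happens to reload it (on a host where pf is already enabled and running it presumably does not), and the `blockinfile` task on syslog.conf never signals syslogd, so the sshlockout pipe stays inactive until the daemon is restarted. Add `notify: reload pf` to the template task and `notify: restart syslogd` to the sshlockout blockinfile task, with matching handlers in the role's handlers file that run `pfctl -f /etc/pf.conf` and restart syslogd. The two `command: rcenable ...` tasks also report changed on every run; a `changed_when` derived from the command output, or a `service`-module equivalent if it supports this platform, would make the role idempotent. The `bruteforce` table name is shared between the syslog block and periodic.conf but its definition lives in pf.conf.j2, which is not in this patch, so confirm the template declares it as a persistent table. Finally, ansible-lint prefers quoted octal modes, `mode: "0755"` and `mode: "0644"`, to avoid YAML integer-parsing surprises.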