iptables core with ssh drop logging

/etc/sysconfig/iptables:

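*filter
# Default-deny for inbound and forwarded traffic; outbound is left open.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User chain: rate-limited LOG entry, then DROP.
:LOGGING - [0:0]

# Loopback, and replies/related packets for connections this host opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# All ICMP types are accepted; narrow to specific types if that matters here.
-A INPUT -p icmp -j ACCEPT

# Allow the ssh/22 connections you need. Replace the placeholder with the
# management host or network (CIDR works) and double-check it before
# loading: with INPUT policy DROP a wrong address locks you out of ssh.
# --syn limits the match to real handshake packets; without it a
# mid-stream packet that has no conntrack entry can be classified as NEW
# (nf_conntrack_tcp_loose) and would be accepted from this source.
-A INPUT -p tcp -m tcp --syn --dport 22 -m conntrack --ctstate NEW -s IP.YOU.WANT.TOALLOW -j ACCEPT

# Every other new ssh/22 connection is sent to LOGGING (log, then drop).
# Traffic that matches nothing above is dropped silently by the policy.
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j LOGGING

# Log at most 6 entries/minute with a burst of 3. A scan or brute-force
# run is therefore sampled, not recorded packet-for-packet; do not read
# the log as a full hit count. The rsyslog filter keys on this prefix.
-A LOGGING -m limit --limit 6/min --limit-burst 3 -j LOG --log-prefix "[iptables dropped] "

# Drop for real.
-A LOGGING -j DROP

COMMIT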

/etc/rsyslog.d/iptables.conf:

# Route the kernel LOG lines emitted by the iptables LOGGING chain into
# their own file, then stop processing so they do not also end up in the
# default log files.
# NOTE(review): this relies on /etc/rsyslog.d/*.conf being included
# before the catch-all rules in rsyslog.conf (as on stock RHEL); confirm
# on the target, otherwise the lines are duplicated. The file is created
# with rsyslog's default mode; tighten with fileCreateMode if the source
# addresses in the drop log should not be world-readable.
if $msg contains "[iptables dropped]" then {
    action(type="omfile" file="/var/log/iptables.log")
    stop
}

/etc/logrotate.d/iptables.conf:

# Keep 14 weekly rotations (about three months) of the iptables drop log.
/var/log/iptables.log {
  weekly
  rotate 14
  missingok
  # Compress rotated files, but leave the newest rotation uncompressed
  # until the next cycle so rsyslog can finish writing to it.
  compress
  delaycompress
  # Ask rsyslog to reopen its output files after the rename.
  postrotate
    /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
  endscript
}

Ansible: syncing Linux to AD time

Requirements: the PDC emulator is located through the `_ldap._tcp.pdc._msdcs.<domain>` SRV record in Active Directory DNS, so the target host (where the lookup runs) must use DNS servers that can resolve the domain namespace. The playbook assumes the host's timezone is already set correctly; it only configures the time source.

ansible/setup-domaintime-linux/setup-domaintime-linux.yaml :

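---
# Point a RHEL/CentOS host's chronyd at the domain's PDC emulator, the
# authoritative time source in an AD forest. Kerberos tolerates only a
# small clock skew, so this is an authentication prerequisite, not just
# a convenience.
- hosts: all
  remote_user: localuser
  become: true

  vars:
    pkgs:
      - chrony
      - bind-utils

  vars_prompt:
    - name: domain_fqdn
      prompt: "Enter domain FQDN to search for PDC (example: mydomain.local)"
      private: false

  tasks:

    - name: Checking if running RedHat/CentOS
      fail:
        msg: The system is not running RedHat/CentOS, aborting
      when: ansible_facts['os_family'] != 'RedHat'

    - name: Ensuring ntpdate is absent
      dnf:
        name: ntpdate
        state: absent

    - name: Ensuring chrony and bind-utils are present
      dnf:
        name: "{{ pkgs }}"
        state: present
        update_cache: true

    # The systemd module fails with "Could not find the requested service"
    # when enabled/state are applied to a unit that is not installed, so
    # stop/disable is gated on service facts. Masking works regardless of
    # whether the unit exists and is done unconditionally.
    - name: Gathering service facts
      service_facts:

    - name: Stopping and disabling ntpd service when it is installed
      systemd:
        name: ntpd
        enabled: false
        state: stopped
      when: "'ntpd.service' in ansible_facts.services"

    - name: Masking ntpd service
      systemd:
        name: ntpd
        masked: true

    # The PDC emulator is published in AD DNS as an SRV record. dig comes
    # from bind-utils (installed above); +short prints
    # "<prio> <weight> <port> <target>." and the trailing dot is stripped.
    # The prompted value goes through |quote so it reaches the shell as a
    # single literal argument.
    - name: Looking up PDC in AD DNS
      shell: >-
        set -o pipefail;
        dig +short SRV _ldap._tcp.pdc._msdcs.{{ domain_fqdn | quote }}
        | awk 'NR==1 {print $4}' | sed 's/\.$//'
      args:
        executable: /bin/bash
      register: PDClookup
      changed_when: false
      # An empty answer would render "server  iburst" into chrony.conf and
      # leave chronyd without a time source; fail here instead.
      failed_when: PDClookup.rc != 0 or PDClookup.stdout | trim | length == 0

    - name: Recording PDC FQDN
      set_fact:
        PDCfqdn: "{{ PDClookup.stdout | trim }}"

    - name: Configuring chrony.conf
      template:
        src: chrony.conf.j2
        dest: /etc/chrony.conf
        owner: root
        group: root
        mode: "0644"
      notify: Restart chronyd

    # Enabled and started on every run; the restart happens only through
    # the handler when chrony.conf actually changed, which keeps the play
    # idempotent instead of bouncing time sync each time it runs.
    - name: Enabling chronyd service
      systemd:
        name: chronyd
        enabled: true
        state: started

  handlers:
    - name: Restart chronyd
      systemd:
        name: chronyd
        state: restarted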

ansible/setup-domaintime-linux/templates/chrony.conf.j2 :

# Rendered by Ansible from chrony.conf.j2. PDCfqdn is the PDC emulator
# found via the _ldap._tcp.pdc._msdcs SRV record; iburst speeds up the
# initial synchronisation.
# NOTE(review): this is plain NTP to the DC (no key or nts option on the
# server line), so the time source is only as trustworthy as the network
# path to it.
server {{ PDCfqdn }} iburst

# Step the clock rather than slew it when the offset exceeds 0.1 s, but
# only during the first three updates (startup correction).
makestep 0.1 3

# Periodically copy system time to the RTC, and persist the measured drift.
rtcsync
driftfile /var/lib/chrony/drift

# Leap-second information from the right/UTC tz database.
leapsectz right/UTC

# Per-update measurement, statistics and tracking logs.
logdir /var/log/chrony
log measurements statistics tracking

ansible/setup-domaintime-linux/ansible.cfg :

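[defaults]
inventory           = hosts
# Keep SSH host-key verification on (the Ansible default). Turning it off
# accepts any host key, so a machine placed at the inventory address could
# impersonate the target and receive the login and become credentials.
# To avoid the interactive prompt on a first run, pre-seed
# ~/.ssh/known_hosts instead, e.g. with ssh-keyscan against the host.
host_key_checking   = True
become_method       = sudo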

ansible/setup-domaintime-linux/hosts :

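[all]
# ansible_user is the current name of the connection-user variable;
# ansible_ssh_user is the pre-2.0 alias. The playbook also sets the login
# user at play level, so keep the two in agreement (or drop one).
virtualhostname ansible_host=192.168.1.60 ansible_user=localuser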