From 1bbd04b13139f2202c7d11f5fb20e8c064d8ed43 Mon Sep 17 00:00:00 2001
From: Hoan To
Date: Wed, 9 Nov 2022 15:05:49 +0000
Subject: [PATCH] DEV-533: added IP for aachen to whitelist and firewalls
---
 group_vars/all/plain.yml | 1 +
 roles/common/configs/sshd/sshd_config.j2 | 123 ------------------
 roles/common/tasks/main.yml | 10 --
 roles/hcloud/templates/firewall-awx.json.j2 | 17 ---
 .../hcloud/templates/firewall-default.json.j2 | 60 ---------
 .../hcloud/templates/firewall-kibana.json.j2 | 43 ------
 .../templates/firewall-monitoring.json.j2 | 63 ---------
 7 files changed, 1 insertion(+), 316 deletions(-)
 delete mode 100644 roles/common/configs/sshd/sshd_config.j2
 delete mode 100644 roles/hcloud/templates/firewall-awx.json.j2
 delete mode 100644 roles/hcloud/templates/firewall-default.json.j2
 delete mode 100644 roles/hcloud/templates/firewall-kibana.json.j2
 delete mode 100644 roles/hcloud/templates/firewall-monitoring.json.j2
diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml
index 8935f3c..1750a2c 100644
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@@ -134,6 +134,7 @@ ip_whitelist:
 - "212.121.131.106/32" # netgo berlin
 - "149.233.6.129/32" # netgo e-shelter
 - "46.245.219.98/32" # netgo borken
+ - "164.138.195.162/32" # netgo Aachen
 - "{{ shared_service_network }}"
 
 offsite_storage_server_ip: 142.132.155.83/32
diff --git a/roles/common/configs/sshd/sshd_config.j2 b/roles/common/configs/sshd/sshd_config.j2
deleted file mode 100644
index c9af59e..0000000
--- a/roles/common/configs/sshd/sshd_config.j2
+++ /dev/null
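Review bot: The Aachen address lands only in `ip_whitelist`; nothing else in this patch references that variable, so whether 164.138.195.162/32 reaches an hcloud firewall rule depends on the hcloud role already rendering its rules from `ip_whitelist`, which is not visible here and which deleting the four firewall templates does not establish. The description should say which rules the whitelist now feeds, because the deleted templates carried sources (for example 162.55.214.230/32, 212.86.56.112/32, 87.141.83.195/32 and 94.130.97.253/32) that do not appear in the visible part of the list and would lose access if nothing else supplies them. As a point of style, the inline comment could follow its neighbours' lowercase form, `- "164.138.195.162/32" # netgo aachen`.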
@@ -1,123 +0,0 @@
-# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-ListenAddress 5.9.148.23
-ListenAddress 212.121.131.106
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication no
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin yes
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
\ No newline at end of file
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 84deb74..b287053 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -251,16 +251,6 @@
 - front-tier
 - back-tier
 
-- name: sshd configuration file update
- template:
- src: 'configs/sshd/sshd_config.j2'
- dest: '/etc/ssh/sshd_config.new'
- owner: 'root'
- group: 'root'
- mode: 0644
- notify:
- - restart ssh
-
 # elasticsearch production mode requirements
 - name: "Set vm.max_map_count"
 sysctl:
diff --git a/roles/hcloud/templates/firewall-awx.json.j2 b/roles/hcloud/templates/firewall-awx.json.j2
deleted file mode 100644
index 45e08f3..0000000
--- a/roles/hcloud/templates/firewall-awx.json.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "name": "awx",
- "labels": {
- },
- "rules": [
- {
- "direction": "in",
- "protocol": "tcp",
- "port": "80",
- "source_ips": [
- "159.69.46.214/32",
- ],
- "destination_ips": [
- ]
- }
- ]
-}
diff --git a/roles/hcloud/templates/firewall-default.json.j2 b/roles/hcloud/templates/firewall-default.json.j2
deleted file mode 100644
index 8e887a0..0000000
--- a/roles/hcloud/templates/firewall-default.json.j2
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- "name": "default",
- "labels": {
- },
- "rules": [
- {
- "direction": "in",
- "protocol": "icmp",
- "port": null,
- "source_ips": [
- "0.0.0.0/0",
- "::/0"
- ],
- "destination_ips": [
- ]
- },
- {
- "direction": "in",
- "protocol": "tcp",
- "port": "22",
- "source_ips": [
- "149.233.6.129/32",
- "162.55.214.230/32",
- "212.121.131.106/32",
- "212.86.56.112/32",
- "87.141.83.195/32"
- ],
- "destination_ips": [
- ]
- },
- {
- "direction": "in",
- "protocol": "tcp",
- "port": "80",
- "source_ips": [
- "149.233.6.129/32",
- "162.55.214.230/32",
- "212.121.131.106/32",
- "212.86.56.112/32",
- "87.141.83.195/32"
- ],
- "destination_ips": [
- ]
- },
- {
- "direction": "in",
- "protocol": "tcp",
- "port": "443",
- "source_ips": [
- "149.233.6.129/32",
- "162.55.214.230/32",
- "212.121.131.106/32",
- "212.86.56.112/32",
- "87.141.83.195/32"
- ],
- "destination_ips": [
- ]
- }
- ]
-}
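Review bot: Dropping the `sshd configuration file update` task does not remove what it already rendered: hosts provisioned before this change keep a root-owned `/etc/ssh/sshd_config.new` that carries `PermitRootLogin yes` and `X11Forwarding yes`, and nothing in this hunk cleans it up. A replacement task in the same position, `- name: remove stale sshd config draft` followed by `  file: { path: /etc/ssh/sshd_config.new, state: absent }`, would leave old and new hosts in the same state. As far as this patch shows, the template was only ever written to the `.new` path rather than `/etc/ssh/sshd_config`, so the live sshd configuration was presumably never managed by it and the `restart ssh` handler it notified restarted sshd without an accompanying config change; worth confirming on a running host before treating the deletion as behaviour-neutral.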
diff --git a/roles/hcloud/templates/firewall-kibana.json.j2 b/roles/hcloud/templates/firewall-kibana.json.j2
deleted file mode 100644
index 3401c58..0000000
--- a/roles/hcloud/templates/firewall-kibana.json.j2
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "name": "kibana",
- "labels": {
- },
- "rules": [
- {
- "direction": "in",
- "protocol": "tcp",
- "port": "5601",
- "source_ips": [
- "149.233.6.129/32",
- "212.121.131.106/32",
- "87.141.83.195/32"
- ],
- "destination_ips": [
- ]
- },
- {
- "direction": "in",
- "protocol": "tcp",
- "port": "9200",
- "source_ips": [
- "149.233.6.129/32",
- "212.121.131.106/32",
- "87.141.83.195/32"
- ],
- "destination_ips": [
- ]
- },
- {
- "direction": "in",
- "protocol": "tcp",
- "port": "9300",
- "source_ips": [
- "149.233.6.129/32",
- "212.121.131.106/32",
- "87.141.83.195/32"
- ],
- "destination_ips": [
- ]
- }
- ]
-}
diff --git a/roles/hcloud/templates/firewall-monitoring.json.j2 b/roles/hcloud/templates/firewall-monitoring.json.j2
deleted file mode 100644
index 887e639..0000000
--- a/roles/hcloud/templates/firewall-monitoring.json.j2
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "name": "monitoring",
- "labels": {
- },
- "rules": [
- {
- "direction": "in",
- "protocol": "tcp",
- "port": "9080-9085",
- "source_ips": [
- "149.233.6.129/32",
- "212.121.131.106/32",
- "212.86.56.112/32",
- "87.141.83.195/32",
- "94.130.97.253/32"
- ],
- "destination_ips": [
- ]
- },
- {
- "direction": "in",
- "protocol": "tcp",
- "port": "9001",
- "source_ips": [
- "149.233.6.129/32",
- "212.121.131.106/32",
- "212.86.56.112/32",
- "87.141.83.195/32",
- "94.130.97.253/32"
- ],
- "destination_ips": [
- ]
- },
- {
- "direction": "in",
- "protocol": "tcp",
- "port": "9187",
- "source_ips": [
- "149.233.6.129/32",
- "212.121.131.106/32",
- "212.86.56.112/32",
- "87.141.83.195/32",
- "94.130.97.253/32"
- ],
- "destination_ips": [
- ]
- },
- {
- "direction": "in",
- "protocol": "tcp",
- "port": "80",
- "source_ips": [
- "149.233.6.129/32",
- "212.121.131.106/32",
- "212.86.56.112/32",
- "87.141.83.195/32",
- "94.130.97.253/32"
- ],
- "destination_ips": [
- ]
- }
- ]
-}