Update to 2022-01-12 10:14

This commit is contained in:
Daniel Berteaud
2022-01-12 10:14:43 +01:00
parent 898ae43de4
commit e73f05f073
22 changed files with 61 additions and 32 deletions

View File

@@ -41,12 +41,13 @@ ssh_users: []
# ssh_keys:
# - 'ssh-rsa AAAAB3NzaC1yc2...'
# - 'ssh-rsa AAAAB3NzaC1yc2...'
# keys_exclusive: True
# keys_file: %h/.ssh/authorized_keys
# key_options:
# - from="192.168.3.7"
# - no-pty
# sftp_only: True
# chroot: /var/www/html
# keys_file: %h/.ssh/authorized_keys
# allow_forwarding: False
# sudo_defaults:
# - '!env_reset'

View File

@@ -60,7 +60,7 @@
key_options: "{{ item.key_options | default([]) | join(',') }}"
path: "{{ item.keys_file | default('/etc/ssh/authorized_keys/' ~ item.name ~ '/authorized_keys') }}"
manage_dir: False
exclusive: True
exclusive: "{{ item.keys_exclusive | default(True) }}"
ignore_errors: True # Needed eg, if LDAP isn't available on first run
loop: "{{ ssh_users }}"
tags: ssh

View File

@@ -4,9 +4,14 @@
iptables_raw:
name: sshd_limit
rules: |
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
-N SSH_LIMIT
{% if trusted_ip is defined and trusted_ip | length > 0 %}
-A SSH_LIMIT -s {{ trusted_ip | join(',') }} -j RETURN
{% endif %}
-A SSH_LIMIT -m recent --name ssh_limit --set
-A SSH_LIMIT -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
-A SSH_LIMIT -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -j SSH_LIMIT
state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}"
weight: 10
tags: ssh,firewall