Add SSH/PVE Configuration Playbook

2023-11-25 15:39:11 -05:00 · 2023-11-25 15:39:11 -05:00 · 410a57c2d9
commit 410a57c2d9
parent a7714122b1
10 changed files with 129 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+.vscode/
+*.log
--- a/Ansible/inventory.ini
+++ b/Ansible/inventory.ini
@ -0,0 +1,13 @@
+[proxmox]
+10.0.1.0
+
+[windows]
+10.0.1.10
+10.0.1.11
+
+[linux]
+10.0.1.2
+10.0.1.12
+10.0.1.14
+10.0.1.15
+10.0.1.16
--- a/Ansible/openssh.yml
+++ b/Ansible/openssh.yml
@ -0,0 +1,16 @@
+- hosts: linux
+  remote_user: root
+  tasks:
+  - name: Update/install OpenSSH
+    apt: 
+      name: openssh-server
+      state: latest
+      update_cache: yes
+  - name: Copy Secure Configuration File
+    copy:
+      src: ../Configs/sshd_config
+      dest: /etc/ssh/sshd_config
+  - name: Restart OpenSSH
+    systemd_service:
+      name: sshd
+      state: restarted
--- a/Ansible/proxmox.yml
+++ b/Ansible/proxmox.yml
@ -0,0 +1,27 @@
+- hosts: proxmox
+  remote_user: root
+  tasks:
+    - name: Adding ansible SSH Pubkey as authorized
+      copy:
+        src: ~/.ssh/authorized_keys
+        dest: /root/.ssh/authorized_keys
+    
+    - name: adding PVE-no-subscription repo
+      blockinfile:
+        path: /etc/apt/sources.list
+        insertbefore: "^# security"
+        block: |
+          # PVE pve-no-subscription repository provided by proxmox.com,
+          # NOT recommended for production use
+          deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription
+
+    - name: upgrading system
+      apt:
+        upgrade: full
+        update_cache: yes
+        cache_valid_time: 7200
+
+    - name: installing sudo
+      apt:
+        name: sudo
+        state: present
--- a/Bash/compliance-list.txt
+++ b/Bash/compliance-list.txt
@ -0,0 +1,5 @@
+10.0.1.2
+10.0.1.12
+10.0.1.14
+10.0.1.15
+10.0.1.16
--- a/Bash/ssl-compliance.sh
+++ b/Bash/ssl-compliance.sh
@ -0,0 +1,24 @@
+#!/bin/sh
+
+if [ "$#" -eq 0 ]; then
+    echo "Usage: $0 (--install-deps) <file-with-hosts>"
+    exit 1
+fi
+
+if [ "$1" = "--install-deps" ]; then
+    echo "[+] Installing dependencies"
+    pip3 install --upgrade pip setuptools wheel --break-system-packages
+    pip3 install --upgrade sslyze --break-system-packages
+    filename="$2"
+else
+    filename="$1"
+fi
+
+if [ ! -f "$filename" ]; then
+    echo "Error: File '$filename' not found."
+    exit 1
+fi
+
+while IFS= read -r line; do
+    python3 -m sslyze "$line"
+done < "$filename"
--- a/Configs/sshd_config
+++ b/Configs/sshd_config
@ -0,0 +1,42 @@
+# Based on https://infosec.mozilla.org/guidelines/openssh secure configuration guide
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+LogLevel VERBOSE
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+MaxAuthTries 5
+MaxSessions 8
+
+PubkeyAuthentication yes
+
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+KbdInteractiveAuthentication no
+
+KerberosAuthentication no
+GSSAPIAuthentication no
+
+UsePAM yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+X11Forwarding no
+PrintMotd no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
--- a/PowerShell/Find-RDP.ps1
+++ b/PowerShell/Find-RDP.ps1
--- a/PowerShell/Get-Programs.ps1
+++ b/PowerShell/Get-Programs.ps1
--- a/TODO.md
+++ b/TODO.md
@ -1,2 +0,0 @@
-* Add Winget/Choco package support for Get-Packages.ps1
-* More backup scripts