From 297537d0a96b712fb997d14a2150911dd047c964 Mon Sep 17 00:00:00 2001
From: Fredrik Thulin
Date: Tue, 25 Feb 2014 09:33:20 +0100
Subject: define NTP servers, for eduID filtering of outgoing traffic

---
 global/overlay/etc/puppet/manifests/cosmos-site.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'global/overlay/etc')

diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index 737045a..1e4e857 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -62,7 +62,7 @@ node 'sto-tug-kvm1.swamid.se' {
 class { 'dhcp':
 dnsdomain => [ 'eduid.se','sunet.se' ],
 nameservers => ['130.242.80.14','130.242.80.99'],
- ntpservers => ['pool.ntp.org'],
+ ntpservers => ['ntp1.nordu.net','ntp2.nordu.net','Time1.Stupi.SE'],
 interfaces => ['eth0'],
 #pxeserver => '130.242.125.5',
 #pxefilename => 'pxelinux.0'
@@ -266,7 +266,7 @@ class sunet-cdr {
 class { 'dhcp':
 dnsdomain => [ 'eduid.se','sunet.se' ],
 nameservers => ['130.242.80.14','130.242.80.99'],
- ntpservers => ['pool.ntp.org'],
+ ntpservers => ['ntp1.nordu.net','ntp2.nordu.net','Time1.Stupi.SE'],
 interfaces => ['bond0'],
 #pxeserver => '130.242.125.5',
 #pxefilename => 'pxelinux.0'
-- cgit v1.1

From cef1d1f2741e80c7eaa107bcbb23c0c7bb40234c Mon Sep 17 00:00:00 2001
From: Fredrik Thulin
Date: Thu, 27 Feb 2014 09:03:03 +0100
Subject: ignore some ipv6-icmp

---
 global/overlay/etc/puppet/modules/sunet/manifests/server.pp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'global/overlay/etc')

diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
index 9215c8f..c4622fa 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
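Review bot: The new `ntpservers` list is written out verbatim in both hunks, once under `node 'sto-tug-kvm1.swamid.se'` and once in `class sunet-cdr`, so the two copies will drift the next time one is edited; a single top-level `$ntp_servers = ['ntp1.nordu.net','ntp2.nordu.net','Time1.Stupi.SE']` referenced from both `class { 'dhcp': }` declarations keeps them in step. That matters here because the subject ties this list to egress filtering: DHCP option 42 carries IP addresses, so these hostnames are presumably resolved on the DHCP server when its configuration is loaded rather than by clients, and an egress rule set built from the same names should resolve them at the same point or the handed-out addresses and the permitted addresses can diverge. `Time1.Stupi.SE` is the only mixed-case entry; lower-casing it is cosmetic but avoids a spurious mismatch if the list is later compared textually against a filter rule.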
@@ -6,4 +6,16 @@ define sunet::server() {
 # Add prerequisites for ethernet bonding, if physical server
 sunet::ethernet_bonding { 'sunet_ethernet_bonding': }
 
+ # Ignore IPv6 multicast
+ ufw::deny { 'ignore_v6_multicast':
+ ip => 'ff02::1',
+ proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
+ }
+
+ # Ignore IPv6 multicast PIM router talk
+ ufw::deny { 'ignore_v6_multicast_PIM':
+ ip => 'ff02::d',
+ proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
+ }
+
 }
-- cgit v1.1

From e008a30c890b1ad76a8e7704259858f1c442e2e6 Mon Sep 17 00:00:00 2001
From: Fredrik Thulin
Date: Thu, 27 Feb 2014 09:05:24 +0100
Subject: use improved ufw from SUNET github repo

---
 global/overlay/etc/puppet/cosmos-modules.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'global/overlay/etc')

diff --git a/global/overlay/etc/puppet/cosmos-modules.conf b/global/overlay/etc/puppet/cosmos-modules.conf
index b0a91f4..c47e936 100644
--- a/global/overlay/etc/puppet/cosmos-modules.conf
+++ b/global/overlay/etc/puppet/cosmos-modules.conf
@@ -4,7 +4,7 @@
 concat puppetlabs/concat no
 stdlib puppetlabs/stdlib no
 cosmos git://github.com/leifj/puppet-cosmos.git yes
-ufw attachmentgenie/ufw no
+ufw git://github.com/SUNET/puppet-module-ufw.git yes
 apt puppetlabs/apt no
 vcsrepo puppetlabs/vcsrepo no
 xinetd puppetlabs/xinetd no
-- cgit v1.1

From 4e2859018cc13954c88c6f13a5d03e12545a009c Mon Sep 17 00:00:00 2001
From: Fredrik Thulin
Date: Thu, 27 Feb 2014 09:07:32 +0100
Subject: disable rules requiring newer ufw

---
 .../etc/puppet/modules/sunet/manifests/server.pp | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
(limited to 'global/overlay/etc')

diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
index c4622fa..72d8d49 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
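Review bot: `proto => 'any'` on the `ff02::1` rule drops every protocol addressed to the all-nodes multicast group, not only the ICMPv6 chatter the inline comment says it is meant to silence; if this module's `ip` parameter maps to ufw's destination (`to`) address, the rule also covers unsolicited Router Advertisements, which are sent to `ff02::1`, so a host relying on SLAAC or an RA-learned default route could lose IPv6 connectivity when ufw reloads. The parameter's direction in the `attachmentgenie/ufw` module pinned by cosmos-modules.conf should be confirmed before this goes live, and the result recorded next to the rule, e.g. `# Drops all traffic to ff02::1 including Router Advertisements; acceptable because <REASON — fill in>`. The `ff02::d` (all PIM routers) rule carries the same `proto => 'any'` breadth but has no comparable effect on an end host. The enclosing `sunet::server` define starts before this hunk.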
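Review bot: The replacement `ufw` entry fetches over the `git://` transport and names no tag or commit, so the module installed on every host is whatever the branch head is at fetch time, retrieved over a channel that authenticates neither the server nor the content; the pre-existing `cosmos git://github.com/leifj/puppet-cosmos.git yes` line has the same exposure. Switching to `ufw https://github.com/SUNET/puppet-module-ufw.git yes` gives server authentication for free, and pinning a reviewed ref in whatever form this loader accepts (not visible here) would make module upgrades a deliberate change rather than a side effect of the next run. The meaning of the third column is not documented in the hunk; if it controls automatic updating, that interacts with the unpinned ref and is worth a header comment in the file.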
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
@@ -6,16 +6,17 @@ define sunet::server() {
 # Add prerequisites for ethernet bonding, if physical server
 sunet::ethernet_bonding { 'sunet_ethernet_bonding': }
 
- # Ignore IPv6 multicast
- ufw::deny { 'ignore_v6_multicast':
- ip => 'ff02::1',
- proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
- }
+# Removed until SWAMID hosts can have their ufw module updated / ft
+# # Ignore IPv6 multicast
+# ufw::deny { 'ignore_v6_multicast':
+# ip => 'ff02::1',
+# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
+# }
 
- # Ignore IPv6 multicast PIM router talk
- ufw::deny { 'ignore_v6_multicast_PIM':
- ip => 'ff02::d',
- proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
- }
+# # Ignore IPv6 multicast PIM router talk
+# ufw::deny { 'ignore_v6_multicast_PIM':
+# ip => 'ff02::d',
+# proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
+# }
 
 }
-- cgit v1.1

From baffa6e766cb7b69454f9d833e670003e6a8646f Mon Sep 17 00:00:00 2001
From: Fredrik Thulin
Date: Thu, 27 Feb 2014 10:52:15 +0100
Subject: some sshd_config hardening from eduid-ops

---
 .../etc/puppet/modules/sunet/manifests/server.pp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'global/overlay/etc')

diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
index 72d8d49..875dc69 100644
--- a/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/server.pp
@@ -19,4 +19,22 @@ define sunet::server() {
 # proto => 'any' # 'ufw' has a hard-coded list of protocols, which does not include 'ipv6-icmp' :(
 # }
 
+ include augeas
+ augeas { "sshd_config":
+ context => "/files/etc/ssh/sshd_config",
+ changes => [
+ "set PasswordAuthentication no",
+ "set X11Forwarding no",
+ "set LogLevel VERBOSE", # log pubkey used for root login
+ ],
+ notify => Service['ssh'],
+ } ->
+ file_line {
+ 'no_sftp_subsystem':
+ path => '/etc/ssh/sshd_config',
+ match => 'Subsystem sftp /usr/lib/openssh/sftp-server',
+ line => '#Subsystem sftp /usr/lib/openssh/sftp-server',
+ notify => Service['ssh'],
+ }
+
 }
-- cgit v1.1
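Review bot: The `file_line` `match` is an unanchored literal, so a stock file that spells the line with a tab or more than one space (hand-edited, or a different distribution default) never matches, the run reports success, and the sftp subsystem stays enabled; anchoring and tolerating whitespace, `match => '^\s*Subsystem\s+sftp\s+/usr/lib/openssh/sftp-server',`, states the intent and fails visibly when the line is absent rather than differently spelled. `PasswordAuthentication no` is pushed unconditionally with a restart of `Service['ssh']`, so a host that has not yet received its authorized keys is locked out on the next Puppet run; the resource should say what guarantees key deployment precedes it, e.g. a `require` on the resource that installs the keys, or a comment to that effect. The `LogLevel VERBOSE` comment mentions root logins, yet nothing here constrains `PermitRootLogin`; if key-only root is the intent, `"set PermitRootLogin without-password",` in the same `changes` list documents it in the config rather than in a comment. The enclosing `sunet::server` define starts before this hunk.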