summaryrefslogtreecommitdiffstats
path: root/roles/common
Commit message (Collapse)AuthorAgeFiles
* Port baseline to Debian 11 (codename Bullseye).Guilhem Moulin2022-10-1319
|
* clamav-freshclam: Remove ‘SafeBrowsing’ option.Guilhem Moulin2022-10-111
|
* logcheck-database update.Guilhem Moulin2022-10-113
|
* Prefix ‘ipaddr’ and ‘ipv4’ with ‘ansible.utils.’.Guilhem Moulin2022-10-114
| | | | | | | This silences the following deprecation warning: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
* logcheck-database update.Guilhem Moulin2021-02-131
| | | | ansible 2.10.7 uses "ansible-ansible.legacy.stat: Invoked with […]".
* munin: Skip ntp_* plugins when ntpq(1) is missing.Guilhem Moulin2021-02-061
|
* Postfix: pin key material to our MX:es for fripost.org and its subdomains.Guilhem Moulin2021-01-261
| | | | | | | | | | | | | | | | | | | | | | | | | | This solves an issue where an attacker would strip the STARTTLS keyword from the EHLO response, thereby preventing connection upgrade; or spoof DNS responses to route outgoing messages to an attacker-controlled SMTPd, thereby allowing message MiTM'ing. With key material pinning in place, smtp(8postfix) immediately aborts the connection (before the MAIL command) and places the message into the deferred queue instead: postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified) This applies to the smarthost as well as for verification probes on the Mail Submission Agent. Placing message into the deferred queue might yield denial of service, but we argue that it's better than a privacy leak. This only covers *internal messages* (from Fripost to Fripost) though: only messages with ‘fripost.org’ (or a subdomain of such) as recipient domain. Other domains, even those using mx[12].fripost.org as MX, are not covered. A scalable solution for arbitrary domains would involve either DANE and TLSA records, or MTA-STS [RFC8461]. Regardless, there is some merit in hardcoding our internal policy (when the client and server are both under our control) in the configuration. It for instance enables us to harden TLS ciphers and protocols, and makes the verification logic independent of DNS.
* Firewall: Always include 172.16.0.0/12 to the bogon list.Guilhem Moulin2020-11-151
| | | | | Our IPsec subnet is in that subnet but the setup won't deal well with subnet overlap so it's best to explicitely not support NATed machines with an IP in 172.16.0.0/12.
* Firewall: Add counter to dropped ICMP packets.Guilhem Moulin2020-11-151
|
* rkhunter: workaround for mix usrmerge/non-usrmerge environments.Guilhem Moulin2020-11-151
| | | | See https://bugs.debian.org/932594#15 .
* Firewall: ICMPv6: accept link-local multicast receiver notification messages.Guilhem Moulin2020-11-151
|
* Change NTP client to systemd-timesyncd.Guilhem Moulin2020-11-155
| | | | | | | | | (Excluding our NTP master.) It's simpler, arguably more secure, and provides enough functionality when only simple client use-cases are desired. We allow outgoing connections to 123/udp also on NTP slaves so systemd-timesyncd can connect to the fallbacks NTP servers.
* logcheck-database update.Guilhem Moulin2020-11-154
|
* Firewall: allow ICMP type 11 (time time-exceeded).Guilhem Moulin2020-11-031
| | | | This is in particular needed for traceroutes and routing loop detection.
* Bacula: refactor systemd service files.Guilhem Moulin2020-11-032
| | | | | | Use unit overrides on top of upstream's service files instead of overriding entire service files. In particular, upstream uses flag `-P` so we don't need to use RuntimeDirectory= anymore.
* Firewall: Move IPsec/ICMP/ICMPv6 rules to ingress chain.Guilhem Moulin2020-11-031
| | | | | | | | This is required to receive incoming traffic to our IPsec IP in 172.16.0.0/24, as well as linked-scoped ICMPv6 traffic from/to fe80::/10 (for neighbour discovery). Regression from a6b8c0b3a4758f8d84a7ad07bb9e068075d098d3.
* Firewall: Move martian and bogus TCP filters early in the packet flow.Guilhem Moulin2020-11-021
| | | | | This is more efficient: the earlier we filter the crap out the less resources they consume.
* kernel parameters: Disable SYN cookies and improve SYN backlog handling.Guilhem Moulin2020-11-021
| | | | See tcp(7) and https://levelup.gitconnected.com/linux-kernel-tuning-for-high-performance-networking-high-volume-incoming-connections-196e863d458a .
* typofixGuilhem Moulin2020-11-021
|
* IMAP: Update role to Debian Buster.Guilhem Moulin2020-05-191
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* MSA: Update role to Debian Buster.Guilhem Moulin2020-05-191
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* s/LDAP-provider/LDAP_provider/Guilhem Moulin2020-05-192
| | | | This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
* stunnel4: Harden and socket-activate.Guilhem Moulin2020-05-182
|
* Firewall: note on reqid matching.Guilhem Moulin2020-05-181
| | | | To be done when we upgrade to Bullseye for more fine-grained control.
* AEAD ciphers: Add EECDH+CHACHA20 macro.Guilhem Moulin2020-05-181
| | | | | | | This adds the following two ciphers: ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
* Firewall: Use `meta secpath exists` to match xfrm associations.Guilhem Moulin2020-05-181
| | | | | Marking incoming ESP packets and matching decapsulated packets doesn't work with NAT traverslate (UDP encapsulation aka MOBIKE).
* Remove 'meta: flush_handlers' directives under conditionals.Guilhem Moulin2020-05-171
| | | | They don't appear to be supported anymore.
* Roundcube: Port to Debian 10.Guilhem Moulin2020-05-171
| | | | | We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1) for the elastic theme.
* typofixGuilhem Moulin2020-05-161
|
* Upgrade baseline to Debian 10.Guilhem Moulin2020-05-1623
|
* /etc/apt/sources.list: Use https:// URIs.Guilhem Moulin2020-01-251
| | | | | | | | Since 1.5 (Buster) APT supports https:// natively. There is no need to install ‘apt-transport-https’ (now a dummy transitional package) anymore. Plain-text connection don't undermine security as APT checks package OpenPGP signatures locally, but there is no reason not to use TLS here.
* Improve/harden fail2ban configuration.Guilhem Moulin2020-01-257
| | | | | | | | | * Use nftables sets with a timeout * Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires to change the log path to /var/log/fail2ban/*.) * Skip database as we don't care about persistence. * Refactor jail.local
* Convert firewall to nftables.Guilhem Moulin2020-01-2311
| | | | Debian Buster uses the nftables framework by default.
* Postfix: disable DNS lookups on the internal SMTPds.Guilhem Moulin2020-01-231
| | | | | | Our internal IPs don't have a reverse PTR record, and skipping the resolution speeds up mail delivery. http://www.postfix.org/postconf.5.html#smtpd_peername_lookup
* tr/-/_/ in group names.Guilhem Moulin2020-01-223
| | | | | | | | | | | | This avoids [DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to allow bad characters in group names by default, this will change, but still be user configurable on deprecation. This feature will be removed in version 2.10. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
* MSA: Open 465/TCP for Email Submission over TLS.Guilhem Moulin2019-03-194
| | | | See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete".
* firewall: gracefully close invalid connections.Guilhem Moulin2018-12-221
| | | | | | | This is useful when an ESTABLISHED connection is seen as NEW because the client was offline for some time. For instance, clients now gracefully close existing SSH connections immediately after resuming from a suspend state, rather that waiting for the TCP timeout.
* fail2ban: Only install the roundcube/dovecot filters if needed.Guilhem Moulin2018-12-151
| | | | | | It doesn't hurt to install them on all machines, but we're overriding the provided /etc/fail2ban/filter.d/dovecot.conf and would rather keep our delta minimal.
* submission: Prospective SPF checking.Guilhem Moulin2018-12-122
| | | | Cf. http://www.openspf.org/Best_Practices/Outbound .
* IPsec: use Suite-B-GCM-256 algorithms for IKEv2 & ESP.Guilhem Moulin2018-12-091
| | | | | | | (That is, remove algorithms from Suite-B-GCM-128.) Cf. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites and https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations .
* MSA verification probes: enable opportunistic encryption.Guilhem Moulin2018-12-091
| | | | | | And use ‘noreply.fripost.org’ as HELO name rather than $myhostname (i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo and envelope sender identities.
* Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.Guilhem Moulin2018-12-096
|
* Disable resume device.Guilhem Moulin2018-12-093
| | | | We don't need suspend-on-disk (hibernation).
* systemd.service: Tighten hardening options.Guilhem Moulin2018-12-092
|
* bacula-*.service: Don't fork in the background.Guilhem Moulin2018-12-091
| | | | Inspired from /lib/systemd/system/bacula-fd.service.
* Upgrade 'lists' role to Debian Stretch.Guilhem Moulin2018-12-091
|
* Firewall: disable outgoing access to git:// remote servers.Guilhem Moulin2018-12-091
| | | | We don't need it anymore as we use https:// these days.
* systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’.Guilhem Moulin2018-12-092
| | | | And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
* Firewall: REJECT outgoing connections instead of DROPing them.Guilhem Moulin2018-12-091
|
* Don't install the haveged entropy daemon.Guilhem Moulin2018-12-092
| | | | | It's not really needed on our metal hosts, and our KVM guests use virtio-rng.