From 4ba072958cbefc1d95ce224cf9484ae909289950 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Wed, 1 Apr 2020 20:36:16 +0200
Subject: [PATCH] chg: [doc] updated ansible TDS install scripts
---
 .gitignore | 2 +
 ansible/nginx.conf | 35 ++++++++
 ansible/plume.yaml | 205 ++++++++++++++++++++++++++++++++++++---------
 3 files changed, 204 insertions(+), 38 deletions(-)
 create mode 100644 ansible/nginx.conf
diff --git a/.gitignore b/.gitignore
index e4b0bd1..4834585 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,5 @@
 # Locally genenerated mtz
 /*.mtz
+
+ansible/inventory.txt
diff --git a/ansible/nginx.conf b/ansible/nginx.conf
new file mode 100644
index 0000000..27d07c6
--- /dev/null
+++ b/ansible/nginx.conf
@@ -0,0 +1,35 @@
+server {
+ # dummy server for let's encrypt
+ listen 80;
+ listen [::]:80;
+ root /var/www/html;
+ server_name _;
+ try_files $uri @redirect;
+
+ location @redirect {
+ return 302 https://github.com/MISP/MISP-maltego;
+ }
+}
+
+server {
+ # true reverse proxy for plume
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ ssl_certificate /etc/letsencrypt/live/misp-maltego.misp-project.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/misp-maltego.misp-project.org/privkey.pem;
+
+ root /var/www/html;
+ server_name _;
+
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://127.0.0.1:8080;
+ proxy_intercept_errors on;
+ error_page 404 = @redirect; # redirect to the github when page not found
+ }
+ location @redirect {
+ return 302 https://github.com/MISP/MISP-maltego;
+ }
+}
\ No newline at end of file
diff --git a/ansible/plume.yaml b/ansible/plume.yaml
index 77e8de1..aea4c72 100644
--- a/ansible/plume.yaml
+++ b/ansible/plume.yaml
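Review bot: The HTTPS server block in nginx.conf sets only `ssl_certificate`/`ssl_certificate_key` and inherits nginx's compiled-in TLS defaults, so the protocol and cipher policy is whatever the distro build ships (older Ubuntu builds may still enable TLS 1.0/1.1) and no HSTS header is sent. Add an explicit policy next to the certificate lines, e.g. `ssl_protocols TLSv1.2 TLSv1.3;`, `ssl_prefer_server_ciphers on;` and `add_header Strict-Transport-Security "max-age=63072000" always;`, or include the hardened options file the certbot nginx plugin installs if it is present on the host. The proxied request also carries no `Host` or `X-Forwarded-Proto` header, so if plume builds absolute URLs it will presumably see `http://127.0.0.1:8080`; `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` would fix that, though whether plume consults those headers is not visible here.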
@@ -3,7 +3,7 @@
 #
 # DO NOT USE THIS UNLESS YOU REALLY KNOW YOU NEED THIS
 # - Most people usually probably want to use the local transforms
-# - Others the 'ATT&CK - MISP' form the Transform Hub
+# - Others the 'ATT&CK - MISP' from the Transform Hub
 #
 # First install your ubuntu system,
 # Then run ansible-playbook -i inventory.txt plume.yaml
@@ -19,51 +19,81 @@
 # Save as "paired_config.mtz", upload on TDS
 - hosts: all
- remote_user: ubuntu
 become: yes
 vars:
- misp_maltego_version: 1.4.1 # FIXME change this !!!
+ misp_maltego_version: 1.4.4 # TODO change this !!!
+ host_locale: en_US.UTF-8
+ host_locale_dict: {
+ LANG: "{{ host_locale }}",
+ LC_COLLATE: "{{ host_locale }}",
+ LC_CTYPE: "{{ host_locale }}",
+ LC_MESSAGES: "{{ host_locale }}",
+ LC_MONETARY: "{{ host_locale }}",
+ LC_NUMERIC: "{{ host_locale }}",
+ LC_TIME: "{{ host_locale }}",
+ LC_ALL: "{{ host_locale }}",
+ }
+
 tasks:
 - name: install python3-pip
- apt:
+ package:
 name: python3-pip
 state: present
 - name: install python libs
 pip:
- executable: pip3
- name: ['canari', 'PyMISP']
+ executable: /usr/bin/pip3
+ name: ['canari', 'pymisp']
 state: latest
- # use the public pip package
- - name: install MISP-maltego
- pip:
- executable: pip3
- name: ['MISP-maltego']
- state: latest
-
- # use local git repo instead, useful for development
- # - name: bundle MISP-maltego
- # delegate_to: 127.0.0.1
- # command:
- # cmd: python setup.py sdist
- # chdir: ../
- # become: no
- # - name: copy MISP-maltego
- # copy:
- # src: ../dist/MISP_maltego-{{misp_maltego_version}}.tar.gz
- # dest: /usr/local/src/
- # - name: install MISP-maltego
- # pip:
- # executable: pip3
- # name: file:///usr/local/src/MISP_maltego-{{misp_maltego_version}}.tar.gz
- # state: forcereinstall
- # - name: remove local MISP-maltego bundle
- # delegate_to: 127.0.0.1
- # file:
- # path: ../dist/MISP_maltego-{{misp_maltego_version}}.tar.gz
- # state: absent
- # become: no
+ # NGINX reverse proxy
+ # ######
+ - name: install nginx
+ package:
+ name: nginx
+ state: present
+ - name: letsencrypt certbot ppa
+ apt_repository:
+ repo: ppa:certbot/certbot
+
+ - name: letsencrypt certbot install
+ package:
+ name: ['certbot', 'python-certbot-nginx']
+ state: present
+
+ # FIXME generate the cert automagically, while answering the questions
+ # creates: /etc/letsencrypt/live/misp-maltego.misp-project.org/privkey.pem
+ # Requires input:
+ # - email address
+ # - agree terms
+ # - no sharing email with EFF
+
+ - name: nginx disable default config
+ file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+
+ - name: nginx copy config
+ copy:
+ src: nginx.conf
+ dest: /etc/nginx/sites-available/plume
+ notify: restart nginx
+
+ - name: nginx enable plume config
+ file:
+ src: /etc/nginx/sites-available/plume
+ dest: /etc/nginx/sites-enabled/plume
+ state: link
+ notify: restart nginx
+
+ - name: letsencrypt auto-renew
+ cron:
+ name: "letsencrypt auto-renew SSL certificate"
+ special_time: daily
+ job: "/usr/sbin/certbot -q renew"
+
+ # PLUME
+ #######
 - name: create nobody group - needed by plume
 group:
 name: nobody
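Review bot: The `letsencrypt auto-renew` cron job runs `certbot -q renew` but nothing reloads nginx afterwards, so unless the certificate was obtained through certbot's nginx installer (which records its own reload hook) nginx keeps serving the old certificate it loaded at start until the `restart nginx` handler happens to fire; `job: "/usr/sbin/certbot -q renew --deploy-hook 'systemctl reload nginx'"` makes a renewal take effect. The `install python libs` task installs `canari` and `pymisp` system-wide as root with `state: latest`, which pulls whatever PyPI currently publishes on every run; pinning them to the versions tested with the current `misp_maltego_version` (e.g. `name: ['canari==X.Y', 'pymisp==X.Y']` with `state: present`) keeps the host reproducible and limits exposure to a broken or compromised release. Since the certificate is still obtained by hand per the FIXME, on a fresh host the `nginx enable plume config` task links a server block whose `/etc/letsencrypt/live/...` paths do not exist yet, and the `restart nginx` handler will presumably fail until certbot has been run; guarding those tasks with a `stat` on `privkey.pem` and a `when:` would make the first run fail clearly rather than mid-handler.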
@@ -76,7 +106,51 @@
 environment:
 LC_ALL: 'C.UTF-8'
 LANG: 'C.UTF-8'
- # LATER maybe we want to run plume with TLS?
+
+ - name: Start service plume at boot
+ file:
+ src: /etc/init.d/plume
+ dest: /etc/rc{{item}}.d/S20plume
+ state: link
+ with_items:
+ - 3
+ - 4
+ - 5
+ # LATER migrate to systemd service
+
+
+ # use the public pip package
+ - name: install MISP-maltego
+ pip:
+ executable: pip3
+ name: ['MISP-maltego']
+ state: latest
+ notify: restart plume
+
+ # use local git repo instead, useful for development
+ # - name: bundle MISP-maltego
+ # delegate_to: 127.0.0.1
+ # command:
+ # cmd: python3 setup.py sdist
+ # chdir: ../
+ # become: no
+ # - name: copy MISP-maltego
+ # copy:
+ # src: ../dist/MISP_maltego-{{misp_maltego_version}}.tar.gz
+ # dest: /usr/local/src/
+ # - name: install MISP-maltego
+ # pip:
+ # executable: /usr/bin/pip3
+ # name: file:///usr/local/src/MISP_maltego-{{misp_maltego_version}}.tar.gz
+ # state: forcereinstall
+ # environment: "{{host_locale_dict}}"
+ # notify: restart plume
+ # - name: remove local MISP-maltego bundle
+ # delegate_to: 127.0.0.1
+ # file:
+ # path: ../dist/MISP_maltego-{{misp_maltego_version}}.tar.gz
+ # state: absent
+ # become: no
 - name: load plume package
 command:
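Review bot: The `install MISP-maltego` task uses `state: latest` with no version, so the production path always installs whatever is newest on PyPI, while the `misp_maltego_version` variable the TODO asks to keep updated only drives the commented-out dev path; `version: "{{ misp_maltego_version }}"` with `state: present` ties the deployment to the tested release and prevents an unreviewed upgrade from being pulled in as root on every run. The `Start service plume at boot` task hand-crafts `S20plume` symlinks in rc3–rc5 with the `file` module, bypassing the init system's own bookkeeping (no K links, and neither `update-rc.d` nor systemd's sysv generator is consulted); since the play already manages plume with the `service` module, `enabled: yes` on that task is the idiomatic replacement and keeps working once the `LATER migrate to systemd service` note is acted on. The `load plume package` task at the end of the hunk continues outside it.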
@@ -89,10 +163,65 @@
 PLUME_ROOT: '/var/plume'
 notify: restart plume
- # FIXME /etc/init.d/plume start at boot
+ - name: Start service plume, if not started
+ service:
+ name: plume
+ state: started
+
+ # FIREWALLING
+ #############
+ - name: firewall logging
+ ufw:
+ logging: 'low'
+
+ - name: firewall inbound rate limited
+ ufw:
+ rule: limit
+ port: '2245' # ssh
+ proto: tcp
+ direction: in
+
+ - name: firewall inbound
+ ufw:
+ rule: allow
+ port: "{{item}}"
+ proto: tcp
+ direction: in
+ loop:
+ - '80' # nginx
+ - '443' # nginx plume
+ - '25324' # monitoring
+
+ - name: firewall outbound
+ ufw:
+ rule: allow
+ port: "{{ item.port }}"
+ proto: "{{ item.proto }}"
+ direction: out
+ loop:
+ - { port: '53', proto: 'udp'}
+ - { port: '123', proto: 'udp'}
+ - { port: '53', proto: 'tcp'}
+ - { port: '80', proto: 'tcp'}
+ - { port: '443', proto: 'tcp'}
+ - { port: '32526', proto: 'tcp'} # waagent
+
+ - name: firewall default rule
+ ufw:
+ state: enabled
+ default: deny
+ direction: '{{ item }}'
+ loop:
+ - incoming
+ - outgoing
 handlers:
 - name: restart plume
 service:
 name: plume
- state: restarted
\ No newline at end of file
+ state: restarted
+
+ - name: restart nginx
+ service:
+ name: nginx
+ state: restarted
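Review bot: The `firewall inbound` task opens TCP 25324 (`# monitoring`) to any source, so default-deny incoming still leaves the monitoring agent reachable from the whole internet; a collector port should be restricted to the collector's address by moving it out of the loop into its own `ufw` task with `from_ip:` set to that address. The rate-limited SSH rule assumes sshd listens on 2245, but nothing in the play configures or checks that, so if sshd is still on 22 the final `default: deny` for `incoming` cuts off the Ansible connection itself; asserting the port (or templating it from a variable shared with the sshd config) before `state: enabled` would prevent a lock-out. The ordering is otherwise right: allow rules are added before the firewall is enabled with default deny. Outbound is also default-deny with only 53/123/80/443/32526 open, so MISP instances the transforms query on a non-standard port would be blocked silently; whether that matters depends on the plume configuration, which is not visible here.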