From 8679da4cb66a3c40f06e8fcb894b162c188095fe Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Wed, 30 Oct 2019 13:53:47 +0100
Subject: [PATCH] evolinux-base: install /sbin/deny

---
 CHANGELOG.md | 3 ++-
 evolinux-base/files/deny.sh | 3 +++
 evolinux-base/tasks/system.yml | 11 +++++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 evolinux-base/files/deny.sh

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1afd398e..4314ded2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,8 +15,9 @@ The **patch** part changes incrementally at each release.
 * apt: remove jessie/buster sources from Gandi servers
 * certbot : new role to install and configure certbot
 * evocheck: upstream version 19.10
-* evolinux-base: On debian 10 and later, add noexec on /dev/shm
 * evolinux-base: default value for "evolinux_ssh_group"
+* evolinux-base: install /sbin/deny
+* evolinux-base: on debian 10 and later, add noexec on /dev/shm
 * generate-ldif: support MariaDB 10.3
 * haproxy: add a variable to keep the existing configuration
 * listupgrade: install old-kernel-autoremoval script
diff --git a/evolinux-base/files/deny.sh b/evolinux-base/files/deny.sh
new file mode 100644
index 00000000..b79c0182
--- /dev/null
+++ b/evolinux-base/files/deny.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+iptables -I INPUT -s $1 -j DROP
+echo $1 >> /root/BLACKLIST-SSH
diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml
index 55749e21..bd799363 100644
--- a/evolinux-base/tasks/system.yml
+++ b/evolinux-base/tasks/system.yml
@@ -191,4 +191,15 @@
 replace: "auto"
 when: evolinux_system_eni_auto and grep_hotplug_eni.rc == 0
 
+## /sbin/deny
+
+- name: "/sbin/deny script is present"
+  copy:
+    src: deny.sh
+    dest: /sbin/deny
+    mode: "0700"
+    owner: root
+    group: root
+    force: no
+
 - meta: flush_handlers
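Review bot: `$1` is used unquoted and unvalidated on both lines of deny.sh, so a call with no argument leaves iptables with a missing `-s` value and still appends an empty line to /root/BLACKLIST-SSH, and an iptables failure (wrong address syntax, missing privileges) is not detected before the append. Adding `set -eu` right after the shebang and quoting the parameter, `iptables -I INPUT -s "$1" -j DROP` and `echo "$1" >> /root/BLACKLIST-SSH`, makes an absent argument or a failed rule insertion abort before the file is touched, so the list only records addresses that were actually blocked. The rule goes into the running table only; whether anything re-applies /root/BLACKLIST-SSH after a reboot is not visible in this patch, so a one-line comment stating that expectation would help the next reader.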
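Review bot: `force: no` on the copy task means a host that already has /sbin/deny never receives a later revision of deny.sh, which is easy to miss the next time the script is changed. If that is deliberate, to keep a locally edited script intact, a comment above the task would save the next maintainer a surprise, e.g. `# force: no — an existing /sbin/deny (possibly customized on the host) is never overwritten`; otherwise dropping `force: no` lets the role keep the file in sync with deny.sh.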