CHANGELOG.md

@@ -15,8 +15,9 @@ The **patch** part changes incrementally at each release.
 * apt: remove jessie/buster sources from Gandi servers
 * certbot : new role to install and configure certbot
 * evocheck: upstream version 19.10
-* evolinux-base: On debian 10 and later, add noexec on /dev/shm
 * evolinux-base: default value for "evolinux_ssh_group"
+* evolinux-base: install /sbin/deny
+* evolinux-base: on debian 10 and later, add noexec on /dev/shm
 * generate-ldif: support MariaDB 10.3
 * haproxy: add a variable to keep the existing configuration
 * listupgrade: install old-kernel-autoremoval script

evolinux-base/files/deny.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+iptables -I INPUT -s $1 -j DROP
+echo $1 >> /root/BLACKLIST-SSH

evolinux-base/tasks/system.yml

@@ -191,4 +191,15 @@
     replace: "auto"
   when: evolinux_system_eni_auto and grep_hotplug_eni.rc == 0
 
+## /sbin/deny
+
+- name: "/sbin/deny script is present"
+  copy:
+    src: deny.sh
+    dest: /sbin/deny
+    mode: "0700"
+    owner: root
+    group: root
+    force: no
+
 - meta: flush_handlers