Ansible and Ubiquiti Security

This is another post about my use of Ansible to automate simple tasks. In this example I tighten the security of my Ubiquiti routers.

Problem I want to address

I regularly scan my own home network with the OpenVAS scanner from http://www.openvas.org/. When scanning my two internal Ubiquiti routers, it flags a few additional hardening items I should consider applying. The three items it suggests for me are

  • tighten the MACs in use
  • improve the Ciphers in use
  • disable TCP timestamps

I couldn't easily find how to make these changes via the router's configuration; in fact I'm quite sure that disabling TCP timestamps isn't available there at all. For an enterprise customer this could mean they fail compliance tests.

Of course you can just SSH in and apply the settings, but that won't survive a reboot. You could hack a file somewhere (such as rc.local) to make the changes apply after a reboot, but a firmware upgrade certainly removes all such customisation. So I decided to write a small playbook to apply these changes for me. Here is an example of what that playbook looks like.

---
# Applies the three hardening items to every host in the "routers" inventory group.
- hosts: routers
  tasks:
  # Replace an existing MACs line in place; if there is none, insert one after UseDNS.
  - name: ensure the MACs are set
    lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '^MACs'
      insertafter: '^UseDNS'
      line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
    notify: restart sshd

  # Same pattern for the Ciphers directive.
  - name: ensure the Ciphers are set
    lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '^Ciphers'
      insertafter: '^UseDNS'
      line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
    notify: restart sshd

  # Persists the setting in /etc/sysctl.conf and applies it immediately.
  - name: disable TCP timestamps
    sysctl:
      name: net.ipv4.tcp_timestamps
      value: '0'
      reload: yes

  handlers:
  # Only runs when one of the sshd_config tasks actually changed the file.
  - name: restart sshd
    service:
      name: ssh
      state: restarted

This does the trick and the scan now shows these items as resolved, but it means I still need to make sure the playbook is scheduled to run on a regular basis. This could just be a simple cron job, but as I have an Ansible Tower instance running, I simply use that to run the playbook every 10 or 10 mins. Now whenever I do a firmware upgrade, I know that within a short timeframe these additional security measures will be reapplied.
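As an added example (my own code, not from the original post or from Ubiquiti), here is a small POSIX shell audit that checks the same three settings offline, so you can confirm the playbook did its job, or spot a firmware upgrade that undid it, without waiting for the next OpenVAS run. It reads an sshd_config and a sysctl.conf from disk; the files used below are constructed samples written to a temp directory, and the allowlists are copied from the playbook's MACs and Ciphers lines.

```sh
#!/bin/sh
# Added example, not part of the original post: an offline audit of the three
# settings the playbook enforces. On a router you would point it at
# /etc/ssh/sshd_config and /etc/sysctl.conf; here it runs against constructed
# sample files in a temp dir.

# Allowlists copied from the MACs and Ciphers lines of the playbook.
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 umac-128@openssh.com"
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"

# in_list WORD "LIST": succeed if WORD is one of the space-separated entries in LIST.
in_list() {
    for entry in $2; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

# check_sshd_algos FILE KEY "ALLOWED": sshd honours the first uncommented
# occurrence of a keyword, so take that one, split its comma list and fail on
# any algorithm outside ALLOWED. A missing directive also fails, because sshd
# then falls back to its compiled-in defaults, which is what the scanner flagged.
check_sshd_algos() {
    file=$1; key=$2; allowed=$3
    value=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    if [ -z "$value" ]; then
        echo "$key: directive missing in $file"
        return 1
    fi
    rc=0
    for algo in $(printf '%s' "$value" | tr ',' ' '); do
        if ! in_list "$algo" "$allowed"; then
            echo "$key: $algo is not in the allowlist"
            rc=1
        fi
    done
    return $rc
}

# check_sysctl_file FILE: the last assignment wins in sysctl.conf, so take the
# last uncommented net.ipv4.tcp_timestamps line and require it to be 0.
check_sysctl_file() {
    value=$(sed -n 's/^[[:space:]]*net\.ipv4\.tcp_timestamps[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | tail -n 1)
    [ "$value" = "0" ]
}

# audit_files SSHD_CONFIG SYSCTL_CONF: run all three checks; the return value is
# the number of checks that failed (0 means fully hardened).
audit_files() {
    failures=0
    check_sshd_algos "$1" MACs "$ALLOWED_MACS" || failures=$((failures + 1))
    check_sshd_algos "$1" Ciphers "$ALLOWED_CIPHERS" || failures=$((failures + 1))
    if check_sysctl_file "$2"; then :; else
        echo "net.ipv4.tcp_timestamps is not 0 in $2"
        failures=$((failures + 1))
    fi
    return $failures
}

# Constructed samples: "hardened" is the state the playbook leaves behind; "weak"
# mimics a router after a firmware upgrade, with the Ciphers line gone and an
# old MAC back in the list.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/sshd_config.hardened" <<'EOF'
Port 22
UseDNS no
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
EOF
cat > "$tmpdir/sshd_config.weak" <<'EOF'
Port 22
UseDNS no
# Ciphers line lost; MACs reverted to a list that includes hmac-sha1
MACs hmac-sha1,hmac-sha2-256
EOF
printf 'net.ipv4.tcp_timestamps = 0\n' > "$tmpdir/sysctl.hardened"
printf '# default\nnet.ipv4.tcp_timestamps = 1\n' > "$tmpdir/sysctl.weak"

for state in hardened weak; do
    echo "== $state =="
    if audit_files "$tmpdir/sshd_config.$state" "$tmpdir/sysctl.$state"; then n=0; else n=$?; fi
    if [ "$n" -eq 0 ]; then echo "all three checks pass"; else echo "$n check(s) failed"; fi
done
```

The file-based check deliberately reads what is persisted rather than the live kernel value: a router whose /etc/sysctl.conf has lost the setting will pass `sysctl -n net.ipv4.tcp_timestamps` right up until the next reboot, which is exactly the gap the scheduled playbook run is there to close.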

If you are interested in playing with Ansible Tower, do check out its upstream version: shortly after purchasing Ansible, Red Hat open-sourced it as the AWX project. More info can be found at https://www.ansible.com/products/awx-project