This is another post about my use of Ansible to automate simple tasks. In this example I enhance the security of my Ubiquiti routers.
Problem I want to address
I regularly scan my own home network with the scanner from http://www.openvas.org/. When scanning my two internal Ubiquiti routers, it flags up a few additional hardening items I should consider applying. The three items it suggests for me are
- tighten the MACs in use
- improve the Ciphers in use
- disable TCP timestamps
I couldn't easily find how to make these changes via the router's configuration; in fact I'm quite sure that disabling TCP timestamps won't be there. For an enterprise customer this could mean they fail compliance tests etc.
Of course you can just SSH in and apply the settings, but that won't survive a reboot. You could hack a file somewhere (such as rc.local) to make the changes apply after a reboot, but a firmware upgrade certainly removes all such customisation. So I decided to write a small script to apply these changes for me. Here is an example of what that script looks like.
---
- hosts: routers
  tasks:
    # lineinfile replaces the first line matching regexp, or inserts after the
    # UseDNS line if no MACs/Ciphers line exists yet; sshd honours the first
    # occurrence of an option, so anchoring on '^MACs' / '^Ciphers' is what we want.
    # The algorithm names ending in @openssh.com were mangled in the published
    # text; they are reconstructed here as the standard OpenSSH hardened lists
    # (assumption).
    - name: ensure the MACs are set
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^MACs'
        insertafter: '^UseDNS'
        line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
      notify: restart sshd

    - name: ensure the Ciphers are set
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Ciphers'
        insertafter: '^UseDNS'
        line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
      notify: restart sshd

    # sysctl writes the key to /etc/sysctl.conf and reloads it, so the setting
    # is applied immediately and persists across reboots (but not firmware upgrades)
    - name: disable TCP timestamps
      sysctl:
        name: net.ipv4.tcp_timestamps
        value: '0'
        reload: yes

  handlers:
    # EdgeOS is Debian-based, so the service is called 'ssh'
    - name: restart sshd
      service:
        name: ssh
        state: restarted
This does the trick and the scan now shows these items as resolved, but it means I still need to make sure this is scheduled to run on a regular basis. This could just be a simple cron job, but as I have an Ansible Tower instance running, I simply use that to run the playbook every 10 minutes or so. Now whenever I do a firmware upgrade, I know that within a short timeframe these additional security measures will be applied again.
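To check the result without waiting for the next OpenVAS run, here is a small audit of the three items, added as an example and not part of the original post. It parses an sshd_config text and a net.ipv4.tcp_timestamps value; the sample inputs are constructed, and the weak-algorithm sets are an illustrative assumption rather than the scanner's exact policy.

```python
"""Audit an sshd_config text and a sysctl value for the three scanner items:
weak MACs, weak Ciphers, and TCP timestamps enabled."""
import re

# Illustrative assumption: algorithms a scanner typically flags as weak.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
             "umac-64@openssh.com", "hmac-sha1-etm@openssh.com"}
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "arcfour", "arcfour128", "arcfour256", "blowfish-cbc"}


def effective_option(config_text, keyword):
    """Value of the first uncommented `keyword` line; sshd honours the first
    occurrence, which is why the playbook anchors on '^MACs' / '^Ciphers'."""
    pat = re.compile(r"^\s*" + re.escape(keyword) + r"\s+(\S+)", re.IGNORECASE)
    for line in config_text.splitlines():
        m = pat.match(line)
        if m:
            return m.group(1)
    return None


def audit(config_text, tcp_timestamps):
    """Return a list of findings; an empty list means all three items pass."""
    findings = []
    for keyword, weak_set in (("MACs", WEAK_MACS), ("Ciphers", WEAK_CIPHERS)):
        value = effective_option(config_text, keyword)
        if value is None:
            # sshd's built-in defaults are broader than the hardened lists
            # (the default MACs still include hmac-sha1), so unset is a finding
            findings.append(f"{keyword} not set; sshd defaults apply")
            continue
        weak = sorted(set(value.split(",")) & weak_set)
        if weak:
            findings.append(f"weak {keyword} enabled: {','.join(weak)}")
    if int(tcp_timestamps) != 0:  # as read from /proc/sys/net/ipv4/tcp_timestamps
        findings.append("net.ipv4.tcp_timestamps is enabled")
    return findings


# Constructed samples: a stock-looking fragment, and the post-playbook result.
BEFORE = "Port 22\nUseDNS no\nCiphers aes128-ctr,aes128-cbc,3des-cbc\n"
AFTER = ("Port 22\nUseDNS no\n"
         "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512\n"
         "Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr\n"
         "#Ciphers 3des-cbc\n")

if __name__ == "__main__":
    print(audit(BEFORE, 1))  # three findings
    print(audit(AFTER, 0))   # []
```

On a router, feed it the contents of /etc/ssh/sshd_config and the value of `sysctl -n net.ipv4.tcp_timestamps`.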
If you are interested in playing with Ansible Tower, do check out the upstream version of it: Red Hat open sourced it shortly after purchasing Ansible. More info can be found at https://www.ansible.com/products/awx-project