That was a good one! The amount of foundational knowledge needed to make that work cannot be understated.
Yes a lot of knowledge needed. I have marked it as Intermediate. Thank you for you nice comment
I needed you back in my life!!! 😅
LOL, Thank you
Excellent exercise in ansible. I’d consider adding offensive ips to an ipset instead. It will look tidy when the list grows on. Naturally, prohibiting root password auth (and password authentication in general) in sshd_config is what one would expect in prod environment.
I would agree with the ipset for sure. Just an easier demo without. For me I can't disable password auth as these are lab systems and for new Linux admins keys would be an issue. Root login is disabled, so no one should attempt to log in as root, so it's an easy target to block.
I like this. I wonder if this would work with finding the banned IP in Fail2ban
That's what the firewall does. It allows only ssh. We block IPs that try to log in as the user root.
A bit pointless if you don't allow root login via ssh.
Also you can set up an IP allow list for ssh, which again is much easier to administer.
@djengines far from pointless. Those failed logins represent malicious IPs you want blocked. Even though root access is not allowed via ssh, their access is not blocked, allowing their continued attempts. Sure they won't get in, but they are using your resources.
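The blocking step the thread is discussing (pull the source IPs of failed root logins out of sshd's log and feed them to an ipset, as the first commenter suggested), written here as an added example rather than code from the video or any commenter. The log lines, the set name sshblock and the iptables rule are constructed assumptions.

```shell
#!/bin/sh
# Added example: turn failed root SSH logins into ipset entries.
# SAMPLE_LOG is constructed (Debian/Ubuntu auth.log style), not real traffic.
SAMPLE_LOG='Mar  1 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 4100 ssh2
Mar  1 10:00:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 4101 ssh2
Mar  1 10:00:07 host sshd[1236]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Mar  1 10:00:09 host sshd[1237]: Failed password for invalid user admin from 192.0.2.9 port 6000 ssh2
Mar  1 10:00:11 host sshd[1238]: Failed password for root from 192.0.2.44 port 4102 ssh2
Mar  1 10:00:13 host sshd[1239]: Accepted publickey for bob from 198.51.100.8 port 5100 ssh2'

# root_attackers: read log text on stdin, print the unique source IPs that
# tried to log in as root (exact username match, so "alice" and "invalid user"
# lines are ignored), one per line, sorted.
root_attackers() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' | sort -u
}

# ipset_commands: read IPs on stdin, emit idempotent commands that create the
# set (assumed name: sshblock), add each IP, and attach one DROP rule to INPUT
# only if it is not already present (-C checks, -I inserts).
ipset_commands() {
    echo "ipset create -exist sshblock hash:ip"
    while IFS= read -r ip; do
        echo "ipset add -exist sshblock $ip"
    done
    echo "iptables -C INPUT -m set --match-set sshblock src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set sshblock src -j DROP"
}

# Usage (prints the commands; pipe into sh only after reviewing them):
# printf '%s\n' "$SAMPLE_LOG" | root_attackers | ipset_commands
```

Keeping the commands idempotent is what makes this safe to run from cron or an Ansible task repeatedly; reviewing the output before applying it also catches your own management address if it ever appears in the list.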
Well all forms of blocking use resource.
My approach is :
1 ACL on router
2 Firewall enabled blocking all incoming other than what is required (belt and braces, should the ACL on the router get bypassed)
3 Disable root login from SSH.
Not dissing your approach though as I like making use of both logs and Ansible. 👍
Woooooh!!! 🎉🎉🎉
Doesn't the cron job contain an error? I think it is missing the pipe characters?
Yes, he removed it accidentally when he added the EOL markers.
👍Thanks!
Doh...the firewall should block all inbound traffic and then allow only what you need to.
Much safer and much easier to administer.
Ansible still strikes me as an excessively complicated way to do things ... why use Ansible to run a shell script against remote machines when you can skip the middleman and just run the shell script against remote machines directly?
In addition, there is already a piece of software that accomplishes what you are doing: fail2ban
YAML files are meant to be more readable than shell scripts, and the Ansible modules do much of the hard work for you. A yum remove ufw will fail, whereas in Ansible we can say that we don't want the ufw package present.
You can put conditionals in shell scripts to handle failures. So Ansible is a complex system for people who don't understand simple shell scripts - got it lol
@illegalsmirf thank you for your input.
@theurbanpenguin 😽