{"id":18445637,"url":"https://github.com/voronenko/devops-bootstrap-box-template","last_synced_at":"2025-04-15T01:14:24.152Z","repository":{"id":145345086,"uuid":"46123012","full_name":"Voronenko/devops-bootstrap-box-template","owner":"Voronenko","description":"Basic repository for setting up secured remove ubuntu 14.04 LTS box","archived":false,"fork":false,"pushed_at":"2015-11-13T14:32:08.000Z","size":0,"stargazers_count":1,"open_issues_count":1,"forks_count":3,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-15T01:14:20.448Z","etag":null,"topics":["devops","oops-to-devops"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Voronenko.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-11-13T13:18:45.000Z","updated_at":"2019-02-05T05:52:13.000Z","dependencies_parsed_at":"2023-04-12T18:15:45.252Z","dependency_job_id":null,"html_url":"https://github.com/Voronenko/devops-bootstrap-box-template","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fdevops-bootstrap-box-template","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fdevops-bootstrap-box-template/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fdevops-bootstrap-box-template/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fdevops-bootstrap-box-template/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Voronen
ko","download_url":"https://codeload.github.com/Voronenko/devops-bootstrap-box-template/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248986316,"owners_count":21194025,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","oops-to-devops"],"created_at":"2024-11-06T07:06:39.796Z","updated_at":"2025-04-15T01:14:24.135Z","avatar_url":"https://github.com/Voronenko.png","language":"Shell","readme":"Prepare your box for deployment\n=======================================\n\n# Background\n\nNowadays deployments have moved from bare metal servers to quickly started virtual machines,\nlike the ones provided by Amazon, Digital Ocean or OpenStack based providers.\nThus configuration of the box no longer requires manual administration steps.\nOne of the options is ready to use pre-configured box images.  
Another approach is to\nstart from the initial system state and provision it according to project needs with some provisioner like\nAnsible, Chef or Puppet.\n\nThe first step to proceed with custom provisioning is to perform basic box securing,\nas in some cases you are given a freshly installed box with the root password.\n\nLet me share with you a quick recipe on initial box securing, which should be good for most web deployments.\n\n## Challenges to address\n  At the end of the article we should be able to secure an Ubuntu 14.04 LTS virtual server:\n\n- configure firewall, allow only 22, 443 and 80 in.\n- register your public key(s) for the deploy user\n- secure ssh to allow only authorization by keys.\n- put an automatic process in play to ban open ssh port lovers from the internet.\n\n# Bootstrap box role\nAnsible comes with a nice concept of reusing deployment snippets, called roles. So let's take a look at\nwhat the *sa-box-bootstrap* role does:\n\n## Configuration options\nThe following variables might be overridden:\n- root_dir  - required, path to the [Ansible developer recipes](https://github.com/Voronenko/ansible-developer_recipes) repository\n- option_enforce_ssh_keys_login (true|false) - whether to enforce ssh security\n- ufw_rules_default - default firewall policy. 
In most cases it is not touched\n- ufw_rules_allow - set of inbound rules to be configured\n- sshd_config_lines - needed changes in the SSHD config to secure the box.\n- option_file2ban - when true, the fail2ban package will additionally be installed\n- whitelistedips - set of IPs that are considered safe (your office gateway, build server etc.), to prevent you from being accidentally blocked\n\n## Step 1 : Put firewall on\nThe first step installs and configures the ufw firewall:\n\u003cpre\u003e\n- include: \"{{root_dir}}/tasks_ufw.yml\"\n\u003c/pre\u003e\nBy default, the following firewall rules apply (any outgoing; http, https \u0026 ssh are allowed inbound):\n\u003cpre\u003e\nufw_rules_default:\n  - {\n      policy: deny,\n      direction: incoming\n    }\n  - {\n      policy: allow,\n      direction: outgoing\n    }\n\nufw_rules_allow:\n  - {\n      port: 80,\n      proto: tcp\n     }\n  - {\n      port: 443,\n      proto: tcp\n    }\n  - {\n      port: 22,\n      proto: tcp\n     }\n\u003c/pre\u003e\nYou can override these variables to match your needs.\n\n## Step 2: Create deploy user\nIf you intend to work with \u0026 provision this box, most likely you don't want to do it as root.\nThus, the second step is to create a deploy user, authorized by the set of provided ssh keys and allowed to become sudoer without a password (a base requirement for automated provisioning):\n\u003cpre\u003e\n- include: \"{{root_dir}}/use/__create_deploy_user.yml user={{deploy_user}} group={{deploy_user}} home=/home/{{deploy_user}}\"\n  when: deploy_user is defined\n\n- name: SSH | Authorize keys\n  authorized_key: user={{deploy_user}} key=\"{{ lookup('file', item) }}\"\n  when: deploy_user_keys is defined\n  with_items: \"{{deploy_user_keys}}\"\n  sudo: yes\n\u003c/pre\u003e\n\nYou might define the user in your playbook, for example, in this way:\n\u003cpre\u003e\njenkins_user: jenkins\njenkins_authorized_keys:\n  - \"{{playbook_dir}}/components/files/ssh/vyacheslav.pub\"\n\u003c/pre\u003e\n\nand later pass these as parameters to the 
role:\n\u003cpre\u003e\nroles:\n   - {\n       role: \"sa-box-bootstrap\",\n       root_dir: \"{{playbook_dir}}/public/ansible_developer_recipes\",\n       deploy_user: \"{{jenkins_user}}\",\n       deploy_user_keys: \"{{jenkins_authorized_keys}}\"\n     }\n\u003c/pre\u003e\n\n## Step 3: Secure SSH (optional)\n\u003cpre\u003e\n- name: SSH | Enforce SSH keys security\n  lineinfile: dest=/etc/ssh/sshd_config regexp=\"{{item.regexp}}\" line=\"{{item.line}}\"\n  with_items: sshd_config_lines\n  when: option_enforce_ssh_keys_login\n  sudo: yes\n  tags: ssh\n\u003c/pre\u003e\n\nIf the var *option_enforce_ssh_keys_login* is set to true, the sshd config is modified according to the\nsshd_config_lines rules. By default, it enforces the v2 protocol, prohibits root login and\nprohibits password authentication.\n\n## Step 4: Ban strange persons guessing your ssh user access\nIf the var option_file2ban is set to true, the fail2ban tool is installed.\nIt will watch for failed ssh login attempts and ban intruders.\nTo prevent yourself from being accidentally blocked, it is a good idea to whitelist your IPs; both single IPs and network masks are supported, for example:\n\u003cpre\u003e\nwhitelistedips:\n - 127.0.0.1\n - 127.0.0.1/8\n\u003c/pre\u003e\n\n# Creating your own box bootstrap project\n\nLet's prepare a basic bootstrap project that can be reused in the future.\nIt includes the following files:\n\n- *bootstrap.sh* - installs ansible alongside its dependencies.\n- *init.sh* - initializes the project by cloning the dependencies listed in *.projmodules*\n- *.projmodules* - fully compatible with the .gitmodules git syntax, specifies the list of dependencies\nthat will be used by the playbook.\nIn particular, by default it includes ansible-developer_recipes (a repository with a set of handy deployment recipes)\nand the ansible role called *sa-box-bootstrap* responsible for the box securing steps.\n\n\u003cpre\u003e\n[submodule \"public/ansible_developer_recipes\"]\n\tpath = public/ansible_developer_recipes\n\turl = 
git@github.com:Voronenko/ansible-developer_recipes.git\n[submodule \"roles/sa-box-bootstrap\"]\n        path = roles/sa-box-bootstrap\n        url = git@github.com:softasap/sa-box-bootstrap.git\n\u003c/pre\u003e\n- *hosts* - list here the initial box credentials that were provided to you for the server\n\u003cpre\u003e\n[bootstrap]\nbox_bootstrap ansible_ssh_host=192.168.0.17 ansible_ssh_user=your_user ansible_ssh_pass=your_password\n\u003c/pre\u003e\n- *box_vars.yml* - set here specific environment overrides, like your preferred deploy user name and keys.\n- *box_bootstrap.yml* - here you put your box provisioning steps. Box securing is only the first step.\nIn order to override params for *sa-box-bootstrap*, pass the parameters as in the example below.\n\n\u003cpre\u003e\n- hosts: all\n\n  vars_files:\n    - ./box_vars.yml\n  roles:\n     - {\n         role: \"sa-box-bootstrap\",\n         root_dir: \"{{playbook_dir}}/public/ansible_developer_recipes\",\n         deploy_user: \"{{my_deploy_user}}\",\n         deploy_user_keys: \"{{my_deploy_authorized_keys}}\"\n       }\n\u003c/pre\u003e\n\n# Code in action\n\nCode can be downloaded from the repository [https://github.com/Voronenko/devops-bootstrap-box-template](https://github.com/Voronenko/devops-bootstrap-box-template).\nIn order to use it, fork it, adjust the parameters to your needs, and run it.\nAdjusting includes creation of the box_vars.yml file, where you can override any of the variables mentioned above.\nThe minimal required set is the deploy user and your public keys.\n\n\u003cpre\u003e\nbox_deploy_user: jenkins\nbox_deploy_authorized_keys:\n  - \"{{playbook_dir}}/components/files/ssh/vyacheslav.pub\"\n\u003c/pre\u003e\n\nEnsure you have ansible (run bootstrap.sh to install it) and the cloned roles directories (init.sh).\nThen run setup.sh.  
If everything is configured correctly, you will see something like this:\n\u003cpre\u003e\nPLAY [all] ********************************************************************\n\nGATHERING FACTS ***************************************************************\nok: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | Sets correctly hostname] ****************************\nchanged: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | debug var=\"ufw_rules_allow\"] ************************\nok: [box_bootstrap] =\u003e {\n    \"var\": {\n        \"ufw_rules_allow\": [\n            {\n                \"port\": 80,\n                \"proto\": \"tcp\"\n            },\n            {\n                \"port\": 443,\n                \"proto\": \"tcp\"\n            },\n            {\n                \"port\": 22,\n                \"proto\": \"tcp\"\n            }\n        ]\n    }\n}\n\nTASK: [sa-box-bootstrap | UFW | Reset it] *************************************\nok: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | UFW | Configure incoming/outgoing defaults] *********\nok: [box_bootstrap] =\u003e (item={'policy': 'deny', 'direction': 'incoming'})\nok: [box_bootstrap] =\u003e (item={'policy': 'allow', 'direction': 'outgoing'})\n\nTASK: [sa-box-bootstrap | UFW | Configure rules to allow incoming traffic] ****\nok: [box_bootstrap] =\u003e (item={'port': 80, 'proto': 'tcp'})\nok: [box_bootstrap] =\u003e (item={'port': 443, 'proto': 'tcp'})\nok: [box_bootstrap] =\u003e (item={'port': 22, 'proto': 'tcp'})\n\nTASK: [sa-box-bootstrap | UFW | Configure rules to allow incoming traffic from specific hosts] ***\nskipping: [box_bootstrap] =\u003e (item=ufw_rules_allow_from_hosts)\n\nTASK: [sa-box-bootstrap | UFW | Enable it] ************************************\nchanged: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | Monit | Check if is installed] **********************\nchanged: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | Monit | libssl-dev dependency] **********************\nchanged: [box_bootstrap]\n\nTASK: 
[sa-box-bootstrap | Monit | Download] ***********************************\nchanged: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | Monit | Install] ************************************\nchanged: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | debug msg=\"Creating deploy user {{my_deploy_user}}:{{my_deploy_user}} with home directory /home/{{my_deploy_user}}\"] ***\nok: [box_bootstrap] =\u003e {\n    \"msg\": \"Creating deploy user jenkins:jenkins with home directory /home/jenkins\"\n}\n\nTASK: [sa-box-bootstrap | Deploy User | Creating group] ***********************\nchanged: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | Deploy User | Creating user] ************************\nchanged: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | Deploy User | Check key presence] *******************\nok: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | Deploy User | Copy authorized_keys from {{ansible_user_id}}] ***\nskipping: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | Deploy User | Set permission on authorized_keys] ****\nskipping: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | Deploy User | Ensuring sudoers no pwd prompting] ****\nchanged: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | SSH | Authorize keys] *******************************\nchanged: [box_bootstrap] =\u003e (item=/home/slavko/labs/devops-bootstrap-box-template/components/files/ssh/vyacheslav.pub)\n\nTASK: [sa-box-bootstrap | SSH | Enforce SSH keys security] ********************\nok: [box_bootstrap] =\u003e (item={'regexp': '^Protocol.*', 'line': 'Protocol 2'})\nchanged: [box_bootstrap] =\u003e (item={'regexp': '^PermitRootLogin.*', 'line': 'PermitRootLogin no'})\nok: [box_bootstrap] =\u003e (item={'regexp': '^RSAAuthentication.*', 'line': 'RSAAuthentication yes'})\nok: [box_bootstrap] =\u003e (item={'regexp': '^PubkeyAuthentication.*', 'line': 'PubkeyAuthentication yes'})\nok: [box_bootstrap] =\u003e (item={'regexp': '^ChallengeResponseAuthentication.*', 'line': 'ChallengeResponseAuthentication no'})\nchanged: [box_bootstrap] 
=\u003e (item={'regexp': '^PasswordAuthentication.*', 'line': 'PasswordAuthentication no'})\nchanged: [box_bootstrap] =\u003e (item={'regexp': '^MaxAuthTries.*', 'line': 'MaxAuthTries 3'})\n\nTASK: [sa-box-bootstrap | SSH | Restart SSHD] *********************************\nchanged: [box_bootstrap]\n\nTASK: [sa-box-bootstrap | Install base Ubuntu packages] ***********************\nchanged: [box_bootstrap] =\u003e (item=unzip,mc)\n\nPLAY RECAP ********************************************************************\nbox_bootstrap              : ok=21   changed=13   unreachable=0    failed=0   \n\u003c/pre\u003e\n\nFinally, you have a secured box, with the sudoer deploy user you specified,\nallowed to authenticate only with the keys you set. Root is not allowed to log in. Only\nthe inbound ports allowed by your rules are open.\n\nCheck with Nmap and try to log in:\n\u003cpre\u003e\n\nssh  192.168.0.17\nPermission denied (publickey).\n\nssh -ldeploy_user 192.168.0.17\nWelcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-32-generic x86_64)\ndeploy_user@LABBOX17:~$\n\n\u003c/pre\u003e\n\n# Points of interest\n\nYou can reuse this playbook to create your own box bootstrapping projects, and\nreuse the role to configure your environments quicker and in a secure way with ansible.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoronenko%2Fdevops-bootstrap-box-template","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvoronenko%2Fdevops-bootstrap-box-template","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoronenko%2Fdevops-bootstrap-box-template/lists"}