tarefa/firewall (EticaAI/aguia-pescadora#34): criado firewall-debug.y…

…ml para aplicar NMAP de localhost e sugerido sites gratuitos que podem permitir escanear de IPs externos
EticaAI · Jul 21, 2019 · eff7f66 · eff7f66
1 parent 7865857
commit eff7f66
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 12 deletions.
diff --git a/tarefa/firewall/README.md b/tarefa/firewall/README.md
@@ -1,18 +1,49 @@
 # firewall
 
-> **:warning: Cuidado ao usar esta tarefa diretamente e/ou em produção em especial sem especificar os hosts :warning:**
+> **:warning: Use `--check` (modo do Ansible testar sem executar) mesmo que você
+saiba o que está fazendo**
+
+> :green_heart: `firewall.yml`, para proteger usuários, não irá bloquear acesso
+a porta 22 SSH por padrão (porém irá limitar brute forces). Então _na pior das
+hipóteses_ poderá abrir porta 22 que não estava bloqueada antes e/ou bloquear
+outras portas mas não vai trancar um usuário de acessar o próprio servidor.
 
 ```bash
 # Caso esteja no diretório tarefa/firewall/, use:
+ansible-playbook -i hosts firewall.yml --check
 ansible-playbook -i hosts firewall.yml
 
 # Do contrário, use o caminho completo
+ansible-playbook -i inventory/1-node-example/inventory.ini tarefa/firewall/firewall.yml --check
 ansible-playbook -i inventory/1-node-example/inventory.ini tarefa/firewall/firewall.yml
 ```
 
-## Testar antes de aplicar
+## Debug
+
+### Acessando maquina remota
+
+```bash
+ssh [email protected]
+sudo ufw status verbose
+```
+
+### Escanear portas com NMAP
+
+```bash
+# Escaneia hosts remotos com programa NMAP instalado localmente (scan rápido)
+ansible-playbook -i hosts firewall-debug.yml
+```
+
+### Escanear usando serviços gratúitos externos
+
+Alguns sites podem permitir que você escaneie de um IP que não deveria acessar
+portas de seu servidor. Note que maioria dos hosts gratuitos não permite
+escaneamento completo.
 
-_TODO: considerar https://github.com/ansible/ansible/issues/45604 (fititnt, 2019-07-21 05:07 BRT)_
+- <http://www.t1shopper.com/tools/port-scan/>
+- <https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap>
+- <http://www.ipv6scanner.com/cgi-bin/main.py>
+- <https://hackertarget.com/nmap-online-port-scanner/>
 
 # Licença
 [![Domínio Público](../../img/public-domain.png)](UNLICENSE)

diff --git a/tarefa/firewall/firewall-debug.yml b/tarefa/firewall/firewall-debug.yml
@@ -0,0 +1,29 @@
+---
+# ---------------------------------------------------------------------------- #
+# LICENSE: Public Domain <https://unlicense.org/>                              #
+#                                                                              #
+# Work dedicated to the public domain. This file (whole or parts) can          #
+# be used without needing to quote from previous source. You can relicense.    #
+# -----------------------------------------------------------------------------#
+
+- hosts: all
+  gather_facts: no
+  tasks:
+
+## [localhost] nmap {{ inventory_hostname }} ___________________________________
+  - name: "[localhost] nmap {{ inventory_hostname }}"
+    shell: "nmap {{ inventory_hostname }}"
+    delegate_to: localhost
+    register: localhost_nmap
+
+  - name: "ufw status verbose print (after)"
+    debug: var=localhost_nmap.stdout_lines
+
+## Recomend remote scanners ___________________________________
+  - name: "[remote hosts] try NMAP from free scanners to {{ inventory_hostname }}"
+    debug:
+      msg: "http://www.t1shopper.com/tools/port-scan/ , https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap, http://www.ipv6scanner.com/cgi-bin/main.py, https://hackertarget.com/nmap-online-port-scanner/"
+    #when: "1 = 1"
+
+## TODO: implementar debug da maquina local usando nmap (fititnt, 2019-07-21 06:29 BRT)
+## TODO: implementar debug de maquina remota apontando para alvo (fititnt, 2019-07-21 06:29 BRT)
diff --git a/tarefa/firewall/firewall.yml b/tarefa/firewall/firewall.yml
@@ -29,23 +29,31 @@
   - name: "ufw status verbose print (before)"
     debug: var=ufw_status_verbose1.stdout_lines
 
-## Port 22 (ssh) tcp: limit ____________________________________________________
-  - name: "Port 22 (ssh) tcp: limit"
+## :22 (SSH) tcp LIMIT _________________________________________________________
+  - name: ":22 (SSH) tcp LIMIT"
     ufw:
       rule: limit
       port: "22"
       proto: tcp
-      comment: "aguia-pescadora/firewall: 22 rate limit"
+      comment: "[aguia-pescadora/firewall] :22 (SSH) tcp LIMIT"
 
-#- name: Allow SSH in UFW
-#  ufw: rule=allow port=22 proto=tcp
+## :80 (HTTP) tcp ALLOW IN * ______________________________________________________
+  - name: ":80 (HTTP) tcp ALLOW IN *"
+    ufw:
+      rule: allow
+      port: "80"
+      proto: tcp
+      comment: "[aguia-pescadora/firewall] :80 (HTTP) tcp ALLOW IN *"
 
-#- name: Set firewall default policy
-#  ufw: state=enabled policy=reject
-#  sudo: true
+## :443 (HTTPS) tcp ALLOW IN * ____________________________________________________
+  - name: ":443 (HTTPS) tcp ALLOW IN *"
+    ufw:
+      rule: allow
+      port: "443"
+      proto: tcp
+      comment: "[aguia-pescadora/firewall] :443 (HTTPS) tcp ALLOW IN *"
 
 ## Enable UFW (default: deny all) ______________________________________________
-
   - name: "Enable UFW (policy: deny)"
     ufw:
       state: enabled