# HG changeset patch # User IBBoard # Date 1577633488 0 # Node ID 0ebd8efeef04912290581c2b732ddcafc75b9319 # Parent d4b2bdfe47a6c6b9803141d1a08d83e01f20dd08# Parent 47750947f4dcaeebfb05bd27335c9a5ae8e5a868 Merge Puppet divergences and fix SSL chain issues it caused diff -r 47750947f4dc -r 0ebd8efeef04 common/fail2ban/ibb-sshd-bad-user.conf --- a/common/fail2ban/ibb-sshd-bad-user.conf Sun Dec 22 09:41:45 2019 -0500 +++ b/common/fail2ban/ibb-sshd-bad-user.conf Sun Dec 29 15:31:28 2019 +0000 @@ -10,7 +10,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = Failed password for invalid user ([0-9]+|[0-9a-z][0-9a-z]?|([0-9a-z])\2{2,}|abc123|abused|adm|admin[0-9]+|administrateur|administracion|altibase|alumni|amavisd?|anwenderschnittstelle|anonymous|ansible|aptproxy|arkserver|asterisk|avis|backlog|backup(s|er|pc|user)?|bf2|bitnami|bitrix|boinc|botmaster|build|buscador|cacti(user)?|catchall|cemergen|chef|cinema|cliente?[0-9]*|clouduser|com|comercial|control|cpanel|create|cron|(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)se?rve?r?|cyrus|daemon|danger|debian|dell|deploy(er)?|desktop|devteam|dietpi|django|dotblot|download|easy|ec2-user|edu(cation)?[0-9]*|e-shop|engin(eer)?|events|exports?|facebook|factorio|fax|filter|fuser|games|gdm|geniuz|ggc_user|ghost|git(olite?|blit|lab(_ci)?)?|gmail|guest|hadoop|harvard|helpdesk|httpd?|huawei|iceuser|imscp|info(rmix)?|java|jboss|jira|jsboss|kafka|kodi|library|libsys|linode|linux|login|logout|mailer|mailman|majordomo|man|mantis|marketing|master|minecraft|modem|mongo(db|user)|monitor|more|moher|mpiuser|musi[ck]bot|(my|pg)sq(ue)?l|nagios|nasa|netdump|netzplatz|newadmin|nexus|(nfs)?nobody|noc|nothing|NpC|nux|odoo|odroid|onyxeye|openbravo|openvpn|operador|operator|ops(code)?|oprofile|ora(cle|prod)|osmc|papernet|password|payments|pay_?pal|pentaho|PlcmSpIp(PlcmSpIp)?|postfix|postgres|print|privoxy|puppet|qhsupport|rabbit(mq)?|radiusd?|redis|redmine|root[0-9]+|rpc(user)?|rtorrent|sales[0-9]+|s?bin|(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|b)?(use?r|server|manager|mgr)|account)[0-9]*|saslauth|scaner|screen|search|setup|service|(s|u|ams|admin|inss|pro)?ftp(d|_?user|home|_?test)?[0-9]*|shop|sinusbot|smmsp|socket|software|splunk|squid|squirrelmail|sshusr|staffc|steam(cmd)?|superuser|support|svnroot|sysadmin|system|teamspeak3?|telkom|test((ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?|(test)?username|tomcat|tools|toor|ts[23](serv(er)?|(musi[ck])?bot)?|tunstall|ubnt|ubuntu|upload|unity|USERID|user[0-9]*|usuario|uucp|vagrant|vbox|ventrilo|vhbackup|virusalter|vmadmin|vmail|vyatta|weblogic|webmaster|WinD3str0y|wp-?user|write|www|(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|user|data)|xbian|xoadmin|yahoo|zabbix|zimbra|zookeeper|0fordn1on@#\$%%\^&|P@\$\$w0rd|pass123?4?)? from port [0-9]+ ssh2 +failregex = Failed password for invalid user ([0-9]+|[0-9a-z][0-9a-z]?|([0-9a-z])\2{2,}|abc123|abused|adm|Admin|admin[0-9]+|administrateur|administracion|altibase|alumni|amavisd?|anwenderschnittstelle|anonymous|ansible|aptproxy|arkserver|asterisk|avis|backlog|backup(s|er|pc|user)?|bf2|bitnami|bitrix|boinc|botmaster|build|buscador|cacti(user)?|catchall|cemergen|chef|cinema|cliente?[0-9]*|clouduser|com|comercial|control|cpanel|create|cron|(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)se?rve?r?|cyrus|daemon|danger|debian|dell|deploy(er)?|desktop|devteam|dietpi|django|dotblot|download|dovecot|easy|ec2-user|edu(cation)?[0-9]*|e-shop|engin(eer)?|events|exports?|facebook|factorio|fax|filter|fuser|games|gdm|geniuz|ggc_user|ghost|git(olite?|blit|lab(_ci)?)?|gmail|guest|hacker|hadoop|harvard|helpdesk|home|host|httpd?|huawei|iceuser|imscp|info(rmix)?|java|jboss|jira|jsboss|kafka|kodi|library|libsys|linode|linux|login|logout|mailer|mailman|majordomo|man|mantis|marketing|master|minecraft|modem|mongo(db|user)|monitor|more|moher|mpiuser|musi[ck]bot|(my|pg)sq(ue)?l|nagios|nasa|netdump|netzplatz|newadmin|nexus|(nfs)?nobody|noc|nothing|NpC|nux|odoo|odroid|onyxeye|openbravo|openvpn|operador|operator|ops(code)?|oprofile|ora(cle|prod)|osmc|papernet|password|payments|pay_?pal|pentaho|PlcmSpIp(PlcmSpIp)?|postfix|postgres|print|privoxy|puppet|qhsupport|rabbit(mq)?|radiusd?|redis|redmine|root[0-9]+|rpc(user)?|RPM|rtorrent|sales[0-9]+|s?bin|(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|b)?(use?r|server|manager|mgr)|account)[0-9]*|saslauth|scaner|screen|search|setup|service|(s|u|ams|admin|inss|pro)?ftp(d|_?user|home|_?test)?[0-9]*|shop|sinusbot|smmsp|socket|software|splunk|squid|squirrelmail|sshusr|staffc|steam(cmd)?|superuser|support|svnroot|sysadmin|system|teamspeak3?|telkom|test((ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?|(test)?username|text|tomcat|tools|toor|ts[23](serv(er)?|(musi[ck])?bot)?|tunstall|ubnt|ubuntu|upload|unity|USERID|user[0-9]*|usuario|uucp|vagrant|vbox|ventrilo|vhbackup|virusalter|vmadmin|vmail|vyatta|weblogic|webmaster|WinD3str0y|wp-?user|write|www|(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|user|data)|xbian|xoadmin|yahoo|zabbix|zimbra|zookeeper|0fordn1on@#\$%%\^&|P@\$\$w0rd|pass123?4?)? from port [0-9]+ ssh2 # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -r 47750947f4dc -r 0ebd8efeef04 manifests/templates.pp --- a/manifests/templates.pp Sun Dec 22 09:41:45 2019 -0500 +++ b/manifests/templates.pp Sun Dec 29 15:31:28 2019 +0000 @@ -802,7 +802,7 @@ } # Notify of available updates cron { 'check-yum-updates': - command => '/usr/bin/yum check-updates | tail -2 | grep -Ev "^ \* \w+: \w+"', + command => '/usr/bin/yum check-updates | tail -2 | grep -Ev "^ \* [[:alnum:]-]+: [[:alnum:]\.]+$"', hour => '4', minute => '30', weekday => '0-6/3', #Sunday, Wednesday and Saturday morning diff -r 47750947f4dc -r 0ebd8efeef04 modules/website/manifests/https.pp --- a/modules/website/manifests/https.pp Sun Dec 22 09:41:45 2019 -0500 +++ b/modules/website/manifests/https.pp Sun Dec 29 15:31:28 2019 +0000 @@ -106,7 +106,10 @@ $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem" } - if $ssl_ca_chain != '' { + if $ssl_ca_chain == '' and '' in [$ssl_ca_chain] { + # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert + $ssl_chain = undef + } elsif $ssl_ca_chain != undef { $ssl_chain = "/etc/pki/custom/$ssl_ca_chain" if ! defined(File[$ssl_chain]) { file { $ssl_chain: @@ -115,9 +118,6 @@ notify => Service['httpd'], } } - } elsif $ssl_ca_chain == '' and '' in [$ssl_ca_chain] { - # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert - $ssl_chain = undef } elsif $letsencrypt_name != undef { $ssl_chain = "/etc/letsencrypt/live/${letsencrypt_name}/chain.pem" } else { diff -r 47750947f4dc -r 0ebd8efeef04 modules/website/manifests/https/redir.pp --- a/modules/website/manifests/https/redir.pp Sun Dec 22 09:41:45 2019 -0500 +++ b/modules/website/manifests/https/redir.pp Sun Dec 29 15:31:28 2019 +0000 @@ -71,7 +71,10 @@ $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem" } - if $ssl_ca_chain != '' { + if $ssl_ca_chain == '' and '' in [$ssl_ca_chain] { + # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert + $ssl_chain = undef + } elsif $ssl_ca_chain != undef { $ssl_chain = "/etc/pki/custom/$ssl_ca_chain" if ! defined(File[$ssl_chain]) { file { $ssl_chain: @@ -80,9 +83,6 @@ notify => Service['httpd'], } } - } elsif $ssl_ca_chain == '' and '' in [$ssl_ca_chain] { - # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert - $ssl_chain = undef } elsif $letsencrypt_name != undef { $ssl_chain = "/etc/letsencrypt/live/${letsencrypt_name}/chain.pem" } else { diff -r 47750947f4dc -r 0ebd8efeef04 modules/website/manifests/init.pp --- a/modules/website/manifests/init.pp Sun Dec 22 09:41:45 2019 -0500 +++ b/modules/website/manifests/init.pp Sun Dec 29 15:31:28 2019 +0000 @@ -48,7 +48,10 @@ } apache::mod { 'rewrite':; - 'expires':; 'setenvif':; 'headers':; + 'expires':; + 'env':; + 'setenvif':; + 'headers':; 'version':; } @@ -132,7 +135,13 @@ hour => '*/12', minute => '21', } + if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 { + $certbot_package = 'python3-certbot-apache' + } else { + $certbot_package = 'python2-certbot-apache' + } package { 'python-certbot-apache': + name => $certbot_package, ensure => installed, } } diff -r 47750947f4dc -r 0ebd8efeef04 modules/website/templates/https_core_conf.erb --- a/modules/website/templates/https_core_conf.erb Sun Dec 22 09:41:45 2019 -0500 +++ b/modules/website/templates/https_core_conf.erb Sun Dec 29 15:31:28 2019 +0000 @@ -1,9 +1,9 @@ Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" Header always set Content-Security-Policy "upgrade-insecure-requests; <%= @csp_string %>" Header always set Content-Security-Policy-Report-Only "<%= @csp_report_string %>" -Header set X-Xss-Protection "1; mode=block" -Header set X-Content-Type-Options "nosniff" -Header set X-Frame-Options "SAMEORIGIN" +Header always set X-Xss-Protection "1; mode=block" +Header always set X-Content-Type-Options "nosniff" +Header always set X-Frame-Options "SAMEORIGIN" RewriteCond %{HTTP_HOST} !=<%= @primary_name %> RewriteRule ^(.*)$ https://<%= @primary_name %>$1 [R=301,L]