more of the good stuff

This commit is contained in:
Astro 2016-11-16 01:17:28 +01:00
parent 1964c45369
commit 77bddb3d78
13 changed files with 323 additions and 20 deletions


@ -5,8 +5,9 @@ dhcp:
time: 7776000
max-time: 31536000
opts:
#domain-name-servers:
routers: 172.20.73.1
host-opts:
domain-name-servers: upstream1.core
string-opts:
domain-name: serv.zentralwerk.online
@ -17,6 +18,8 @@ dhcp:
max-time: 3600
opts:
routers: 172.20.76.1
host-opts:
domain-name-servers: upstream1.core
string-opts:
domain-name: pub.zentralwerk.online
@ -27,6 +30,8 @@ dhcp:
max-time: 86400
opts:
routers: 172.20.74.1
host-opts:
domain-name-servers: upstream1.core
string-opts:
domain-name: priv1.zentralwerk.online
@ -37,5 +42,7 @@ dhcp:
max-time: 86400
opts:
routers: 172.20.75.1
host-opts:
domain-name-servers: upstream1.core
string-opts:
domain-name: priv2.zentralwerk.online
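Review bot: The commented-out `#domain-name-servers:` placeholder under `opts:` in the first hunk is dead now that `host-opts:` carries the resolver, and leaving it beside the live key invites someone to re-enable it as a plain `opts` entry, which the dhcpd template would emit as the literal host name rather than an address. Delete that line. All four subnets receive the identical `host-opts` stanza; a one-line comment on the first occurrence, `# host name, resolved via pillar hosts-inet by the dhcpd template`, tells the next editor why the value is not an IP.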


@ -1,3 +1,4 @@
#!yaml|gpg
switches:
switch-b1:
model: '3com-4200G'
@ -23,6 +24,30 @@ switches:
vlans:
- mgmt
- pub
- up1
- up2
- up3
- up4
- up5
- up6
- up7
- up8
- iso1
- iso2
- iso3
- iso4
- iso5
- iso6
- iso7
- iso8
- iso9
- iso10
- iso11
- iso12
- iso13
- iso14
- iso15
- iso16
switch-d1:
mode: trunk
ports:
@ -59,6 +84,19 @@ switches:
- '2'
- '3'
- '24'
password: |
-----BEGIN PGP MESSAGE-----
hQEMA2PKcvDMvlKLAQgAlqHX0k6S4NiBxHQg6i2hdM7m5o+QNuNsEQJcJHmPJlri
jNnYYmv5XDyYvLX6oHSbV9eeKO+Pi9GkiRJE+hMqo3Spuu41fp8m1TnvXZFgR3F1
koL7M+GGZH9wA2EeFJ+/aKldppT+k/VYG55OKn9um3wzZZraP6aKv2896AOXwond
R/jhjGXjcdATRDZ2aeYbNW/WQxZXaPRLCKISfftZ7CNDFV3rAX/SgphHnKRP7LZS
xFGbSHkc/451ZXIl0DrelrKzngQMVa9dTqCCF6hfjPj/0RuCwByuIyYpDMMWcXxs
nnMuiY2t9OM1D2BWsVHluk7MHymn+MxayPYCPuox2dJbAd2k674qx2Kc65TIpClm
yMsW1bBAqU07/kEB+oKdTkqUBoAfa0pBxC+62MREA0LFl7YavBHx9ksa8at8PzU1
+Dfb4gaZHlR4X2oQOUinVf9qC66gkY1Ndiz7CQ==
=9Zfy
-----END PGP MESSAGE-----
switch-b2:
model: '3com-4200G'
location: Haus B Souterrain
@ -85,6 +123,20 @@ switches:
- '24'
- '37'
- '48'
password: |
-----BEGIN PGP MESSAGE-----
hQEMA2PKcvDMvlKLAQf/V8QXXiydFBlm5j8ETQ/bXzToHGZWx7I4mC2i9r1pHZA2
diDYSGXPEJpiNJo6PTyIRYCMOyB18cVVRX3waga/dsx0KvAC1lwAibhQiV0frPCv
ELQ13gHEhfNt4HJveBRBNKjH4MkUIkTgtV98KoMc6+JRk2TPkJGmvG4oV3eTYW2I
TnG1SB9vgYCEfQUq8hY1FH+Wo7Kl8OGN2b+QUwmxc+vR67Hp3rLXlTPoLcrGPhGj
Vvj5lDTt8ScVd9NKLjmlNV646+XYuMO9FyTfbAq1yTDUpWdCAfaIt25dyss7xbu5
rl/bJzjT20KUraYehHQqcd3c0+/40CQYoJZOVgPojdJbAU7Nlju2xM9WE0CgQHLD
tUjwm10xMBdBPfWEDGxlZNnITWT/bf4y2CRm60uxGpHWNO2TKab9bwobS4PQcD4M
4FiceoeOxxKJHQ0aJL3POfe15nXvkqsSbwfDhQ==
=h3Vr
-----END PGP MESSAGE-----
switch-d1:
model: 'TL-SG3210'
location: Turm D Keller
@ -108,22 +160,106 @@ switches:
mode: access
ports:
- 7-8
password: |
-----BEGIN PGP MESSAGE-----
hQEMA2PKcvDMvlKLAQf+O1OB9gG4JKnASFfKCoAE75Gb4+PD8+ROzBvg18bzqD0j
qjhQL9Ye39oB5R5JmPBso5zgEhGr8vIB3VN3f6vABNaEGPkTh+jf/1X1vwfS0rvW
rQNulEFoq+F9vUfWFolAamVoqCxXsXtf8KyJHCazIIRKGKNysHOW/O+YSvcGgG4H
6YH94a1lZoRQCF/2wHEmDTA6FXSqBfijM0QoO2+i+VuUHXYYMZ/FIEDPWLM/wqSB
aLjMgrDRyUPLvAA88CXrLDT0aO3LzJINtTPVbnohYoFMKI66mAsWwXnJzT29x4sx
2xXwc3KvAgLIJtEvPnuHMl2ogkJZEO9rGP5D8Iuw7dJbAR6AXwVdttVIFY39octW
0Tj934ZZw2GDCNGDxfmV+kn3Ei15Qop8UmK6dsuzSd0M+4yg+yr3359y+s0cDGiW
QwbIX6EZR2TMw6nIf21MRYsXS03gmmfeKXM6Iw==
=ED5P
-----END PGP MESSAGE-----
switch-c1:
model: 'TL-SG3210'
location: Turm D Keller
model: 'HP-procurve-2824'
location: Turm C Keller
ports:
switch-b1:
mode: trunk
ports: 1-4
ports: 21-24
vlans:
- mgmt
- pub
- up1
- up2
- up3
- up4
- up5
- up6
- up7
- up8
- iso1
- iso2
- iso3
- iso4
- iso5
- iso6
- iso7
- iso8
- iso9
- iso10
- iso11
- iso12
- iso13
- iso14
- iso15
- iso16
up1:
mode: access
ports: '1'
up2:
mode: access
ports: '2'
up3:
mode: access
ports: '3'
up4:
mode: access
ports: '4'
up5:
mode: access
ports: '5'
up6:
mode: access
ports: '6'
up7:
mode: access
ports: '7'
up8:
mode: access
ports: '8'
iso1:
mode: access
ports: '9'
iso2:
mode: access
ports: '10'
iso3:
mode: access
ports: '11'
iso4:
mode: access
ports: '12'
mgmt:
mode: access
ports:
- '6'
ports: '20'
pub:
mode: access
ports:
- '5'
- 7-8
ports: 13-19
password: |
-----BEGIN PGP MESSAGE-----
hQEMA2PKcvDMvlKLAQgAhPMG6VKUFLVNZmVfZ6P21CrXRmUeExuxIg4QIrYtKfYe
cxWst/IuHnDyL2TP8yGb00sjz7o0psZ9Z+zRCi/ONONyNzee103ymjXxk0Ygekid
1IGVeSTqskrgOl53mFZEfP4nBcOqzcNFjMkm0c5B2OmHHHOokOJ5Xzsya120SGXk
JnYFVsRD6GFwuF88pgQ5VrGd5/drMaIrNkJ69dyfvYdHRTd0UgtiZFOMesRYFFP7
+QdSW1MFoVZnjZgLeoNF/efIhHnTdClROCMZBYU5Z3pQcHAfE4GN3w+MceP/+5EY
z3wuSNpsuYNr8NnEDvofTJGdOLuclE6JPFvJMg1QptJKASfn3ZlOrL4ohbPGaDQ6
z1P+6DJXliXS7dBdxH0bsB2qRZslmcj286D9bPgTsuvCzOaxcTtkM8y76gVVOVBI
TN+j1/OdlXyVmTM=
=XUUi
-----END PGP MESSAGE-----
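Review bot: Nothing in this pillar states what the `password: |` ciphertext blocks must decrypt to, yet every template in this commit sends the decrypted value verbatim inside a Tcl double-quoted `send "...\r"`, so — assuming the gpg renderer substitutes the plaintext unchanged — a trailing newline in the plaintext (what piping `echo` without `-n` into gpg produces) or a `$`, `[`, `"` or `\` character silently changes what reaches the switch. Add a comment under the new `#!yaml|gpg` line: `# password: must decrypt to the bare password on one line — no trailing newline, no Tcl-special characters ($ [ ] " \)`. The new `switch-c1` stanza also quotes single ports (`'1'`) but leaves ranges (`21-24`, `13-19`) bare; harmless today, but quoting them too keeps every `ports` value uniformly a string.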


@ -7,6 +7,10 @@ vlans:
up2: 11
up3: 12
up4: 13
up5: 14
up6: 15
up7: 16
up8: 17
priv1: 40
priv2: 41
priv3: 42
@ -23,3 +27,19 @@ vlans:
priv14: 53
priv15: 54
priv16: 55
iso1: 101
iso2: 102
iso3: 103
iso4: 104
iso5: 105
iso6: 106
iso7: 107
iso8: 108
iso9: 109
iso10: 110
iso11: 111
iso12: 112
iso13: 113
iso14: 114
iso15: 115
iso16: 116


@ -12,6 +12,11 @@ subnet {{ subnet.split('/')[0] }} netmask {{ netmasks[subnet.split('/')[1]] }} {
{%- for name, value in conf['opts'].items() %}
option {{ name }} {{ value }};
{%- endfor %}
{%- for name, value in conf['host-opts'].items() %}
{%- set host = value.split('.')[0] %}
{%- set net = value.split('.')[1] %}
option {{ name }} {{ pillar['hosts-inet'][net][host] }};
{%- endfor %}
{%- for name, value in conf['string-opts'].items() %}
option {{ name }} "{{ value }}";
{%- endfor %}
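Review bot: The new `host-opts` loop fails in two ways the existing `opts` loop does not: `value.split('.')[1]` raises on a value without a dot, and a subnet with no `host-opts` key makes `conf['host-opts'].items()` abort rendering of the whole dhcpd.conf. Use `{%- for name, value in conf.get('host-opts', {}).items() %}` so subnets without the key still render, and `{%- set host, net = value.split('.', 1) %}` so a malformed value fails with a clear unpacking error. A miss in `pillar['hosts-inet'][net][host]` either errors or, depending on the renderer's undefined policy, renders as `option domain-name-servers ;` and a dhcpd that refuses to start — worth a `# fails loudly on unknown host; keep hosts-inet in sync` comment on that line.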


@ -4,7 +4,7 @@
spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }}
expect "Password:"
send "secret\r"
send "{{ switch['password'] }}\r"
expect ">"
send "system-view\r"
expect "]"
@ -18,14 +18,14 @@ send "screen-length 0\r"
expect "ui-vty0-4]"
send "user privilege level 3\r"
expect "ui-vty0-4]"
send "set authentication password simple secret\r"
send "set authentication password simple {{ switch['password'] }}\r"
expect "ui-vty0-4]"
send "quit\r"
expect "{{ hostname }}]"
send "local-user admin\r"
expect -- "-luser-admin]"
send "password simple secret\r"
send "password simple {{ switch['password'] }}\r"
expect -- "-luser-admin]"
send "quit\r"
expect "{{ hostname }}]"
@ -70,6 +70,7 @@ send "port link-aggregation group {{ group }}\r"
expect "]"
send "port link-type trunk\r"
expect "]"
# Set dummy default vlan
send "port trunk pvid vlan 4094\r"
expect "]"
{%- for vlan_name in conf['vlans'] %}
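Review bot: In each of the three hunks the password is spliced unescaped into a Tcl double-quoted `send "...\r"`, so any `$`, `[`, `"` or `\` in the pillar value is interpreted by expect instead of being sent; the HP and TL-SG3210 templates in this commit do the same. The cleanest fix keeps the secret out of the rendered script altogether: `send "$env(SWITCH_PASSWORD)\r"` with the value supplied in the environment of whatever runs the script, which also stops the password from being written into a file the state deploys with mode 755. If the value must stay inline, escape it at render time with `replace('\\', '\\\\')` followed by `replace('"', '\\"')`, `replace('$', '\\$')` and `replace('[', '\\[')`. The enclosing script starts and ends outside these hunks.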


@ -0,0 +1,88 @@
{# #}
{%- import_yaml "netmasks.yaml" as netmasks -%}
#!/usr/bin/expect -f
spawn ssh admin@{{ pillar['hosts-inet']['mgmt'][hostname] }}
expect "password: "
send "{{ switch['password'] }}\r"
expect "Press any key to continue"
send "\r"
expect "# "
send "configure terminal\r"
expect "(config)# "
send "hostname {{ hostname }}\r"
expect "(config)# "
send "snmp-server location \"{{ switch['location'] }}\"\r"
expect "(config)# "
send "snmp-server contact \"astro@spaceboyz.net\"\r"
expect "(config)# "
send "password manager\r"
expect "New password for Manager: "
send "{{ switch['password'] }}\r"
expect "Please retype new password for Manager: "
send "{{ switch['password'] }}\r"
expect "(config)# "
# TODO: ssh, password
{%- for name, vlan in pillar['vlans'].items() %}
send "vlan {{ vlan }}\r"
expect "(vlan-{{ vlan }})#"
send "name {{ name }}\r"
expect "(vlan-{{ vlan }})#"
{# Actually only used for mgmt_vlan, switches are not routers #}
{%- set net_hosts = pillar['hosts-inet'].get(name) %}
{%- set ipaddr = net_hosts and net_hosts.get(hostname) %}
{%- if ipaddr %}
send "ip address {{ ipaddr }} {{ netmasks[pillar['subnets-inet'][name].split('/')[1]] }}\r"
expect "(vlan-{{ vlan }})#"
{%- endif %}
send "exit\r"
expect "(config)# "
{%- if name == 'mgmt' %}
send "management-vlan {{ vlan }}\r"
expect "(config)# "
{%- else %}
# If not mgmt, reset all VLAN mappings
send "no vlan {{ vlan }} tagged all\r"
expect "(config)# "
send "no vlan {{ vlan }} untagged all\r"
expect "(config)# "
{%- endif %}
{%- endfor %}
{%- set group = 0 %}
{%- for name, conf in switch['ports'].items() %}
{%- if conf['mode'] == 'trunk' %}
{%- set group = group + 1 %}
send "no trunk {{ conf['ports'] }}\r"
expect "(config)# "
send "trunk {{ conf['ports'] }} trk{{ group }} lacp\r"
expect "(config)# "
{%- for vlan_name in conf['vlans'] %}
send "vlan {{ pillar['vlans'][vlan_name] }} tagged trk{{ group }}\r"
expect "(config)# "
{%- endfor %}
{%- elif conf['mode'] == 'access' %}
send "vlan {{ pillar['vlans'][name] }} untagged {{ conf['ports'] }}\r"
expect "(config)# "
{%- endif %}
{%- endfor %}
send "write memory\r"
expect "{{ hostname }}# "
send "exit\r"
expect "{{ hostname }}> "
send "exit\r"
expect "Do you want to log out "
expect "y/n]? "
send "y"
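Review bot: The trunk counter at `{%- set group = 0 %}` / `{%- set group = group + 1 %}` does not do what it looks like: in Jinja2 a `set` inside a `for` body is scoped to that iteration, so `group` is 1 for every trunk and a switch with two trunk peers would put both into `trk1`. Take the index from the loop instead, iterating trunk and access ports in separate filtered loops and using `loop.index` as below; the 3com template keeps a `group` counter too (visible as context in its third hunk), and if it is built the same way it shares the problem. Two smaller points: `spawn ssh admin@…` will sit at `expect "password: "` on a first connection until the switch's host key is present in known_hosts, so provision that key rather than relax checking; and `# TODO: ssh, password` should say what is still missing or go.
```tcl
{#- … unchanged: header, manager password, vlan provisioning … #}
{%- for name, conf in switch['ports'].items() if conf['mode'] == 'trunk' %}
{%- set group = loop.index %}
send "no trunk {{ conf['ports'] }}\r"
expect "(config)# "
send "trunk {{ conf['ports'] }} trk{{ group }} lacp\r"
expect "(config)# "
{%- for vlan_name in conf['vlans'] %}
send "vlan {{ pillar['vlans'][vlan_name] }} tagged trk{{ group }}\r"
expect "(config)# "
{%- endfor %}
{%- endfor %}
{%- for name, conf in switch['ports'].items() if conf['mode'] == 'access' %}
send "vlan {{ pillar['vlans'][name] }} untagged {{ conf['ports'] }}\r"
expect "(config)# "
{%- endfor %}
{#- … unchanged: write memory and logout … #}
```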


@ -6,7 +6,7 @@
#stty raw -echo
spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }}
expect "Password:"
send "secret\r"
send "{{ switch['password'] }}\r"
expect ">"
send "\r"
expect ">"
@ -17,13 +17,13 @@ expect "#"
send "configure\r"
expect "(config)#"
send "enable secret 0 secret\r"
send "enable secret 0 {{ switch['password'] }}\r"
expect "(config)#"
#send "enable password 0 secret\r"
#send "enable password 0 {{ switch['password'] }}\r"
#expect "(config)#"
send "service password-encryption\r"
expect "(config)#"
send "user name admin privilege admin secret 0 secret\r"
send "user name admin privilege admin secret 0 {{ switch['password'] }}\r"
expect "(config)#"
send "hostname \"{{ hostname }}\"\r"
@ -40,7 +40,7 @@ send "telnet enable\r"
expect "(config)#"
send "line vty 0 15\r"
expect "(config-line)#"
send "password 0 secret\r"
send "password 0 {{ switch['password'] }}\r"
expect "(config-line)#"
send "exit\r"
expect "(config)#"
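Review bot: The commented-out `#send "enable password 0 {{ switch['password'] }}\r"` / `#expect "(config)#"` pair in the second hunk is dead code that now has to be kept in step with the live lines; drop it, or replace it with a comment saying why `enable password` is deliberately not set alongside `enable secret`. This session also runs over `spawn telnet …` (first hunk), so the new password crosses the mgmt VLAN in cleartext on every run; the `ssh/telnet passwords` item in the new security.md tracks that, and a one-line comment at the top of the template pointing at it keeps the two in step. As in the other templates, the password is interpolated unescaped into Tcl strings here, with the same caveats about `$`, `[`, `"` and `\`.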


@ -6,6 +6,6 @@
- context:
hostname: {{ hostname }}
switch: {{ switch }}
- mode: 744
- mode: 755
{%- endfor %}
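Review bot: `- mode: 755` makes the rendered expect scripts world-readable, and since the context passes the whole `switch: {{ switch }}` mapping — including the now-decrypted `password` — every local account can read the switch credentials from the managed file. The mode should go the other way: `- mode: 700` (the scripts need only be executable by the account that runs them, presumably root). Passing the full `switch` dict also splices a Python dict repr into the rendered state, which breaks as YAML once a value contains quotes or braces; pass the keys the templates use (`location`, `ports`, `password`) explicitly instead. The `file.managed` stanza starts outside the hunk.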


@ -9,6 +9,6 @@ iptables:
- template: 'jinja'
- context:
interface: {{ interface }}
- mode: 744
- mode: 755
- require:
- pkg: iptables
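Review bot: Widening the iptables script from `744` to `755` grants group and others an execute bit they cannot use — the script needs root to change rules — so the change loosens least privilege without a functional gain. Keep `- mode: 744` (or `700`) unless something runs it as another user, and if so name that user in a comment on the line. The `file.managed` stanza starts outside the hunk.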


@ -19,7 +19,7 @@ log /var/log/openvpn-{{ name }}.log
#ifconfig-noexec
route 0.0.0.0 0.0.0.0
#route-nopull
#up /etc/openvpn/ipredator-up.sh
up /etc/openvpn/{{ name }}.up
script-security 2
auth-user-pass /etc/openvpn/{{ name }}.auth
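Review bot: The commented `#up /etc/openvpn/ipredator-up.sh` line directly above the new `up /etc/openvpn/{{ name }}.up` is now dead and names a path this template never produces; remove it. Since `script-security 2` is what permits the `up` hook to execute, a comment on that line such as `# level 2 is required for the up script above` makes the coupling explicit for whoever later tightens it.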


@ -1,6 +1,19 @@
openvpn:
pkg.installed: []
/dev/net:
file.directory:
- mode: 0755
/dev/net/tun:
file.mknod:
- ntype: 'c'
- major: 10
- minor: 200
- mode: 0666
- require:
- file: /dev/net
{%- for name, conf in pillar['openvpn'].items() %}
hostroutes-{{ name }}:
@ -28,6 +41,14 @@ hostroutes-{{ name }}:
name: {{ name }}
- mode: 600
/etc/openvpn/{{ name }}.up:
file.managed:
- source: salt://vpn/up
- template: 'jinja'
- context:
name: {{ name }}
- mode: 755
autostart-{{ name }}:
service.enabled:
@ -35,6 +56,8 @@ autostart-{{ name }}:
require_in:
- file: /etc/openvpn/{{ name }}.conf
- file: /etc/openvpn/{{ name }}.auth
require:
- file: /dev/net/tun
start-{{ name }}:
service.running:
@ -42,6 +65,8 @@ start-{{ name }}:
require_in:
- file: /etc/openvpn/{{ name }}.conf
- file: /etc/openvpn/{{ name }}.auth
require:
- file: /dev/net/tun
{%- endfor %}
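Review bot: The new `/dev/net` and `/dev/net/tun` states write `- mode: 0755` and `- mode: 0666` with a leading zero, while the rest of the file uses `- mode: 600` and `- mode: 755`; under YAML 1.1 rules an unquoted `0666` is the octal integer 438, and whether that round-trips to the intended bits depends on how the loader and the state module normalise it. Quote them (`- mode: '0755'`, `- mode: '0666'`) or drop the zero to match the file's existing style, and do the same in the `.up` stanza if it is ever changed. The `require:` blocks added to `autostart-{{ name }}` and `start-{{ name }}` in the last two hunks look right; both stanzas start outside their hunks.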

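--- /dev/null
+++ b/salt/vpn/up
+#!/bin/sh
+export IFACE={{ name }}
+for f in /etc/network/if-pre-up.d/*; do
+$f
+done
+for f in /etc/network/if-up.d/*; do
+$f
+done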
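Review bot: `export IFACE={{ name }}` hands the ifupdown hooks the OpenVPN config name, not the interface: OpenVPN invokes the `up` script with the tun device as `$1` (and as `dev` in its environment), so unless the config's `dev` line is set to `{{ name }}` every hook sees the wrong `IFACE` and anything keyed on it (addressing, firewall rules) silently misses. The two `for f in …/*` loops also differ from how ifupdown runs these directories on Debian-style systems — they execute non-executable and backup files, ignore failures, and on an empty directory try to run the literal `/etc/network/if-pre-up.d/*` — so use the same mechanism ifupdown does: `export IFACE="$1"`, then `run-parts --exit-on-error /etc/network/if-pre-up.d` and `run-parts --exit-on-error /etc/network/if-up.d`. Running the pre-up hooks after the tunnel is already up is presumably intentional, but a comment saying so would stop the next reader from "fixing" it.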

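--- /dev/null
+++ b/security.md
+## Security checklist
+- [ ] ssh shut from internet
+- [ ] dns shut from internet
+- [ ] no source routing
+- [ ] rp_filter
+- [ ] restrict upstream routing/dns resolvers to associated priv nets?
+- [ ] container caps dropped?
+- [ ] ssh/telnet passwords
+- [ ] no ospf outside core net
+- [ ] no traffic between vlans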