chore: add all the roles
some via submodules
This commit is contained in:
parent
ad2c717ffb
commit
43d3a1c1a1
9
roles/fastnetmon/README.md
Normal file
9
roles/fastnetmon/README.md
Normal file
@ -0,0 +1,9 @@
|
||||
# ansible-fastnetmon
|
||||
this role builds fastnetmon from source on a fedora machine
|
||||
|
||||
## License
|
||||
GPLv3
|
||||
|
||||
## Author
|
||||
wanderer@git.dotya.ml
|
||||
|
22
roles/fastnetmon/defaults/main.yml
Normal file
22
roles/fastnetmon/defaults/main.yml
Normal file
@ -0,0 +1,22 @@
|
||||
---
|
||||
fastnetmon_clone_dir: /tmp/fastnetmon-ng
|
||||
netflow_on: on
|
||||
netflow_port: 2055
|
||||
|
||||
ban_time: 1900
|
||||
|
||||
ban_for_pps: on
|
||||
ban_for_bandwidth: on
|
||||
ban_for_flows: off
|
||||
|
||||
threshold_pps: 20000
|
||||
threshold_mbps: 1000
|
||||
threshold_flows: 3500
|
||||
|
||||
threshold_tcp_pps: 100000
|
||||
threshold_udp_pps: 100000
|
||||
threshold_icmp_pps: 100000
|
||||
|
||||
ban_for_tcp_pps: on
|
||||
ban_for_udp_pps: on
|
||||
ban_for_icmp_pps: on
|
40
roles/fastnetmon/tasks/main.yml
Normal file
40
roles/fastnetmon/tasks/main.yml
Normal file
@ -0,0 +1,40 @@
|
||||
|
||||
---
|
||||
- firewalld:
|
||||
port: "{{netflow_port}}/udp"
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
||||
- name: check if fastnetmon dir exists
|
||||
stat:
|
||||
path: "{{fastnetmon_clone_dir}}"
|
||||
register: dir_present
|
||||
|
||||
- name: get fastnetmon sources
|
||||
shell:
|
||||
cmd: git clone https://git.dotya.ml/wanderer/fastnetmon-ng {{fastnetmon_clone_dir}}
|
||||
when: not dir_present.stat.exists
|
||||
|
||||
- name: build and install fastnetmon
|
||||
shell:
|
||||
cmd:
|
||||
cd {{fastnetmon_clone_dir}}/src;
|
||||
git checkout fresh-ndpi;
|
||||
git apply patches/dev-ndpi.patch;
|
||||
cmake -D"USE_NEW_ATOMIC_BUILTINS=ON" -D"ENABLE_AFPACKET_SUPPORT=ON" -D"ENABLE_GOBGP_SUPPORT=ON" -D"BUILD_PLUGIN_RUNNER=ON" -D"BUILD_TESTS=OFF" -DCMAKE_CXX_FLAGS="$CMAKE_CXX_FLAGS -Wall -Wextra" . &&
|
||||
make clean fastnetmon all install
|
||||
chdir: "{{fastnetmon_clone_dir}}/src"
|
||||
|
||||
- name: run ldconfig
|
||||
shell:
|
||||
cmd: ldconfig
|
||||
|
||||
- name: copy config
|
||||
template:
|
||||
src: fastnetmon.conf.j2
|
||||
dest: /etc/fastnetmon.conf
|
||||
mode: '0755'
|
||||
backup: yes
|
||||
ignore_errors: true
|
||||
|
||||
|
320
roles/fastnetmon/templates/fastnetmon.conf.j2
Normal file
320
roles/fastnetmon/templates/fastnetmon.conf.j2
Normal file
@ -0,0 +1,320 @@
|
||||
{{ ansible_managed | comment }}
|
||||
###
|
||||
### Main configuration params
|
||||
###
|
||||
|
||||
### Logging configuration
|
||||
|
||||
# enable this option if you want to send logs to local syslog facility
|
||||
logging:local_syslog_logging = off
|
||||
|
||||
# enable this option if you want to send logs to a remote syslog server via UDP
|
||||
logging:remote_syslog_logging = off
|
||||
|
||||
# specify a custom server and port for remote logging
|
||||
logging:remote_syslog_server = 10.10.10.10
|
||||
logging:remote_syslog_port = 514
|
||||
|
||||
# Enable/Disable any actions in case of attack
|
||||
enable_ban = on
|
||||
|
||||
# Enable ban for IPv6
|
||||
enable_ban_ipv6 = on
|
||||
|
||||
# disable processing for certain direction of traffic
|
||||
process_incoming_traffic = on
|
||||
process_outgoing_traffic = on
|
||||
|
||||
# How many packets will be collected from attack traffic
|
||||
ban_details_records_count = 50
|
||||
|
||||
# How long (in seconds) we should keep an IP in blocked state
|
||||
# If you set 0 here it completely disables unban capability
|
||||
ban_time = {{ ban_time }}
|
||||
|
||||
# Check if the attack is still active, before triggering an unban callback with this option
|
||||
# If the attack is still active, check each run of the unban watchdog
|
||||
unban_only_if_attack_finished = on
|
||||
|
||||
# enable per subnet speed meters
|
||||
# For each subnet, list track speed in bps and pps for both directions
|
||||
enable_subnet_counters = off
|
||||
|
||||
# list of all your networks in CIDR format
|
||||
networks_list_path = /etc/networks_list
|
||||
|
||||
# list networks in CIDR format which will be not monitored for attacks
|
||||
white_list_path = /etc/networks_whitelist
|
||||
|
||||
# redraw period for client's screen
|
||||
check_period = 1
|
||||
|
||||
# Connection tracking is very useful for attack detection because it provides huge amounts of information,
|
||||
# but it's very CPU intensive and not recommended in big networks
|
||||
enable_connection_tracking = on
|
||||
|
||||
# Different approaches to attack detection
|
||||
ban_for_pps = {{ ban_for_pps }}
|
||||
ban_for_bandwidth = {{ ban_for_bandwidth }}
|
||||
ban_for_flows = {{ ban_for_flows }}
|
||||
|
||||
# Limits for Dos/DDoS attacks
|
||||
threshold_pps = {{ threshold_pps }}
|
||||
threshold_mbps = {{ threshold_mbps }}
|
||||
threshold_flows = {{ threshold_flows }}
|
||||
|
||||
# Per protocol attack thresholds
|
||||
# We don't implement per protocol flow limits
|
||||
# These limits should be smaller than global pps/mbps limits
|
||||
|
||||
threshold_tcp_mbps = 100000
|
||||
threshold_udp_mbps = 100000
|
||||
threshold_icmp_mbps = 100000
|
||||
|
||||
threshold_tcp_pps = {{ threshold_tcp_pps }}
|
||||
threshold_udp_pps = {{ threshold_udp_pps }}
|
||||
threshold_icmp_pps = {{ threshold_icmp_pps }}
|
||||
|
||||
ban_for_tcp_bandwidth = off
|
||||
ban_for_udp_bandwidth = off
|
||||
ban_for_icmp_bandwidth = off
|
||||
|
||||
ban_for_tcp_pps = {{ ban_for_tcp_pps }}
|
||||
ban_for_udp_pps = {{ ban_for_udp_pps }}
|
||||
ban_for_icmp_pps = {{ ban_for_icmp_pps }}
|
||||
|
||||
###
|
||||
### Traffic capture methods
|
||||
###
|
||||
|
||||
# PF_RING traffic capture, fast enough but the wirespeed version needs a paid license
|
||||
mirror = off
|
||||
|
||||
# Port mirroring sample rate
|
||||
pfring_sampling_ratio = 1
|
||||
|
||||
# Netmap traffic capture (very fast but needs patched drivers)
|
||||
mirror_netmap = off
|
||||
|
||||
# AF_PACKET capture engine
|
||||
# Please use it only with modern Linux kernels (3.6 and more)
|
||||
# And please install birq for irq ditribution over cores
|
||||
mirror_afpacket = off
|
||||
|
||||
# You can use this option to multiply all incoming traffc by this value
|
||||
# It may be useful for sampled mirror ports
|
||||
mirror_af_packet_custom_sampling_rate = 1
|
||||
|
||||
# AF_PACKET fanout mode mode, http://man7.org/linux/man-pages/man7/packet.7.html
|
||||
# Available modes: cpu, lb, hash, random, rollover, queue_mapping
|
||||
mirror_af_packet_fanout_mode = cpu
|
||||
|
||||
# This option should be enabled if you are using Juniper with mirroring of the first X bytesof packet: maximum-packet-length 110;
|
||||
af_packet_read_packet_length_from_ip_header = off
|
||||
|
||||
# Port mirroring sampling ratio
|
||||
netmap_sampling_ratio = 1
|
||||
|
||||
# This option should be enabled if you are using Juniper with mirroring of the first X bytesof packet: maximum-packet-length 110;
|
||||
netmap_read_packet_length_from_ip_header = off
|
||||
|
||||
# Pcap mode, very slow and thus not suitable for production
|
||||
pcap = off
|
||||
# Netflow capture method with v5, v9 and IPFIX support
|
||||
netflow = {{ netflow_on }}
|
||||
# sFLOW capture suitable for switches
|
||||
sflow = off
|
||||
|
||||
# PF_RING configuration
|
||||
# If you have a license for PF_RING ZC, enable this mode and it might achieve wire speed for10GE
|
||||
enable_pf_ring_zc_mode = off
|
||||
|
||||
# Configuration for netmap, mirror, pcap modes
|
||||
# For pcap and PF_RING we could specify "any"
|
||||
# For netmap and PF_RING we could specify multiple interfaces separated by comma
|
||||
interfaces = eth3,eth4
|
||||
|
||||
# We use average values for traffic speed to certain IP and we calculate average over this time slice
|
||||
average_calculation_time = 5
|
||||
|
||||
# We use average values for traffic speed for subnet and we calculate average over this timeslice
|
||||
average_calculation_time_for_subnets = 5
|
||||
|
||||
# Delay between traffic recalculation attempts
|
||||
speed_calculation_delay = 1
|
||||
|
||||
# Netflow configuration
|
||||
|
||||
# it's possible to specify multiple ports here, using commas as delimiter
|
||||
netflow_port = {{ netflow_port }}
|
||||
netflow_host = 0.0.0.0
|
||||
|
||||
# To bind to all interfaces for all protocols: not possible yet
|
||||
# To bind to all interfaces for a specific protocol: :: or 0.0.0.0
|
||||
# To bind to localhost for a specific protocol: ::1 or 127.0.0.1
|
||||
|
||||
# Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio
|
||||
# Here you could specify a sampling ratio for all this agents
|
||||
# For NetFLOW v5 we extract sampling ratio from packets directely and this option not used
|
||||
netflow_sampling_ratio = 1
|
||||
|
||||
# sFlow configuration
|
||||
|
||||
# It's possible to specify multiple ports here, using commas as delimiter
|
||||
sflow_port = 6343
|
||||
# sflow_port = 6343,6344
|
||||
sflow_host = 0.0.0.0
|
||||
|
||||
# Some vendors may lie about full packet length in sFlow packet. To avoid this issue we can switch to using IP packet length from parsed header
|
||||
sflow_read_packet_length_from_ip_header = off
|
||||
|
||||
|
||||
###
|
||||
### Actions when attack detected
|
||||
###
|
||||
|
||||
# This script executed for ban, unban and attack detail collection
|
||||
notify_script_path = /usr/local/bin/notify_about_attack.sh
|
||||
|
||||
# pass attack details to notify_script via stdin
|
||||
# Pass details only in case of "ban" call
|
||||
# No details will be passed for "unban" call
|
||||
notify_script_pass_details = on
|
||||
|
||||
# collect a full dump of the attack with full payload in pcap compatible format
|
||||
collect_attack_pcap_dumps = on
|
||||
|
||||
# Execute Deep Packet Inspection on captured PCAP packets
|
||||
process_pcap_attack_dumps_with_dpi = on
|
||||
|
||||
# Save attack details to Redis
|
||||
redis_enabled = off
|
||||
|
||||
# Redis configuration
|
||||
redis_port = 6379
|
||||
redis_host = 127.0.0.1
|
||||
|
||||
# specify a custom prefix here
|
||||
redis_prefix = mydc1
|
||||
|
||||
# We could store attack information to MongoDB
|
||||
mongodb_enabled = off
|
||||
mongodb_host = localhost
|
||||
mongodb_port = 27017
|
||||
mongodb_database_name = fastnetmon
|
||||
|
||||
# announce blocked IPs with BGP protocol with ExaBGP
|
||||
exabgp = off
|
||||
exabgp_command_pipe = /var/run/exabgp.cmd
|
||||
exabgp_community = 65001:666
|
||||
|
||||
# specify multiple communities with this syntax:
|
||||
# exabgp_community = [65001:666 65001:777]
|
||||
|
||||
# specify different communities for host and subnet announces
|
||||
# exabgp_community_subnet = 65001:667
|
||||
# exabgp_community_host = 65001:668
|
||||
|
||||
exabgp_next_hop = 10.0.3.114
|
||||
|
||||
# In complex cases you could have both options enabled and announce host and subnet simultaneously
|
||||
|
||||
# Announce /32 host itself with BGP
|
||||
exabgp_announce_host = on
|
||||
|
||||
# Announce origin subnet of IP address instead IP itself
|
||||
exabgp_announce_whole_subnet = off
|
||||
|
||||
# Announce Flow Spec rules when we could detect certain attack type
|
||||
# Please we aware! Flow Spec announce triggered when we collect some details about attack,
|
||||
# i.e. when we call attack_details script
|
||||
# Please disable exabgp_announce_host and exabgp_announce_whole_subnet if you want to use this feature
|
||||
# Please use ExaBGP v4 only (Git version), for more details: https://github.com/pavel-odintsov/fastnetmon/blob/master/docs/BGP_FLOW_SPEC.md
|
||||
exabgp_flow_spec_announces = off
|
||||
|
||||
# GoBGP intergation
|
||||
gobgp = on
|
||||
|
||||
# Configuration for IPv4 announces
|
||||
gobgp_next_hop = 0.0.0.0
|
||||
gobgp_announce_host = on
|
||||
gobgp_announce_whole_subnet = off
|
||||
|
||||
gobgp_community_host = 65001:666
|
||||
gobgp_community_subnet = 65001:777
|
||||
|
||||
# Configuration for IPv6 announces
|
||||
gobgp_next_hop_ipv6 = 100::1
|
||||
gobgp_announce_host_ipv6 = off
|
||||
gobgp_announce_whole_subnet_ipv6 = off
|
||||
|
||||
gobgp_community_host_ipv6 = 65001:666
|
||||
gobgp_community_subnet_ipv6 = 65001:777
|
||||
|
||||
# Graphite monitoring
|
||||
# InfluxDB is also supported, please check our reference:
|
||||
# https://github.com/pavel-odintsov/fastnetmon/blob/master/docs/INFLUXDB_INTEGRATION.md
|
||||
graphite = off
|
||||
# Please use only IP because domain names are not allowed here
|
||||
graphite_host = 127.0.0.1
|
||||
graphite_port = 2003
|
||||
|
||||
# Default namespace for Graphite data
|
||||
graphite_prefix = fastnetmon
|
||||
|
||||
# Before using InfluxDB you need to create database using influx tool:
|
||||
# create database fastnetmon
|
||||
|
||||
# InfluxDB
|
||||
influxdb = off
|
||||
influxdb_host = 127.0.0.1
|
||||
influxdb_port = 8086
|
||||
influxdb_database = fastnetmon
|
||||
|
||||
# InfluxDB auth
|
||||
influxdb_auth = off
|
||||
influxdb_user = fastnetmon
|
||||
influxdb_password = secure
|
||||
|
||||
# Add local IP addresses and aliases to monitoring list
|
||||
# Works only for Linux
|
||||
monitor_local_ip_addresses = on
|
||||
|
||||
# Add IP addresses for OpenVZ / Virtuozzo VEs to network monitoring list
|
||||
monitor_openvz_vps_ip_addresses = off
|
||||
|
||||
# Create group of hosts with non-standard thresholds
|
||||
# You should create this group before (in configuration file) specifying any limits
|
||||
# hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32
|
||||
|
||||
# Configure this group
|
||||
my_hosts_enable_ban = off
|
||||
|
||||
my_hosts_ban_for_pps = off
|
||||
my_hosts_ban_for_bandwidth = off
|
||||
my_hosts_ban_for_flows = off
|
||||
|
||||
my_hosts_threshold_pps = 20000
|
||||
my_hosts_threshold_mbps = 1000
|
||||
my_hosts_threshold_flows = 3500
|
||||
|
||||
# Path to pid file for checking "if another copy of tool is running", it's useful when you run multiple instances of tool
|
||||
pid_path = /var/run/fastnetmon.pid
|
||||
|
||||
# Path to file where we store IPv4 traffic information for fastnetmon_client
|
||||
cli_stats_file_path = /tmp/fastnetmon.dat
|
||||
|
||||
# Path to file where we store IPv6 traffic information for fastnetmon_client
|
||||
cli_stats_ipv6_file_path = /tmp/fastnetmon_ipv6.dat
|
||||
|
||||
# Enable gRPC api (required for fastnetmon_api_client tool)
|
||||
enable_api = on
|
||||
|
||||
###
|
||||
### Client configuration
|
||||
###
|
||||
|
||||
# Field used for sorting in client, valid values are: packets, bytes or flows
|
||||
sort_parameter = packets
|
||||
# How much IPs will be listed for incoming and outgoing channel eaters
|
||||
max_ips_in_list = 7
|
1
roles/fastnetmon/vars/main.yml
Normal file
1
roles/fastnetmon/vars/main.yml
Normal file
@ -0,0 +1 @@
|
||||
---
|
9
roles/ndpi/README.md
Normal file
9
roles/ndpi/README.md
Normal file
@ -0,0 +1,9 @@
|
||||
# ansible-ndpi
|
||||
this role builds nDPI from source on a fedora machine
|
||||
|
||||
## License
|
||||
GPLv3
|
||||
|
||||
## Author
|
||||
wanderer@git.dotya.ml
|
||||
|
3
roles/ndpi/defaults/main.yml
Normal file
3
roles/ndpi/defaults/main.yml
Normal file
@ -0,0 +1,3 @@
|
||||
---
|
||||
ndpi_compat_version: 1.7
|
||||
ndpi_clone_dir: /tmp/ndpi
|
27
roles/ndpi/tasks/main.yml
Normal file
27
roles/ndpi/tasks/main.yml
Normal file
@ -0,0 +1,27 @@
|
||||
---
|
||||
- name: check if nDPI dir exists
|
||||
stat:
|
||||
path: "{{ndpi_clone_dir}}"
|
||||
register: dir_present
|
||||
|
||||
- name: get nDPI sources
|
||||
shell:
|
||||
cmd: git clone https://github.com/ntop/nDPI.git {{ndpi_clone_dir}}
|
||||
when: dir_present.stat.exists == false
|
||||
|
||||
- name: build and install nDPI
|
||||
shell:
|
||||
cmd:
|
||||
cd {{ndpi_clone_dir}};
|
||||
git checkout {{ndpi_compat_version}};
|
||||
./autogen.sh &&
|
||||
./configure &&
|
||||
make &&
|
||||
make install &&
|
||||
make clean &&
|
||||
git switch - ;
|
||||
./autogen.sh &&
|
||||
./configure &&
|
||||
make &&
|
||||
make install
|
||||
chdir: "{{ndpi_clone_dir}}"
|
9
roles/waitpls/README.md
Normal file
9
roles/waitpls/README.md
Normal file
@ -0,0 +1,9 @@
|
||||
# ansible-waitpls
|
||||
this role is used to wait until conditions for running are met
|
||||
|
||||
## License
|
||||
GPLv3
|
||||
|
||||
## Author
|
||||
wanderer@git.dotya.ml
|
||||
|
1
roles/waitpls/defaults/main.yml
Normal file
1
roles/waitpls/defaults/main.yml
Normal file
@ -0,0 +1 @@
|
||||
---
|
8
roles/waitpls/tasks/main.yml
Normal file
8
roles/waitpls/tasks/main.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Wait until the file /tmp/gopls is present before continuing
|
||||
delay: 10
|
||||
wait_for:
|
||||
path: /.plsgo
|
||||
timeout: 1200
|
||||
become: false
|
||||
|
1
roles/waitpls/vars/main.yml
Normal file
1
roles/waitpls/vars/main.yml
Normal file
@ -0,0 +1 @@
|
||||
---
|
Loading…
Reference in New Issue
Block a user