Ansible – Looking At Basic Security (Raspberry Pi)

Ansible is allowing me to control some devices, so what can I do with it to improve security on my Pi network?

Note: This post forms part of my collection of posts on Ansible, covering installation, SSH set-up and the basics of playbooks and ad-hoc commands.

Chage

Image: chage output showing when an account's password was last changed

Raspbian ships a command called chage (part of the shadow password suite) that shows when an account last had its password changed, together with the account's password ageing settings. To use it type:

chage -l USERACCOUNT

e.g. for my Pi user account this would be chage -l pi

By default Raspbian does not set a maximum password age on accounts (chage -l reports a maximum of 99999 days, which in practice means never). It can be set using:

chage -M DAYS_PASSWORD_IS_VALID USERACCOUNT

e.g. for my Pi user account and a validity period of 365 days this would be  chage -M 365 pi

Note: -M and -m are different. -M is the maximum number of days a password stays valid; -m is the minimum number of days that must pass before the password can be changed again, which stops a user cycling straight back to an old password.

When setting a password validity period it is recommended to set a warning period as well, so that the user is notified that their password is about to expire. This is done via:

chage -W DAYS_BEFORE_PASSWORD_EXPIRATION USERACCOUNT

e.g. to warn my Pi user 3 days before their password expires would be chage -W 3 pi

So chage allows a password policy to be created for a user account, but what happens if an account has been compromised? chage can also expire an account. An expired account is refused at login by every method, including SSH public keys, which makes it a stronger response than passwd -l (that only disables the password).

chage -E DATE_TO_LOCK_ACCOUNT_FROM USERACCOUNT

The date is given in YYYY-MM-DD form. So if I thought my Pi user had been hijacked today (28th June 2019) I would run:

chage -E 2019-06-28 pi

Two caveats: expiring the account does not end sessions that are already open, so also kill the user's processes (for example pkill -KILL -u pi), and the expiry is removed again with chage -E -1 pi once the account has been cleaned up.

You may be wondering what this has to do with Ansible. Imagine you have multiple devices with the same account on each, and that account has been compromised. Ansible lets you lock the account out on all the devices with one command, which for my Pi_Collection (see the earlier Ansible blog posts for details) would be:

ansible Pi_Collection -a "chage -E 2019-06-28 pi" -b

One thing to check first: Ansible must not be connecting as the account you are about to expire. If it logs in as pi, this command cuts off its own access to every device, so use a separate admin account for Ansible.
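Putting this whole section into a playbook, as an added example that is not from the original post: it applies the ageing policy idempotently to one account on every host in Pi_Collection and, when asked, expires the account and kills its sessions. The group name Pi_Collection and the account pi come from the post; the variable names, the 7-day warning period and the requirement that Ansible connects as a different admin account are my assumptions. The password_expire_max and password_expire_min options need the user module from ansible-core 2.11 or later.

```yaml
# Added example, not from the original post. Password ageing policy and an
# emergency lock for one account on every host in Pi_Collection.
# Assumes Ansible connects as an admin account that is NOT target_user,
# otherwise the lock step cuts off the session running this playbook.
- hosts: Pi_Collection
  become: yes
  vars:
    target_user: pi
    lock_account: false          # override with -e lock_account=true
    warn_days: 7
  tasks:
    - name: Password ageing (chage -M 365 / -m 1 equivalent; ansible-core 2.11+)
      ansible.builtin.user:
        name: "{{ target_user }}"
        password_expire_max: 365
        password_expire_min: 1

    - name: Read current ageing settings
      ansible.builtin.command: chage -l {{ target_user }}
      register: chage_now
      changed_when: false

    # chage itself is not idempotent, so only run it when the current
    # warning period differs from the one we want.
    - name: Warn before expiry (chage -W equivalent)
      ansible.builtin.command: chage -W {{ warn_days }} {{ target_user }}
      when: not (chage_now.stdout is search('warning before password expires\\s*:\\s*' ~ warn_days ~ '\\s*$', multiline=True))

    # Emergency lock. Expiring the account (chage -E / usermod -e) blocks every
    # login method including SSH keys; password_lock (passwd -l) only disables
    # the password. Neither ends sessions that are already open.
    - name: Expire the account as of today (chage -E <today> equivalent)
      ansible.builtin.user:
        name: "{{ target_user }}"
        expires: "{{ ansible_date_time.epoch | int }}"
        password_lock: true
      when: lock_account | bool

    - name: Kill the account's live processes and sessions
      ansible.builtin.command: pkill -KILL -u {{ target_user }}
      register: pkill_out
      failed_when: pkill_out.rc not in [0, 1]   # rc 1 = nothing to kill
      changed_when: pkill_out.rc == 0
      when: lock_account | bool
```

Run it normally to roll out the policy; run it with -e lock_account=true when an account needs shutting down everywhere at once. Undoing the lock is a matter of setting expires to a negative value and password_lock to false in the same user task.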

Open Ports (netstat)

I once wrote a port scanner in Python, but as Ansible can already connect to the devices it can list every open port, its state and the process that owns it, from inside each host.

Image: Ansible and netstat

This uses the shell module to send the netstat command (-p shows the owning process, -l listening sockets only, -n numeric addresses and ports, -t TCP, -u UDP). The shell module is not strictly needed here as there is no pipe or redirect, so the default command module would do just as well. Running against my Pi_Collection this is:

ansible Pi_Collection -m shell -a "netstat -plntu" -b

netstat comes from the net-tools package, which newer Raspberry Pi OS images no longer install by default; ss -plntu from iproute2 takes the same switches and gives the same view.
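Reading the output by eye does not scale past a few Pis, so here is an added example, not from the original post, that turns the same check into a pass/fail test: it gathers the listening sockets as structured facts and fails the play on any host where a port is exposed that is not on an allow-list. It assumes the community.general collection is installed and that only SSH (22/tcp), the DHCP client (68/udp) and mDNS (5353/udp) are meant to be reachable from the network; those allow-lists and the variable names are my assumptions, not the post's.

```yaml
# Added example, not from the original post. Collect listening sockets as
# structured facts and fail the play when something unexpected is exposed.
# Assumes the community.general collection is installed (the module needs
# either ss or netstat on the Pi) and that only 22/tcp, 68/udp and 5353/udp
# are meant to be reachable from the network; adjust the lists for your Pis.
- hosts: Pi_Collection
  become: yes
  vars:
    allowed_tcp: [22]
    allowed_udp: [68, 5353]
    loopback: ['127.0.0.1', '::1']
  tasks:
    - name: Collect listening TCP and UDP sockets
      community.general.listen_ports_facts:

    - name: Show every listener with its owning process
      ansible.builtin.debug:
        msg: "{{ item.protocol }}/{{ item.port }} {{ item.name }} (pid {{ item.pid }}, user {{ item.user }}) on {{ item.address }}"
      loop: "{{ ansible_facts.tcp_listen + ansible_facts.udp_listen }}"
      loop_control:
        label: "{{ item.protocol }}/{{ item.port }}"

    # Sockets bound to loopback are not reachable from the LAN, so they are
    # excluded; anything else must be on the allow-list.
    - name: Work out which network-facing ports are not allow-listed
      ansible.builtin.set_fact:
        unexpected_tcp: "{{ ansible_facts.tcp_listen | rejectattr('address', 'in', loopback) | map(attribute='port') | difference(allowed_tcp) }}"
        unexpected_udp: "{{ ansible_facts.udp_listen | rejectattr('address', 'in', loopback) | map(attribute='port') | difference(allowed_udp) }}"

    - name: Fail if an unexpected port is open
      ansible.builtin.assert:
        that:
          - unexpected_tcp | length == 0
          - unexpected_udp | length == 0
        fail_msg: "{{ inventory_hostname }}: unexpected listeners tcp={{ unexpected_tcp }} udp={{ unexpected_udp }}"
        success_msg: "{{ inventory_hostname }}: only allow-listed ports are listening"
```

Because the check runs from inside the host it also catches services bound to a single interface or started by a user rather than a package, which an external scan from one vantage point can miss; it is still worth the occasional external scan to confirm the firewall view matches.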

UFW

In an earlier blog post I looked at installing a firewall called UFW and configuring UFW. Both are great for an individual system, but once I started looking at Ansible I decided to see if I could do the install across multiple devices using a playbook.

Image: Ansible and UFW
# geektechstuff UFW playbook to install firewall
- hosts: Pi_Collection
  tasks:
    - name: Install UFW
      become: yes
      apt:
        pkg:
          - ufw
        state: present
        update_cache: yes
    - name: UFW Logging On
      become: yes
      ufw:
        logging: "on"    # quoted: a bare on is read by YAML as the boolean true
    - name: UFW Allow Local Traffic
      become: yes
      ufw:
        rule: allow
        src: 192.168.0.0/24
    - name: Turn UFW on
      become: yes
      ufw:
        state: enabled
        policy: allow    # allow-by-default: the firewall is on but blocks nothing inbound
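The same install as an added example, not from the original post, with the settings a practitioner would change: a default-deny inbound policy, and an explicit SSH rule for the management network applied before the firewall is enabled so the Ansible control host is never locked out. It assumes the Pi_Collection group and the 192.168.0.0/24 LAN from the post, SSH on port 22, and the community.general collection (where the ufw module now lives); the variable name mgmt_net and the rule comment are mine.

```yaml
# Added example, not from the original post. Same install as above, but with a
# default-deny inbound policy and an explicit SSH rule for the management
# network applied BEFORE the firewall is enabled, so Ansible is not locked out.
# Assumes the Pi_Collection group, the LAN 192.168.0.0/24 and SSH on port 22.
- hosts: Pi_Collection
  become: yes
  vars:
    mgmt_net: 192.168.0.0/24
  tasks:
    - name: Install UFW
      ansible.builtin.apt:
        name: ufw
        state: present
        update_cache: yes

    - name: Log dropped packets
      community.general.ufw:
        logging: "on"            # quoted: a bare on is YAML for true

    - name: Allow SSH from the management network only
      community.general.ufw:
        rule: allow
        proto: tcp
        port: "22"
        src: "{{ mgmt_net }}"
        comment: ansible mgmt ssh

    - name: Default deny for anything inbound not matched above
      community.general.ufw:
        policy: deny
        direction: incoming

    - name: Default allow outbound
      community.general.ufw:
        policy: allow
        direction: outgoing

    - name: Enable UFW (rules and policies are already in place)
      community.general.ufw:
        state: enabled

    - name: Show the resulting rule set
      ansible.builtin.command: ufw status verbose
      register: ufw_status
      changed_when: false

    - name: Print the rule set
      ansible.builtin.debug:
        var: ufw_status.stdout_lines
```

Any other service a Pi offers (a web server, MQTT, and so on) now needs its own allow rule, which is the point: exposure becomes an explicit list rather than whatever happens to be listening. If SSH must also be reachable from outside the management network, use rule: limit for port 22 so UFW rate-limits repeated connection attempts.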

And Ansible can then be used to check the status of the firewall using ansible Pi_Collection -m shell -a "ufw status" -b. Note that policy: allow in the last task means the firewall is enabled and logging but still accepts every inbound connection; the Allow Local Traffic rule only has an effect once the default policy is deny, and at that point SSH from your management network must be allowed before the firewall is enabled or Ansible locks itself out.

Image: Ansible shell to check UFW status