
This is a good example of how to respond to an issue with Ansible to ensure that your infrastructure is secure and that the measures you take are consistent across your inventory and are documented.

See the full article here for more details.

The example I am using is an issue that cropped up in the Logwatch report for one of our servers. Logwatch is a utility that scans your logs for patterns that may indicate malicious activity. It is commonly used in partnership with Fail2Ban and iptables to ward off common attacks. In this case the line in the log was:

Connection attempts using mod_proxy:
   1.164.40.29 -> mx3.mail2000.com.tw:25: 1 Time(s)

This indicates that someone is attempting to use the server as a forward proxy to connect to a remote mail server. The required plan to mitigate this is:

  1. ensure that none of the proxy modules are enabled on the server
  2. limit the use of the CONNECT verb in Apache

So using Ansible we can do the following:

  1. Provide a list of modules we always want to see disabled on a server and create a task that will ensure they are disabled.
  2. Provide a default configuration file on the server to limit use of the CONNECT verb and create a task that puts that in the correct place and restarts the web server. Note that the examples will require adaptation for some distros (e.g. CentOS) and will require a handler for the Apache restart. In most cases these would be additions to your existing playbook for controlling your web servers.

Refs: I originally came across this in a non-Ansible approach at http://www.davekb.com/browse_computer_tips:logwatch_connection_attempts_using_mod_proxy:txt

---
- hosts: webservers
  become: true  # module and config changes need root
  vars:
    apache_mods_disabled:
      - proxy
      - proxy_ftp
      - proxy_http
      - proxy_connect
  tasks:
    - name: Apache | Disable Apache Mods
      apache2_module:
        name: "{{ item }}"
        state: absent
      # a bare variable name in with_items is rejected by Ansible 2.x; template it
      with_items: "{{ apache_mods_disabled }}"
      notify: restart apache
    - name: Apache | Limit Connect verb
      template:
        src: apache_conf_connect.j2
        dest: /etc/apache2/conf.d/proxy_connect.conf
      notify: restart apache
  # The handler the description says you must supply; service name assumes Debian/Ubuntu
  handlers:
    - name: restart apache
      service:
        name: apache2
        state: restarted
# apache_conf_connect.j2 (rendered to /etc/apache2/conf.d/proxy_connect.conf)
# {{ ansible_managed }}
# Order/Deny are Apache 2.2 directives; on 2.4 without mod_access_compat use "Require all denied"
<Location />
    <Limit CONNECT>
        Order deny,allow
        Deny from all
    </Limit>
</Location>
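As an added example, not part of the gist: a Python detector that does over raw Apache access-log lines what the Logwatch section above summarises, and also reports the HTTP status of each attempt, so the same script confirms that CONNECT is refused once the playbook's <Limit CONNECT> rule is in place. The log lines are constructed samples.

```python
"""Flag forward-proxy abuse attempts (CONNECT or absolute-URI requests) in
Apache access-log lines and summarise them in the Logwatch style above,
adding the response status so the report shows whether the request was
served (2xx: the host acted as an open proxy) or refused (e.g. 403)."""
import re
from collections import Counter

# Apache "combined" log format: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})\b'
)

# Constructed sample lines (not from the gist or any real server). 203.0.113.9
# tries the same CONNECT three times; the third is after <Limit CONNECT> landed.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Mar/2015:02:11:05 +0000] "CONNECT mx3.mail2000.com.tw:25 HTTP/1.1" 200 - "-" "-"',
    '203.0.113.9 - - [10/Mar/2015:02:11:09 +0000] "CONNECT mx3.mail2000.com.tw:25 HTTP/1.1" 200 - "-" "-"',
    '203.0.113.9 - - [11/Mar/2015:02:11:09 +0000] "CONNECT mx3.mail2000.com.tw:25 HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.4 - - [10/Mar/2015:02:12:41 +0000] "GET http://example.net/ HTTP/1.1" 200 512 "-" "curl/7.35.0"',
    '192.0.2.77 - - [10/Mar/2015:02:13:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    'not an access-log line at all',
]

def is_proxy_attempt(method, target):
    """CONNECT only makes sense to a proxy; an absolute URI as the request
    target (GET http://host/...) is the forward-proxy form of a normal request."""
    return method == "CONNECT" or re.match(r'[a-z][a-z0-9+.-]*://', target) is not None

def find_proxy_attempts(lines):
    """Count proxy-style requests, keyed by (source IP, target, HTTP status)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than guess
        if is_proxy_attempt(m["method"], m["target"]):
            hits[(m["src"], m["target"], int(m["status"]))] += 1
    return hits

def format_report(hits):
    """Render like Logwatch's 'Connection attempts using mod_proxy' section."""
    out = ["Connection attempts using mod_proxy:"]
    for (src, target, status), n in sorted(hits.items()):
        verdict = "served - open proxy!" if 200 <= status < 300 else f"refused ({status})"
        out.append(f"   {src} -> {target}: {n} Time(s) [{verdict}]")
    return "\n".join(out)

if __name__ == "__main__":
    print(format_report(find_proxy_attempts(SAMPLE_LOG)))
```

Run it against a real access log with `find_proxy_attempts(open("/var/log/apache2/access.log"))`; any "served" line after the playbook has run means a proxy module is still loaded or the config was not picked up.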