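{
  # Top-level service configuration. "profiles" holds the step-up
  # authentication chain drawn in the box below; the remaining keys
  # configure the OpenVPN hook, the HTTPS endpoint and the notification
  # mails. Secret values (bindPw, masterSecrets) are redacted on this copy.
  profiles:
  {
    ###################################################################
    ### Security Model                                              ###
    ###                                                             ###
    ###              +-1-> CONTRACT                                 ###
    ###              |                        +---5---> DATACENTER  ###
    ### start-here --+                        |                     ###
    ###              +-2-> CORP -----4------> DEV -6---> ADMINS     ###
    ###              |                        ^                     ###
    ###              3                        4                     ###
    ###              |                        |                     ###
    ###              +--> IT-AND-SEC ---------+                     ###
    ###                                                             ###
    ### CORP/IT-AND-SEC have the same IPs but not the API access    ###
    ### ADMINS/DATACENTER have the same IPs but not the API access  ###
    ###                                                             ###
    ### at each step:                                               ###
    ###   attributes[0] must match validGroups                      ###
    ###   attributes[1] is the login for the next security checks   ###
    ###   attributes[2] is used as a salt for mfa generation        ###
    ###                                                             ###
    ### Security Checks:                                            ###
    ###                                                             ###
    ### 1/2: check AD groups and password. get mail address         ###
    ### 3: user must be in some AD security group (IT or SEC)       ###
    ### 4: mail must be in infra LDAP. User must have a ssh key     ###
    ### 5: user must be in the datacenter group in infra ldap       ###
    ### 6: user must be in the infra/net groups in infra ldap       ###
    ###                                                             ###
    ### mfa setup is set according the mfa attribute of the final   ###
    ### group reached                                               ###
    ###                                                             ###
    ###################################################################

    # Step 1: external accounts (Users_External OU), checked directly
    # against the office AD. The only profile that defines "routes".
    CONTRACT:
    {
      servers: [ "dc-11.office.daily","dc-12.office.daily","dc-13.office.daily" ]
      baseDN: "ou=Users_External,OU=Dailymotion,DC=office,DC=daily",
      bindCn: "CN=VPN Service,OU=Services,OU=Dailymotion,DC=office,DC=daily",
      # Plaintext bind credential, redacted here.
      bindPw: "********************",
      # "%s" receives the login presented for this step.
      # NOTE(review): confirm the loader LDAP-filter-escapes the substituted
      # value; this file cannot guarantee it.
      searchFilter: "(&(sAMAccountName=%s))"
      # [0] group membership, [1] login for the next step, [2] mfa salt
      attributes: [ "memberOf", "mail", "extensionAttribute8" ]
      validGroups:
      [
        "CN=SEC_VPN_Users_External,OU=Security,OU=Groups,OU=Dailymotion,DC=office,DC=daily",
      ]
      mfa: "internal"
      # NOTE(review): only this range has spaces around "-"; the other
      # profiles write "a-b". Confirm the range parser accepts both forms.
      IPRange: "192.168.207.1 - 192.168.207.254",
      # Per-host (255.255.255.255 mask) route entries for this profile.
      routes:
      [
        "10.189.10.9 255.255.255.255",
        "10.190.32.2 255.255.255.255",
        "10.190.32.20 255.255.255.255",
        "10.190.22.1 255.255.255.255",
        "10.190.22.2 255.255.255.255",
        "188.65.124.35 255.255.255.255",
        "195.8.215.129 255.255.255.255",
        "195.8.215.140 255.255.255.255",
        "10.190.52.100 255.255.255.255",
        "10.190.62.150 255.255.255.255",
      ]
    }

    # Step 2: regular corporate accounts, checked against the office AD.
    # Starting profile of the HTTP endpoint (see http.startAuth below).
    CORP:
    {
      servers: [ "dc-11.office.daily","dc-12.office.daily","dc-13.office.daily" ]
      baseDN: "OU=Dailymotion,DC=office,DC=daily",
      bindCn: "CN=VPN Service,OU=Services,OU=Dailymotion,DC=office,DC=daily",
      # Plaintext bind credential, redacted here.
      bindPw: "********************",
      # "%s" receives the login presented for this step (see CONTRACT note).
      searchFilter: "(&(sAMAccountName=%s))"
      attributes: [ "memberOf", "mail", "extensionAttribute8" ]
      validGroups:
      [
        "CN=SEC_VPN,OU=Security,OU=Groups,OU=Dailymotion,DC=office,DC=daily",
      ]
      # Empty: no mfa for a session that stops at this profile.
      mfa: ""
      IPRange: "192.168.201.1-192.168.203.254"
    }

    # Step 3: IT / Security staff. Reached only from CORP (upgradeFrom);
    # the login is now the mail address obtained at step 2, hence the
    # different searchFilter. Same address range as CORP.
    IT-AND-SEC:
    {
      servers: [ "dc-11.office.daily","dc-12.office.daily","dc-13.office.daily" ]
      baseDN: "OU=Dailymotion,DC=office,DC=daily",
      bindCn: "CN=VPN Service,OU=Services,OU=Dailymotion,DC=office,DC=daily",
      # Plaintext bind credential, redacted here.
      bindPw: "********************",
      searchFilter: "(&(mail=%s))"
      attributes: [ "memberOf", "mail", "extensionAttribute8" ]
      upgradeFrom: [ "CORP" ]
      validGroups:
      [
        "CN=IT-Office,OU=Security,OU=Groups,OU=Dailymotion,DC=office,DC=daily",
        "CN=Security,OU=Security,OU=Groups,OU=Dailymotion,DC=office,DC=daily",
      ]
      mfa: ""
      IPRange: "192.168.201.1-192.168.203.254"
    }

    # Step 4: infra LDAP lookup by mail. Reached from CORP or IT-AND-SEC.
    # No validGroups here: attributes[0] ("description") is what the
    # DATACENTER / ADMINS steps match, and "sshPublicKey" must be present.
    DEV:
    {
      servers: [ "ldap-auth.vip.dailymotion.com" ]
      baseDN: "dc=dailymotion,dc=com"
      bindCn: "cn=readonly,dc=dailymotion,dc=com"
      # Plaintext bind credential, redacted here.
      bindPw: "**********"
      searchFilter: "(&(mail=%s))"
      attributes: [ "description", "sshPublicKey" ]
      upgradeFrom: [ "CORP", "IT-AND-SEC" ]
      mfa: ""
      IPRange: "192.168.204.1-192.168.206.254"
    }

    # Step 6: infra/net group members (matched against DEV's attributes).
    # Shares its IPRange with DATACENTER; API access differs (see header).
    ADMINS:
    {
      validGroups:
      [
        "infra",
        "net",
      ]
      upgradeFrom: [ "DEV" ]
      mfa: "internal"
      IPRange: "192.168.200.2-192.168.200.254"
    }

    # Step 5: datacenter group members (matched against DEV's attributes).
    DATACENTER:
    {
      validGroups:
      [
        "datacenter",
      ]
      upgradeFrom: [ "DEV" ]
      mfa: "internal"
      IPRange: "192.168.200.2-192.168.200.254"
    }
  }

  # Loopback-only listener used by the OpenVPN hook.
  openvpnPort: "127.0.0.1:4000"

  # HTTPS endpoint. startAuth / reqAuth must name keys of "profiles".
  http:
  {
    port: ":8443"
    ca: "/usr/local/share/ca-certificates/Dailymotion.crt"
    key: "/etc/ssl/private/server-key.pem"
    cert: "/etc/ssl/certs/server-bundle.pem"
    startAuth: "CORP"
    # Fixed: was "IP-AND-SEC", which is not a profile defined above; the
    # step-3 profile is "IT-AND-SEC".
    reqAuth: [ "ADMINS", "IT-AND-SEC" ]
  }

  cacheDir: "/var/run/openvpn/"
  authCa: "/usr/local/share/ca-certificates/Dailymotion.crt"
  # Redacted here.
  masterSecrets: [ "********************************" ]
  vpnLogUrl: "https://install.dm.gg/vpn-log.php"

  # Outgoing mail: relay, sender, and the address copied on breach notices.
  mailRelay: "mailrelay.dailymotion.com:25"
  mailFrom: "engineering-infra@dailymotion.com"
  ccPwnPassword: "security-incident-report@dailymotion.com"

  # Mail sent when a login used a password found in a breach corpus.
  # Go-template placeholders: .MailFrom .Mail .CcPwnPassword .Login
  pwnTemplate: "Mime-Version: 1.0;\nContent-Type: text/html; charset=\"ISO-8859-1\";\nContent-Transfer-Encoding: 7bit;\nFrom: {{.MailFrom}}\nSubject: [Dailymotion] Your current okta password is compromised\nTo: {{.Mail}}\nCc: {{.CcPwnPassword}}\n\n<html><body>Hello<br>\n<br>\nWe have detected that you recently connected to the dailymotion's corporate VPN with login {{.Login}} and a password which was part a password-related breach - possibly related to your own account on a third party website - and which is now widely known to hackers.<br>\n<br>\nPlease contact the security team and go to the Okta homepage to change your password immediately : <a href=\"https://dailymotion.okta.com\">https://dailymotion.okta.com</a>/<br>\n<br>\nIf you were using the same unsafe password anywhere else, you should change it everywhere and make sure you use a unique password for every service (password managers make this feasible).<br>\n<br>\nWe remind you that you should always keep your passwords strong and strictly unique, especially when it comes to your dailymotion accounts. A robust password can, for example, be generated using an easily remembered phrase and retaining certain letters: for example, the phrase \"a bird in the hand is worth two in the bush\" would give the password \"1bitH=2itB\" (this example must not be used as a password).<br>\n<br>\nRegards,<br>\n<br>\n--<br>\nThe Dailymotion Security Team</body></html>"

  # Mail sent on a connection from a not-yet-seen AS / location.
  # Go-template placeholders: .MailFrom .Mail .Login .Time .IP .AsName .CcPwnPassword
  newAsTemplate: "From: {{.MailFrom}}\nSubject: A new connection from you to the Dailymotion VPN\nTo: {{.Mail}}\n\nHello\n\nWe have detected a new connection to the vpn from {{.Login}}.\nIt was detected the {{.Time}} coming from the ip {{.IP}} ({{.AsName}}).\n\nIt's not the usual internet provider you connect to the Dailymotion VPN from.\nOr maybe it's the first time you use the VPN from this location.\n\nIf you think there is something suspicious, please contact {{.CcPwnPassword}}\nIf it's you who connected to the VPN, we are sorry for the spam. You won't receive another mail if you connect from this location.\n\nRegards,\n\n--\nThe Dailymotion Infra and Security Teams"
}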