commit
3cdc37f493
@ -0,0 +1,4 @@ |
||||
--- |
||||
# Variables listed here are applicable to all host groups |
||||
|
||||
username: "{{ lookup('env', 'USER') }}" |
@ -0,0 +1,7 @@ |
||||
--- |
||||
# This playbook installs and enables fail2ban with its default config. |
||||
|
||||
- name: Install fail2ban |
||||
ansible.builtin.apt: |
||||
name: fail2ban |
||||
state: present |
@ -0,0 +1,74 @@ |
||||
# Hardened SSHD config |
||||
# Reference: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04 |
||||
# See the sshd_config(5) manpage for details |
||||
|
||||
|
||||
## Authentication |
||||
|
||||
# Enable public key authentication |
||||
PubkeyAuthentication yes |
||||
|
||||
# Disable PAM (when enabled, it can improperly allow access to locked accounts) |
||||
# For more info, see https://arlimus.github.io/articles/usepam/ |
||||
UsePAM no |
||||
|
||||
# Disable password authentication |
||||
PasswordAuthentication no |
||||
|
||||
# Disable rhosts authentication |
||||
IgnoreRhosts yes |
||||
|
||||
# Disable challenge-response authentication |
||||
ChallengeResponseAuthentication no |
||||
|
||||
# Disable kerberos authentication |
||||
KerberosAuthentication no |
||||
|
||||
|
||||
## Login |
||||
|
||||
# Disable root login |
||||
PermitRootLogin no |
||||
|
||||
# Disallow empty passwords |
||||
PermitEmptyPasswords no |
||||
|
||||
# Set maximum authentication attempts, prevent brute-force attacks |
||||
MaxAuthTries 3 |
||||
|
||||
# Restrict authentication time between connect and auth |
||||
LoginGraceTime 20 |
||||
|
||||
# Use DNS hostname checking |
||||
UseDNS yes |
||||
|
||||
|
||||
## Security |
||||
|
||||
# Disable X11 forwarding |
||||
X11Forwarding no |
||||
|
||||
# Disable environment variable passing |
||||
PermitUserEnvironment no |
||||
|
||||
# Disable forwarding/tunneling |
||||
AllowAgentForwarding no |
||||
AllowTcpForwarding no |
||||
PermitTunnel no |
||||
|
||||
# Deny vulnerable SSH protocol 1 |
||||
Protocol 2 |
||||
|
||||
# Disable verbose ssh banner |
||||
DebianBanner no |
||||
|
||||
## Other features |
||||
|
||||
# Print motd after interactive login |
||||
PrintMotd yes |
||||
|
||||
|
||||
## Notes |
||||
|
||||
# Restricting user shell: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04#step-3-restricting-the-shell-of-a-user |
||||
# User-specific hardening: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04#step-4-advanced-hardening |
@ -0,0 +1,12 @@ |
||||
--- |
||||
# OpenSSH hardening handlers. |
||||
|
||||
- name: validate sshd config |
||||
ansible.builtin.command: "sshd -t" |
||||
listen: "reload sshd config" |
||||
|
||||
- name: restart sshd |
||||
ansible.builtin.service: |
||||
name: sshd |
||||
state: restarted |
||||
listen: "reload sshd config" |
@ -0,0 +1,9 @@ |
||||
--- |
||||
# This playbook installs a hardened OpenSSH server configuration and restarts |
||||
# the service. |
||||
|
||||
- name: install hardened OpenSSH server config |
||||
ansible.builtin.copy: |
||||
src: harden.conf |
||||
dest: /etc/ssh/sshd_config.d/harden.conf |
||||
notify: reload sshd config |
@ -0,0 +1,17 @@ |
||||
--- |
||||
# This playbook installs ufw, allows the OpenSSH profile, then starts the |
||||
# service. |
||||
|
||||
- name: install ufw |
||||
ansible.builtin.apt: |
||||
name: ufw |
||||
state: present |
||||
|
||||
- name: enable OpenSSH ufw profile |
||||
community.general.ufw: |
||||
rule: allow |
||||
name: OpenSSH |
||||
|
||||
- name: enable ufw |
||||
community.general.ufw: |
||||
state: enabled |
@ -0,0 +1,18 @@ |
||||
--- |
||||
# This playbook creates a sudo-enabled user matching the execution user's name. |
||||
|
||||
- name: create new user |
||||
ansible.builtin.user: |
||||
name: "{{ username }}" |
||||
groups: |
||||
- sudo |
||||
append: yes |
||||
|
||||
# Required to prevent user lockout because PAM will be disabled |
||||
- name: set impossible password for user |
||||
ansible.builtin.command: "usermod -p '*' {{ username }}" |
||||
|
||||
- name: copy ssh public key from host |
||||
ansible.posix.authorized_key: |
||||
user: "{{ username }}" |
||||
key: "{{ lookup('file', '/home/{{username}}/.ssh/id_rsa.pub') }}" |
@ -0,0 +1,9 @@ |
||||
--- |
||||
# Create new user (with username matching host's username) and allow sudo |
||||
# escalation without password. (because this new user will not have a password) |
||||
|
||||
- name: Include create user tasks |
||||
include_tasks: create-user.yml |
||||
|
||||
- name: Include passwordless sudo tasks |
||||
include_tasks: passwordless-sudo.yml |
@ -0,0 +1,9 @@ |
||||
--- |
||||
# This playbook modifies the sudoers config to allow passwordless sudo. |
||||
|
||||
- name: allow passwordless sudo for sudo group users |
||||
ansible.builtin.lineinfile: |
||||
path: /etc/sudoers |
||||
regexp: "^%sudo" |
||||
line: "%sudo\tALL=(ALL:ALL) NOPASSWD: ALL" |
||||
validate: "visudo -cf %s" |
@ -0,0 +1,34 @@ |
||||
--- |
||||
# This playbook sets up a new server by creating your user account, hardening |
||||
# OpenSSH's configuration, and installing ufw and fail2ban. |
||||
|
||||
- name: create user |
||||
hosts: all |
||||
remote_user: root |
||||
|
||||
roles: |
||||
- user |
||||
|
||||
- name: harden OpenSSH |
||||
hosts: all |
||||
remote_user: "{{ username }}" |
||||
become: yes |
||||
|
||||
roles: |
||||
- harden-openssh |
||||
|
||||
- name: install ufw |
||||
hosts: all |
||||
remote_user: "{{ username }}" |
||||
become: yes |
||||
|
||||
roles: |
||||
- ufw |
||||
|
||||
- name: install fail2ban |
||||
hosts: all |
||||
remote_user: "{{ username }}" |
||||
become: yes |
||||
|
||||
roles: |
||||
- fail2ban |
Loading…
Reference in new issue