
Security

Auto Documentation

Documentation Generated with Python on 2021-04-03

Default Variables

---
# Default variables for the security role; every value can be overridden
# from the playbook. The sshd option values are kept as quoted strings on
# purpose: the ones used by ssh-config.yml are written verbatim into
# sshd_config, where "no" must stay the word "no", not a YAML boolean.

# --- sshd ----------------------------------------------------------------
# Listen port; also the first entry of the UFW allow list at the bottom.
security_ssh_port: '22'
security_ssh_password_authentication: 'no'
security_ssh_permit_root_login: 'no'
security_ssh_usedns: 'no'
security_ssh_permit_empty_password: 'no'
security_ssh_challenge_response_auth: 'no'
security_ssh_gss_api_authentication: 'no'
security_ssh_x11_forwarding: 'no'
# Service state enforced by ssh-config.yml, and the state the restart
# handler is expected to apply (handler not shown here).
security_sshd_state: started
security_ssh_restart_handler_state: restarted

# Path of the sshd configuration file and the service unit name.
security_ssh_config_path: /etc/ssh/sshd_config
security_sshd_name: ssh

# --- sudo ----------------------------------------------------------------
# Account names to add to /etc/sudoers without / with a password prompt.
# An empty list leaves sudoers untouched.
security_sudoers_passwordless: []
security_sudoers_passworded: []

# --- unattended upgrades --------------------------------------------------
security_autoupdate_enabled: true
security_autoupdate_blacklist: []

# Reboot and mail settings for unattended-upgrades, Debian/Ubuntu only.
# Kept as strings; presumably substituted into the apt configuration
# templates rendered by auto-update.yml.
security_autoupdate_reboot: 'false'
security_autoupdate_reboot_time: '03:00'
security_autoupdate_mail_to: ''
security_autoupdate_mail_on_error: true

# --- fail2ban --------------------------------------------------------------
security_fail2ban_enabled: true
security_fail2ban_custom_configuration_template: 'jail.local.j2'

# --- ufw -------------------------------------------------------------------
# Ports intended to be allowed by firewall.yml before UFW is enabled.
# NOTE: the variable name is spelled "securit_" (no trailing "y") and
# firewall.yml references it with the same spelling; rename both or neither.
securit_ufw_allowed_ports:
  - '{{ security_ssh_port }}'
  - '443'
  - '80'

Tasks

main.yml

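# Role entry point: install the Python tooling, then pull in the feature
# task files in the order listed.
- name: ensure python packages are installed
  apt:
    name:
      - python3-pip
      - python3-venv
    update_cache: true
  become: true

# `include` has been deprecated since Ansible 2.4 and is removed from
# current ansible-core; import_tasks is the static equivalent for plain,
# untemplated file names like these.
- import_tasks: firewall.yml
- import_tasks: auto-update.yml
- import_tasks: fail2ban.yml
- import_tasks: ssh-config.yml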

ssh-config.yml

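---
# Harden sshd and manage /etc/sudoers entries. Every task escalates with
# `become`, matching the other task files of this role; the original
# relied on the play being privileged already.
- name: Ensure SSH daemon is running.
  become: true
  service:
    name: "{{ security_sshd_name }}"
    state: "{{ security_sshd_state }}"

# Each entry replaces the first line matching `regexp` or appends `line`.
# `validate` runs sshd in test mode against the candidate file, so a bad
# value is rejected before it can leave the daemon unable to start.
# Only the uncommented entries are enforced: the commented ones have
# matching defaults in defaults/main.yml but are NOT applied, so
# PasswordAuthentication, Port, UseDNS, PermitEmptyPasswords,
# GSSAPIAuthentication and X11Forwarding keep whatever the host already
# has. Uncomment them deliberately — changing Port or
# PasswordAuthentication on a live host can cut off your own access.
- name: Update SSH configuration to be more secure.
  become: true
  lineinfile:
    dest: "{{ security_ssh_config_path }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    validate: "sshd -T -f %s"
    mode: "0644"  # quoted: an unquoted 0644 is read by YAML as the integer 420
  with_items:
    # - regexp: "^PasswordAuthentication"
    #   line: "PasswordAuthentication {{ security_ssh_password_authentication }}"
    - regexp: "^PermitRootLogin"
      line: "PermitRootLogin {{ security_ssh_permit_root_login }}"
    # - regexp: "^Port"
    #   line: "Port {{ security_ssh_port }}"
    # - regexp: "^UseDNS"
    #   line: "UseDNS {{ security_ssh_usedns }}"
    # - regexp: "^PermitEmptyPasswords"
    #   line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}"
    - regexp: "^ChallengeResponseAuthentication"
      line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}"
    # - regexp: "^GSSAPIAuthentication"
    #   line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}"
    # - regexp: "^X11Forwarding"
    #   line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
  notify: restart ssh

# /etc/sudoers must be mode 0440: sudo rejects the file when it is
# readable by others ("is mode 0644, should be 0440"), which would break
# sudo for everyone on the host. The previous mode: 0644 did exactly that.
# `validate` checks syntax only, not permissions.
# The regexp requires whitespace after the account name so that "bob"
# cannot match (and overwrite) an existing "bobby" entry.
- name: Add configured user accounts to passwordless sudoers.
  become: true
  lineinfile:
    dest: /etc/sudoers
    regexp: '^{{ item }}\s'
    line: "{{ item }} ALL=(ALL) NOPASSWD: ALL"
    state: present
    validate: "visudo -cf %s"
    mode: "0440"
  with_items: "{{ security_sudoers_passwordless }}"
  when: security_sudoers_passwordless | length > 0

- name: Add configured user accounts to passworded sudoers.
  become: true
  lineinfile:
    dest: /etc/sudoers
    regexp: '^{{ item }}\s'
    line: "{{ item }} ALL=(ALL) ALL"
    state: present
    validate: "visudo -cf %s"
    mode: "0440"
  with_items: "{{ security_sudoers_passworded }}"
  when: security_sudoers_passworded | length > 0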

fail2ban.yml

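# Install, configure and start fail2ban.
# NOTE: defaults/main.yml declares security_fail2ban_enabled, but nothing
# visible in this file checks it — these tasks run unconditionally.
- name: Install fail2ban (Debian).
  become: true  # package installation needs root; was missing while the other tasks here escalate
  package:
    name: fail2ban
    state: present
  when: ansible_os_family == 'Debian'

# Renders the jail template named by security_fail2ban_custom_configuration_template.
# No handler is notified, so a changed jail.local only takes effect on the
# next restart of the service — the task below ensures it is running but
# does not restart it.
- name: Copy fail2ban custom configuration file into place.
  become: true
  template:
    src: "{{ security_fail2ban_custom_configuration_template }}"
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: "0644"  # quoted: an unquoted 0644 is read by YAML as the integer 420

- name: Ensure fail2ban is running and enabled on boot.
  become: true
  service:
    name: fail2ban
    state: started
    enabled: true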

firewall.yml

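# Open the configured ports, then enable UFW. Order matters: UFW's default
# incoming policy is deny, so enabling it before the SSH port is allowed
# drops the control connection of the running play.
- name: Enable Allowed Ports List
  become: true
  community.general.ufw:
    rule: allow
    # Was hard-coded to "80": the loop variable was never used, so the SSH
    # port and 443 from securit_ufw_allowed_ports were never opened.
    port: "{{ item }}"
  loop: "{{ securit_ufw_allowed_ports }}"

# Only switches the firewall on; no allow-all rule is created here, the
# default policies stay in effect.
- name: Allow everything and enable UFW
  become: true
  community.general.ufw:
    state: enabled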

auto-update.yml

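# Install unattended-upgrades and drop the apt periodic configuration in
# place. Both tasks run on every host: unlike the fail2ban install there
# is no ansible_os_family guard, and security_autoupdate_enabled from
# defaults/main.yml is not checked anywhere visible in this file.
- name: Install unattended upgrades package.
  become: true
  package:
    name: unattended-upgrades
    state: present

# Each item names both the template (<item>.j2) and the target file under
# /etc/apt/apt.conf.d/.
- name: Copy unattended-upgrades configuration files in place.
  become: true
  template:
    src: "{{ item }}.j2"
    dest: "/etc/apt/apt.conf.d/{{ item }}"
    owner: root
    group: root
    mode: "0644"  # quoted: an unquoted 0644 is read by YAML as the integer 420
  with_items:
    - 10periodic
    - 50unattended-upgrades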