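# Tasks: baseline hardening for Debian/Ubuntu hosts — snap removal, MOTD
# cleanup, root-only cron/at, sshd configuration and host keys, unattended
# upgrades, ufw and fail2ban.
# Relies on gathered facts (ansible_facts.*, ansible_date_time) and on root
# privileges (become) from the enclosing play, which is not visible here; the
# fail2ban/ufw/unattended-upgrades packages are assumed to be installed by an
# earlier task — confirm.
- name: fail if system is not debian/ubuntu
  ansible.builtin.assert:
    that: "'debian' in ansible_facts.os_family.lower() or 'ubuntu' in ansible_facts.distribution.lower()"
    fail_msg: "this playbook supports only debian-based systems"

- name: remove snap and snapd
  ansible.builtin.apt:
    name:
      - snap
      - snapd
    state: absent
    purge: true

- name: clean apt cache
  ansible.builtin.apt:
    autoclean: true  # canonical boolean spelling (was `yes`)

- name: clear /etc/issue and /etc/motd
  ansible.builtin.copy:
    content: ""
    dest: "{{ item }}"
  loop:
    - /etc/issue
    - /etc/motd

- name: check if /etc/update-motd.d directory exists
  ansible.builtin.stat:
    path: /etc/update-motd.d
  register: motd_dir

- name: find files in /etc/update-motd.d
  ansible.builtin.find:
    paths: /etc/update-motd.d
    file_type: file
  register: motd_files
  when: motd_dir.stat.exists

- name: remove execute permissions from all files in /etc/update-motd.d
  ansible.builtin.file:
    path: "{{ item.path }}"
    mode: "u-x,g-x,o-x"
  # `loop` is templated before `when` is checked; if the find task above was
  # skipped, motd_files carries no `files` key and the play would error out,
  # so fall back to an empty list.
  loop: "{{ motd_files.files | default([]) }}"
  when: motd_dir.stat.exists

- name: enforce root-only cron/at
  ansible.builtin.file:
    path: "{{ item }}"
    state: touch
    owner: root
    group: root
    mode: "0600"
    # `touch` bumps the timestamps on every run; preserving them keeps the
    # task idempotent once owner/group/mode are already correct.
    modification_time: preserve
    access_time: preserve
  loop:
    - /etc/cron.allow
    - /etc/at.allow

- name: remove deny files for cron and at
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/cron.deny
    - /etc/at.deny

- name: backup sshd_config
  # NOTE(review): the timestamped destination creates a fresh backup and
  # reports "changed" on every run; `backup: true` on the hardening task
  # below would only back up when the content actually changes.
  ansible.builtin.copy:
    src: /etc/ssh/sshd_config
    dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}"
    remote_src: true

- name: harden sshd_config
  # The file is replaced wholesale. Review notes on the content (left
  # byte-identical so behaviour does not change silently):
  # - `PermitRootLogin yes` contradicts the hardening intent; `prohibit-password`
  #   or `no` is the usual value once a non-root admin account exists.
  # - `ClientAliveCountMax 0` disables idle disconnection on OpenSSH 8.2+
  #   instead of enforcing it; a value >= 1 together with ClientAliveInterval
  #   gives an idle timeout — confirm against the target's sshd_config(5).
  # - `PasswordAuthentication` is not set, so the distribution default applies.
  # - `Protocol 2` and `ChallengeResponseAuthentication` are accepted but
  #   obsolete on current OpenSSH releases.
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config
    # Reject an unparsable config before it is installed so a typo cannot
    # leave the host without a working ssh daemon after the restart.
    validate: /usr/sbin/sshd -t -f %s
    content: |
      Port 22
      Banner /etc/issue
      UsePAM yes
      Protocol 2
      Subsystem sftp /usr/lib/openssh/sftp-server
      LogLevel verbose
      PrintMotd no
      AcceptEnv LANG LC_*
      MaxSessions 5
      StrictModes yes
      Compression no
      MaxAuthTries 3
      IgnoreRhosts yes
      PrintLastLog yes
      AddressFamily inet
      X11Forwarding no
      PermitRootLogin yes
      AllowTcpForwarding no
      ClientAliveInterval 1200
      AllowAgentForwarding no
      PermitEmptyPasswords no
      ClientAliveCountMax 0
      GSSAPIAuthentication no
      KerberosAuthentication no
      IgnoreUserKnownHosts yes
      PermitUserEnvironment no
      ChallengeResponseAuthentication no
      MACs hmac-sha2-512,hmac-sha2-256
      Ciphers aes128-ctr,aes192-ctr,aes256-ctr
  # Previously only the host-key task notified the handler, so a config-only
  # change was not applied until something else restarted sshd.
  notify: restart ssh

- name: regenerate SSH host keys
  # NOTE(review): `creates` points at the ed25519 key, which stock Debian/
  # Ubuntu installs already ship, so on such hosts this task is skipped and
  # the keys are never regenerated. If regeneration is intended (e.g. cloned
  # images), guard on a dedicated marker file written after keygen instead.
  ansible.builtin.shell: |
    rm -f /etc/ssh/ssh_host_*key*
    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
    ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
  args:
    creates: /etc/ssh/ssh_host_ed25519_key
  notify: restart ssh

- name: enable unattended-upgrades
  # NOTE(review): 50unattended-upgrades is shipped by the package itself, so
  # this guard is likely already satisfied and dpkg-reconfigure never runs;
  # the file it writes is 20auto-upgrades, and without a tty `-f noninteractive`
  # is the usual frontend — confirm on a target host.
  ansible.builtin.shell: dpkg-reconfigure --priority=low unattended-upgrades
  args:
    creates: /etc/apt/apt.conf.d/50unattended-upgrades

- name: enable unattended-upgrades service
  ansible.builtin.systemd:
    name: unattended-upgrades
    enabled: true
    state: started

- name: disable ipv6 in grub
  # NOTE(review): this replaces the whole GRUB_CMDLINE_LINUX line and drops
  # any kernel parameters the host already had; use a capturing regexp that
  # appends ipv6.disable=1 if other options must survive.
  ansible.builtin.lineinfile:
    path: /etc/default/grub
    regexp: '^GRUB_CMDLINE_LINUX='
    line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"'
  notify: update grub

- name: allow ssh port and enable ufw
  # Only the allow rule is added here; the next task enables the firewall.
  # The port must match `Port 22` in the sshd config above. `ufw` is the
  # community.general module; short name kept as in the original.
  ufw:
    rule: allow
    port: "22"  # quoted: the module takes a string, and all-digit values are int-typed otherwise
    proto: tcp

- name: enable ufw
  ufw:
    state: enabled
    policy: deny

- name: deploy custom fail2ban jail.local
  ansible.builtin.template:
    src: templates/jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: "0644"
  # NOTE(review): a restart already loads the new jails, so the reload
  # handler after it is presumably redundant — verify against the handlers.
  notify:
    - restart fail2ban
    - reload fail2ban

- name: enable and start fail2ban
  ansible.builtin.systemd:
    name: fail2ban
    enabled: true
    state: started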