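# Debian/Ubuntu host hardening tasks: package cleanup, banner/motd, cron/at
# access control, sshd, unattended upgrades, IPv6 off in grub, ufw, fail2ban.
# Assumed to be included as a task file (no play header is shown); the
# service restarts only run where ansible_service_mgr reports systemd.

- name: remove snap and snapd
  apt:
    name:
      - snap
      - snapd
    state: absent
    purge: true

- name: clean apt cache
  apt:
    autoclean: true

- name: clear /etc/issue and /etc/motd
  # sshd below uses /etc/issue as its Banner, so the file stays present but empty.
  copy:
    content: ""
    dest: "{{ item }}"
  loop:
    - /etc/issue
    - /etc/motd

- name: check if /etc/update-motd.d directory exists
  stat:
    path: /etc/update-motd.d
  register: motd_dir

- name: find files in /etc/update-motd.d
  find:
    paths: /etc/update-motd.d
    file_type: file
  register: motd_files
  when: motd_dir.stat.exists

- name: remove execute permissions from all files in /etc/update-motd.d
  file:
    path: "{{ item.path }}"
    mode: 'u-x,g-x,o-x'
  # default([]) keeps the loop expression renderable when the find task was
  # skipped: a skipped register carries no .files key and the loop would error.
  loop: "{{ motd_files.files | default([]) }}"
  when: motd_dir.stat.exists

- name: enforce root-only cron/at
  # An existing but empty *.allow file restricts cron/at to root.
  file:
    path: "{{ item }}"
    state: touch
    owner: root
    group: root
    mode: '0600'
  loop:
    - /etc/cron.allow
    - /etc/at.allow

- name: remove deny files for cron and at
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/cron.deny
    - /etc/at.deny

- name: backup sshd_config
  copy:
    src: /etc/ssh/sshd_config
    dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}"
    remote_src: true

- name: harden sshd_config
  # NOTE(review): PermitRootLogin yes is kept because the page does not show how
  # Ansible connects; once key-based access for a non-root user is confirmed,
  # 'prohibit-password' or 'no' is the hardening value for this line.
  # ClientAliveCountMax was 0, which on OpenSSH >= 8.2 disables keepalive-based
  # termination altogether; 3 restores a dead-session cut-off (about 60 min at
  # interval 1200 -- tune to taste).
  # Protocol and ChallengeResponseAuthentication are legacy spellings that
  # current sshd still accepts (the latter as an alias for
  # KbdInteractiveAuthentication).
  copy:
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0644'
    # Refuse to install a config sshd cannot parse, so the restart below
    # cannot leave the host without a working sshd.
    validate: '/usr/sbin/sshd -t -f %s'
    content: |
      Port 22
      Banner /etc/issue
      UsePAM yes
      Protocol 2
      Subsystem sftp /usr/lib/openssh/sftp-server
      LogLevel verbose
      PrintMotd no
      AcceptEnv LANG LC_*
      MaxSessions 5
      StrictModes yes
      Compression no
      MaxAuthTries 3
      IgnoreRhosts yes
      PrintLastLog yes
      AddressFamily inet
      X11Forwarding no
      PermitRootLogin yes
      AllowTcpForwarding no
      ClientAliveInterval 1200
      AllowAgentForwarding no
      PermitEmptyPasswords no
      ClientAliveCountMax 3
      GSSAPIAuthentication no
      KerberosAuthentication no
      IgnoreUserKnownHosts yes
      PermitUserEnvironment no
      ChallengeResponseAuthentication no
      MACs hmac-sha2-512,hmac-sha2-256
      Ciphers aes128-ctr,aes192-ctr,aes256-ctr

- name: regenerate SSH host keys
  # NOTE(review): creates: skips this task whenever an ed25519 key already
  # exists, so a cloned image that carries one is never re-keyed; decide
  # explicitly when regeneration should run.
  # set -e makes a failed ssh-keygen fail the task instead of being masked by
  # the exit status of the last command.
  shell: |
    set -e
    rm -f /etc/ssh/ssh_host_*key*
    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
    ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
  args:
    creates: /etc/ssh/ssh_host_ed25519_key

- name: restart ssh
  systemd:
    name: ssh
    state: restarted
    enabled: true
  when: ansible_service_mgr == 'systemd'

- name: preseed unattended-upgrades to enable automatic updates
  # A non-interactive dpkg-reconfigure keeps the stored (or default) debconf
  # answer; set it first so the reconfigure below actually turns updates on.
  debconf:
    name: unattended-upgrades
    question: unattended-upgrades/enable_auto_updates
    vtype: boolean
    value: 'true'

- name: enable unattended-upgrades
  shell: dpkg-reconfigure --priority=low unattended-upgrades
  args:
    # 50unattended-upgrades is shipped by the package itself, so guarding on it
    # skipped this task on every host that has the package installed.
    # 20auto-upgrades is the file dpkg-reconfigure writes when enabling.
    creates: /etc/apt/apt.conf.d/20auto-upgrades
  environment:
    DEBIAN_FRONTEND: noninteractive

- name: restart unattended-upgrades
  systemd:
    name: unattended-upgrades
    state: restarted
    enabled: true
  when: ansible_service_mgr == 'systemd'

- name: disable ipv6 in grub
  # NOTE(review): this replaces the whole GRUB_CMDLINE_LINUX value and drops any
  # kernel parameters the host already had on that line.
  lineinfile:
    path: /etc/default/grub
    regexp: '^GRUB_CMDLINE_LINUX='
    line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"'
  register: grub_cmdline

- name: update grub
  command: update-grub
  # Rebuild grub.cfg only when the cmdline actually changed.
  when: grub_cmdline is changed

- name: allow ssh port in ufw
  # Must precede enabling ufw with a deny policy or the ssh session is cut.
  ufw:
    rule: allow
    port: 22
    proto: tcp

- name: enable ufw
  ufw:
    state: enabled
    policy: deny

- name: restart ufw
  systemd:
    name: ufw
    state: restarted
    enabled: true
  when: ansible_service_mgr == 'systemd'

- name: deploy custom fail2ban jail.local
  # templates/jail.local.j2 is not on this page; its contents are not reviewed here.
  template:
    src: templates/jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: '0644'

- name: restart fail2ban
  systemd:
    name: fail2ban
    state: restarted
    enabled: true
  when: ansible_service_mgr == 'systemd'

- name: reload fail2ban
  # Unconditional, so presumably the refresh path for non-systemd hosts; on
  # systemd hosts it is redundant with the restart above.
  command: fail2ban-client reload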