security additions

README.md

@@ -5,6 +5,9 @@ This Ansible Playbook is designed to provision a **Debian-based** server with th
 - Wordpress prerequisites (PHP modules, apache ssl/rewrite, imagemagick)
 - Apache configuration
 - Provisioning of SSL certificate
+- Sets up Firewalld
+- Sets up Fail2Ban
+- Hardens SSHD (public key only)
 ## Usage
 Modify the parameters in *vars.yml* and specify the host in *hosts.ini*, then run
 ```
@@ -13,7 +16,5 @@ ansible-playbook -i hosts.ini ./provision.yml
 Note: Root access through public key authentication must be setup on server prior.
 
 ## To-Do
-Setup provisioning of:
-- firewalld
-- fail2ban
+Provision FTP access?
 

provision.yml

@@ -4,6 +4,7 @@
   remote_user: root
   roles:
           - wordpress
+          - security
   vars_files:
           - ./vars.yml
 

roles/security/files/fail2ban.conf

@@ -0,0 +1,3 @@
+[sshd]
+enabled=true
+

roles/security/files/sshd.conf

@@ -0,0 +1,4 @@
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+UsePAM no
+

roles/security/handlers/main.yml

@@ -0,0 +1,17 @@
+- name: Restart FirewallD
+  service:
+          name: firewalld
+          state: restarted
+          enabled: yes
+
+- name: Restart Fail2Ban
+  service:
+          name: fail2ban
+          state: restarted
+          enabled: yes
+
+- name: Restart SSHD
+  service:
+          name: sshd
+          state: restarted
+          enabled: yes

roles/security/tasks/main.yml

@@ -0,0 +1,32 @@
+- name: Install FirewallD and Fail2Ban
+  apt:
+          name: firewalld, fail2ban
+          state: present
+
+- name: Copy FirewallD public.conf
+  notify: Restart FirewallD
+  template:
+          src: firewalld-public.conf
+          dest: /etc/firewalld/zones/public.xml
+          owner: root
+          group: root
+          mode: u=rw,g=r,o=r
+
+- name: Copy Fail2Ban conf
+  notify: Restart Fail2Ban
+  copy:
+          src: fail2ban.conf
+          dest: /etc/fail2ban/jail.d/server.conf
+          owner: root
+          group: root
+          mode: u=rw,g=r,o=r
+
+- name: Copy SSHD conf
+  notify: Restart SSHD
+  copy:
+          src: sshd.conf
+          dest: /etc/ssh/sshd_config.d/10-security.conf
+          owner: root
+          group: root
+          mode: u=rw,g=r,o=r
+

roles/security/templates/firewalld-public.conf

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  <short>Public</short>
+  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+  <service name="ssh"/>
+  <service name="dhcpv6-client"/>
+  {% for service in firewalld_public_services %}
+  <service name="{{ service }}"/>
+  {% endfor %}
+</zone>
+

vars.yml

@@ -13,3 +13,7 @@ letsencrypt_csrs_dir: /etc/letsencrypt/csrs
 letsencrypt_certs_dir: /etc/letsencrypt/certs
 letsencrypt_account_key: /etc/letsencrypt/account/account.key
 
+# FirewallD
+firewalld_public_services:
+        - https
+