security additions

3 years ago · 3bca425e49
8 changed files with 76 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -5,6 +5,9 @@ This Ansible Playbook is designed to provision a **Debian-based** server with th
 - Wordpress prerequisites (PHP modules, apache ssl/rewrite, imagemagick)
 - Apache configuration
 - Provisioning of SSL certificate
 - Sets up Firewalld
 - Sets up Fail2Ban
 - Hardens SSHD (public key only)
 ## Usage
 Modify the parameters in *vars.yml* and specify the host in *hosts.ini*, then run
 ```
@ -13,7 +16,5 @@ ansible-playbook -i hosts.ini ./provision.yml
 Note: Root access through public key authentication must be setup on server prior.
 ## To-Do
 Setup provisioning of:
 - firewalld
 - fail2ban
 Provision FTP access?
--- a/provision.yml
+++ b/provision.yml
@ -4,6 +4,7 @@
  remote_user: root
  roles:
          - wordpress
          - security
  vars_files:
          - ./vars.yml
--- a/roles/security/files/fail2ban.conf
+++ b/roles/security/files/fail2ban.conf
@ -0,0 +1,3 @@
 [sshd]
 enabled=true
--- a/roles/security/files/sshd.conf
+++ b/roles/security/files/sshd.conf
@ -0,0 +1,4 @@
 ChallengeResponseAuthentication no
 PasswordAuthentication no
 UsePAM no
--- a/roles/security/handlers/main.yml
+++ b/roles/security/handlers/main.yml
@ -0,0 +1,17 @@
 - name: Restart FirewallD
  service:
          name: firewalld
          state: restarted
          enabled: yes
 - name: Restart Fail2Ban
  service:
          name: fail2ban
          state: restarted
          enabled: yes
 - name: Restart SSHD
  service:
          name: sshd
          state: restarted
          enabled: yes
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@ -0,0 +1,32 @@
 - name: Install FirewallD and Fail2Ban
  apt:
          name: firewalld, fail2ban
          state: present
 - name: Copy FirewallD public.conf
  notify: Restart FirewallD
  template:
          src: firewalld-public.conf
          dest: /etc/firewalld/zones/public.xml
          owner: root
          group: root
          mode: u=rw,g=r,o=r
 - name: Copy Fail2Ban conf
  notify: Restart Fail2Ban
  copy:
          src: fail2ban.conf
          dest: /etc/fail2ban/jail.d/server.conf
          owner: root
          group: root
          mode: u=rw,g=r,o=r
 - name: Copy SSHD conf
  notify: Restart SSHD
  copy:
          src: sshd.conf
          dest: /etc/ssh/sshd_config.d/10-security.conf
          owner: root
          group: root
          mode: u=rw,g=r,o=r
--- a/roles/security/templates/firewalld-public.conf
+++ b/roles/security/templates/firewalld-public.conf
@ -0,0 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  {% for service in firewalld_public_services %}
  <service name="{{ service }}"/>
  {% endfor %}
 </zone>
--- a/vars.yml
+++ b/vars.yml
@ -13,3 +13,7 @@ letsencrypt_csrs_dir: /etc/letsencrypt/csrs
 letsencrypt_certs_dir: /etc/letsencrypt/certs
 letsencrypt_account_key: /etc/letsencrypt/account/account.key
 # FirewallD
 firewalld_public_services:
        - https