security additions

master
Nareshkumar Rao 3 years ago
parent
commit
3bca425e49
  1. 7
      README.md
  2. 1
      provision.yml
  3. 3
      roles/security/files/fail2ban.conf
  4. 4
      roles/security/files/sshd.conf
  5. 17
      roles/security/handlers/main.yml
  6. 32
      roles/security/tasks/main.yml
  7. 11
      roles/security/templates/firewalld-public.conf
  8. 4
      vars.yml

7
README.md

@ -5,6 +5,9 @@ This Ansible Playbook is designed to provision a **Debian-based** server with th
- Wordpress prerequisites (PHP modules, apache ssl/rewrite, imagemagick) - Wordpress prerequisites (PHP modules, apache ssl/rewrite, imagemagick)
- Apache configuration - Apache configuration
- Provisioning of SSL certificate - Provisioning of SSL certificate
- Sets up Firewalld
- Sets up Fail2Ban
- Hardens SSHD (public key only)
## Usage ## Usage
Modify the parameters in *vars.yml* and specify the host in *hosts.ini*, then run Modify the parameters in *vars.yml* and specify the host in *hosts.ini*, then run
``` ```
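Review bot: the new bullet `Hardens SSHD (public key only)` should spell out that password and challenge-response logins are switched off for every account, not only root; the existing note below (`Root access through public key authentication must be setup on server prior`) only covers the account the playbook connects as, and a reader who still logs in with a password will be locked out the first time the security role runs. One sentence such as `Make sure key-based login works for every account you need before running the playbook` would do.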
@ -13,7 +16,5 @@ ansible-playbook -i hosts.ini ./provision.yml
Note: Root access through public key authentication must be setup on server prior. Note: Root access through public key authentication must be setup on server prior.
## To-Do ## To-Do
Setup provisioning of:
- firewalld
- fail2ban
Provision FTP access?
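Review bot: the remaining to-do `Provision FTP access?` sits oddly in a commit that hardens SSH: plain FTP carries credentials in clear text, while SFTP already comes with the sshd this role configures and needs no extra firewall opening (the public zone keeps `ssh`). Consider rewording it to `SFTP access` or dropping it.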

1
provision.yml

@ -4,6 +4,7 @@
remote_user: root remote_user: root
roles: roles:
- wordpress - wordpress
- security
vars_files: vars_files:
- ./vars.yml - ./vars.yml
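Review bot: `security` is listed after `wordpress`, so Apache, PHP and the certificate tooling are installed and reachable before firewalld and fail2ban exist. If the intent is that the host is never exposed unfiltered, move `- security` ahead of `- wordpress`; the firewall template keeps `ssh` open, so the connection used by `remote_user: root` survives the zone being applied, but the public zone would then also have to allow whatever the wordpress role needs during provisioning.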

3
roles/security/files/fail2ban.conf

@ -0,0 +1,3 @@
[sshd]
enabled=true
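Review bot: `[sshd]` / `enabled=true` is the entire jail definition, so backend, log path and ban timings all come from package defaults. On Debian releases that no longer install rsyslog there is no `/var/log/auth.log`, and with the default backend the sshd jail can fail to start for lack of a log file; adding `backend = systemd` under `[sshd]` makes it read the journal instead. Explicit `bantime`, `findtime` and `maxretry` values would also make the policy visible in the repository rather than inherited.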

4
roles/security/files/sshd.conf

@ -0,0 +1,4 @@
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
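Review bot: `UsePAM no` goes further than disabling password logins: it also skips the PAM session stack (pam_limits, pam_env, pam_systemd) for key-based logins, and Debian's shipped default is `UsePAM yes`. `PasswordAuthentication no` together with `ChallengeResponseAuthentication no` (spelled `KbdInteractiveAuthentication` in OpenSSH 8.7 and later) already gives public-key-only access, so consider dropping `UsePAM no`, and add `PermitRootLogin prohibit-password` so the policy for the root account the playbook uses is stated explicitly.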

17
roles/security/handlers/main.yml

@ -0,0 +1,17 @@
- name: Restart FirewallD
service:
name: firewalld
state: restarted
enabled: yes
- name: Restart Fail2Ban
service:
name: fail2ban
state: restarted
enabled: yes
- name: Restart SSHD
service:
name: sshd
state: restarted
enabled: yes
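Review bot: `enabled: yes` on all three handlers only takes effect when the handler fires, i.e. when a config file changed in that run; a host where the files are already in place never gets the services enabled. Move `enabled: yes` (and `state: started`) into the tasks file and keep the handlers to restarting. For sshd, `state: reloaded` is enough to pick up a changed config and is the smaller step on a host you are logged into; note also that on Debian the unit is `ssh` and `sshd` only works as an alias.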

32
roles/security/tasks/main.yml

@ -0,0 +1,32 @@
- name: Install FirewallD and Fail2Ban
apt:
name: firewalld, fail2ban
state: present
- name: Copy FirewallD public.conf
notify: Restart FirewallD
template:
src: firewalld-public.conf
dest: /etc/firewalld/zones/public.xml
owner: root
group: root
mode: u=rw,g=r,o=r
- name: Copy Fail2Ban conf
notify: Restart Fail2Ban
copy:
src: fail2ban.conf
dest: /etc/fail2ban/jail.d/server.conf
owner: root
group: root
mode: u=rw,g=r,o=r
- name: Copy SSHD conf
notify: Restart SSHD
copy:
src: sshd.conf
dest: /etc/ssh/sshd_config.d/10-security.conf
owner: root
group: root
mode: u=rw,g=r,o=r
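Review bot: the `Copy SSHD conf` task writes the drop-in and then triggers a restart without checking that it parses; a typo in sshd.conf restarts sshd into a failed state and cuts off the only path to the host. Add `validate: /usr/sbin/sshd -t -f %s` to that `copy` so a broken file is rejected before the handler runs. The destination `/etc/ssh/sshd_config.d/10-security.conf` also relies on `Include /etc/ssh/sshd_config.d/*.conf` being present in `/etc/ssh/sshd_config` (Debian 11 and later) and, because sshd keeps the first value it sees for an option, on that Include preceding any `PasswordAuthentication` line in the main file; worth a comment in the task. Style: `name: firewalld, fail2ban` is a string, and the documented form for `apt` is a YAML list (`- firewalld` / `- fail2ban`).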

11
roles/security/templates/firewalld-public.conf

@ -0,0 +1,11 @@
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
{% for service in firewalld_public_services %}
<service name="{{ service }}"/>
{% endfor %}
</zone>
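Review bot: the `{% for service in firewalld_public_services %}` loop has no guard for the variable being undefined, so a vars.yml without it fails the template; `{% for service in firewalld_public_services | default([]) %}` keeps the role usable on its own. Hard-coding `ssh` above the loop is the right call, since the playbook itself connects over SSH. Because the whole `public.xml` is replaced on every run, any service added on the host with `firewall-cmd --permanent` is erased on the next run; a comment in the file saying the zone is managed here would save someone a surprise.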

4
vars.yml

@ -13,3 +13,7 @@ letsencrypt_csrs_dir: /etc/letsencrypt/csrs
letsencrypt_certs_dir: /etc/letsencrypt/certs letsencrypt_certs_dir: /etc/letsencrypt/certs
letsencrypt_account_key: /etc/letsencrypt/account/account.key letsencrypt_account_key: /etc/letsencrypt/account/account.key
# FirewallD
firewalld_public_services:
- https
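Review bot: `firewalld_public_services` lists only `https`, so the public zone ends up with ssh, dhcpv6-client and 443. If the `letsencrypt_*` settings above drive an HTTP-01 challenge, port 80 has to be reachable for issuance and renewal, and plain-HTTP visitors get a connection refused instead of a redirect to HTTPS; add `- http` unless the certificate flow is DNS-based and no HTTP redirect is wanted.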
