wip
This commit is contained in:
parent
7123b8e719
commit
5f06a966aa
6 changed files with 194 additions and 0 deletions
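--- a/infra/example.inventory.ini
+++ b/infra/example.inventory.ini
@@ -0,0 +1,2 @@
+[vipy]
+your.vps.ip.here ansible_user=debian ansible_port=22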
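Review bot: `ansible_port=22` on the host line stops matching the target once infra/playbook.yml moves sshd to `ssh_port` (2222 in infra/vars.yml); the play's `set_fact: ansible_port` only lasts for the run that sets it, so a second run against this inventory cannot connect and looks like a lockout. A comment on the host line, `# after the first run, change ansible_port to the value of ssh_port in vars.yml`, would make that coupling visible to the next operator. The placeholder `your.vps.ip.here` is fine for an example, but nothing in the file says it has to be copied to a real inventory before use.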
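--- a/infra/playbook.yml
+++ b/infra/playbook.yml
@@ -0,0 +1,121 @@
+- name: Secure Debian VPS
+  hosts: vipy
+  vars_files:
+    - vars.yml
+  become: true
+
+  tasks:
+    - name: Update and upgrade apt packages
+      apt:
+        update_cache: yes
+        upgrade: full
+        autoremove: yes
+
+    - name: Create new user
+      user:
+        name: "{{ new_user }}"
+        groups: sudo
+        shell: /bin/bash
+        state: present
+        create_home: yes
+
+    - name: Set up SSH directory for new user
+      file:
+        path: "/home/{{ new_user }}/.ssh"
+        state: directory
+        mode: "0700"
+        owner: "{{ new_user }}"
+        group: "{{ new_user }}"
+
+    - name: Change SSH port and disable root login
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+        state: present
+        backrefs: yes
+      loop:
+        - { regexp: "^#?Port .*", line: "Port {{ ssh_port }}" }
+        - { regexp: "^#?PermitRootLogin .*", line: "PermitRootLogin no" }
+        - {
+            regexp: "^#?PasswordAuthentication .*",
+            line: "PasswordAuthentication no",
+          }
+
+    - name: Restart SSH
+      service:
+        name: ssh
+        state: restarted
+
+    - name: Set SSH port to new port
+      set_fact:
+        ansible_port: "{{ ssh_port }}"
+
+    - name: Install UFW
+      apt:
+        name: ufw
+        state: present
+
+    - name: Turn UFW off
+      ufw:
+        state: disabled
+
+    - name: Configure UFW default rules
+      ufw:
+        policy: deny
+        direction: incoming
+
+    - name: Allow outgoing traffic
+      ufw:
+        rule: allow
+        direction: outgoing
+
+    - name: Allow SSH port through UFW
+      ufw:
+        rule: allow
+        port: "{{ ssh_port }}"
+        proto: tcp
+        from_ip: "{{ allow_ssh_from if allow_ssh_from != 'any' else omit }}"
+
+    - name: Turn UFW on
+      ufw:
+        state: enabled
+
+    - name: Install fail2ban
+      apt:
+        name: fail2ban
+        state: present
+
+    - name: Ensure fail2ban is running
+      service:
+        name: fail2ban
+        enabled: yes
+        state: started
+
+    - name: Remove unnecessary services
+      apt:
+        name: "{{ item }}"
+        state: absent
+        purge: yes
+      loop:
+        - exim4
+        - apache2
+        - cups
+        - rpcbind
+        - nfs-common
+        - telnet
+        - ftp
+        - samba
+
+    - name: Install auditd
+      apt:
+        name:
+          - auditd
+          - audispd-plugins
+        state: present
+
+    - name: Enable and start auditd
+      service:
+        name: auditd
+        enabled: yes
+        state: started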
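Review bot: The "Change SSH port and disable root login" `lineinfile` task has no `validate:` and "Restart SSH" follows it immediately, so a malformed edit or a `ssh_port` that sshd cannot bind leaves the host with no working SSH at all; adding `validate: "sshd -t -f %s"` to that task makes the restart happen only on a config sshd accepts. The same task sets `backrefs: yes` although none of the `line` values contain a backreference, which means a directive missing from sshd_config is silently left unset instead of added — drop `backrefs` or keep it only where `line` actually uses `\1`. Nothing installs a public key for `new_user` before `PasswordAuthentication no` takes effect (the `.ssh` directory is created but no `authorized_key` task follows), so the new account is unreachable over SSH and only the existing `ansible_user` key keeps the play alive; an `authorized_key` task for `new_user` belongs between "Set up SSH directory for new user" and the sshd edit. On current Debian images `/etc/ssh/sshd_config` starts with an `Include` of `sshd_config.d/*.conf` and the first matching directive wins, so a drop-in there (cloud images often ship one for PasswordAuthentication) would override these edits — worth checking on the target before relying on them. The `yes` values for `update_cache`, `autoremove`, `create_home`, `enabled` and `purge` are booleans only under YAML 1.1 rules; `true` is the spelling that survives every loader.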
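--- a/infra/vars.yml
+++ b/infra/vars.yml
@@ -0,0 +1,3 @@
+new_user: counterweight
+ssh_port: 2222
+allow_ssh_from: "any"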
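Review bot: `allow_ssh_from: "any"` is the sentinel that makes the play omit `from_ip` on the UFW SSH rule, so the new port is reachable from every source by default, and nothing here records that a CIDR is the expected value for a real host. A comment above the key, `# source CIDR allowed to reach ssh_port; "any" (the default) opens it to all addresses`, documents the sentinel and the consequence. All three values are consumed as-is by infra/playbook.yml (`{{ new_user }}`, `{{ ssh_port }}`, `{{ allow_ssh_from }}`), so a one-line header saying this file is meant to be edited before the first run would also help.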