New server provisioning and hardening with Ansible
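---
# Provision and harden a fresh Debian/Ubuntu host: create a deploy user with
# key-only SSH access, install packages, enable unattended upgrades, set up
# ufw, and lock down sshd. Every task touches root-owned state, so the play
# needs root privileges on the target. sshd is moved to firewall_ssh_port at
# the end, so subsequent runs must connect on that port.
- hosts: all
  vars:
    # Password hashes are sha512-crypt (generate with mkpasswd --method=sha-512).
    # NOTE(review): the trailing comments record the plaintext for each hash —
    # keep this file out of version control, or move these values into
    # ansible-vault before committing.
    deploy_username: vivi
    deploy_user_password: '$6$09OkVQ6vcbd1$k5.V0M4369M77OwjaN8zulWjWQWl6/7V./BOmvEY4XaQXasIobhrHwkdzeOFrpsUunNP.yS.oQZr.ZHvIjXb81'  # v1v1
    root_user_password: '$6$tpxurhzMuV0drO$gaePtwj1QJc44jncbziUwtWiNDvWDJhR1iPlQq.WIz3rs59LqRSy2bFewG8YZCD7ACm03XpUsFSts0C8CawEE1'  # Pass12!!

    # Local paths of public keys granted SSH access to the deploy user
    # (one entry per key file).
    ssh_public_keys:
      - ./ssh-keys/deploy.key.pub

    # Packages to install.
    required_package_install:
      - sudo
      - vim
      - wget
      - curl
      - screen
      - lsof
      - man-db
      - locate
      - unattended-upgrades
      - ufw
      - fail2ban
      - zip
      - unzip
      - apt-transport-https
      - git
      - ca-certificates
      - python
      - python-pip
      - python3
      - python3-pip

    # Source addresses (VPN egress) allowed to reach SSH and the limited ports,
    # one entry per address.
    # NOTE(review): 1.2.3.4 is a placeholder — fill in the real addresses before
    # running, otherwise the new SSH port is unreachable once the play finishes.
    firewall_vpn_ips:
      - 1.2.3.4

    # Port sshd listens on after the play. Port 22 is never opened in ufw.
    firewall_ssh_port: 12345

    # Ports reachable only from firewall_vpn_ips.
    firewall_limited_ports:
      - 7443

    # Ports reachable from any address.
    firewall_allow_ports:
      - 80
      - 443
      - 8080
      - 8443

  tasks:
    # --- User management ---
    - name: Change root password
      user:
        name: root
        password: "{{ root_user_password }}"

    - name: Add deploy user
      user:
        name: "{{ deploy_username }}"
        password: "{{ deploy_user_password }}"
        shell: /bin/bash

    - name: Add authorized SSH keys for deploy user
      authorized_key:
        user: "{{ deploy_username }}"
        state: present
        key: "{{ item }}"
      # with_file yields each listed file's contents, so item is the key text.
      with_file: "{{ ssh_public_keys }}"

    - name: Add deploy user to sudoers
      lineinfile:
        dest: /etc/sudoers
        regexp: "{{ deploy_username }} ALL"
        line: "{{ deploy_username }} ALL=(ALL) ALL"
        state: present
        # Refuse the edit if the resulting file does not parse; a broken
        # sudoers would lock everyone out of sudo.
        validate: "visudo -cf %s"

    # --- Upgrade and package installation ---
    - name: Update APT package cache
      apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Upgrade installed packages
      apt:
        upgrade: safe

    - name: Install required packages
      apt:
        # apt accepts the whole list at once; one transaction instead of one per package.
        name: "{{ required_package_install }}"
        state: present

    # --- Unattended upgrades ---
    - name: Backup apt periodic config file
      command: mv /etc/apt/apt.conf.d/10periodic /etc/apt/apt.conf.d/10periodic.bak
      args:
        # Only move when the original exists and no backup exists yet, so a
        # re-run neither fails on a missing file nor overwrites the backup.
        removes: /etc/apt/apt.conf.d/10periodic
        creates: /etc/apt/apt.conf.d/10periodic.bak

    - name: Configure apt auto update
      blockinfile:
        path: /etc/apt/apt.conf.d/10periodic
        create: true
        block: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Download-Upgradeable-Packages "1";
          APT::Periodic::AutocleanInterval "7";
          APT::Periodic::Unattended-Upgrade "1";

    # --- Timezone ---
    - name: Change timezone
      timezone:
        name: Europe/Moscow

    # --- Screen: allow terminal scrolling and a larger scrollback buffer ---
    - name: Screen config
      blockinfile:
        path: "/home/{{ deploy_username }}/.screenrc"
        create: true
        # The play runs as root; make the rc file editable by its user.
        owner: "{{ deploy_username }}"
        mode: "0644"
        block: |
          termcapinfo xterm* ti@:te@
          defscrollback 10000

    # --- Firewall ---
    # Allow rules are added before ufw is enabled with a deny policy, so there
    # is no window in which a new connection to the host is refused. Port 22
    # is never opened: after the play, SSH is reachable only on
    # firewall_ssh_port and only from firewall_vpn_ips.
    - name: Allow SSH traffic from VPN IPs only
      ufw:
        rule: allow
        port: "{{ firewall_ssh_port }}"
        proto: tcp
        src: "{{ item }}"
      with_items: "{{ firewall_vpn_ips }}"

    - name: Limit traffic to select ports to VPN IPs only
      ufw:
        rule: allow
        port: "{{ item[0] }}"
        proto: tcp
        src: "{{ item[1] }}"
      # Cartesian product: every limited port for every VPN address.
      with_nested:
        - "{{ firewall_limited_ports }}"
        - "{{ firewall_vpn_ips }}"

    - name: Allow traffic to custom ports from any IP
      ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      with_items: "{{ firewall_allow_ports }}"

    - name: Enable firewall with default deny policy
      ufw:
        state: enabled
        policy: deny

    # --- SSH hardening ---
    - name: Backup SSH config file
      copy:
        src: /etc/ssh/sshd_config
        dest: /etc/ssh/sshd_config.bak
        remote_src: true

    # Each sshd_config edit is checked with `sshd -t` before it is written, so
    # a bad directive cannot be saved and then break the restart handler.
    # Regexps are single-quoted: in a double-quoted YAML scalar `\s` is an
    # invalid escape. lineinfile appends at EOF when nothing matches;
    # NOTE(review): if the target's sshd_config ends with a Match block the
    # appended line would land inside it — confirm the file layout.
    - name: Change SSH port
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Port\s'
        line: "Port {{ firewall_ssh_port }}"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Restart ssh

    # Safe to disable here: the deploy user's keys were installed earlier in
    # this play, so key-based login is already possible.
    - name: Disallow password authentication
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: "PasswordAuthentication no"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Restart ssh

    - name: Disallow root SSH access
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: "PermitRootLogin no"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Restart ssh

  handlers:
    # Service name `ssh` is the Debian/Ubuntu unit name.
    - name: Restart ssh
      service:
        name: ssh
        state: restarted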