Ansible: Security setup
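---
# Ansible: baseline hardening for a fresh Ubuntu host.
#
# What the play does, in order: refresh and upgrade APT, install ufw /
# fail2ban / unattended-upgrades / logwatch, set the periodic-update policy,
# open the new SSH port in ufw and enable the firewall with default deny,
# preseed postfix so logwatch can mail its summary, install the daily
# logwatch cron line, and finally move sshd to ubuntu_common_ssh_port.
#
# Scope: the play only changes the sshd `Port`; it does not touch
# PasswordAuthentication or PermitRootLogin. Have console (out-of-band)
# access before the first run — if sshd fails to restart on the new port,
# the old port is no longer reachable through ufw.
- name: Fixing some security issues in Ubuntu instance
  hosts: x.x.x.x  # placeholder — replace with an inventory host or group
  become: true    # `sudo: yes` is the deprecated spelling of the same thing
  vars:
    ubuntu_common_ssh_port: 3992
    ubuntu_common_required_packages:
      - ufw
      - fail2ban
      - unattended-upgrades
      - logwatch
    # Recipient of the daily logwatch summary. Quoted so the `<...>`
    # placeholder is always read as a string; replace before running.
    UBUNTU_COMMON_LOGWATCH_EMAIL: "<useremail>"

  tasks:
    - name: Updating the System
      apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Upgrading the system
      apt:
        upgrade: safe

    - name: Install required packages
      apt:
        name: "{{ item }}"
        state: present  # `installed` is the deprecated alias of `present`
      # A bare variable name in with_items is deprecated; template it.
      with_items: "{{ ubuntu_common_required_packages }}"

    - name: Adjust APT update intervals
      copy:
        src: apt_periodic  # file expected next to the playbook; not part of this gist
        dest: /etc/apt/apt.conf.d/10periodic

    # Order matters: add the allow rule for the SSH port first, then enable
    # ufw with a default-deny policy. Enabling first would reject new SSH
    # connections until the allow rule lands. Note that the current port
    # (e.g. 22) is deliberately not opened — after the handler below moves
    # sshd, only ubuntu_common_ssh_port is reachable.
    - name: Allow ssh traffic
      ufw:
        rule: allow
        port: "{{ ubuntu_common_ssh_port }}"
        proto: tcp

    - name: Setup ufw
      ufw:
        state: enabled
        policy: deny

    - name: Set up Postfix to relay mail
      # NOTE(review): postfix is not in ubuntu_common_required_packages. If it
      # is pulled in as a dependency of logwatch it is already installed when
      # these answers are preseeded, so they would only apply on a
      # dpkg-reconfigure — TODO confirm on a target host.
      debconf:
        name: postfix
        question: "{{ item.question }}"
        value: "{{ item.value }}"
        vtype: "{{ item.vtype }}"
      with_items:
        - question: postfix/mailname
          value: "{{ ansible_fqdn }}"
          vtype: string
        - question: postfix/main_mailer_type
          value: 'Internet Site'
          vtype: string

    - name: Email log summary daily
      lineinfile:
        dest: /etc/cron.daily/00logwatch
        regexp: '^/usr/sbin/logwatch'
        line: "/usr/sbin/logwatch --output mail --mailto {{ UBUNTU_COMMON_LOGWATCH_EMAIL }} --detail high"
        state: present
        create: true  # the cron.daily file does not exist until logwatch writes it

    - name: Change ssh port
      # The original key=value form, `line=Port "{{ ubuntu_common_ssh_port }}"`,
      # quoted only the port, so the argument parser would not hand the module
      # a single `Port <n>` value; the whole line is quoted here.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Port\s'
        line: "Port {{ ubuntu_common_ssh_port }}"
        state: present
      notify: Restart ssh

  handlers:
    - name: Restart ssh
      service:
        name: ssh
        state: restarted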
Initial code; needs a lot of modification.