@nitanka
Created August 14, 2017 09:40
Ansible: Security setup
---
# Order matters for not locking yourself out: ufw is enabled with a default
# deny, the new ssh port is allowed, and only then is sshd moved to that port.
# The first run connects over port 22; after it, set ansible_port to
# ubuntu_common_ssh_port in the inventory or the next run cannot connect.
- name: Fixing some security issues in Ubuntu instance
  hosts: x.x.x.x
  become: yes                      # 'sudo: yes' is deprecated in favour of become
  vars:
    ubuntu_common_ssh_port: 3992
    ubuntu_common_required_packages:
      - ufw
      - fail2ban
      - unattended-upgrades
      - logwatch
    UBUNTU_COMMON_LOGWATCH_EMAIL: <useremail>
  tasks:
    - name: Updating the System
      apt:
        update_cache: yes
        cache_valid_time: 3600
    - name: Upgrading the system
      apt:
        upgrade: safe
    - name: Install required packages
      apt:
        state: present             # 'installed' is a deprecated alias of present
        name: "{{ item }}"
      with_items: "{{ ubuntu_common_required_packages }}"   # bare variable names in with_items are deprecated
    - name: Adjust APT update intervals
      copy:
        src: apt_periodic          # expected in files/ next to the playbook; not included in this gist
        dest: /etc/apt/apt.conf.d/10periodic
    - name: Setup ufw
      ufw:
        state: enabled
        policy: deny               # default policy for incoming traffic
    - name: Allow ssh traffic
      ufw:
        rule: allow
        port: "{{ ubuntu_common_ssh_port }}"
        proto: tcp
    - name: Set up Postfix to relay mail
      # NOTE: postfix is not in ubuntu_common_required_packages, so these debconf
      # answers only take effect for a postfix install that happens after this task.
      debconf:
        name: postfix
        question: "{{ item.question }}"
        value: "{{ item.value }}"
        vtype: "{{ item.vtype }}"
      with_items:
        - { question: 'postfix/mailname', value: '{{ ansible_fqdn }}', vtype: 'string' }
        - { question: 'postfix/main_mailer_type', value: 'Internet Site', vtype: 'string' }
    - name: Email log summary daily
      lineinfile:
        dest: /etc/cron.daily/00logwatch
        regexp: '^/usr/sbin/logwatch'
        line: "/usr/sbin/logwatch --output mail --mailto {{ UBUNTU_COMMON_LOGWATCH_EMAIL }} --detail high"
        state: present
        create: yes
    - name: Change ssh port
      # The stock sshd_config only has a commented "#Port 22", so no line matches
      # and lineinfile appends "Port 3992" at the end of the file.
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Port\s'
        line: "Port {{ ubuntu_common_ssh_port }}"   # the original 'line=Port "{{ ... }}"' quoting produced a broken value
        state: present
      notify: Restart ssh
  handlers:
    - name: Restart ssh
      service:
        name: ssh
        state: restarted
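The main way this playbook can go wrong operationally is a lockout: sshd ends up listening on 3992 while ufw only allows 22 (for example when the "Allow ssh traffic" task is skipped or the port variable is changed between runs). The following is an added pre-flight check, not part of the gist, that parses sshd_config text and `ufw status` text and reports whether the sshd port is allowed inbound. The sample sshd_config and ufw outputs embedded below are constructed, not captured from a real host; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the gist): lockout pre-flight check comparing the
# port sshd listens on with the tcp ports ufw allows inbound.

# Print the effective Port from sshd_config text on stdin. sshd uses the first
# occurrence of a directive; commented "#Port" lines are ignored. Defaults to 22.
sshd_port() {
  port=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' | head -n 1 | awk '{print $2}')
  echo "${port:-22}"
}

# Print the tcp ports that 'ufw status' text on stdin reports as ALLOW IN.
ufw_allowed_tcp_ports() {
  awk '/ALLOW IN/ && $1 ~ /^[0-9]+\/tcp$/ { sub(/\/tcp$/, "", $1); print $1 }'
}

# Return 0 when the sshd port is allowed inbound by ufw, 1 otherwise.
# $1: sshd_config contents, $2: 'ufw status' output.
check_ssh_reachable() {
  sshd_conf="$1"
  ufw_status="$2"
  p=$(printf '%s\n' "$sshd_conf" | sshd_port)
  for a in $(printf '%s\n' "$ufw_status" | ufw_allowed_tcp_ports); do
    [ "$a" = "$p" ] && return 0
  done
  return 1
}

# Constructed sample: sshd_config after the "Change ssh port" task appended its
# line (the stock Ubuntu file leaves "#Port 22" commented out).
SAMPLE_SSHD_CONFIG='#Port 22
PermitRootLogin no
Port 3992'

# Constructed sample: 'ufw status' after the "Allow ssh traffic" task ran.
SAMPLE_UFW_OK='Status: active

To                         Action      From
--                         ------      ----
3992/tcp                   ALLOW IN    Anywhere
3992/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Constructed sample: firewall still only allowing the old port.
SAMPLE_UFW_STALE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere'

# Stand-alone demo over both samples.
for status in "$SAMPLE_UFW_OK" "$SAMPLE_UFW_STALE"; do
  p=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_port)
  if check_ssh_reachable "$SAMPLE_SSHD_CONFIG" "$status"; then
    echo "ok: sshd port $p is allowed by ufw"
  else
    echo "LOCKOUT RISK: sshd port $p is not in the ufw allow list"
  fi
done
```

On a real host, run `check_ssh_reachable "$(cat /etc/ssh/sshd_config)" "$(ufw status)"` before restarting sshd (or before closing the session that the playbook used), and keep that session open until a fresh login on the new port succeeds.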
nitanka commented Aug 14, 2017

Initial code, need a lot of modification
