This Ansible playbook hardens your server and reduces security risk. It is for Ubuntu/Debian-based servers. Run this playbook as root because it requires various configuration changes and package installations.
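---
## This is an Ansible playbook to harden your server and reduce security risk. It is for Ubuntu/Debian-based servers.
## Run this playbook as root because it requires various configuration changes and package installations.
## Variables (port, name, password, N0PASSWDLINE, optionally server_hostname and ssh_pub_key) come from vars.yml.
## The play moves sshd to {{ port }} and denies port 22, so later runs must connect with ansible_port set to the new port.
- hosts: servers
  gather_facts: false
  vars_files:
    - vars.yml  ## file where the variables used in this playbook are defined
  tasks:
    - name: Installing python-apt  ## Ansible dependency for the apt module (NOTE(review): newer releases ship python3-apt instead)
      apt:
        name: python-apt
        state: present
    - name: Installing aptitude  ## aptitude is used by the apt module for upgrades
      apt:
        name: aptitude
        state: present
    - name: Update cache and upgrade packages  ## upgrade runs a package upgrade, not only a cache refresh
      apt:
        upgrade: safe  ## same as the legacy upgrade=yes
        update_cache: true
        # cache_valid_time: 86400  # one day
    - name: Adding additional user  ## creates a sudo-capable user and generates an ssh key pair for it
      user:
        name: "{{ name }}"
        comment: "This is a super user"
        groups: sudo
        append: true  ## add to sudo without dropping any other supplementary groups
        ## The user module expects an already-hashed password; hashing here lets vars.yml hold the plaintext value.
        password: "{{ password | password_hash('sha512') }}"
        update_password: on_create  ## the hash gets a fresh salt each run; only set it when the user is created
        generate_ssh_key: true
    - name: Adding Authorized key to the above user  ## installs your public key from the control machine
      authorized_key:
        user: "{{ name }}"
        ## ssh_pub_key may be set in vars.yml; otherwise ~/.ssh/id_rsa.pub of the user running ansible is used
        key: "{{ lookup('file', ssh_pub_key | default(lookup('env', 'HOME') + '/.ssh/id_rsa.pub')) }}"
        state: present
    - name: Giving user {{ name }} sudo with NOPASSWD privilege  ## this task could be skipped for better security
      lineinfile:
        dest: /etc/sudoers
        regexp: '^%sudo'  ## replaces the whole %sudo group line, so every sudo member is affected, not only {{ name }}
        line: "{{ N0PASSWDLINE }}"
        state: present
        validate: '/usr/sbin/visudo -cf %s'  ## a syntax error in sudoers would lock everyone out of sudo
    - name: Open a Port for ssh  ## allow the new ssh port before sshd is moved to it
      ufw:
        port: "{{ port }}"
        rule: allow
        proto: tcp
    - name: Enable ufw  ## the allow/deny rules in this play are inert until the firewall is enabled
      ufw:
        state: enabled
    - name: Making Server to Reboot when out of memory  ## panic on OOM, then reboot 10 seconds after the panic
      lineinfile:
        dest: /etc/sysctl.conf
        insertbefore: BOF
        line: "{{ item }}"
        state: present
      with_items:  ## written to sysctl.conf only; they apply after a reboot (or sysctl -p)
        - 'vm.panic_on_oom=1'
        - 'kernel.panic=10'
    - name: Installing Fail2ban  ## default settings are enough, but fail2ban can be tuned as per your need
      apt:
        name: fail2ban
        state: present
    - name: Enable fail2ban
      service:
        name: fail2ban
        state: started
        enabled: true
    - name: Change ssh port  ## also matches the commented "#Port 22" shipped in the default sshd_config
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?Port\s'
        line: "Port {{ port }}"
        state: present
        validate: '/usr/sbin/sshd -t -f %s'  ## refuse to write a config sshd cannot load
      notify: restart ssh
    - name: Set hostname  ## set server_hostname in vars.yml; the literal default is the original author's host
      hostname:
        name: "{{ server_hostname | default('srv1.aquevix.com') }}"
    - name: Close default Port for ssh  ## deny port 22 now that sshd is moving to {{ port }}
      ufw:
        port: "22"
        rule: deny
        proto: tcp
  handlers:
    - name: restart ssh  ## on Debian/Ubuntu the sshd service is named "ssh"
      service:
        name: ssh
        state: restarted
## sshd is restarted by the handler at the end of the play; the sysctl settings need a reboot (or sysctl -p) to apply.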
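---
## Values used by the hardening playbook. Replace every placeholder before running.
## Keep this file out of version control (or encrypt it with ansible-vault) once it holds a real password.
port: port-no  ## new ssh port (quote it if it is numeric, e.g. "2222"); must not collide with another service
name: username  ## login name of the user to create; it is added to the sudo group
password: changeme  ## the user module needs a crypt-style hash, so the playbook must hash this (password_hash) or a hash must be stored here
server_hostname: srv1.aquevix.com  ## hostname to set on the server
N0PASSWDLINE: "%sudo ALL=(ALL:ALL) NOPASSWD: ALL"  ## key is spelled with a zero (N0), matching the playbook's reference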