@tarunsinghaldotme
Last active September 9, 2017 17:43
This Ansible playbook hardens your server to reduce security risk. It is for Ubuntu/Debian based servers. Run this playbook as root because it requires various configuration changes and package installations.
---
## This Ansible playbook hardens your server to reduce security risk. It is for Ubuntu/Debian based servers.
## Run this playbook as root because it requires various configuration changes and package installations.
- hosts: servers
  gather_facts: false
  vars_files:
    - vars.yml ## file where the variables used in this playbook are defined
  tasks:
    - name: Installing python-apt ## ansible dependency for the apt module
      apt:
        name: python-apt
        state: present
    - name: Installing aptitude
      apt:
        name: aptitude ## install aptitude
        state: present
    - name: Update cache and upgrade packages
      apt:
        upgrade: yes ## safe upgrade of installed packages
        update_cache: yes ## refresh the apt cache first
        # cache_valid_time: 86400 # one day
    - name: Adding additional user ## add a sudo-capable user and generate its ssh key pair
      user:
        name: '{{ name }}'
        comment: "This is a super user"
        groups: sudo
        password: "{{ password | password_hash('sha512') }}" ## the user module expects a crypt hash, not the plain-text password
        generate_ssh_key: yes
    - name: Adding authorized key to the above user ## install your local ssh public key into the user's authorized_keys
      authorized_key:
        user: '{{ name }}'
        key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_rsa.pub') }}"
        state: present
    - name: Giving user {{ name }} sudo with NOPASSWD privilege ## this task could be avoided for better security.
      lineinfile:
        dest: /etc/sudoers
        regexp: '^%sudo'
        line: '{{ N0PASSWDLINE }}' ## variable name is spelled with a zero (N0), matching vars.yml
        validate: '/usr/sbin/visudo -cf %s' ## refuse to write a sudoers file that visudo rejects
        state: present
    - name: Open a port for ssh ## allow the new ssh port before the default one is closed
      ufw:
        port: '{{ port }}'
        rule: allow
    - name: Making server reboot when out of memory ## the kernel panics on OOM and reboots 10 seconds later
      lineinfile:
        dest: /etc/sysctl.conf
        insertbefore: BOF
        line: '{{ item }}'
        state: present
      with_items:
        - 'vm.panic_on_oom=1'
        - 'kernel.panic=10'
    - name: Installing fail2ban ## the default settings are enough, but you can also modify fail2ban as per your need.
      apt:
        name: fail2ban
        state: present
    - name: Enable fail2ban
      service:
        name: fail2ban
        state: started
        enabled: yes
    - name: Change ssh port ## move sshd to the port opened above
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Port\s'
        line: "Port {{ port }}"
        validate: '/usr/sbin/sshd -t -f %s' ## refuse to write a config sshd cannot parse
        state: present
    - name: Set hostname
      hostname:
        name: srv1.aquevix.com
    - name: Close default port for ssh ## deny port 22 now that sshd listens on the new port
      ufw:
        port: '22'
        rule: deny
## after running the playbook, restart your server for the changes to take effect.
## note: ufw rules only take effect once the firewall is enabled (ufw: state=enabled), which this playbook does not do.
---
port: port-no ## replace with the numeric ssh port to use (not 22)
name: username ## login name of the user to create
password: changeme ## replace the placeholder password
N0PASSWDLINE: "%sudo ALL=(ALL:ALL) NOPASSWD: ALL"
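As an added example (not part of the gist), the following Python models what the playbook's three lineinfile tasks do to constructed copies of sshd_config, sudoers and sysctl.conf, and pre-checks vars.yml for values that would lock you out of the host. The sample file contents, the preflight rules and the function names are my assumptions, not the gist's.

```python
import re

# Constructed sample files (not taken from any real host) standing in for the
# three files the gist's lineinfile tasks edit.
SSHD_CONFIG = "# OpenSSH server config\nPort 22\nPermitRootLogin yes\n"
SUDOERS = "root    ALL=(ALL:ALL) ALL\n%sudo   ALL=(ALL:ALL) ALL\n"
SYSCTL = "# /etc/sysctl.conf\nnet.ipv4.ip_forward=0\n"

def lineinfile(text, line, regexp=None, insertbefore_bof=False):
    """Mimic Ansible lineinfile with state=present: leave the file alone if the
    exact line is present, else replace the LAST regexp match, else insert at
    the top (insertbefore=BOF) or append at the end."""
    lines = text.splitlines()
    if line in lines:
        return text                      # idempotent: nothing to change
    idx = None
    if regexp:
        for i, cur in enumerate(lines):
            if re.search(regexp, cur):
                idx = i                  # keep scanning: the last match wins
    if idx is not None:
        lines[idx] = line
    elif insertbefore_bof:
        lines.insert(0, line)
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"

def preflight(v):
    """Reject vars.yml values that would lock you out or keep the placeholders."""
    problems = []
    port = v.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer between 1 and 65535")
    elif port == 22:
        problems.append("port 22 is denied by the playbook's last ufw task; pick another port")
    if v.get("password") in (None, "", "changeme"):
        problems.append("password is still the placeholder value")
    return problems

def apply_playbook(v):
    """Return the sshd_config, sudoers and sysctl.conf the playbook would produce."""
    sshd = lineinfile(SSHD_CONFIG, f"Port {v['port']}", regexp=r"^Port\s")
    sudo = lineinfile(SUDOERS, v["N0PASSWDLINE"], regexp=r"^%sudo")
    sysctl = SYSCTL
    for item in ("vm.panic_on_oom=1", "kernel.panic=10"):   # BOF inserts stack, so order reverses
        sysctl = lineinfile(sysctl, item, insertbefore_bof=True)
    return sshd, sudo, sysctl
```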