andrewvaughan / ansible-role-server-harden
Implements server security standards that should exist for every server.
License: MIT License
No Python files are being used in this - just Ansible tasks.
Add the ability to configure logwatch not to use the server default email address, or to set the server default for all emails.
Add the deploy user with full sudo access.
The following are the available variables for configuration of this feature, along with their defaults:

```yaml
vars:
  server_harden:
    users:
      deploy:
        sudo: true
        password: true
        ssh_keys:
          - PUB...KEY1
          - PUB...KEY2
```
If users is set to false, user configuration will be skipped.

As many users as needed can be created with the users block. By default, only the deploy user will be created, and the script will prompt for that user's password.

The sudo option will give the user full sudo access. Partial sudo is not currently supported.

password can be set to the following:
- true to auto-generate a password for the user
- false for no password (not recommended)

ssh_keys can either be a string or an array. Note that if you don't set any SSH keys and password login is disabled for SSH, a warning will be thrown, but configuration will continue; such a user has no way to log in over SSH until a key is added.
This should be done last, as it prevents the root user from accessing the server via Ansible. Ensure the documentation provides an example of how to switch to a non-root user mid-playbook. Before this step runs, a non-root user with a working SSH key and sudo must already be able to log in; otherwise restarting SSH with these settings locks out every session that is not already open.

Set the following two lines in the /etc/ssh/sshd_config file:

```
PermitRootLogin no
PasswordAuthentication no
```

Then restart the SSH service with service ssh restart. Check the file with sshd -t before restarting, and confirm the effective values afterwards with sshd -T: OpenSSH uses the first value it reads for each keyword, so a file pulled in by an Include directive at the top of sshd_config can override what the main file sets.
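The following playbook is an added example that is not part of the role; it ties the user creation above to this SSH step and shows the mid-playbook switch to a non-root user that the spec asks for. It connects as root, creates the users from server_harden.users, warns about any user left without a login path, switches the connection to deploy with set_fact, proves the new user works, and only then writes the two sshd_config lines (syntax-checked by sshd -t before the file lands), restarts SSH and asserts on sshd -T. The host group servers, the placeholder key, the credentials/ directory on the controller, the sshd_settings variable and the assumption that ssh_keys is a list are mine; it also assumes Debian/Ubuntu (service name ssh) and the ansible.posix collection.

```yaml
# Added example, not the role's own tasks. Assumptions: Debian/Ubuntu host,
# ssh_keys is a list, generated passwords live on the controller under
# credentials/<host>/<user>, and the key below is a placeholder.
- name: Create a sudo user as root, then harden sshd as that user
  hosts: servers
  become: true
  vars:
    ansible_user: root   # first contact as root; replaced by set_fact below
    server_harden:
      users:
        deploy:
          sudo: true
          password: true
          ssh_keys:
            - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER deploy@laptop"
      ssh:
        root_login: false
        password_auth: false
    sshd_settings:
      PermitRootLogin: "{{ 'yes' if server_harden.ssh.root_login | bool else 'no' }}"
      PasswordAuthentication: "{{ 'yes' if server_harden.ssh.password_auth | bool else 'no' }}"
  tasks:
    - name: Create users; the password is only set when the account is first created
      ansible.builtin.user:
        name: "{{ item.key }}"
        shell: /bin/bash
        password: >-
          {{ lookup('password', 'credentials/' ~ inventory_hostname ~ '/' ~ item.key ~ ' length=24')
          | password_hash('sha512') if item.value.password | default(true) | bool else omit }}
        update_password: on_create
      loop: "{{ server_harden.users | dict2items }}"
      no_log: true

    - name: Grant full sudo; visudo rejects a broken file before it is installed
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ item.key }}"
        content: "{{ item.key }} ALL=(ALL:ALL) ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
      loop: "{{ server_harden.users | dict2items }}"
      when: item.value.sudo | default(false) | bool

    - name: Install the users' public keys
      ansible.posix.authorized_key:
        user: "{{ item.0.key }}"
        key: "{{ item.1 }}"
      loop: "{{ server_harden.users | dict2items | subelements('value.ssh_keys', skip_missing=True) }}"

    - name: Warn (and continue) about users that will have no way in
      ansible.builtin.debug:
        msg: "WARNING: {{ item.key }} has no ssh_keys and password_auth is false; it cannot log in over SSH."
      loop: "{{ server_harden.users | dict2items }}"
      when:
        - not (server_harden.ssh.password_auth | bool)
        - (item.value.ssh_keys | default([])) | length == 0

    - name: Switch the connection to deploy for the rest of the play
      ansible.builtin.set_fact:
        ansible_user: deploy
        ansible_become_password: "{{ lookup('password', 'credentials/' ~ inventory_hostname ~ '/deploy length=24') }}"
      no_log: true

    - name: Drop the cached root connection so the next task reconnects as deploy
      ansible.builtin.meta: reset_connection

    - name: Prove the new user can log in before root is locked out
      ansible.builtin.command: id -un
      become: false
      register: whoami
      changed_when: false
      failed_when: whoami.stdout != 'deploy'

    - name: Set the sshd options; sshd -t rejects a broken file before it is written
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\b'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop: "{{ sshd_settings | dict2items }}"
      notify: Restart ssh

    - name: Restart sshd now rather than at the end of the play
      ansible.builtin.meta: flush_handlers

    - name: Read the effective configuration, not just the file
      ansible.builtin.command: /usr/sbin/sshd -T
      register: sshd_effective
      changed_when: false

    - name: Fail if an Include'd file overrides what was just set (first value wins)
      ansible.builtin.assert:
        that:
          - "('permitrootlogin ' ~ sshd_settings.PermitRootLogin) in sshd_effective.stdout_lines"
          - "('passwordauthentication ' ~ sshd_settings.PasswordAuthentication) in sshd_effective.stdout_lines"
        fail_msg: "sshd -T disagrees with sshd_config; check /etc/ssh/sshd_config.d/*.conf"

  handlers:
    - name: Restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Run it with ansible-playbook -i inventory harden.yml. The generated deploy password ends up in credentials/<host>/deploy on the controller, and the same lookup reads it back as the become password after the switch. The final assert is the check worth keeping even if nothing else is reused: on hosts whose sshd_config starts with an Include, a file in /etc/ssh/sshd_config.d can leave PasswordAuthentication yes in force although the main file says no.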
The following are the available variables for configuration of this feature, along with their defaults:

```yaml
vars:
  server_harden:
    ssh:
      root_login: false
      password_auth: false
```

If ssh is set to false, configuration is skipped.
No configuration required (for now). May add some capabilities at a later time.
The following are the available variables for configuration of this feature, along with their defaults:

```yaml
vars:
  server_harden:
    fail2ban: true
```

fail2ban can be set to false to skip installation.
Configure UFW to allow ports 22, 80, and 443 by default. Call ufw enable when complete.
The following are the available variables for configuration of this feature, along with their defaults:

```yaml
vars:
  firewall:
    - 22
    - 80
    - 443
```

firewall can be set to false to skip firewall configuration. Otherwise it takes an array of ports to open on the server. A warning should be shown if port 22 is not included, but configuration should continue; enabling UFW without port 22 allowed blocks every new SSH connection, so the allow rules must be in place before ufw enable runs.
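An added example of this step as an Ansible task file, not the role's own code. It assumes the top-level firewall list from the variables above, a Debian/Ubuntu host with become available, and the community.general collection; the file name tasks/firewall.yml is mine, and restricting the rules to TCP is my choice (ufw allow 22 as written in the spec opens UDP as well). The rules are added before the firewall is enabled, the missing-22 case warns without stopping, and the last task checks the active rule set rather than trusting the module.

```yaml
# Added example (tasks/firewall.yml, hypothetical file name), not the role's code.
# Include it with: when: firewall is not sameas false
- name: Warn, but continue, when port 22 is not in the list
  ansible.builtin.debug:
    msg: "WARNING: port 22 is not in 'firewall'; new SSH connections will be blocked once UFW is enabled."
  when: 22 not in (firewall | map('int') | list)

- name: Install UFW
  ansible.builtin.apt:
    name: ufw
    state: present
    update_cache: true

- name: Allow the configured ports before the firewall is enabled
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop: "{{ firewall }}"

- name: Deny everything else inbound and enable UFW (equivalent to ufw enable)
  community.general.ufw:
    state: enabled
    default: deny
    direction: incoming

- name: Read the active rule set
  ansible.builtin.command: ufw status verbose
  register: ufw_status
  changed_when: false

- name: Fail if any configured port did not make it into the active rules
  ansible.builtin.assert:
    that: "(item ~ '/tcp') in ufw_status.stdout"
    fail_msg: "port {{ item }} is not allowed in the active ufw rules"
  loop: "{{ firewall }}"
```

Keeping the allow rules ahead of state: enabled matters because the module enables the firewall with the default-deny policy in the same call; reversing the order would drop the Ansible SSH session on hosts where 22 is the management port.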
Install unattended-upgrades with apt-get install unattended-upgrades.

Update /etc/apt/apt.conf.d/10periodic to:

```
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
```

The following are the available variables for configuration of this feature, along with their defaults:

```yaml
vars:
  unattended_upgrades: true
```

unattended_upgrades can be set to false to skip setting up Unattended Upgrades.
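An added example of this step as an Ansible task file, not the role's own code; it assumes a Debian/Ubuntu host with become and the file name tasks/unattended_upgrades.yml is mine. Beyond writing 10periodic it reads back what APT actually resolved, because files in /etc/apt/apt.conf.d are applied in name order and a later file (Ubuntu ships 20auto-upgrades, for instance) can silently override the values set here.

```yaml
# Added example (tasks/unattended_upgrades.yml, hypothetical file name), not the role's code.
# Include it with: when: unattended_upgrades | default(true) | bool
- name: Install unattended-upgrades
  ansible.builtin.apt:
    name: unattended-upgrades
    state: present
    update_cache: true

- name: Configure the periodic APT jobs
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/10periodic
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::Unattended-Upgrade "1";
    owner: root
    group: root
    mode: "0644"

- name: Read the values APT resolves after every apt.conf.d file is applied
  ansible.builtin.command: apt-config dump
  register: apt_conf
  changed_when: false

- name: Fail if a later apt.conf.d file turned the daily run back off
  ansible.builtin.assert:
    that:
      - "'APT::Periodic::Update-Package-Lists \"1\";' in apt_conf.stdout_lines"
      - "'APT::Periodic::Unattended-Upgrade \"1\";' in apt_conf.stdout_lines"
    fail_msg: "apt-config dump does not show unattended upgrades enabled; look for a later file in /etc/apt/apt.conf.d overriding 10periodic"
```

To see what the next run would do without waiting for the timer, run sudo unattended-upgrade --dry-run --debug on the host (the binary is singular even though the package is not).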
Install Logwatch with apt-get install logwatch.

If a mail option is provided, edit /etc/cron.daily/00logwatch to add this line:

```
/usr/sbin/logwatch --output mail --mailto [email protected] --detail high
```

The following are the available variables for configuration of this feature, along with their defaults:

```yaml
vars:
  logwatch:
    email: # (undefined)
```

If email is set (and valid), the line will be added to logwatch to send emails.
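An added example of this step as an Ansible task file, not the role's own code. It assumes the top-level logwatch dict from the variables above, a Debian/Ubuntu host with become, and a working MTA on the host (logwatch hands mail to /usr/sbin/sendmail); the file name tasks/logwatch.yml, the helper facts and the address regex are mine. Rather than appending a second logwatch line, it replaces the stock /usr/sbin/logwatch --output mail line that the Debian package already puts in 00logwatch, so the report is not generated twice.

```yaml
# Added example (tasks/logwatch.yml, hypothetical file name), not the role's code.
- name: Install logwatch
  ansible.builtin.apt:
    name: logwatch
    state: present

- name: Work out whether the configured address is usable
  ansible.builtin.set_fact:
    logwatch_mailto: "{{ logwatch.email | default('') }}"
    # Deliberately loose: one "@", no whitespace, a dot in the domain part.
    logwatch_mailto_valid: '{{ (logwatch.email | default("")) is match("^[^@\s]+@[^@\s]+\.[^@\s]+$") }}'

- name: Warn when an address is set but does not look valid
  ansible.builtin.debug:
    msg: "WARNING: logwatch.email '{{ logwatch_mailto }}' is not a valid address; daily reports stay on the host."
  when: logwatch_mailto | length > 0 and not logwatch_mailto_valid | bool

- name: Mail the daily report (replaces the package's own logwatch line in the cron job)
  ansible.builtin.lineinfile:
    path: /etc/cron.daily/00logwatch
    regexp: '^/usr/sbin/logwatch'
    line: "/usr/sbin/logwatch --output mail --mailto {{ logwatch_mailto }} --detail high"
  when: logwatch_mailto_valid | bool

- name: Produce yesterday's report on stdout once so the output can be inspected now
  ansible.builtin.command: /usr/sbin/logwatch --output stdout --detail high --range yesterday
  register: logwatch_sample
  changed_when: false
  when: logwatch_mailto_valid | bool
```

If the host has no MTA, the cron job runs without error and the report is silently lost; the stdout task is the quick way to confirm logwatch itself is working independently of mail delivery.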
Add support for:
Add appropriate badges to the README
Emphasize that these hardening techniques are specific to my needs, and that they may not work for everyone. The changes (link) should be reviewed thoroughly before use. That said, all options can be turned on or off in the configuration (link).
Warn the user that this role is intended for untouched, just-provisioned servers, and that some of the changes may produce undesired effects if they are not fully understood. Provide a link to the README section that explains all changes that are made.
Make the user press "Y" in a [yN] prompt to continue, by default.
The following are the available variables for configuration of this feature, along with their defaults:

```yaml
vars:
  server_harden:
    warning:
      prompt: true
      message: >
        WARNING! The server-harden role is intended to be used to secure servers.
        It has the potential to cause irreparable harm to the target system,
        including access lockout and data loss. It is vital that you understand
        the full context of this role before continuing execution.
```

Additionally, warning can be set to false to skip the warning entirely.
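An added example of the prompt as an Ansible task file, not the role's own code; the file name tasks/warning.yml and the registered variable name are mine. It covers the three cases the spec describes: warning set to false skips everything, prompt set to false prints the message without blocking, and otherwise the run stops unless the operator types Y or y. One caveat a practitioner should know: pause prompts once per play, not once per host.

```yaml
# Added example (tasks/warning.yml, hypothetical file name), not the role's code.
- name: Show the warning and wait for confirmation
  ansible.builtin.pause:
    prompt: "{{ server_harden.warning.message }}\nContinue? [yN]"
  register: warning_answer
  when:
    - server_harden.warning is mapping
    - server_harden.warning.prompt | default(true) | bool

- name: Print the warning without blocking when prompting is disabled
  ansible.builtin.debug:
    msg: "{{ server_harden.warning.message }}"
  when:
    - server_harden.warning is mapping
    - not (server_harden.warning.prompt | default(true) | bool)

- name: Stop the run unless the operator typed Y
  ansible.builtin.fail:
    msg: "Aborted: the server-harden warning was not confirmed."
  when:
    - warning_answer is not skipped
    - (warning_answer.user_input | default('') | trim | lower) != 'y'
```

For unattended runs (CI, cron) set server_harden.warning.prompt to false or the whole warning to false; a pause task with a prompt otherwise blocks forever waiting on a terminal that is not there.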
Run the following:

```
apt-get update -y
apt-get autoremove
```

The following are the available variables for configuration of this feature, along with their defaults:

```yaml
vars:
  server_harden:
    package_update: true
```

Setting package_update to false will skip this step.
Provide an option to enter the server's root password.

The following are the available variables for configuration of this feature, along with their defaults:

```yaml
vars:
  server_harden:
    root:
      password: # (undefined)
      ssh_keys: false
```

If root is set to false, root user configuration will be skipped.

password can be set to the following:
- true to auto-generate a root password for the user
- false to skip setting the root password

ssh_keys can be one of the following:
- false to remove all SSH keys (default)

Note that if you set SSH keys, but root login is disabled for SSH, a warning will be thrown, but configuration will continue.
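An added example of the root handling as an Ansible task file, not the role's own code. It assumes, beyond the variables above, that password may also be a literal string (the "enter the server's root password" option), that a generated password and its salt are stored on the controller under credentials/<host>/, and that ssh_keys is either false or a list of public keys; the file name tasks/root.yml is mine. The fixed salt is what keeps the password task idempotent: password_hash picks a fresh random salt on every run otherwise, so the user module would report a change each time.

```yaml
# Added example (tasks/root.yml, hypothetical file name), not the role's code.
# Include it with: when: server_harden.root is mapping
- name: Set the root password (literal string, or generated into credentials/<host>/root)
  ansible.builtin.user:
    name: root
    password: >-
      {{ (server_harden.root.password
          if server_harden.root.password is string
          else lookup('password', 'credentials/' ~ inventory_hostname ~ '/root length=24'))
         | password_hash('sha512',
              lookup('password', 'credentials/' ~ inventory_hostname ~ '/root.salt length=16 chars=ascii_letters,digits')) }}
  no_log: true
  when:
    - server_harden.root.password is defined
    - server_harden.root.password is not sameas false

- name: Remove every SSH key from root when ssh_keys is false (the default)
  ansible.builtin.file:
    path: /root/.ssh/authorized_keys
    state: absent
  when: server_harden.root.ssh_keys | default(false) is sameas false

- name: Warn (and continue) when keys are given but root SSH login is disabled
  ansible.builtin.debug:
    msg: "WARNING: server_harden.root.ssh_keys is set but ssh.root_login is false; the keys are installed but cannot be used over SSH."
  when:
    - server_harden.root.ssh_keys | default(false) is not sameas false
    - not (server_harden.ssh.root_login | default(false) | bool)

- name: Install exactly the configured root keys (any other key already present is removed)
  ansible.posix.authorized_key:
    user: root
    key: '{{ server_harden.root.ssh_keys | join("\n") }}'
    exclusive: true
  when: server_harden.root.ssh_keys | default(false) is not sameas false
```

Order this after the deploy user has been verified to work: removing root's authorized_keys while root is still the only account that can log in is the lockout the role's warning talks about. The exclusive option on authorized_key is deliberate, so a key left behind by an image builder or a previous operator does not survive the run.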