diff --git a/roles/basesecurity/handlers/main.yml b/roles/basesecurity/handlers/main.yml
new file mode 100644
index 0000000..4891585
--- /dev/null
+++ b/roles/basesecurity/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart sshd service
+ service:
+ name: sshd
+ state: restarted
+
+- name: Restart fail2ban service
+ service:
+ name: fail2ban
+ state: restarted
diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml
index d21ad5e..501bf4a 100644
--- a/roles/basesecurity/tasks/main.yml
+++ b/roles/basesecurity/tasks/main.yml
@@ -1,8 +1,8 @@
 ---
 - name: Configure sysctl
 template:
- src: 'sysctl.d/local.conf.j2'
- dest: '/etc/sysctl.d/local.conf'
+ src: sysctl.d/local.conf.j2
+ dest: /etc/sysctl.d/local.conf
 mode: 0644
 
 # Use this command to list setuid or setgid executables
@@ -23,3 +23,27 @@
 - /bin/mount # Only root should mount
 - /bin/umount # Only root should umount
 ignore_errors: true # Sometimes file won't exist
+
+# Only SSH keys to log on root
+- name: Prohibit root SSH with password
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: '^PermitRootLogin'
+ insertafter: '^#PermitRootLogin'
+ line: 'PermitRootLogin prohibit-password'
+ notify: Restart sshd service
+
+# See banned client with `fail2ban-client status sshd`
+- name: Install fail2ban
+ apt:
+ name: fail2ban
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Configure fail2ban
+ template:
+ src: fail2ban/jail.d/local.conf.j2
+ dest: /etc/fail2ban/jail.d/local.conf
+ mode: 0644
+ notify: Restart fail2ban service
diff --git a/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2 b/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2
new file mode 100644
index 0000000..cddbecd
--- /dev/null
+++ b/roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2
@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+# Ban a host for 10mn
+# if it has failed 5 times during the last 10mn
+[sshd]
+enabled = true
+bantime = 600
+findtime = 600
+maxretry = 5
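Review bot: `state: restarted` on the sshd handler is more than the single `PermitRootLogin` edit needs, and if a later edit ever leaves sshd_config invalid, a restart takes the daemon down on a box that is only reachable over SSH, whereas sshd re-reads its configuration on SIGHUP, so `state: reloaded` applies the change while the old process keeps serving as a fallback. A second caveat: the tasks in this role use `apt`, so these are Debian-family hosts, where I believe the unit is `ssh.service` and `sshd` resolves only through the `Alias=sshd.service` link that `systemctl enable` creates — on a host where the unit was never enabled this handler would not find the service, so `name: ssh` (or a per-distro variable) is the safer name there.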
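Review bot: The `lineinfile` edit of /etc/ssh/sshd_config carries no `validate`, so a malformed line is written to disk and the notified restart then brings sshd down on a host you can only reach over SSH; add `validate: /usr/sbin/sshd -t -f %s` so a bad edit is rejected before the file is replaced. On Debian/Ubuntu releases whose stock sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there that sets `PermitRootLogin` wins because sshd keeps the first value it sees, so this task can succeed while having no effect — `sshd -T | grep -i permitrootlogin` on a converged host is the check I would add to the role's verification. Smaller points: `dest` is a legacy alias and `path` is the documented `lineinfile` parameter, `mode: 0644` in the "Configure fail2ban" task relies on YAML 1.1 octal parsing where `mode: '0644'` is the form Ansible documents, and nothing in this hunk asserts that fail2ban is enabled and running after install — a `service: name: fail2ban state: started enabled: true` task removes the assumption that the package post-install did it.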
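Review bot: The jail has no `ignoreip`, so the Ansible controller, a bastion, or a monitoring host that produces five failed logins within ten minutes (a stale key, a username typo) bans the very address the box is managed from, and with `findtime = 600` / `maxretry = 5` that is easy to hit; add a `[DEFAULT]` section with `ignoreip = 127.0.0.1/8 ::1` plus the management ranges before `[sshd]`. A flat `bantime = 600` also lets a patient attacker keep trying at five attempts per ten minutes indefinitely — with fail2ban 0.11 or later `bantime.increment = true` escalates repeat offenders without punishing a first-time mistake. Finally, the jail only bans what it can read: on hosts where sshd logs to the journal alone (no rsyslog), my understanding is the sshd jail needs `backend = systemd` or it matches nothing while still reporting `enabled`, so the `fail2ban-client status sshd` check mentioned in the task comment should be run after a deliberate bad login to confirm a non-zero failure count.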