Merge branch 'secure_ssh' into 'master'
Fail2ban by default. See merge request aurore/ansible!23
commit
c38c1aedc1
3 changed files with 45 additions and 2 deletions
10
roles/basesecurity/handlers/main.yml
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
- name: Restart sshd service
|
||||
service:
|
||||
name: sshd
|
||||
state: restarted
|
||||
|
||||
- name: Restart fail2ban service
|
||||
service:
|
||||
name: fail2ban
|
||||
state: restarted
|
|
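Review bot: The `Restart sshd service` handler targets a unit called `sshd`, but on Debian-derived hosts (the task file installs packages with `apt`) the OpenSSH unit is `ssh.service`; `sshd` resolves only through the `Alias=sshd.service` that systemd creates once the unit is enabled, so `name: ssh` is the more portable choice there — confirm against the target distribution. This handler is notified right after `lineinfile` rewrites `sshd_config`, so it should be paired with a `validate:` on that task; otherwise a malformed directive is restarted into a non-starting daemon. Indentation is stripped on this rendered page, so the nesting of `service:` under each handler is assumed.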
@ -1,8 +1,8 @@
|
|||
---
|
||||
- name: Configure sysctl
|
||||
template:
|
||||
src: 'sysctl.d/local.conf.j2'
|
||||
dest: '/etc/sysctl.d/local.conf'
|
||||
src: sysctl.d/local.conf.j2
|
||||
dest: /etc/sysctl.d/local.conf
|
||||
mode: 0644
|
||||
|
||||
# Use this command to list setuid or setgid executables
|
||||
|
@ -23,3 +23,27 @@
|
|||
- /bin/mount # Only root should mount
|
||||
- /bin/umount # Only root should umount
|
||||
ignore_errors: true # Sometimes file won't exist
|
||||
|
||||
# Only SSH keys to log on root
|
||||
- name: Prohibit root SSH with password
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin'
|
||||
insertafter: '^#PermitRootLogin'
|
||||
line: 'PermitRootLogin prohibit-password'
|
||||
notify: Restart sshd service
|
||||
|
||||
# See banned client with `fail2ban-client status sshd`
|
||||
- name: Install fail2ban
|
||||
apt:
|
||||
name: fail2ban
|
||||
register: apt_result
|
||||
retries: 3
|
||||
until: apt_result is succeeded
|
||||
|
||||
- name: Configure fail2ban
|
||||
template:
|
||||
src: fail2ban/jail.d/local.conf.j2
|
||||
dest: /etc/fail2ban/jail.d/local.conf
|
||||
mode: 0644
|
||||
notify: Restart fail2ban service
|
||||
|
|
|
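Review bot: `Prohibit root SSH with password` edits `sshd_config` and notifies a restart, but nothing checks the result first, so a typo in the line would restart sshd into a failed state and could lock the host out; add `validate: '/usr/sbin/sshd -t -f %s'` to the `lineinfile` task so the edit is rejected before the handler ever runs. Because `insertafter` only matches a commented `#PermitRootLogin` line, a config lacking it gets the directive appended at end of file, where it would fall inside any trailing `Match` block and apply only there — worth a comment, or an explicit anchor. The new `Configure fail2ban` task writes `mode: 0644` as a plain YAML integer (the first hunk's context line does the same); ansible-lint's risky-octal rule asks for `mode: "0644"`. This section's file header is not visible on this page, so the path is inferred to be the basesecurity tasks file.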
@ -0,0 +1,9 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
# Ban a host for 10mn
|
||||
# if it has failed 5 times during the last 10mn
|
||||
[sshd]
|
||||
enabled = true
|
||||
bantime = 600
|
||||
findtime = 600
|
||||
maxretry = 5
|
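Review bot: The `[sshd]` jail leaves fail2ban's `backend` and `logpath` at their defaults, which on Debian means polling `/var/log/auth.log`; on a host that logs only to journald that file does not exist and fail2ban refuses to start the jail, so consider `backend = systemd` under `[sshd]` if any target runs without rsyslog — confirm against the inventory. A `bantime` equal to the `findtime` window is a deliberately mild setting and deserves a comment saying so, e.g. `# Mild defaults: a banned host is released after one findtime window`, or a longer `bantime` if that was not the intent. The comment `# Ban a host for 10mn` should read `# Ban a host for 10 min`. This section's file header is not on the page; the path is inferred from the `src: fail2ban/jail.d/local.conf.j2` line in the tasks section.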