Merge branch 'secure_ssh' into 'master'

Fail2ban by default

See merge request aurore/ansible!23
Alexandre IOOSS 2019-03-14 15:49:12 +01:00
commit c38c1aedc1
3 changed files with 45 additions and 2 deletions


@ -0,0 +1,10 @@
---
- name: Restart sshd service
service:
name: sshd
state: restarted
- name: Restart fail2ban service
service:
name: fail2ban
state: restarted
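Review bot: The `Restart sshd service` handler is what fires after the `sshd_config` edit in the tasks file, and `state: restarted` stops the daemon and starts it again with whatever is in the file, so an edit that produces a config sshd rejects is only discovered when the start fails and the host may by then be reachable only through sessions that are already open; the handler should only ever run on a file that has been validated first. Since the tasks file installs packages with `apt`, this presumably targets Debian/Ubuntu, where the OpenSSH unit is `ssh` and `sshd` is a systemd alias that exists only while the unit is enabled — confirm that `name: sshd` resolves on your hosts, or use `name: ssh`. For the fail2ban handler `state: reloaded` would be enough for jail changes, though the restart is harmless.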


@ -1,8 +1,8 @@
---
- name: Configure sysctl
template:
src: 'sysctl.d/local.conf.j2'
dest: '/etc/sysctl.d/local.conf'
src: sysctl.d/local.conf.j2
dest: /etc/sysctl.d/local.conf
mode: 0644
# Use this command to list setuid or setgid executables
@ -23,3 +23,27 @@
- /bin/mount # Only root should mount
- /bin/umount # Only root should umount
ignore_errors: true # Sometimes file won't exist
# Only SSH keys to log on root
- name: Prohibit root SSH with password
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
insertafter: '^#PermitRootLogin'
line: 'PermitRootLogin prohibit-password'
notify: Restart sshd service
# See banned client with `fail2ban-client status sshd`
- name: Install fail2ban
apt:
name: fail2ban
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure fail2ban
template:
src: fail2ban/jail.d/local.conf.j2
dest: /etc/fail2ban/jail.d/local.conf
mode: 0644
notify: Restart fail2ban service
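Review bot: The `Prohibit root SSH with password` task rewrites `/etc/ssh/sshd_config` and notifies a restart without checking the result, so a line sshd cannot parse is noticed only when the restart fails; add `validate: '/usr/sbin/sshd -t -f %s'` to the `lineinfile` so the handler never runs on a broken file. Note also that `insertafter: '^#PermitRootLogin'` falls back to end-of-file when no commented line matches, and if a host's `sshd_config` ends with a `Match` block the directive lands inside it and applies only to that match rather than globally — `sshd -t` will not flag that, so consider `insertbefore: '^Match'` or `firstmatch: true` for hosts that carry `Match` blocks. `mode: 0644` on the fail2ban template is an unquoted octal; Ansible reads it correctly because of the leading zero, but `mode: '0644'` is the documented form and keeps yamllint quiet.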


@ -0,0 +1,9 @@
# {{ ansible_managed }}
# Ban a host for 10mn
# if it has failed 5 times during the last 10mn
[sshd]
enabled = true
bantime = 600
findtime = 600
maxretry = 5
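Review bot: The jail defines no `ignoreip`, so the Ansible controller and any admin network are subject to the same 5-failures-in-10-minutes ban as everyone else, and a run with a stale key or a wrong remote user can lock the controller out for `bantime`; add `ignoreip = 127.0.0.1/8 ::1` followed by the management ranges this role is run from. With `maxretry = 5` over a 600 s `findtime`, a slow brute force at one attempt every three minutes never triggers a ban, and a 10-minute ban is cheap for an attacker that rotates addresses, so consider a longer `bantime` and, if the installed fail2ban is 0.11 or newer, `bantime.increment = true`. These settings apply only to the `sshd` jail, so nothing here protects any other exposed service.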