Merge branch 'secure_ssh' into 'master'
Fail2ban by default See merge request aurore/ansible!23
commit
c38c1aedc1
3 changed files with 45 additions and 2 deletions
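--- /dev/null
+++ b/roles/basesecurity/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart sshd service
+  service:
+    name: sshd
+    state: restarted
+
+- name: Restart fail2ban service
+  service:
+    name: fail2ban
+    state: restarted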
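Review bot: The sshd handler uses `name: sshd`, but on Debian/Ubuntu (which the role's use of `apt` suggests) the unit is `ssh.service`; `sshd` resolves only through the `Alias=sshd.service` that systemd creates while the unit is enabled, so the handler would fail on a host where ssh.service has been disabled or masked and re-enabled manually. Using `name: ssh` on those platforms, or making the unit name a role variable, removes that dependency. A short comment such as `# Debian ships ssh.service; sshd is only an alias` would explain the choice either way.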
@ -1,8 +1,8 @@
---
---
- name: Configure sysctl
- name: Configure sysctl
template:
template:
src: 'sysctl.d/local.conf.j2'
src: sysctl.d/local.conf.j2
dest: '/etc/sysctl.d/local.conf'
dest: /etc/sysctl.d/local.conf
mode: 0644
mode: 0644
# Use this command to list setuid or setgid executables
# Use this command to list setuid or setgid executables
@ -23,3 +23,27 @@
- /bin/mount # Only root should mount
- /bin/mount # Only root should mount
- /bin/umount # Only root should umount
- /bin/umount # Only root should umount
ignore_errors: true # Sometimes file won't exist
ignore_errors: true # Sometimes file won't exist
# Only SSH keys to log on root
- name: Prohibit root SSH with password
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
insertafter: '^#PermitRootLogin'
line: 'PermitRootLogin prohibit-password'
notify: Restart sshd service
# See banned client with `fail2ban-client status sshd`
- name: Install fail2ban
apt:
name: fail2ban
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure fail2ban
template:
src: fail2ban/jail.d/local.conf.j2
dest: /etc/fail2ban/jail.d/local.conf
mode: 0644
notify: Restart fail2ban service
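Review bot: The `lineinfile` edit of /etc/ssh/sshd_config in the third hunk notifies the sshd restart handler without any syntax check, so a malformed result would be restarted straight into the running daemon and could cut off remote access; add `validate: '/usr/sbin/sshd -t -f %s'` to that task so the temp file is checked before it is moved into place. The `insertafter: '^#PermitRootLogin'` fallback also deserves a look: when neither pattern matches, lineinfile appends at end of file, and if the config ends in a `Match` block the directive would then apply to that block only rather than globally — presumably not the case on a stock Debian sshd_config, but worth a comment on the task. Minor: the new `mode: 0644` on the fail2ban template is an unquoted YAML 1.1 octal that ansible-lint flags (`risky-octal`); prefer `mode: '0644'` here (the same pattern is inherited from the sysctl task above, outside this change).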
@ -0,0 +1,9 @@
# {{ ansible_managed }}
# Ban a host for 10mn
# if it has failed 5 times during the last 10mn
[sshd]
enabled = true
bantime = 600
findtime = 600
maxretry = 5
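Review bot: The `[sshd]` jail sets no `ignoreip`, so the host running this playbook and any admin bastion are subject to the same five-failures-in-ten-minutes ban as everyone else, and repeated failed logins from a management host (a wrong key after a rotation, for instance) could ban the controller itself. An `ignoreip = 127.0.0.1/8 ::1 <admin network placeholder>` line, ideally rendered from a role variable, keeps management access out of the ban logic. The header would also benefit from stating what this file overrides: `# Overrides the sshd jail only; DEFAULT settings (backend, log path) come from jail.conf`, and `# Ban a host for 10mn` reads more clearly as `# Ban a host for 10 minutes (bantime)`.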