--- - name: Configure sysctl template: src: sysctl.d/local.conf.j2 dest: /etc/sysctl.d/local.conf mode: 0644 # Use this command to list setuid or setgid executables # find / -type f -perm /6000 -ls 2>/dev/null - name: Desactivate setuid/setgid on unused binaries file: path: "{{ item }}" mode: u-s,g-s loop: - /usr/lib/openssh/sshkeysign # Not used - /usr/bin/gpasswd # No group auth - /usr/bin/passwd # Only root should change passwd - /usr/bin/expiry # With re2o - /usr/bin/newgrp # No group auth - /usr/bin/chage # With re2o - /usr/bin/chsh # With re2o - /usr/bin/chfn # With re2o - /bin/mount # Only root should mount - /bin/umount # Only root should umount ignore_errors: true # Sometimes file won't exist # Only SSH keys to log on root - name: Prohibit root SSH with password lineinfile: dest: /etc/ssh/sshd_config regexp: '^{{ item.0 }}' insertafter: '^#{{ item.0 }}' line: '{{ item.0 }} {{ item.1 }}' loop: - ["PermitRootLogin", "prohibit-password"] - ["AllowAgentForwarding", "no"] - ["X11Forwarding", "no"] - ["TCPKeepAlive", "yes"] notify: Restart sshd service # See banned client with `fail2ban-client status sshd` - name: Install fail2ban apt: name: fail2ban state: present register: apt_result retries: 3 until: apt_result is succeeded - name: Configure fail2ban ini_file: path: /etc/fail2ban/jail.d/local.conf section: "{{ item.section }}" option: "{{ item.option }}" value: "{{ item.value }}" state: present notify: Restart fail2ban service loop: - section: sshd option: ignoreip value: 10.128.0.254 # Whitelist bastion - section: sshd option: enabled value: "true" - section: sshd option: bantime value: 600 - section: sshd option: findtime value: 600 - section: sshd option: maxretry value: 5 # See altered packages and configurations with `debsums -ca` - name: Install debsums apt: name: debsums state: present register: apt_result retries: 3 until: apt_result is succeeded