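---
## This playbook hardens an Ubuntu/Debian based server and reduces security risk.
## Run it as root: it installs packages and changes system configuration.
## The variables it uses (name, password, port, N0PASSWDLINE) are read from vars.yml.
- hosts: servers
  gather_facts: false
  vars_files:
    - vars.yml  # file where the variables used in this playbook are defined

  tasks:
    - name: Installing Python-apt  # ansible dependency for the apt module
      apt:
        name: python-apt  # NOTE(review): python3-only releases ship this as python3-apt - confirm for the target
        state: present

    - name: Installing aptitude
      apt:
        name: aptitude
        state: present

    - name: Update cache  # refreshes the apt cache AND upgrades the installed packages
      apt:
        upgrade: "yes"  # apt module choice (dist/full/no/safe/yes); quoted so YAML does not read it as a boolean
        update_cache: true
        # cache_valid_time: 86400  # one day

    - name: Adding additional user  # adds a user to the sudo group and generates an ssh key pair for it
      user:
        name: "{{ name }}"
        comment: "This is a super user"
        groups: sudo
        # NOTE(review): the user module expects an already hashed value here; make sure
        # vars.yml holds a hash (e.g. produced with the password_hash filter), not plaintext.
        password: "{{ password }}"
        generate_ssh_key: true

    - name: Adding Authorized key to the above user  # installs the control node's public key for the new user
      authorized_key:
        user: "{{ name }}"
        key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_rsa.pub') }}"
        state: present

    # This task can be skipped for better security: NOPASSWD removes the password prompt for sudo.
    - name: Giving user {{ name }} sudo with NOPASSWD privilege
      lineinfile:
        dest: /etc/sudoers
        regexp: '^%sudo'
        line: "{{ N0PASSWDLINE }}"  # variable name is spelled with a zero (N0), as in vars.yml
        state: present
        validate: '/usr/sbin/visudo -cf %s'  # reject a malformed line instead of breaking sudo for everyone

    - name: Open a Port for ssh  # allows the new ssh port before the default one is closed below
      ufw:
        port: "{{ port }}"
        rule: allow
      # ufw rules have no effect until the firewall itself is enabled (ufw: state: enabled)

    - name: Making Server to Reboot when out of memory  # kernel panics on OOM and reboots 10 seconds later
      lineinfile:
        dest: /etc/sysctl.conf
        insertbefore: BOF
        line: "{{ item }}"
        state: present
      with_items:
        - 'vm.panic_on_oom=1'
        - 'kernel.panic=10'
      # the new values are applied at the next boot (or by running sysctl -p)

    - name: Installing Fail2ban  # default settings are sufficient; adjust the jails as per your need
      apt:
        name: fail2ban
        state: present

    - name: Enable fail2ban
      service:
        name: fail2ban
        state: started
        enabled: true

    - name: Change ssh port
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Port\s'  # single quotes: \s is not a valid escape inside a YAML double-quoted scalar
        line: "Port {{ port }}"
        state: present
        validate: '/usr/sbin/sshd -t -f %s'  # never write a config that sshd cannot load (would lock you out)

    - name: Set hostname
      hostname:
        name: "{{ server_hostname | default('srv1.aquevix.com') }}"  # override server_hostname in vars.yml

    - name: Close default Port for ssh  # denies the default port 22 now that the new port is allowed
      ufw:
        port: "22"
        rule: deny

## After running the playbook, restart the server so the sshd and sysctl changes take effect.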