
Untitled

a guest
Sep 9th, 2017
  1. ---
  2. ## This Playbook is to harden your server and reduce security risk. It is for ubuntu/Debian based server.
  3. ## Run this playbook as a root your because it requires various configuration changes and Installation.
  4. - hosts: servers
  5. gather_facts: false
  6. vars_files:
  7. - vars.yml ## files where varaible should be mentioned which are using in this playbook.
  8. tasks:
  9. - name: Installing Python-apt ## This will install ansible dependencies for aptitude module
  10. apt:
  11. name=python-apt
  12. state=present
  13.  
  14. - name: Installing aptitude
  15. apt:
  16. name=aptitude ## install aptitude module
  17. state=present
  18.  
  19. - name: Update cache
  20. apt:
  21. upgrade=yes ## update apt cache
  22. update_cache=yes
  23. # cache_valid_time=86400 # One day
  24.  
  25. - name: Adding additional user ## this will add a system user and create its ssh keys
  26. user:
  27. name='{{ name }}'
  28. comment="This is a super user"
  29. groups=sudo
  30. password='{{ password }}'
  31. generate_ssh_key=yes
  32.  
  33. - name: Adding Authorized key to the above user ## adding your user ssh public key to server's authorized user
  34. authorized_key:
  35. user='{{ name }}'
  36. key="{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_rsa.pub') }}"
  37. state=present
  38.  
  39. - name: Giving user {{ name }} sudo with NOPASSWD privilege ## this task could be avoided for better security.
  40. lineinfile:
  41. dest=/etc/sudoers
  42. regexp='^%sudo'
  43. line='{{ N0PASSWDLINE }}' ##
  44. state=present
  45.  
  46. - name: Open a Port for ssh ## this will open another port for ssh
  47. ufw:
  48. port='{{ port }}'
  49. rule=allow
  50.  
  51. - name: Making Server to Reboot when out of memory 1 ## this will reboot the server when server get out of memory.
  52. lineinfile:
  53. dest='/etc/sysctl.conf'
  54. insertbefore=BOF
  55. line={{ item }}
  56. state=present
  57. with_items:
  58. - 'vm.panic_on_oom=1'
  59. - 'kernel.panic=10'
  60.  
  61.  
  62. - name: Installing Fail2ban ## Install fail2ban. Default setting is enough but you can also modify fail2 ban as per your need.
  63. apt:
  64. name=fail2ban
  65. state=present
  66.  
  67. - name: Enable fail2ban
  68. service:
  69. name=fail2ban
  70. state=started
  71. enabled=yes
  72.  
  73. - name: Chnage ssh port ## changing ssh port
  74. lineinfile:
  75. dest=/etc/ssh/sshd_config
  76. regexp="^Port\s"
  77. line="Port {{ port }}"
  78. state=present
  79.  
  80. - name: Set hostname
  81. hostname:
  82. name=srv1.aquevix.com
  83.  
  84. - name: Close default Port for ssh ## this will open another port for ssh
  85. ufw:
  86. port=22
  87. rule=deny
  88.  
  89. ## after running the playbook. Restart your server to make changes working.