chzerv.security

Ansible Role: Security

Important changes: from version 0.7, this role no longer supports the options security_enforce_strong_passwords, security_log_after_failed_logins and security_nproc_limit. A bad PAM configuration can lock you out of your system, so these settings need a better implementation method before they are offered again.

Keep in mind that protecting YOUR PC/server is YOUR responsibility. This role is a basic template and should be treated as a starting point, not a complete solution.

This role applies basic security settings on RedHat-, Debian- and Archlinux-based Linux systems, including:

  • Installing and configuring fail2ban to watch for unsuccessful SSH login attempts.
  • Basic SSH enhancements like:
    • Disabling root login.
    • Disabling password authentication.
    • Enabling key-based authentication.
    • Changing the default port.
    • Disabling weak algorithms.
  • Setting up automatic updates.
  • Basic kernel enhancements.
  • Basic hardening of the TCP/IP stack.
  • Removing selected packages.
  • Disabling core dumps using limits.
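
As an added check that is not part of the role itself: a POSIX shell script that verifies the SSH settings listed above against the effective daemon configuration. It expects input in `sshd -T` format (lowercase "key value" lines); the two configurations below are constructed samples so that it runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the chzerv.security role: check the effective sshd
# configuration for the SSH hardening the role applies. Input is expected in
# `sshd -T` format (lowercase "key value" lines, one setting per line).

# Constructed sample: a configuration that still has the stock settings.
SAMPLE_DEFAULT='permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
port 22
ciphers aes128-cbc,aes256-ctr'

# Constructed sample: what the configuration should look like after hardening.
SAMPLE_HARDENED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
port 2222
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com'

# ssh_setting CONFIG KEY: print the value of KEY (case-insensitive); first match wins.
ssh_setting() {
    printf '%s\n' "$1" | awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }'
}

# check_ssh_hardening CONFIG: return 0 when every expectation holds, otherwise
# report each failing check and return 1.
check_ssh_hardening() {
    cfg="$1"
    rc=0
    [ "$(ssh_setting "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: root login is still permitted"; rc=1; }
    [ "$(ssh_setting "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: password authentication is still enabled"; rc=1; }
    [ "$(ssh_setting "$cfg" PubkeyAuthentication)" = "yes" ] \
        || { echo "FAIL: public key authentication is disabled"; rc=1; }
    [ "$(ssh_setting "$cfg" Port)" != "22" ] \
        || { echo "FAIL: sshd still listens on the default port 22"; rc=1; }
    # CBC-mode and RC4 (arcfour) ciphers are the classic weak choices to drop.
    case "$(ssh_setting "$cfg" Ciphers)" in
        *cbc*|*arcfour*) echo "FAIL: weak ciphers are still enabled"; rc=1 ;;
    esac
    return "$rc"
}

# Stand-alone usage: on a real host run check_ssh_hardening "$(sudo sshd -T)";
# here the constructed hardened sample is checked instead.
check_ssh_hardening "$SAMPLE_HARDENED" && echo "hardened sample: all checks passed"
```

Run it after the role has been applied; every FAIL line names a setting that the role was expected to change but which the running daemon does not reflect.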

Requirements

  • After this role has been applied, SSH access is only possible with public keys. Make sure your SSH keys are copied to the remote host first. Instructions on copying your SSH keys can be found in this ArchWiki entry.
  • You should have a basic understanding of each setting's function.

Role Variables

Dependencies

There are no dependencies.

Example Playbook

An example of how to use this role, passing its parameters in from a vars file:

- hosts: server
  vars_files:
    - vars/main.yml

  roles:
    - { role: chzerv.security }

Contents of the vars/main.yml file:

security_kern_go_hardcore: true
security_net_go_hardcore: true
security_autoupdates_enabled: true
security_autoupdates_type: "security"
security_fail2ban_enabled: true
security_fail2ban_harden_service: true

License

MIT / BSD

About the project

Configure a Linux box to be more secure.

Install
ansible-galaxy install chzerv.security
License
mit
Downloads
173
Owner
Open Source and Linux enthusiast, with a passion for automation and infrastructure.