githubixx.harden_linux

ansible-role-harden-linux

This Ansible role was mainly created for my blog series Kubernetes the not so hard way with Ansible - Harden the instances. However, you can also use it on its own to make your Linux systems more secure. Here are the main features (some are optional):

  • Create a regular user for administration (like using Ansible or logging in via SSH)
  • Change how often the system checks for APT updates
  • Set up a firewall (UFW) to allow only SSH access by default (you can add more rules or allowed networks as needed)
  • Modify security settings in sysctl
  • Change SSH server settings (like disabling password authentication, root login, and PermitTunnel)
  • Install sshguard for added security and manage the whitelist
  • Change the root user password
  • Set up time synchronization (NTP) using tools like openntpd, ntp, or systemd-timesyncd
  • Update the configuration for systemd-resolved (DNS)

Versions

Every release is tagged, following semantic versioning. I recommend using the latest tag for stability. The master branch is for development, while tags indicate stable versions, but the master is also kept in good condition.

Changelog

For the complete change history, see CHANGELOG.md. Recent changes:

v8.2.0

  • FEATURE
    • Added support for Ubuntu 24.04

v8.1.0

  • OTHER
    • Updated comments about creating encrypted passwords
    • For Ubuntu, added a task for automatic removal of unnecessary packages
    • Updated GitHub workflow
  • MOLECULE
    • Changed to use alvistack instead of generic Vagrant boxes
    • Used different IP addresses

v8.0.0

  • BREAKING/FEATURE
    • Introduced new variables for user and group configurations (optional)
    • If the deploy user is set to root, no changes will be made.
    • The $HOME directory for a new user is only created if specified.
  • MOLECULE
    • Updated the testing scenario to reflect new user/group changes.

Installation

  • Download the role directly from GitHub. Navigate to the Ansible roles directory and use:

    git clone https://github.com/githubixx/ansible-role-harden-linux.git githubixx.harden_linux
    
  • Install via the command line from Ansible Galaxy:

    ansible-galaxy role install githubixx.harden_linux
    
  • To use a requirements.yml file, add the following contents:

    ---
    roles:
      - name: githubixx.harden_linux
        src: https://github.com/githubixx/ansible-role-harden-linux.git
        version: v8.1.0
    

    Then install with:

    ansible-galaxy role install -r requirements.yml
    

Role Variables

The following variables do not have default values. You must specify them in a file located in the group_vars or host_vars directory. For a specific host, create a file named after the host's fully qualified domain name (e.g., host_vars/your-server.example.tld). For a host group, create a file in group_vars/your-group.yml.

To change the root password, set the harden_linux_root_password variable. This is optional and must contain an already encrypted (hashed) password; Ansible does not generate it for you. Use this command to generate one on Linux:

mkpasswd --method=sha-512

To create a user who can run commands with sudo without a password, set these variables:

harden_linux_deploy_user: "a_username"
harden_linux_deploy_user_password: "a_password"
harden_linux_deploy_user_home: "/home/a_user"
harden_linux_deploy_user_uid: "9999"
harden_linux_deploy_user_gid: "9999"
harden_linux_deploy_user_shell: "/bin/bash"

harden_linux_deploy_user is the username for logging into the remote host. This role disables root SSH login, so you'll need a different user with "sudo" permissions for Ansible tasks.

To set the user's home directory, UID and GID, use harden_linux_deploy_user_home, harden_linux_deploy_user_uid and harden_linux_deploy_user_gid. If the user already exists with different settings, it is updated to match these values.

You can specify additional SSH public key files for the deploy user with harden_linux_deploy_user_public_keys.

Additional variables include harden_linux_optional_packages for installing extra packages:

harden_linux_optional_packages:
  - vim

Or harden_linux_absent_packages for uninstalling packages:

harden_linux_absent_packages:
  - vim

The role ships default settings for the SSH daemon (sshd) that make it more secure:

harden_linux_sshd_settings:
  "^PasswordAuthentication": "PasswordAuthentication no"  # Disable password authentication
  "^PermitRootLogin": "PermitRootLogin no"                # Disable SSH root login
  "^PermitTunnel": "PermitTunnel no"                      # Disable tun(4) device forwarding
  "^Port ": "Port 22"                                     # SSH port

To change the default SSH port, modify it like this:

harden_linux_sshd_settings_user:
  "^Port ": "Port 22222"

For both the sshd and the UFW settings, each key is a regular expression (regex) matched against a line of the configuration file, and the value is the complete line that replaces it. Specifying the same key in harden_linux_sshd_settings_user (or harden_linux_ufw_defaults_user below) overrides the default for that key.

For the UFW firewall settings:

harden_linux_ufw_defaults:
  "^IPV6": 'IPV6=yes'
  "^DEFAULT_INPUT_POLICY": 'DEFAULT_INPUT_POLICY="DROP"'
  "^DEFAULT_OUTPUT_POLICY": 'DEFAULT_OUTPUT_POLICY="ACCEPT"'
  "^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="DROP"'
  "^DEFAULT_APPLICATION_POLICY": 'DEFAULT_APPLICATION_POLICY="SKIP"'

To add or override any settings, specify the same key as above (using regex):

harden_linux_ufw_defaults_user:
  "^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="ACCEPT"'
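The following added example (not code from the role itself) shows how the regex-keyed settings for sshd and for the UFW defaults above behave: user keys replace defaults with the same key, each key is matched against the lines of the file, and a key with no matching line is appended. The replace-last-match-or-append behaviour is assumed to mirror Ansible's lineinfile; the sample config contents are constructed.

```python
import re

# Defaults and user overrides copied from the README. Each key is a regex
# matched against a line of the config file; the value is the full line
# that replaces it (the shared key is what lets a user override a default).
SSHD_DEFAULTS = {
    "^PasswordAuthentication": "PasswordAuthentication no",
    "^PermitRootLogin": "PermitRootLogin no",
    "^PermitTunnel": "PermitTunnel no",
    "^Port ": "Port 22",
}
SSHD_USER = {"^Port ": "Port 22222"}
UFW_DEFAULTS = {"^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="DROP"'}
UFW_USER = {"^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="ACCEPT"'}

# Constructed sample files as they might look before hardening. Note the
# commented-out PermitTunnel line: "^PermitTunnel" does not match it, so
# the hardened value is appended instead of replacing the comment.
SAMPLE_SSHD_CONFIG = """# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitTunnel yes
"""
SAMPLE_UFW_DEFAULT = 'IPV6=yes\nDEFAULT_FORWARD_POLICY="DROP"\n'

def merge_settings(defaults, user):
    """A user entry with the same regex key replaces the default; all other
    defaults stay. This is the harden_linux_*_user override rule."""
    merged = dict(defaults)
    merged.update(user)
    return merged

def apply_settings(config_text, settings):
    """Replace the last line matching each regex, or append the line when
    nothing matches (assumption: mirrors lineinfile regexp/line semantics)."""
    lines = config_text.splitlines()
    for pattern, replacement in settings.items():
        regex = re.compile(pattern)
        for i in range(len(lines) - 1, -1, -1):
            if regex.search(lines[i]):
                lines[i] = replacement
                break
        else:
            lines.append(replacement)
    return "\n".join(lines) + "\n"

def harden(config_text, defaults, user):
    """Apply merged defaults plus user overrides to one config file's text."""
    return apply_settings(config_text, merge_settings(defaults, user))
```

If you move sshd to another port this way, check that harden_linux_ufw_rules also allows that port; otherwise the firewall, which only permits SSH by default, can block your own session.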

The role allows you to set specific firewall rules as well:

harden_linux_ufw_rules:
  - rule: "allow"
    to_port: "22"
    protocol: "tcp"

Additional parameters can be specified for finer control over the firewall rules.

The role also modifies sysctl variables for better security and performance, and you can override these settings too.

For logging in UFW, enable it with:

harden_linux_ufw_logging: 'on'

The role includes configurations for sshguard, NTP settings, removing specific files, adjusting systemd-resolved behavior, and more.

Example Playbook

To use the role, include it in your playbook like this:

- hosts: webservers
  roles:
    - githubixx.harden_linux

Testing

This role comes with a small test setup using Molecule and virtualization tools. Follow my blog for setup instructions.

Run the following commands to test:

molecule converge  # to set up the VMs
molecule verify    # to check the configurations
molecule destroy   # to clean up

License

GNU GENERAL PUBLIC LICENSE Version 3

Author Information

www.tauceti.blog
