triplepoint.secure_device

Intro

The purpose of this role is to set up a machine in a basic way that keeps it secure enough to be exposed to the public Internet without being compromised quickly.

Here are the main tasks:

  • Install Fail2ban to block bad login attempts.
  • Turn off login access for the root user via SSH.
  • Disable password logins for everyone (only allow SSH keys).
  • Restrict SSH and sudo access to an explicit allow-list of users.
  • Limit SSH access to certain IP address ranges.
  • Install ufw to block all traffic, allowing specific ports if needed (optional).
  • Install unattended-upgrades to automatically apply security updates for apt packages.
  • Set up an ntp server to keep the system time accurate.
  • Install logwatch to send daily log reports to an admin email.

Review this role carefully for the details, and understand that no security guarantees are made.
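As an added example (not the role's own tasks), here is how the SSH and firewall items in the list above can be expressed as an Ansible playbook. The variable names ssh_allowed_users and ssh_allowed_ranges, their values, and the handler name are assumptions; the pre-flight key check is included because disabling password authentication before a key is in place locks the operator out.

```yaml
# Added example, not the role's own tasks; variable names are assumed, values constructed.
- hosts: whatever
  become: true
  vars:
    ssh_allowed_users: ['admin']            # constructed allow-list of SSH/sudo users
    ssh_allowed_ranges: ['203.0.113.0/24']  # constructed source ranges allowed to reach port 22
  tasks:
    # Lockout guard: every allow-listed user needs a key before password auth is switched off.
    - name: Check that each allowed user already has an authorized_keys file
      ansible.builtin.stat:
        path: "/home/{{ item }}/.ssh/authorized_keys"
      loop: "{{ ssh_allowed_users }}"
      register: key_files

    - name: Abort if any allowed user has no SSH key installed
      ansible.builtin.assert:
        that: key_files.results | rejectattr('stat.exists') | list | length == 0
        fail_msg: "Install authorized_keys for every user in ssh_allowed_users first"

    - name: Disable root login and password authentication, restrict users
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'
        line: '{{ item.key }} {{ item.value }}'
        validate: '/usr/sbin/sshd -t -f %s'   # refuse to write a config sshd cannot parse
      loop:
        - { key: PermitRootLogin, value: 'no' }
        - { key: PasswordAuthentication, value: 'no' }
        - { key: KbdInteractiveAuthentication, value: 'no' }   # another password-style path
        - { key: AllowUsers, value: "{{ ssh_allowed_users | join(' ') }}" }
      notify: restart ssh

    - name: Allow SSH only from the listed source ranges
      community.general.ufw:
        rule: allow
        port: '22'
        proto: tcp
        src: "{{ item }}"
      loop: "{{ ssh_allowed_ranges }}"

    - name: Enable ufw with a default deny policy for everything else
      community.general.ufw:
        state: enabled
        policy: deny
  handlers:
    - name: restart ssh
      ansible.builtin.service:
        name: ssh          # service name on Debian/Ubuntu; 'sshd' on RHEL-family hosts
        state: restarted
```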

Requirements

None.

Role Variables

For configuration details, see the comments in the role's default variables file.

Dependencies

None.

Example Playbook

- hosts: whatever
  roles:
    - triplepoint.secure_device

Role Testing

This role is tested with molecule, with pipenv managing the Python dependencies and test environment.

Setting Up Your Execution Environment

First, install pipenv:

pip install pipenv

After installing pipenv, set up the execution virtual environment with:

pipenv install --dev

Running Tests

To run molecule tests after setting up your environment, use:

pipenv run molecule test

Regenerating the Lock File

You won't need to do this often, but if you add or update Python packages with pipenv install {some_package}, edit the Pipfile directly, or the pinned dependencies become outdated, you may need to refresh Pipfile.lock:

pipenv update --dev

Make sure to check in the new Pipfile.lock after this step.

License

MIT

Project information

A role responsible for some basic security tweaks for internet-facing machines

Install
ansible-galaxy install triplepoint.secure_device