security

Overview Versions Insights

Setup a secure Ubuntu VPS using Ansible

This playbook defines a single role called security which sets up

ufw
fail2ban
unattended-upgrades
SSH logging using monit

Securing SSH Access

Installs ufw and sets the firewall to deny all, with an exception for SSH traffic on port 22.

Updates /etc/ssh/sshd_conf to disable password authentication and root login.

Installs fail2ban with default settings.

Automatic Security Updates

Installs unattended-upgrades with minimal settings and adds Ubuntu {{ ansible_distribution_release }}-security to allowed origins.

Logging SSH Access

Installs monit and sets the update interval to 5 seconds.

Adds a rule which checks for Accepted publickey in the log file /var/log/auth.log. If the rule fires, it runs a script (ssh-alert.py) which posts server name, user name, and source IP to Slack.

Role Variables

slack_webhook: Needed to post SSH logins to Slack. Defined in defaults/main.yml and defaults to the empty string. (If the default is not overridden SSH logging is disabled.)
ssh_port: Set to 22 by default.

Example Playbook

- hosts: all
  roles:
    - role: fegge.security
      slack_webhook: URL

License

Unlicense (http://unlicense.org).

Build status

About

Provides Ubuntu server hardening

role hardening security

Install

ansible-galaxy install fegge/ansible-security

GitHub repository

2 stars

1 forks

1 open issues

License

unlicense

Downloads

Owner

Fredrik Dahlgren