# triplepoint.secure_device

## Intro
The goal of this role is to bring a machine up as generically as possible, secure enough to face the public Internet and not immediately melt.
At a high level:
- Install Fail2ban, to make malicious authentication attempts harder
- Disable `root` user SSH
- Disable password SSH authentication for everyone (keys only)
- Disable SSH and `sudo` access for everyone, and create and configure a set of whitelisted users
- Limit SSH access to a specific IP address range
- Install `ufw` and disable all traffic, with configurable port exceptions (optional)
- Install `unattended-upgrades` and configure it for automatic apt package security updates
- Install an `ntp` server to ensure reliable system time
- Install `logwatch` and configure it to email daily log reports to an admin email address
Obviously this is a role best inspected in detail before use, as no guarantees can be made about security.
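The SSH settings in the list above are the ones most worth verifying after the role has run, because a single stray directive earlier in `sshd_config` silently overrides a later one. The following audit script is an added example and not part of the role; it reads one `sshd_config` file (assumed path, `Match` blocks and `Include` directives are ignored) and, like `sshd` itself, treats the first non-comment occurrence of a directive as the effective value. The sample configs it writes to `/tmp` are constructed for the demonstration.

```shell
#!/bin/sh
# Audit an sshd_config against the SSH baseline this role is meant to enforce:
# no root login, no password auth, key-only access, an explicit user whitelist.

# effective_value FILE DIRECTIVE -> first non-comment value of DIRECTIVE, or nothing
effective_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }                       # skip comment lines
    tolower($1) == tolower(key) { print $2; exit }  # first match wins, as in sshd
  ' "$1"
}

# sshd_findings FILE -> one line per deviation from the baseline; silent on success
sshd_findings() {
  f=$1
  v=$(effective_value "$f" PermitRootLogin)
  [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-<default>}', expected 'no'"
  v=$(effective_value "$f" PasswordAuthentication)
  [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-<default>}', expected 'no'"
  # Keyboard-interactive (PAM) auth can still prompt for a password even when
  # PasswordAuthentication is off; the directive was renamed in OpenSSH 8.7,
  # so accept either spelling.
  v=$(effective_value "$f" KbdInteractiveAuthentication)
  [ -n "$v" ] || v=$(effective_value "$f" ChallengeResponseAuthentication)
  [ "$v" = "no" ] || echo "keyboard-interactive auth is '${v:-<default>}', expected 'no'"
  v=$(effective_value "$f" PubkeyAuthentication)
  [ "$v" != "no" ] || echo "PubkeyAuthentication is 'no'; key-only login is impossible"
  v=$(effective_value "$f" AllowUsers)
  [ -n "$v" ] || echo "AllowUsers is unset; no user whitelist in effect"
}

# Constructed sample configs (not taken from the role) for a stand-alone run.
printf '%s\n' '# hardened host' 'PermitRootLogin no' 'PasswordAuthentication no' \
  'KbdInteractiveAuthentication no' 'AllowUsers deploy ops' > /tmp/sshd_good.conf
printf '%s\n' 'PermitRootLogin yes' '# PasswordAuthentication no' \
  'PasswordAuthentication yes' 'PubkeyAuthentication no' > /tmp/sshd_bad.conf

sshd_findings /tmp/sshd_good.conf   # prints nothing
sshd_findings /tmp/sshd_bad.conf    # prints five findings
```

Run it against `/etc/ssh/sshd_config` on a host after the role has been applied; an empty result means the SSH part of the baseline is in effect for the main file.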
## Requirements
None.
## Role Variables
See the comment in the default variables file for information on configuration.
## Dependencies
None.
## Example Playbook

```yaml
- hosts: whatever
  roles:
    - triplepoint.secure_device
```
## Role Testing
This role is tested with `molecule`, using `pipenv` to handle dependencies and the Python testing environment.
### Setting Up Your Execution Environment

```shell
pip install pipenv
```
Once you have `pipenv` installed, you can build the execution virtualenv with:

```shell
pipenv install --dev
```
### Running Tests

Once you have your environment configured, you can execute `molecule` with:

```shell
pipenv run molecule test
```
### Regenerating the Lock File

You shouldn't have to do this very often, but if you change the Python package requirements using `pipenv install {some_package}` commands or by editing the `Pipfile` directly, or if you find the build dependencies have fallen out of date, you might need to regenerate the `Pipfile.lock`.

```shell
pipenv update --dev
```

Be sure to check in the regenerated `Pipfile.lock` when this process is complete.
## License
MIT
A role responsible for some basic security tweaks for internet-facing machines.

```shell
ansible-galaxy install triplepoint.secure_device
```