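---
# tasks file for hardening
#
# Baseline host hardening in three parts: kernel network sysctls, a handful
# of sshd_config directives, and a pre-login banner.  The "Restart SSH"
# handler these tasks notify is expected to live in the role's handlers
# file (not visible here).

- name: Improve kernel security (hardening)
  ansible.posix.sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    state: present
    reload: true
  # Only the `all` variants are set; interfaces created after boot take
  # their initial values from net.ipv4.conf.default.* — extend the loop
  # with the matching `default` keys if that matters for the target.
  loop:
    # Ignore ICMP redirects, which could otherwise alter the routing table.
    - key: 'net.ipv4.conf.all.accept_redirects'
      value: '0'
    # A host that is not a router has no reason to emit redirects.
    - key: 'net.ipv4.conf.all.send_redirects'
      value: '0'
    # Drop source-routed packets.
    - key: 'net.ipv4.conf.all.accept_source_route'
      value: '0'
    # Strict reverse-path filtering — prevent IP spoofing.
    - key: 'net.ipv4.conf.all.rp_filter'
      value: '1'
    # Do not answer broadcast pings — prevent smurf attacks.
    - key: 'net.ipv4.icmp_echo_ignore_broadcasts'
      value: '1'

- name: Hardening SSH configuration
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    # Refuse to write a file sshd cannot parse; a bad edit would otherwise
    # lock out remote access at the next restart.
    validate: /usr/sbin/sshd -t -f %s
  # The `^#?` prefix also matches the commented-out defaults shipped in
  # sshd_config, so the directive is replaced in place rather than appended
  # after them.  sshd keeps the first value it reads for a directive; on
  # distributions whose sshd_config starts with an `Include` of
  # sshd_config.d/*.conf, a drop-in there still wins — confirm the effective
  # settings with `sshd -T` on the host.
  loop:
    # Prevent login as root.
    - regexp: '^#?PermitRootLogin'
      line: 'PermitRootLogin no'
    # Password logins stay enabled; MaxAuthTries below bounds guessing per
    # connection.
    - regexp: '^#?PasswordAuthentication'
      line: 'PasswordAuthentication yes'
    # Drop the connection after three failed authentication attempts.
    - regexp: '^#?MaxAuthTries'
      line: 'MaxAuthTries 3'
    # Probe the client every 300 s of silence so dead connections are torn
    # down (after ClientAliveCountMax unanswered probes, default 3).  This is
    # a liveness check, not an idle-user logout — a connected client answers
    # the probes automatically; use a shell timeout (e.g. TMOUT) for that.
    - regexp: '^#?ClientAliveInterval'
      line: 'ClientAliveInterval 300'
  notify: Restart SSH

- name: Add issue banner
  ansible.builtin.copy:
    content: |
      *******************************************************
      * WARNING: AUTHORIZED ACCESS ONLY.                    *
      * All activities are monitored and logged.            *
      * If you are not authorized, disconnect NOW!          *
      *******************************************************
    dest: /etc/issue.net
    # Pin ownership and mode explicitly instead of inheriting the umask;
    # the banner must be world-readable for sshd to serve it pre-auth.
    owner: root
    group: root
    mode: "0644"

- name: Enable banner in SSH
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?Banner'
    line: 'Banner /etc/issue.net'
    state: present
    # Same safety net as the directive edits above.
    validate: /usr/sbin/sshd -t -f %s
  notify: Restart SSH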