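---
# tasks file for hardening
#
# Applies a small set of host-hardening changes: network sysctls, sshd_config
# settings and a pre-login banner. Tasks that edit sshd_config notify the
# "Restart SSH" handler, which is expected to be defined in handlers/main.yml.

- name: Improve kernel security (hardening)
  ansible.posix.sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    state: present
    reload: true  # run `sysctl -p` so the values apply without a reboot
  loop:
    # The kernel combines conf.all.* with conf.<interface>.* per interface, and
    # new interfaces inherit conf.default.*; for most of these keys an interface
    # is only protected when both are off, so both variants are set.
    - { key: 'net.ipv4.conf.all.accept_redirects', value: '0' }
    - { key: 'net.ipv4.conf.default.accept_redirects', value: '0' }
    - { key: 'net.ipv4.conf.all.send_redirects', value: '0' }
    - { key: 'net.ipv4.conf.default.send_redirects', value: '0' }
    - { key: 'net.ipv4.conf.all.accept_source_route', value: '0' }
    - { key: 'net.ipv4.conf.default.accept_source_route', value: '0' }
    - { key: 'net.ipv4.conf.all.rp_filter', value: '1' }  # Prevent IP spoofing (reverse-path check)
    - { key: 'net.ipv4.conf.default.rp_filter', value: '1' }
    - { key: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }  # Prevent smurf attacks
  # NOTE(review): IPv6 equivalents (net.ipv6.conf.{all,default}.accept_redirects
  # and accept_source_route) are not covered; add them if the hosts run IPv6.

- name: Hardening SSH configuration
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    # Reject the edit if sshd would not accept the resulting file, so a typo
    # cannot leave the host without a working SSH daemon after the restart.
    validate: '/usr/sbin/sshd -t -f %s'
  loop:
    # '^#?' also matches the commented-out default that distributions ship, so
    # the line is replaced in place instead of being appended at end of file.
    - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin no' }  # Prevent login as root
    # NOTE(review): password logins stay enabled here; switch this to 'no' only
    # once key-based access has been confirmed for every operator account.
    - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication yes' }
    - { regexp: '^#?MaxAuthTries', line: 'MaxAuthTries 3' }  # Disconnect after three failed attempts
    # sshd probes a silent client every 300 s and drops the session after
    # ClientAliveCountMax (default 3) unanswered probes. This clears dead
    # connections; it does not log out an idle user whose client still replies.
    - { regexp: '^#?ClientAliveInterval', line: 'ClientAliveInterval 300' }
  # NOTE(review): recent distributions start sshd_config with
  # "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the first value it
  # sees, so a drop-in file there can silently override the lines set above.
  notify: Restart SSH

- name: Add issue banner
  ansible.builtin.copy:
    content: |
      *******************************************************
      * WARNING: AUTHORIZED ACCESS ONLY.                    *
      * All activities are monitored and logged.            *
      * If you are not authorized, disconnect NOW!          *
      *******************************************************
    dest: /etc/issue.net
    owner: root
    group: root
    mode: '0644'  # world-readable, root-writable; sshd reads it before authentication

- name: Enable banner in SSH
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?Banner'
    line: 'Banner /etc/issue.net'
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Restart SSH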