Ansible role for basic GNU/Linux server hardening.
- Sets up `iptables`.
  - Will disable all incoming traffic by default except for established connections, ICMP type 8 pings, the `ssh_port` and the loopback network traffic.
- Sets up `fail2ban` with alerts through XMPP.
  - With the SSHd jail.
- Hardens SSH.
  - Disables root login, password login…
It requires iptables to be flushed if already installed. This can be achieved with:

```sh
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
```

It is part of anarres, a playbook that uses a collection of roles to deploy a full-featured server. But it can be used and tested independently.
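One way to confirm on a host that the INPUT chain matches the policy described above (default deny plus established connections, ICMP type 8, `ssh_port` and loopback). This is an added example, not part of the role: the function name `audit_input_chain`, the exact rule spellings it accepts and both sample rule sets are assumptions constructed for illustration.

```sh
#!/bin/sh
# Audits `iptables -S INPUT` output (read from stdin) against the described policy.
# Rule spellings are assumptions about `iptables -S` syntax, not the role's own rules.
# On a host: iptables -S INPUT | audit_input_chain "$ssh_port"
audit_input_chain() {
    ssh_port=$1
    rules=$(cat)
    audit_rc=0
    report() { printf '%s\n' "$1"; audit_rc=1; }
    lo='^-A INPUT -i lo -j ACCEPT$'
    est='^-A INPUT -m (state --state|conntrack --ctstate) (RELATED,)?ESTABLISHED -j ACCEPT$'
    ping='^-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT$'
    ssh="^-A INPUT -p tcp .*--dport ${ssh_port} (.* )?-j ACCEPT\$"

    # Default deny: a DROP policy, or a catch-all DROP/REJECT as the last rule.
    if ! printf '%s\n' "$rules" | grep -Eq -e '^-P INPUT DROP$' &&
       ! printf '%s\n' "$rules" | tail -n 1 | grep -Eq -e '^-A INPUT -j (DROP|REJECT)( |$)'
    then
        report "MISSING default-deny"
    fi
    # Each exception named in the policy must be present.
    for check in "loopback:$lo" "established:$est" \
                 "icmp-echo-request:$ping" "ssh-port-$ssh_port:$ssh"; do
        name=${check%%:*}; pattern=${check#*:}
        printf '%s\n' "$rules" | grep -Eq -e "$pattern" || report "MISSING $name"
    done
    # Any other ACCEPT rule widens exposure beyond the described baseline.
    extra=$(printf '%s\n' "$rules" | grep -E -e '-j ACCEPT$' |
            grep -Ev -e "$lo" -e "$est" -e "$ping" -e "$ssh" | sed 's/^/EXTRA /' || true)
    [ -z "$extra" ] || report "$extra"
    return "$audit_rc"
}

# Constructed sample: matches the described baseline with ssh_port=2222.
SAMPLE_OK='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT'
# Constructed sample: drifted host (ACCEPT policy, no ping rule, extra open port).
SAMPLE_DRIFT='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT'

printf '%s\n' "$SAMPLE_OK" | audit_input_chain 2222 && echo "baseline OK"
printf '%s\n' "$SAMPLE_DRIFT" | audit_input_chain 2222 || echo "drift detected"
```

A non-zero exit status means at least one `MISSING` or `EXTRA` line was printed, so the function can gate a post-deploy check.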
These are the tested GNU/Linux distributions. It may work on some other distributions too, or require just a few changes.
- A configured `sendxmpp_config` file so `fail2ban` is able to send the alerts.
- `pip install -r requirements.txt`
- `ssh_port`: Port for `sshd` to bind to.
- `admin_xmpp`: Jabber account of an administrator. Will receive `fail2ban` notifications.
- `sendxmpp_config`: `sendxmpp` configuration file path.
- `fail2ban_trusted`: `fail2ban` trusted IPs, hosts or ranges.
- `fail2ban_xmpp_notify`: address used by `fail2ban` to send notifications to. By default it is the same as `admin_xmpp`.
`sudo` and `python` on the target host(s).
```yaml
- hosts: all
  become: true
  vars:
    admin_xmpp: [email protected]
  roles:
    - anarres_sec
```

To test the role you need molecule, vagrant, virtualbox and some python requirements that can be installed with `pip install -r requirements-dev.txt`.

```sh
molecule test
```

or

```sh
make test
```

There is more documentation about the installation and configuration of the required tools at Testing - Anarres documentation.
GPLv3
- m0wer (at) autistici (dot) org