Ansible role for basic GNU/Linux server hardening.
- Sets up `iptables`.
  - Will disable all incoming traffic by default except for established connections, ICMP type 8 pings, the `ssh_port` and the loopback network traffic.
- Sets up `fail2ban` with alerts through XMPP.
  - With the SSHd jail.
- Hardens SSH.
  - Disables root login, password login…
It requires `iptables` to be flushed if already installed. This can be achieved with:

```bash
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
```

It is part of anarres, a playbook that uses a collection of roles to deploy a full-featured server. But it can be used and tested independently.
These are the tested GNU/Linux distributions. It may also work on other distributions, possibly with a few changes.
- A configured `sendxmpp_config` file so `fail2ban` is able to send the alerts.

`pip install -r requirements.txt`

- `ssh_port`: Port for `sshd` to bind to.
- `admin_xmpp`: Jabber account of an administrator. Will receive `fail2ban` notifications.
- `sendxmpp_config`: `sendxmpp` configuration file path.
- `fail2ban_trusted`: `fail2ban` trusted IPs, hosts or ranges.
- `fail2ban_xmpp_notify`: address used by `fail2ban` to send notifications to. By default it is the same as `admin_xmpp`.

`sudo` and `python` in the target host(s).

```yaml
- hosts: all
  become: true
  vars:
    admin_xmpp: admin@host.com
  roles:
    - anarres_sec
```
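
To confirm that a host ends up with the inbound policy described at the top (default-deny except established connections, ICMP type 8, `ssh_port` and loopback), the following added example audits `iptables-save` output; it is not part of the role's own code. The function names, the sample ruleset and the tolerance for `RELATED` alongside `ESTABLISHED` are assumptions, since the role's actual rules are not shown here.

```python
import shlex

REQUIRED = {"loopback", "established", "icmp-echo", "ssh"}
# Constructed `iptables-save` excerpt: the described policy plus one stray rule.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

def classify(tokens, ssh_port):
    """Name the documented exception an ACCEPT rule implements, else None."""
    if "!" in tokens:  # negated matches are never one of the four exceptions
        return None
    opts = dict(zip(tokens, tokens[1:]))  # each option -> the token after it
    states = opts.get("--ctstate") or opts.get("--state")
    if opts.get("-i") == "lo":
        return "loopback"
    if states and set(states.split(",")) <= {"ESTABLISHED", "RELATED"}:
        return "established"  # assumption: RELATED is tolerated too
    if opts.get("-p") == "icmp" and opts.get("--icmp-type") == "8":
        return "icmp-echo"
    if opts.get("-p") == "tcp" and opts.get("--dport") == str(ssh_port):
        return "ssh"

def audit_input(ruleset, ssh_port):
    """Return findings where the filter INPUT chain departs from the policy."""
    findings, seen, table, default_deny = [], set(), None, False
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("*"):
            table = line  # start of a new table section
        elif table == "*filter" and line.startswith(":INPUT "):
            default_deny = line.split()[1] == "DROP"
        elif table == "*filter" and line.startswith("-A INPUT "):
            tokens = shlex.split(line)[2:]
            target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
            if tokens[0] == "-j" and target in ("DROP", "REJECT"):
                default_deny = True  # unconditional catch-all rule
            elif target == "ACCEPT" and (kind := classify(tokens, ssh_port)):
                seen.add(kind)
            elif target == "ACCEPT":
                findings.append("unexpected ACCEPT: " + line)
    if not default_deny:
        findings.append("INPUT is not default-deny")
    return findings + ["missing exception: " + k for k in sorted(REQUIRED - seen)]
```

Pass it the output of `iptables-save` from the target host together with the `ssh_port` value used in the playbook; an empty list means the INPUT chain matches the described policy.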
To test the role you need molecule, vagrant, virtualbox and some python requirements that can be installed with `pip install -r requirements-dev.txt`.

```bash
molecule test
```

or

```bash
make test
```

There is more documentation about the installation and configuration of the required tools at Testing - Anarres documentation.
GPLv3
- m0wer (at) autistici (dot) org