Awesome Open Source
Awesome Open Source
Ansible Role Security
Ansible Role - Security
Stars
375
License
mit
Homepage
https://galaxy.ansible.com/geerlingguy/security/
Repository
https://github.com/geerlingguy/ansible-role-security
Open Issues
9
Most Recent Commit
2 months ago
Related Projects
html (10,611)
linux (2,277)
security (1,768)
ansible (400)
ubuntu (323)
ssh (312)
debian (213)
centos (91)
fedora (65)
setup (53)
role (48)
redhat (28)
rhel (26)
sudo (18)

Ansible Role: Security (Basics)

CI

First, a major, MAJOR caveat: the security of your servers is YOUR responsibility. If you think simply including this role and adding a firewall makes a server secure, then you're mistaken. Read up on Linux, network, and application security, and know that no matter how much you know, you can always make every part of your stack more secure.

That being said, this role performs some basic security configuration on RedHat and Debian-based linux systems. It attempts to:

  • Install software to monitor bad SSH access (fail2ban)
  • Configure SSH to be more secure (disabling root login, requiring key-based authentication, and allowing a custom SSH port to be set)
  • Set up automatic updates (if configured to do so)

There are a few other things you may or may not want to do (which are not included in this role) to make sure your servers are more secure, like:

  • Use logwatch or a centralized logging server to analyze and monitor log files
  • Securely configure user accounts and SSH keys (this role assumes you're not using password authentication or logging in as root)
  • Have a well-configured firewall (check out the geerlingguy.firewall role on Ansible Galaxy for a flexible example)

Again: Your servers' security is your responsibility.

Requirements

For obvious reasons, sudo must be installed if you want to manage the sudoers file with this role.

On RedHat/CentOS systems, make sure you have the EPEL repository installed (you can include the geerlingguy.repo-epel role to get it installed).

No special requirements for Debian/Ubuntu systems.

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

security_ssh_port: 22

The port through which you'd like SSH to be accessible. The default is port 22, but if you're operating a server on the open internet, and have no firewall blocking access to port 22, you'll quickly find that thousands of login attempts per day are not uncommon. You can change the port to a nonstandard port (e.g. 2849) if you want to avoid these thousands of automated penetration attempts.

security_ssh_password_authentication: "no"
security_ssh_permit_root_login: "no"
security_ssh_usedns: "no"
security_ssh_permit_empty_password: "no"
security_ssh_challenge_response_auth: "no"
security_ssh_gss_api_authentication: "no"
security_ssh_x11_forwarding: "no"

Security settings for SSH authentication. It's best to leave these set to "no", but there are times (especially during initial server configuration or when you don't have key-based authentication in place) when one or all may be safely set to 'yes'. NOTE: It is very important that you quote the 'yes' or 'no' values. Failure to do so may lock you out of your server.

security_sshd_state: started

The state of the SSH daemon. Typically this should remain started.

security_ssh_restart_handler_state: restarted

The state of the restart ssh handler. Typically this should remain restarted.

security_sudoers_passwordless: []
security_sudoers_passworded: []

A list of users who should be added to the sudoers file so they can run any command as root (via sudo) either without a password or requiring a password for each command, respectively.

security_autoupdate_enabled: true

Whether to install/enable yum-cron (RedHat-based systems) or unattended-upgrades (Debian-based systems). System restarts will not happen automatically in any case, and automatic upgrades are no excuse for sloppy patch and package management, but automatic updates can be helpful as yet another security measure.

security_autoupdate_blacklist: []

(Debian/Ubuntu only) A listing of packages that should not be automatically updated.

security_autoupdate_reboot: false

(Debian/Ubuntu only) Whether to reboot when needed during unattended upgrades.

security_autoupdate_reboot_time: "03:00"

(Debian/Ubuntu only) The time to trigger a reboot, when needed, if security_autoupdate_reboot is set to true. In 24h "hh:mm" clock format.

security_autoupdate_mail_to: ""
security_autoupdate_mail_on_error: true

(Debian/Ubuntu only) If security_autoupdate_mail_to is set to an non empty value, unattended upgrades will send an e-mail to that address when some error occurs. You may either set this to a full email: [email protected] or to something like root, which will use /etc/aliases to route the message. If you set security_autoupdate_mail_on_error to false you'll get an email after every package install.

security_fail2ban_enabled: true

Whether to install/enable fail2ban. You might not want to use fail2ban if you're already using some other service for login and intrusion detection (e.g. ConfigServer).

security_fail2ban_custom_configuration_template: "jail.local.j2"

The name of the template file used to generate fail2ban's configuration.

Dependencies

None.

Example Playbook

- hosts: servers
  vars_files:
    - vars/main.yml
  roles:
    - geerlingguy.security

Inside vars/main.yml:

security_sudoers_passworded:
  - johndoe
  - deployacct

License

MIT (Expat) / BSD

Author Information

This role was created in 2014 by Jeff Geerling, author of Ansible for DevOps.


Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
html (10,611
linux (2,277
security (1,768
ansible (400
ubuntu (323
ssh (312
debian (213
centos (91
fedora (65
setup (53
role (48
redhat (28
rhel (26
sudo (18

Find Open Source By Browsing 7,000 Topics Across 59 Categories

Advertising 📦 10
All Projects
Application Programming Interfaces 📦 124
Applications 📦 192
Artificial Intelligence 📦 78
Blockchain 📦 73
Build Tools 📦 113
Cloud Computing 📦 80
Code Quality 📦 28
Collaboration 📦 32
Command Line Interface 📦 49
Community 📦 83
Companies 📦 60
Compilers 📦 63
Computer Science 📦 80
Configuration Management 📦 42
Content Management 📦 175
Control Flow 📦 213
Data Formats 📦 78
Data Processing 📦 276
Data Storage 📦 135
Economics 📦 64
Frameworks 📦 215
Games 📦 129
Graphics 📦 110
Hardware 📦 152
Integrated Development Environments 📦 49
Learning Resources 📦 166
Legal 📦 29
Libraries 📦 129
Lists Of Projects 📦 22
Machine Learning 📦 347
Mapping 📦 64
Marketing 📦 15
Mathematics 📦 55
Media 📦 239
Messaging 📦 98
Networking 📦 315
Operating Systems 📦 89
Operations 📦 121
Package Managers 📦 55
Programming Languages 📦 245
Runtime Environments 📦 100
Science 📦 42
Security 📦 396
Social Media 📦 27
Software Architecture 📦 72
Software Development 📦 72
Software Performance 📦 58
Software Quality 📦 133
Text Editors 📦 49
Text Processing 📦 136
User Interface 📦 330
User Interface Components 📦 514
Version Control 📦 30
Virtualization 📦 71
Web Browsers 📦 42
Web Servers 📦 26
Web User Interface 📦 210
"Ansible Role Security" and other potentially trademarked words, copyrighted images and copyrighted readme contents likely belong to the legal entity who owns the "Geerlingguy" organization. Awesome Open Source is not affiliated with the legal entity who owns the "Geerlingguy" organization.