Initial working commit

This commit is contained in:
Bastian de Byl
2020-09-24 21:06:56 -04:00
commit e0abdbe506
32 changed files with 430 additions and 0 deletions


@@ -0,0 +1,10 @@
---
deps: [
docker,
fail2ban
]
fail2ban_jails: [
sshd.local,
nginx.local
]
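Review bot: The two lists are flow sequences broken across several lines, which reads oddly beside the block-style task and handler files in the same commit and is what Prettier would rewrite anyway; write them as block sequences, `deps:` / `  - docker` / `  - fail2ban`, and the same for `fail2ban_jails`. Indentation is not visible on this rendered page, so I cannot tell whether the members were indented at all; the block form removes the question.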


@@ -0,0 +1,20 @@
[nginx-limit-req]
enabled = true
port = http,https
findtime = 600
bantime = 1w
maxretry = 8
[nginx-http-auth]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
bantime = 2w
maxretry = 5
[nginx-botsearch]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
bantime = 1w
maxretry = 5
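Review bot: None of the three nginx jails sets `ignoreip`, and the `ignoreip` this commit adds in the sshd jail file sits under `[sshd]` rather than `[DEFAULT]`, so loopback and 192.168.1.0/24 are exempt only from the ssh jail; a local health check or LAN client that trips nginx-http-auth five times is banned for two weeks. If the exemption is meant to be global, put `ignoreip` in a `[DEFAULT]` section of a shared jail.local, or repeat it per jail here. `[nginx-limit-req]` also carries no `logpath`, so it depends on the packaged jail.conf supplying `%(nginx_error_log)s` for that jail; stating it explicitly, as the other two jails do, keeps the drop-in self-contained. Note that nginx-limit-req only ever matches if nginx itself has `limit_req` configured, which none of the visible files sets up.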


@@ -0,0 +1,10 @@
[sshd]
enabled = true
filter = sshd
banaction = iptables
backend = systemd
maxretry = 5
findtime = 1d
bantime = 2w
ignoreip = 127.0.0.1/8 192.168.1.0/24
logpath = %(sshd_log)s
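Review bot: `backend = systemd` and `logpath = %(sshd_log)s` pull in different directions: with the systemd backend fail2ban reads the journal through the filter's journalmatch and, as far as I recall, does not consult `logpath`, so the line is dead configuration that suggests a file is being watched when it is not; drop it, or pick the file backend deliberately. `ignoreip = 127.0.0.1/8 192.168.1.0/24` exempts the entire LAN from banning, so a compromised internal host can brute-force this server without limit; narrow it to the management hosts that actually need it, and add `::1` if sshd listens on IPv6 so local IPv6 connections are treated like 127.0.0.1/8. `banaction = iptables` with no `port` falls back to the jail default (`ssh`), which only holds while sshd stays on port 22.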


@@ -0,0 +1,12 @@
---
- name: restart_sshd
become: true
service:
name: sshd
state: restarted
- name: restart_fail2ban
become: true
service:
name: fail2ban
state: restarted
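Review bot: Both handlers use `state: restarted` where `state: reloaded` appears to be enough: sshd re-reads sshd_config on reload without dropping the operator's open session, which matters right after the playbook has tightened authentication, and the fail2ban unit ships an ExecReload that re-reads jail.d without tearing down and rebuilding its firewall chains. If a full restart is intentional, a one-line comment saying why would help the next reader. Handler names are `restart_sshd`/`restart_fail2ban` while task names are spaced prose; either convention works, but one of them file-wide would read better.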


@@ -0,0 +1,7 @@
---
- name: install common dependencies
become: true
pacman:
name: "{{ deps }}"
state: present
tags: deps


@@ -0,0 +1,3 @@
---
- import_tasks: deps.yml
- import_tasks: security.yml


@@ -0,0 +1,31 @@
---
- name: ensure sshd disallows passwords
become: true
lineinfile:
path: /etc/ssh/sshd_config
regexp: "{{ item.re }}"
line: "{{ item.li }}"
with_items:
- {re: '^[# ]*PasswordAuthentication ', li: 'PasswordAuthentication no'}
- {re: '^[# ]*PermitEmptyPasswords ', li: 'PermitEmptyPasswords no'}
- {re: '^[# ]*PermitRootLogin ', li: 'PermitRootLogin no'}
notify: restart_sshd
tags: security
- name: setup fail2ban jails
become: true
copy:
src: files/fail2ban/jails/{{ item }}
dest: /etc/fail2ban/jail.d/{{ item }}
with_items: "{{ fail2ban_jails }}"
notify: restart_fail2ban
tags: security
- name: adjust fail2ban sshd filter
become: true
lineinfile:
path: /etc/fail2ban/filter.d/sshd.conf
regexp: '^[#]*filter ='
line: 'filter = sshd[mode=extra]'
notify: restart_fail2ban
tags: security
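Review bot: The "adjust fail2ban sshd filter" task writes a jail option into the wrong file: `/etc/fail2ban/filter.d/sshd.conf` is the packaged filter definition and contains no `filter =` line, so the regexp never matches and lineinfile appends `filter = sshd[mode=extra]` to the end of that file (inside whatever section happens to be last), where it is at best ignored and is clobbered by the next package upgrade. The `mode` parameter belongs on the jail, so drop this task and change the `filter = sshd` line of the sshd jail file this commit also adds to `filter = sshd[mode=extra]`. In the sshd_config task, `PasswordAuthentication no` on its own still leaves password prompts reachable through keyboard-interactive/PAM on most builds, so add `- {re: '^[# ]*ChallengeResponseAuthentication ', li: 'ChallengeResponseAuthentication no'}` to the item list (the option is spelled `KbdInteractiveAuthentication` from OpenSSH 8.7 on). A malformed sshd_config followed by the restart handler locks the operator out, so give that lineinfile `validate: '/usr/bin/sshd -t -f %s'`, adjusting the path to wherever the package installs sshd. Finally, `^[# ]*` deliberately matches the commented defaults, but lineinfile replaces only the last match, so a trailing `Match` block that mentions one of these keys would receive the line instead of the global section.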