Skip to content

Instantly share code, notes, and snippets.

@yumminhuang
Last active March 6, 2021 15:12
Show Gist options
  • Save yumminhuang/fa71c4474edb1b973a59d9889b590f01 to your computer and use it in GitHub Desktop.
Save yumminhuang/fa71c4474edb1b973a59d9889b590f01 to your computer and use it in GitHub Desktop.
Securing a Ubuntu Server with Ansible
---
- hosts: all
vars:
root_password: xxx
common_user_password: xxx
common_user_name: deploy
ssh_port: 22
remote_user: root
become: true
tasks:
- name: Change root password
user:
name: root
password: "{{ root_password }}"
- name: Update all packages to the latest version
apt:
update_cache: yes
upgrade: dist
- name: Install required packages
apt:
name: "{{ item }}"
with_items:
- ufw
- unattended-upgrades
- name: Setup automatic upgrade
lineinfile:
path: /etc/apt/apt.conf.d/10periodic
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
with_items:
- { regexp: '^APT::Periodic::Update-Package-Lists', line: 'APT::Periodic::Update-Package-Lists "1";' }
- { regexp: '^APT::Periodic::Download-Upgradeable-Packages', line: 'APT::Periodic::Download-Upgradeable-Packages "1";' }
- { regexp: '^APT::Periodic::AutocleanInterval', line: 'APT::Periodic::AutocleanInterval "7";' }
- { regexp: '^APT::Periodic::Unattended-Upgrade', line: 'APT::Periodic::Unattended-Upgrade "1";' }
- name: Create new group
group:
name: "{{ common_user_name }}"
state: present
- name: Create new user
user:
name: "{{ common_user_name }}"
group: "{{ common_user_name }}"
shell: /bin/bash
home: "/home/{{ common_user_name }}"
password: "{{ common_user_password }}"
generate_ssh_key: yes
state: present
- name: Add authorized keys
authorized_key:
user: "{{ common_user_name }}"
key: "{{ lookup('file', item) }}"
with_items:
- ~/.ssh/id_rsa.pub
# Firewall config via ufw
# See: http://docs.ansible.com/ansible/ufw_module.html
- name: Allow ssh traffic
ufw:
rule: allow
port: "{{ ssh_port }}"
proto: tcp
- name: Lock down SSH
lineinfile:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
with_items:
- { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }
- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
- { regexp: '^AllowUsers', line: 'AllowUsers {{ common_user_name }}' }
- { regexp: '^Port\s', line: 'Port {{ ssh_port }}' }
notify: restart ssh
- name: Enable sudo for new user
lineinfile:
path: /etc/sudoers
state: present
regexp: "{{ common_user_name }} ALL="
line: "{{ common_user_name }} ALL=(ALL) ALL"
validate: 'visudo -cf %s'
handlers:
- name: restart ssh
service:
name: ssh
state: restarted
@yumminhuang
Copy link
Author

yumminhuang commented Apr 24, 2017

Follow the advices in My First 5 Minutes On A Server; Or, Essential Security for Linux Servers, configuring and securing a new Ubuntu server by Ansible.

I use this playbook to setup a new DigitalOcean droplet:

ansible-playbook -i '123.213.132.231,' secure_init.yml -v

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment