
security.yml 1.4KB

  # Host auditing and lookup tooling: whois, lynis and rkhunter.
  # The package list is given inline instead of through a task-level variable.
  - name: Install security-related packages
    apt:
      name:
        - whois
        - lynis
        - rkhunter
      state: present
    tags:
      - dependencies
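  # Debian 9 only: enable stretch-backports so the following task can install
  # the fail2ban build that supports IPv6.
  # NOTE(review): the repo line uses plain http, so package integrity rests on
  # apt verifying the signed release metadata; keep signature checks enabled
  # for this source.
  - name: add stretch-backport for fail2ban with IPv6 support
    apt_repository:
      repo: 'deb http://deb.debian.org/debian stretch-backports main'
      state: present
      update_cache: true
    tags:
      - dependencies
    # Compare the major version. Depending on the Ansible release,
    # ansible_distribution_version may include a point release (for example
    # '9.x'), and an exact match against '9' would then skip this task.
    when: ansible_distribution_major_version == '9'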
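  # Debian 9 only: take fail2ban from stretch-backports rather than the
  # default release, to get the build with IPv6 support.
  - name: Install newer fail2ban with IPv6 support
    apt:
      name: fail2ban
      state: present
      default_release: stretch-backports
    tags:
      - dependencies
    # Compare the major version. Depending on the Ansible release,
    # ansible_distribution_version may include a point release (for example
    # '9.x'); an exact match against '9' would then skip the install and leave
    # the host without fail2ban.
    when: ansible_distribution_major_version == '9'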
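  # Debian 10: the fail2ban package from the default release is installed.
  - name: Install fail2ban
    apt:
      name: fail2ban
      state: present
    tags:
      - dependencies
    # Compare the major version. Depending on the Ansible release,
    # ansible_distribution_version may include a point release (for example
    # '10.x'); an exact match against '10' would then skip the install and
    # leave the host without fail2ban.
    when: ansible_distribution_major_version == '10'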
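  # Render the local jail overrides. Owner, group and mode are set explicitly
  # so the result does not depend on the permissions of a pre-existing file or
  # on the umask in effect on the target; only root may change ban policy.
  - name: Copy fail2ban configuration into place
    template:
      src: etc_fail2ban_jail.local.j2
      dest: /etc/fail2ban/jail.local
      owner: root
      group: root
      mode: '0644'
    notify: restart fail2ban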
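  # Install the dovecot POP3/IMAP filter definition for fail2ban. Owner, group
  # and mode are set explicitly so the filter cannot end up writable by a
  # non-root account through inherited permissions.
  - name: Copy fail2ban dovecot configuration into place
    copy:
      src: etc_fail2ban_filter.d_dovecot-pop3imap.conf
      dest: /etc/fail2ban/filter.d/dovecot-pop3imap.conf
      owner: root
      group: root
      mode: '0644'
    notify: restart fail2ban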
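  # Start fail2ban now and enable it at boot, so the protection is not lost
  # after a reboot if the unit was ever disabled.
  - name: Ensure fail2ban is started
    service:
      name: fail2ban
      state: started
      enabled: true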
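  # Render the hardened sshd configuration.
  # validate: sshd checks the rendered file before it replaces the live one, so
  # a template mistake fails this task instead of leaving a config that stops
  # sshd from restarting and cuts off remote access.
  # Owner, group and mode are pinned so only root can alter daemon settings.
  - name: Update sshd config for PFS and more secure defaults
    template:
      src: etc_ssh_sshd_config.j2
      dest: /etc/ssh/sshd_config
      owner: root
      group: root
      mode: '0644'
      validate: '/usr/sbin/sshd -t -f %s'
    notify: restart ssh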
  43. - name: Update ssh config for more secure defaults
  44. template: src=etc_ssh_ssh_config.j2 dest=/etc/ssh/ssh_config