123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 |
- - name: Install security-related packages
- apt:
- name: "{{ packages }}"
- state: present
- vars:
- packages:
- - whois
- - lynis
- - rkhunter
- tags:
- - dependencies
- - name: add stretch-backport for fail2ban with IPv6 support
- apt_repository: repo='deb http://deb.debian.org/debian stretch-backports main' state=present update_cache=yes
- tags:
- - dependencies
- when: ansible_distribution_version == '9'
- - name: Install newer fail2ban with IPv6 support
- apt:
- name: "fail2ban"
- state: present
- default_release: stretch-backports
- tags:
- - dependencies
- when: ansible_distribution_version == '9'
- - name: Install fail2ban
- apt:
- name: "fail2ban"
- state: present
- tags:
- - dependencies
- when: ansible_distribution_version == '10'
- - name: Install fail2ban
- apt:
- name: "fail2ban"
- state: present
- tags:
- - dependencies
- when: ansible_distribution_version == '11'
- - name: Copy fail2ban configuration into place
- template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local
- notify: restart fail2ban
- - name: Copy fail2ban dovecot configuration into place
- copy: src=etc_fail2ban_filter.d_dovecot-pop3imap.conf dest=/etc/fail2ban/filter.d/dovecot-pop3imap.conf
- notify: restart fail2ban
- - name: Ensure fail2ban is started
- service: name=fail2ban state=started
- - name: Update sshd config for PFS and more secure defaults
- template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config
- notify: restart ssh
- - name: Update ssh config for more secure defaults
- template: src=etc_ssh_ssh_config.j2 dest=/etc/ssh/ssh_config