Ansible playbooks of "How To Secure A Linux Server".
CC-BY-SA-4.0 License
Ansible playbooks of "How To Secure A Linux Server".
These Ansible playbooks are made to help install secure Linux servers faster.
git clone https://github.com/moltenbit/How-To-Secure-A-Linux-Server-With-Ansible
cd How-To-Secure-A-Linux-Server-With-Ansible
ssh-keygen -t ed25519
nano /etc/ssh/sshd_config
[...]
PermitRootLogin yes
[...]
Run the requirements playbook using the root password you specified while installing the server:
ansible-playbook --inventory hosts.yml --ask-pass requirements-playbook.yml
Run the main playbook with the new users password you specified in the variables.yml file:
ansible-playbook --inventory hosts.yml --ask-pass main-playbook.yml
If you need to run the playbooks multiple times remember to use the SSH key and the new SSH port:
ansible-playbook --inventory hosts.yml -e ansible_ssh_port=SSH_PORT --key-file /PATH/TO/SSH/KEY main-playbook.yml
Tested on Debian 12 Bookworm.
The playbook uses most of the settings from "How To Secure A Linux Server" / my choices if the guide has more than one option to do something.
Uses best practice rules from Neo23x0
ClamAV is set to run everyday at 3 AM to scan the full system, exluding sys folders.
UFW is set to default deny in and out. The SSH-Port is set to limit in, allowed outgoing ports by default are 53 (DNS), 123 (NTP), 80 (http), 443 (https) and the mail port specified in variables.yml.
PSAD and Fail2Ban is configured according to "How To Secure A Linux Server" guide.
Lynis is configured according to "How To Secure A Linux Server" guide and will run an audit + send the report as an attachment to your mail address configured in variables.yml. Current Lynis rating is 77.
For mailing I chose msmtp with the help from Decatec's guide. This will send a testmail.
Installed packages are:
Password quality is done via pam_pwquality according to "How To Secure A Linux Server" guide.
Rkhunter is configured according to "How To Secure A Linux Server" guide.
SSH is configured according to "How To Secure A Linux Server" guide.
Unattended upgrades is configured to only upgrade security upgrades automatically. Automatic restarts are enabled.
Read all tasks carefully and make sure they do not break your system before using these playbooks! Do not rely solely on the Ansible playbooks for security! It is your responsibility to make sure all settings you need have been set and are working. This is just a starting point! Depending on your needs and goals make sure to further secure your system.