---
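# Installs the host's defensive tooling: fail2ban (bans addresses after
# repeated authentication failures), lynis and rkhunter (host audit and
# rootkit scanners), debsums (checks installed package files against their
# recorded checksums) and whois.
- name: Install security-related packages
  apt:
    # Quoted so YAML does not read the leading "{" as a flow mapping.
    pkg: "{{ item }}"
    # "present" is the canonical state; "installed" was a deprecated alias
    # that newer Ansible releases reject.
    state: present
  with_items:
    - fail2ban
    - whois
    - lynis
    - rkhunter
    - debsums
  tags:
    - dependencies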

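# Renders the role's jail template to jail.local, the local override file
# fail2ban reads in addition to its packaged defaults.
- name: Copy fail2ban configuration into place
  template:
    src: etc_fail2ban_jail.local.j2
    dest: /etc/fail2ban/jail.local
    # Ownership and mode are pinned so the result does not depend on the umask
    # of the connecting user, and only root can change the ban policy.
    owner: root
    group: root
    mode: "0644"
  # Handler is defined outside this file; it only fires when the rendered file
  # actually changed.
  notify: restart fail2ban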

# Brings fail2ban up immediately and registers it to start at boot, so the
# ban rules are still enforced after a reboot.
- name: Ensure fail2ban is started
  service:
    name: fail2ban
    enabled: true
    state: started

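# Replaces the OpenSSH server configuration with the role's template.
- name: Update sshd (server) config for PFS and more secure defaults
  template:
    src: etc_ssh_sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    # Syntax-check the rendered file before it replaces the live one. Without
    # this, a template error is only discovered when the handler restarts sshd,
    # which can leave the host unreachable over SSH.
    validate: '/usr/sbin/sshd -t -f %s'
  # Handler is defined outside this file; it only fires when the rendered file
  # actually changed.
  notify: restart ssh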

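# Replaces the system-wide OpenSSH client defaults with the role's template.
# No handler is needed: the client reads this file on every invocation.
- name: Update ssh (client) config for more secure defaults
  template:
    src: etc_ssh_ssh_config.j2
    dest: /etc/ssh/ssh_config
    # Root-owned and world-readable: every local user's ssh client must be able
    # to read these defaults, but only root may change them.
    owner: root
    group: root
    mode: "0644"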