Hardening_Sever is an Ansible codebase that applies a baseline security posture to Debian/Ubuntu hosts. It exposes reusable roles:

- `hardening`: OS-level lockdown covering sysctl, PAM, auditd, cron, authentication defaults, filesystem blacklisting, and legacy service removal.

Use the provided playbooks to roll out the baseline to fresh hosts or incorporate the roles into your own automation.
| Path | Description |
|---|---|
| `ansible.cfg` | Opinionated Ansible defaults (local inventory path, pipelining, host key checking disabled) for faster ad-hoc runs. |
| `inventory/inventory.yml` | Example inventory targeting the `servers` group. Replace host definitions with your infrastructure. |
| `playbooks/hardening.yml` | Entry point that applies the full operating-system hardening role to the `servers` group. |
| `roles/hardening/` | Reusable OS hardening role (tasks, templates, defaults, handlers). |
- Control node
  - Create a virtual env
  - Ansible 2.12+ (tested with modern releases).
  - Python 3.x with `ansible-galaxy` available.
  - Create roles with `ansible-galaxy`
- Managed hosts
  - Debian/Ubuntu family (the defaults assume APT, `/etc/login.defs`, PAM profiles, etc.).
  - SSH connectivity with an account that can `become: true` (the role touches system files).
  - Package repositories reachable to install baseline packages (e.g., `auditd`, `libpam-passwdqc`).
- Update the example inventory:

  ```yaml
  all:
    children:
      servers:
        hosts:
          server_group1:
            ansible_host: ""
            ansible_user: ""
            ansible_port: ""
  ```

- (Optional) Test connectivity:

  ```bash
  ansible -i inventory/inventory.yml servers -m ping
  ```

- Run the baseline OS hardening:

  ```bash
  ansible-playbook -i inventory/inventory.yml playbooks/hardening.yml
  ```
Key actions include:

- Refresh the package cache, install baseline security packages (`openssh-server`, `auditd`, `libpam-modules`, `libpam-passwdqc`), and purge legacy daemons such as `telnetd`/`rsh`/`xinetd`.
- Apply kernel/network sysctl defaults sourced from `defaults/main.yml` via `templates/sysctl-hardening.j2`, then trigger `sysctl --system` reloads.
- Lock down scheduled task infrastructure: secure `/etc/cron.*` directories, set restrictive permissions on `/etc/crontab`, remove `cron.deny`/`at.deny`, and maintain `cron.allow`/`at.allow` lists.
- Normalize permissions on `/etc/passwd`, `/etc/group`, `/etc/shadow`, `/etc/gshadow`.
- Configure auditd with opinionated defaults (`templates/auditd.conf.j2`) and restart the service when needed.
- Enforce PAM password complexity (`templates/pam_passwdqc.j2`) and faillock policies (`faillock` defaults and `community.general.pamd` edits).
- Manage `/etc/login.defs` guardrails (password rotation, retries, UMASK) and disable core dumps through `/etc/security/limits.d/hardening.conf`.
- Set a global `umask 027` profile, blacklist uncommon filesystems (`templates/filesystems.conf.j2`), and ensure handlers reload/restart services as appropriate.

All tunables are exposed in `defaults/main.yml`; override them in inventory/group vars to adapt to your policy.
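The sysctl step above renders a fragment and reloads it with `sysctl --system`, but a rendered file and a kernel that actually holds those values are two different things (a later file in `/etc/sysctl.d` or a `-`-prefixed key that silently fails can leave drift). The following is an added verification script, not code from the Hardening_Sever role: it parses `sysctl.conf(5)` syntax the way `sysctl` does (dots or slashes in keys, the `-` ignore-errors prefix, `#`/`;` comments), compares a rendered fragment against an expected table, and optionally compares the expected table against `/proc/sys` on the host. The `EXPECTED_SYSCTL` values and `SAMPLE_CONF` text are this script's own assumptions, not the role's `defaults/main.yml`.

```python
"""Drift check for a rendered sysctl hardening fragment.

Added example, not part of the Hardening_Sever role. The role sources its
sysctl values from defaults/main.yml and renders templates/sysctl-hardening.j2;
the EXPECTED_SYSCTL table below is this script's own assumed baseline, not the
role's defaults, so replace it with the values your policy mandates."""
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed baseline (typical kernel/network hardening keys; not the role's values).
EXPECTED_SYSCTL: Dict[str, str] = {
    "kernel.randomize_va_space": "2",
    "kernel.kptr_restrict": "2",
    "fs.suid_dumpable": "0",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv6.conf.all.accept_ra": "0",
}

# Constructed sample resembling a rendered fragment. It deliberately mixes the
# spellings sysctl accepts (dots vs slashes, the '-' ignore-errors prefix),
# weakens one value and omits one key so the checker has something to report.
SAMPLE_CONF = """\
# constructed sample, not the role's template output
kernel.randomize_va_space = 2
kernel.kptr_restrict = 1
fs.suid_dumpable = 0
net.ipv4.ip_forward = 0
net/ipv4/conf/all/rp_filter = 1
-net.ipv6.conf.all.accept_ra = 0
; a ';' comment line, which sysctl also accepts
net.ipv4.conf.all.send_redirects = 0
"""


def normalize_key(key: str) -> str:
    """Canonicalise a sysctl key: strip the '-' ignore-errors prefix and use
    dots, so 'net/ipv4/ip_forward' and '-net.ipv4.ip_forward' compare equal."""
    key = key.strip()
    if key.startswith("-"):
        key = key[1:]
    return key.replace("/", ".")


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse sysctl.conf(5) syntax: 'key = value' lines, '#' or ';' comments.
    A later duplicate overrides an earlier one, as sysctl --system applies them."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            continue  # malformed; sysctl warns and skips such lines
        key, _, value = line.partition("=")
        values[normalize_key(key)] = " ".join(value.split())
    return values


def compare(expected: Dict[str, str], actual: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (key, expected, actual) for every expected key that is missing
    from 'actual' or differs; 'actual' may be a parsed file or live values."""
    drift = []
    for key, want in expected.items():
        got = actual.get(key)
        if got is None or got != want:
            drift.append((key, want, got))
    return drift


def read_live_sysctl(keys: Iterable[str]) -> Dict[str, str]:
    """Read current values from /proc/sys, the same tree sysctl(8) writes to.
    Keys this kernel does not expose are skipped rather than reported."""
    live: Dict[str, str] = {}
    for key in keys:
        path = os.path.join("/proc/sys", *key.split("."))
        try:
            with open(path, encoding="ascii") as fh:
                live[key] = " ".join(fh.read().split())
        except OSError:
            pass
    return live


if __name__ == "__main__":
    # 1) Does the rendered fragment say what policy expects?
    for key, want, got in compare(EXPECTED_SYSCTL, parse_sysctl_conf(SAMPLE_CONF)):
        print(f"fragment drift: {key}: expected {want}, found {got}")
    # 2) Did 'sysctl --system' actually take effect on this host?
    for key, want, got in compare(EXPECTED_SYSCTL, read_live_sysctl(EXPECTED_SYSCTL)):
        print(f"live drift: {key}: expected {want}, kernel has {got}")
```

On the constructed sample the fragment check reports `kernel.kptr_restrict` (weakened to `1`) and the missing `net.ipv4.conf.all.accept_redirects`; the live check is the one worth running after the playbook, since it catches the case where the file is right but a later `sysctl.d` fragment or a missing kernel module changed the outcome.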
- Restricts supported ciphers, MACs, and key exchange algorithms.
- Configures banner text, login grace period, and max authentication attempts.
- Validates changes with `sshd -t` before applying the configuration.

The SSH-specific role:

- Ensures `/run/sshd` exists and stops systemd socket activation (`ssh.socket`) so sshd runs as a traditional service.
- Deploys `templates/sshd_config.j2`, populated by defaults such as strong cipher/MAC/KEX suites, root login policy, session limits, and logging verbosity.
- Creates an empty revoked-keys list and guarantees the classic `ssh` service is enabled/restarted via the role handler.

Customize behavior through `defaults/main.yml` (e.g., `sshd_port`, crypto suites, login controls) or override per-host.
- Creates `/run/sshd` with secure permissions so that the SSH daemon can start reliably.
- Deploys a hardened `sshd_config` to `/etc/ssh/sshd_config` from the `sshd_config.j2` template:
  - Validates the configuration with `sshd -t -f` before applying it.
  - Sets root ownership and `0600` permissions.
  - Keeps a backup of the previous configuration.
  - Notifies a handler to restart SSH when the configuration changes.
- Ensures a revoked keys file exists at the path defined by `sshd_revoked_keys_file` (default: `/etc/ssh/revoked_keys`) with appropriate permissions.
Configuration is driven by variables, allowing you to tune SSH hardening:

- Basic settings
  - `sshd_port`: SSH listening port (default: 22).
  - `sshd_host_keys`: List of host key files (ed25519 & RSA).
- Authentication
  - `sshd_permit_root_login`: Controls if root login is allowed.
  - `sshd_password_authentication`: Disables password-based auth.
  - `sshd_kbd_interactive_authentication`, `sshd_challenge_response_authentication`: Disable legacy interactive methods.
  - `sshd_pubkey_authentication`: Enables public key authentication.
- Session & forwarding restrictions
  - `sshd_x11_forwarding`, `sshd_allow_agent_forwarding`, `sshd_allow_tcp_forwarding`, `sshd_permit_tunnel`, `sshd_allow_stream_local_forwarding`, `sshd_permit_user_environment`: All disabled to reduce attack surface.
- Connection limits & timeouts
  - `sshd_client_alive_interval`, `sshd_client_alive_count_max`: Idle session timeouts.
  - `sshd_login_grace_time`: Time allowed for authentication.
  - `sshd_max_auth_tries`: Limits failed auth attempts.
  - `sshd_max_sessions`: Limits concurrent sessions per connection.
- PAM and login banners
  - `sshd_use_pam`: Enables PAM integration.
  - `sshd_print_motd`, `sshd_print_last_log`: Control MOTD and last login message.
- Networking & DNS
  - `sshd_use_dns`: Disables reverse DNS lookups to speed up logins.
- Cryptography (aligned with DevSec recommendations)
  - `sshd_ciphers`: Restricts SSH to modern, strong ciphers (chacha20, AES-GCM, AES-CTR).
  - `sshd_macs`: Restricts MACs to SHA-2 based algorithms.
  - `sshd_kex`: Restricts key exchange algorithms to strong, modern groups (curve25519, ECDH, strong DH groups).
- Logging and SFTP
  - `sshd_syslog_facility`: Uses AUTHPRIV for sensitive auth logs.
  - `sshd_log_level`: Uses VERBOSE to capture more detailed SSH activity.
  - `sshd_revoked_keys_file`: Path to the file containing revoked public keys.
  - `sshd_subsystem_sftp`: Uses the built-in internal-sftp subsystem.
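`sshd -t` proves the rendered file parses; it does not prove the settings the variables above describe are the ones sshd will enforce. Two `sshd_config(5)` rules decide that: for each keyword the first value obtained wins, so an `Include` line near the top (stock Ubuntu ships `Include /etc/ssh/sshd_config.d/*.conf` there) or a duplicated keyword can silently override a hardened line placed later, and everything after a `Match` line is conditional. The script below is an added post-deployment audit, not part of the Hardening_Sever SSH role: it reads a config with those semantics, checks the keywords behind the role's authentication, forwarding, DNS and logging variables, flags legacy algorithms in the cipher/MAC/KEX suites, and reports early `Include` lines and unaudited `Match` blocks. The `EXPECTED` values, `WEAK_TOKENS` list and `SAMPLE_CONFIG` are this script's assumptions, not the role's template.

```python
"""Audit a rendered sshd_config the way sshd reads it.

Added example, not part of the Hardening_Sever SSH role. For each keyword the
FIRST value obtained wins (sshd_config(5)), so an early Include or a duplicated
line can beat a hardened setting; everything after a 'Match' line is
conditional. EXPECTED mirrors the role's variable names but holds this
script's assumed values; SAMPLE_CONFIG is constructed, not the role's template."""
import re
from typing import Dict, List, Tuple

# Assumed hardened values, keyed by lower-cased sshd_config keyword.
EXPECTED: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "allowagentforwarding": "no",
    "allowtcpforwarding": "no",
    "permittunnel": "no",
    "allowstreamlocalforwarding": "no",
    "permituserenvironment": "no",
    "usedns": "no",
    "loglevel": "verbose",
    "syslogfacility": "authpriv",
}
# Substrings marking an algorithm as legacy (CBC modes, RC4, 3DES, MD5/SHA-1
# MACs and SHA-1 key exchange, 64-bit UMAC); assumed list, tune to your policy.
WEAK_TOKENS = ("cbc", "arcfour", "3des", "md5", "sha1", "umac-64")

SAMPLE_CONFIG = """\
# constructed sample of a rendered sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
KbdInteractiveAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
AllowStreamLocalForwarding no
PermitUserEnvironment no
UseDNS no
LogLevel VERBOSE
SyslogFacility AUTHPRIV
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha1
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[str, int]], int]:
    """Return (global_values, includes, match_blocks).
    global_values keeps the first value seen per keyword (sshd semantics);
    includes lists (pattern, number of keywords already set when the Include
    appeared), since an included file can only win keywords not yet set here;
    match_blocks counts conditional sections that were skipped."""
    values: Dict[str, str] = {}
    includes: List[Tuple[str, int]] = []
    match_blocks = 0
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match, match_blocks = True, match_blocks + 1
            continue
        if in_match:
            continue  # conditional; audit against the Match criteria separately
        if key == "include":
            includes.append((value, len(values)))
            continue
        values.setdefault(key, value)  # first occurrence wins, later ones ignored
    return values, includes, match_blocks


def audit(text: str) -> List[str]:
    """List findings for a config text; an empty list means it meets EXPECTED."""
    values, includes, match_blocks = parse_sshd_config(text)
    findings: List[str] = []
    for key, want in EXPECTED.items():
        got = values.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd's compiled-in default applies")
        elif got.lower() != want:
            findings.append(f"{key}: {got} (expected {want})")
    for key in ("ciphers", "macs", "kexalgorithms"):
        suite = values.get(key, "")
        weak = [a for a in suite.split(",") if any(t in a.lower() for t in WEAK_TOKENS)]
        if not suite:
            findings.append(f"{key}: not restricted")
        elif weak:
            findings.append(f"{key}: legacy algorithms present: {', '.join(weak)}")
    for pattern, set_before in includes:
        findings.append(f"include {pattern} appears after {set_before} keywords: "
                        "anything it sets before this file does wins")
    if match_blocks:
        findings.append(f"{match_blocks} Match block(s) not audited here")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against `/etc/ssh/sshd_config` after the playbook; on the constructed sample it reports the `hmac-sha1` MAC, the `Include` that precedes every hardened keyword (so a `PasswordAuthentication yes` in any included fragment would win), and the unaudited `Match` block, while the duplicated `PasswordAuthentication` is correctly resolved to its first value.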
```bash
ansible-playbook -i inventory/inventory.yml playbooks/SSH.yml
```

This Ansible role automates the installation and configuration of Docker and Docker Compose on Ubuntu-based systems. It ensures that all required dependencies, repositories, and binaries are properly installed and up to date.
- Updates and upgrades APT packages
- Installs required Docker dependencies
- Adds Docker’s official GPG key and repository
- Installs Docker Engine, CLI, and containerd
- Downloads and installs the latest Docker Compose release directly from GitHub
- Includes a handler to restart Docker when needed
Updates the APT cache and upgrades existing system packages to ensure the system is prepared for Docker installation.
Installs essential packages needed for Docker installation such as:

- `apt-transport-https`
- `curl`
- `ca-certificates`
- `gnupg-agent`
- `software-properties-common`

These packages allow the system to handle HTTPS repositories and manage GPG keys.
Downloads and adds Docker’s official GPG key to the system so that package authenticity can be verified.
Adds Docker’s stable repository for Ubuntu (bionic in this example) to APT sources so that the latest official Docker packages can be installed.
Installs:

- `docker-ce`
- `docker-ce-cli`
- `containerd.io`

This ensures a complete Docker installation including the CLI and container runtime.
Refreshes the APT cache after adding the Docker repository. Triggers a handler to restart Docker if changes occur.
Queries the Docker Compose GitHub API to retrieve the tag name of the latest release.
Downloads the corresponding Docker Compose binary and places it in /usr/local/bin/compose with executable permissions.
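The Compose step above trusts whatever binary the "latest release" download returns and copies it straight into `/usr/local/bin/compose`. Unlike the Docker Engine packages, which APT verifies against the GPG key added earlier, nothing here checks the binary's integrity, and "latest" also means two runs a week apart can install different code. The script below is an added verification step, not part of the Hardening_Sever Docker role: it parses a `sha256sum`-format checksum list, streams the downloaded file through SHA-256, and fails closed when the file's name is not listed. It assumes the release provides such a list; the `CHECKSUMS_SAMPLE`, file names and digests are constructed (the digests are the published SHA-256 test vectors for `abc` and the empty string).

```python
"""Verify a downloaded release binary against a sha256sum-style checksum list
before installing it.

Added example, not part of the Hardening_Sever Docker role, which fetches the
latest Compose binary from GitHub without a checksum step. Assumption: the
release ships a checksum file in 'sha256sum' format ('<hex digest>  <name>');
file names and digests in the sample below are constructed (the digests are the
published SHA-256 test vectors for 'abc' and the empty string)."""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple, Union

# Constructed checksum list in sha256sum output format ('*' marks binary mode).
CHECKSUMS_SAMPLE = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  docker-compose-linux-x86_64
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *docker-compose-linux-aarch64
"""


def parse_checksums(text: str) -> Dict[str, str]:
    """Map file name -> lower-case SHA-256 hex digest; lines that are not a
    64-hex-char digest followed by a name are ignored."""
    digests: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            continue
        digests[name] = digest
    return digests


def sha256_file(path: Union[str, Path], chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_artifact(path: Union[str, Path], checksums_text: str,
                    name: Optional[str] = None) -> bool:
    """True only if the file's digest matches the listed entry for its name.
    An unlisted name fails closed: a forged list that simply omits the entry
    must not be mistaken for a pass."""
    name = name or Path(path).name
    expected = parse_checksums(checksums_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> Tuple[bool, bool, bool]:
    """Exercise the three outcomes on constructed files: genuine, tampered, unlisted."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp) / "docker-compose-linux-x86_64"
        genuine.write_bytes(b"abc")      # sha256('abc') = ba7816bf...
        tampered = Path(tmp) / "docker-compose-linux-aarch64"
        tampered.write_bytes(b"abc\n")   # listed digest is for the empty string
        unlisted = Path(tmp) / "docker-compose-linux-armv7"
        unlisted.write_bytes(b"")
        return (
            verify_artifact(genuine, CHECKSUMS_SAMPLE),
            verify_artifact(tampered, CHECKSUMS_SAMPLE),
            verify_artifact(unlisted, CHECKSUMS_SAMPLE),
        )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

In a playbook this belongs between the download task and the copy into `/usr/local/bin/compose` (run it with `command`, or re-implement the same logic with the `stat` module's checksum output and a `when` condition), and pinning the Compose version instead of resolving "latest" on every run makes the expected digest a fixed value you can keep in `defaults/main.yml` alongside the other tunables.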