DevOPS/secure_ubuntu.yml

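---
# Baseline hardening play for Ubuntu 22.04 hosts: package updates, UFW,
# Fail2Ban, sshd settings, service and sysctl tweaks, then a read-only check
# of the resulting state.
#
# Operational caveat: ssh_password_auth defaults to "no". Confirm that
# key-based login for a sudo-capable account works before running this play,
# otherwise it can lock you out of the host.
- name: Sécurisation d'Ubuntu 22.04
  hosts: all
  become: true
  vars:
    # Inbound ports opened in UFW. The firewall task also adds ssh_port to
    # this list, so changing ssh_port alone cannot cut off SSH access.
    ufw_allowed_ports:
      - 22   # SSH
      - 80   # HTTP
      - 443  # HTTPS
    ssh_port: 22
    # Quoted on purpose: sshd expects the literal words yes/no, and an
    # unquoted no would be parsed by YAML as a boolean.
    ssh_permit_root_login: "no"
    ssh_password_auth: "no"
    fail2ban_enabled: true
  tasks:
    - name: Mise à jour de tous les paquets
      apt:
        update_cache: true
        upgrade: dist
        autoremove: true

    - name: Installation des outils de sécurité de base
      apt:
        name:
          - ufw                  # UFW firewall
          - fail2ban             # Protection against brute-force attempts
          - unattended-upgrades  # Automatic updates
        state: present

    - name: Configurer les mises à jour automatiques
      copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        # Explicit ownership and mode so the result does not depend on the
        # umask of the connecting user.
        owner: root
        group: root
        mode: '0644'
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

    # Allow rules are added before the firewall is enabled so the running SSH
    # session is never left without a matching rule.
    - name: Activer et configurer UFW (Uncomplicated Firewall)
      ufw:
        rule: allow
        port: "{{ item }}"
      loop: "{{ (ufw_allowed_ports + [ssh_port]) | map('string') | unique | list }}"

    # State the inbound default explicitly instead of relying on whatever
    # policy the host already has; an allow-list only helps with default deny.
    - name: Définir la politique UFW par défaut (refuser l'entrant)
      ufw:
        default: deny
        direction: incoming

    - name: Activer UFW
      ufw:
        state: enabled

    # Only starts and enables the service with the package defaults; this play
    # does not deploy a jail.local.
    - name: Configurer Fail2Ban si activé
      block:
        - name: Activer le service Fail2Ban
          service:
            name: fail2ban
            state: started
            enabled: true
      # "| bool" so a string passed with -e fail2ban_enabled=false is honoured.
      when: fail2ban_enabled | bool

    # NOTE(review): the stock Ubuntu 22.04 sshd_config includes
    # /etc/ssh/sshd_config.d/*.conf near the top, and sshd keeps the first
    # value it reads for a keyword. A drop-in there (for example one written
    # by cloud-init) can override the lines set here; the "sshd -T" output of
    # the final task shows the values that are actually in effect.
    - name: Configurer SSH pour renforcer la sécurité
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        # Reject an edit that sshd cannot parse, so a bad value never reaches
        # the live configuration file.
        validate: '/usr/sbin/sshd -t -f %s'
      loop:
        - regexp: '^#?Port '
          line: "Port {{ ssh_port }}"
        - regexp: '^#?PermitRootLogin '
          line: "PermitRootLogin {{ ssh_permit_root_login }}"
        - regexp: '^#?PasswordAuthentication '
          line: "PasswordAuthentication {{ ssh_password_auth }}"
      register: sshd_config_result

    # Restart only when the configuration changed, so repeated runs do not
    # bounce the daemon for nothing.
    - name: Redémarrer le service SSH
      service:
        name: ssh
        state: restarted
      when: sshd_config_result is changed

    # The service module fails on a unit that does not exist (cups and avahi
    # are usually absent on server installs), so look up what is present first.
    - name: Collecter l'état des services installés
      service_facts:

    - name: Désactiver les services inutiles
      service:
        name: "{{ item }}"
        state: stopped
        enabled: false
      loop:
        - cups          # Disable the printing service
        - avahi-daemon  # Disable the network discovery service
      when: (item ~ '.service') in ansible_facts.services

    # Optional: affects IPv4 echo requests only, and also blinds ping-based
    # monitoring and reachability checks.
    - name: Désactiver le ping ICMP (optionnel)
      sysctl:
        name: net.ipv4.icmp_echo_ignore_all
        value: '1'
        sysctl_set: true
        state: present
        reload: true

    # Hosts that route traffic (container hosts, VPN gateways) need
    # forwarding; do not apply this task to them.
    - name: Désactiver le transfert IPv4 et IPv6
      sysctl:
        name: "{{ item }}"
        value: '0'
        sysctl_set: true
        state: present
      loop:
        - net.ipv4.ip_forward
        - net.ipv6.conf.all.forwarding

    # Read-only check: never reported as changed. bash is requested because
    # "set -o pipefail" is needed to notice a failing sshd -T in front of grep.
    # The fail2ban status is skipped when the service was not enabled above,
    # since systemctl status exits non-zero for an inactive unit.
    - name: Vérifier si les configurations de sécurité sont bien appliquées
      shell: |
        set -euo pipefail
        ufw status
        {% if fail2ban_enabled | bool %}
        systemctl status fail2ban
        {% endif %}
        sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|port'
      args:
        executable: /bin/bash
      register: security_check
      changed_when: false

    - debug:
        var: security_check.stdout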