DevOPS/Ansible/secure_ubuntu.yml

---
- name: Sécurisation d'Ubuntu 22.04
  hosts: all
  become: true
  vars:
    ufw_allowed_ports:
      - 22   # SSH
      - 80   # HTTP
      - 443  # HTTPS
    ssh_port: 22
    ssh_permit_root_login: "no"
    ssh_password_auth: "no"
    fail2ban_enabled: true

  tasks:
    - name: Mise à jour de tous les paquets
      apt:
        update_cache: yes
        upgrade: dist
        autoremove: yes

    - name: Installation des outils de sécurité de base
      apt:
        name:
          - ufw            # Pare-feu UFW
          - fail2ban       # Protection contre les tentatives de bruteforce
          - unattended-upgrades  # Mises à jour automatiques
        state: present

    - name: Configurer les mises à jour automatiques
      copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

    - name: Activer et configurer UFW (Uncomplicated Firewall)
      ufw:
        rule: allow
        port: "{{ item }}"
      loop: "{{ ufw_allowed_ports }}"
      
    - name: Activer UFW
      ufw:
        state: enabled

    - name: Configurer Fail2Ban si activé
      block:
        - name: Activer le service Fail2Ban
          service:
            name: fail2ban
            state: started
            enabled: true
      when: fail2ban_enabled

    - name: Configurer SSH pour renforcer la sécurité
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - { regexp: '^#?Port ', line: "Port {{ ssh_port }}" }
        - { regexp: '^#?PermitRootLogin ', line: "PermitRootLogin {{ ssh_permit_root_login }}" }
        - { regexp: '^#?PasswordAuthentication ', line: "PasswordAuthentication {{ ssh_password_auth }}" }

    - name: Redémarrer le service SSH
      service:
        name: ssh
        state: restarted

    - name: Désactiver les services inutiles
      service:
        name: "{{ item }}"
        state: stopped
        enabled: false
      loop:
        - cups        # Désactiver le service d'imprimante
        - avahi-daemon  # Désactiver le service de découverte réseau

    - name: Désactiver le ping ICMP (optionnel)
      sysctl:
        name: net.ipv4.icmp_echo_ignore_all
        value: 1
        sysctl_set: yes
        state: present
        reload: yes

    - name: Désactiver le transfert IPv4 et IPv6
      sysctl:
        name: "{{ item }}"
        value: 0
        sysctl_set: yes
        state: present
      loop:
        - net.ipv4.ip_forward
        - net.ipv6.conf.all.forwarding

    - name: Vérifier si les configurations de sécurité sont bien appliquées
      shell: ufw status && systemctl status fail2ban && sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|port'
      register: security_check

    - debug:
        var: security_check.stdout
Ajouter secure_ubuntu.yml 2024-11-01 21:26:18 +00:00			`---`
			`- name: Sécurisation d'Ubuntu 22.04`
			`hosts: all`
			`become: true`
			`vars:`
			`ufw_allowed_ports:`
			`- 22 # SSH`
			`- 80 # HTTP`
			`- 443 # HTTPS`
			`ssh_port: 22`
			`ssh_permit_root_login: "no"`
			`ssh_password_auth: "no"`
			`fail2ban_enabled: true`

			`tasks:`
			`- name: Mise à jour de tous les paquets`
			`apt:`
			`update_cache: yes`
			`upgrade: dist`
			`autoremove: yes`

			`- name: Installation des outils de sécurité de base`
			`apt:`
			`name:`
			`- ufw # Pare-feu UFW`
			`- fail2ban # Protection contre les tentatives de bruteforce`
			`- unattended-upgrades # Mises à jour automatiques`
			`state: present`

			`- name: Configurer les mises à jour automatiques`
			`copy:`
			`dest: /etc/apt/apt.conf.d/20auto-upgrades`
			`content: \|`
			`APT::Periodic::Update-Package-Lists "1";`
			`APT::Periodic::Unattended-Upgrade "1";`

			`- name: Activer et configurer UFW (Uncomplicated Firewall)`
			`ufw:`
			`rule: allow`
			`port: "{{ item }}"`
			`loop: "{{ ufw_allowed_ports }}"`

			`- name: Activer UFW`
			`ufw:`
			`state: enabled`

			`- name: Configurer Fail2Ban si activé`
			`block:`
			`- name: Activer le service Fail2Ban`
			`service:`
			`name: fail2ban`
			`state: started`
			`enabled: true`
			`when: fail2ban_enabled`

			`- name: Configurer SSH pour renforcer la sécurité`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`state: present`
			`regexp: "{{ item.regexp }}"`
			`line: "{{ item.line }}"`
			`loop:`
			`- { regexp: '^#?Port ', line: "Port {{ ssh_port }}" }`
			`- { regexp: '^#?PermitRootLogin ', line: "PermitRootLogin {{ ssh_permit_root_login }}" }`
			`- { regexp: '^#?PasswordAuthentication ', line: "PasswordAuthentication {{ ssh_password_auth }}" }`

			`- name: Redémarrer le service SSH`
			`service:`
			`name: ssh`
			`state: restarted`

			`- name: Désactiver les services inutiles`
			`service:`
			`name: "{{ item }}"`
			`state: stopped`
			`enabled: false`
			`loop:`
			`- cups # Désactiver le service d'imprimante`
			`- avahi-daemon # Désactiver le service de découverte réseau`

			`- name: Désactiver le ping ICMP (optionnel)`
			`sysctl:`
			`name: net.ipv4.icmp_echo_ignore_all`
			`value: 1`
			`sysctl_set: yes`
			`state: present`
			`reload: yes`

			`- name: Désactiver le transfert IPv4 et IPv6`
			`sysctl:`
			`name: "{{ item }}"`
			`value: 0`
			`sysctl_set: yes`
			`state: present`
			`loop:`
			`- net.ipv4.ip_forward`
			`- net.ipv6.conf.all.forwarding`

			`- name: Vérifier si les configurations de sécurité sont bien appliquées`
			`shell: ufw status && systemctl status fail2ban && sshd -T \| grep -Ei 'permitrootlogin\|passwordauthentication\|port'`
			`register: security_check`

			`- debug:`
			`var: security_check.stdout`