diff --git a/secure_ubuntu.yml b/secure_ubuntu.yml
new file mode 100644
index 0000000..4b74a56
--- /dev/null
+++ b/secure_ubuntu.yml
@@ -0,0 +1,104 @@
+---
+- name: Sécurisation d'Ubuntu 22.04
+ hosts: all
+ become: true
+ vars:
+ ufw_allowed_ports:
+ - 22 # SSH
+ - 80 # HTTP
+ - 443 # HTTPS
+ ssh_port: 22
+ ssh_permit_root_login: "no"
+ ssh_password_auth: "no"
+ fail2ban_enabled: true
+
+ tasks:
+ - name: Mise à jour de tous les paquets
+ apt:
+ update_cache: yes
+ upgrade: dist
+ autoremove: yes
+
+ - name: Installation des outils de sécurité de base
+ apt:
+ name:
+ - ufw # Pare-feu UFW
+ - fail2ban # Protection contre les tentatives de bruteforce
+ - unattended-upgrades # Mises à jour automatiques
+ state: present
+
+ - name: Configurer les mises à jour automatiques
+ copy:
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ content: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+
+ - name: Activer et configurer UFW (Uncomplicated Firewall)
+ ufw:
+ rule: allow
+ port: "{{ item }}"
+ loop: "{{ ufw_allowed_ports }}"
+
+ - name: Activer UFW
+ ufw:
+ state: enabled
+
+ - name: Configurer Fail2Ban si activé
+ block:
+ - name: Activer le service Fail2Ban
+ service:
+ name: fail2ban
+ state: started
+ enabled: true
+ when: fail2ban_enabled
+
+ - name: Configurer SSH pour renforcer la sécurité
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ state: present
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ loop:
+ - { regexp: '^#?Port ', line: "Port {{ ssh_port }}" }
+ - { regexp: '^#?PermitRootLogin ', line: "PermitRootLogin {{ ssh_permit_root_login }}" }
+ - { regexp: '^#?PasswordAuthentication ', line: "PasswordAuthentication {{ ssh_password_auth }}" }
+
+ - name: Redémarrer le service SSH
+ service:
+ name: ssh
+ state: restarted
+
+ - name: Désactiver les services inutiles
+ service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: false
+ loop:
+ - cups # Désactiver le service d'imprimante
+ - avahi-daemon # Désactiver le service de découverte réseau
+
+ - name: Désactiver le ping ICMP (optionnel)
+ sysctl:
+ name: net.ipv4.icmp_echo_ignore_all
+ value: 1
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+ - name: Désactiver le transfert IPv4 et IPv6
+ sysctl:
+ name: "{{ item }}"
+ value: 0
+ sysctl_set: yes
+ state: present
+ loop:
+ - net.ipv4.ip_forward
+ - net.ipv6.conf.all.forwarding
+
+ - name: Vérifier si les configurations de sécurité sont bien appliquées
+ shell: ufw status && systemctl status fail2ban && sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|port'
+ register: security_check
+
+ - debug:
+ var: security_check.stdout
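Review bot: The "Configurer SSH" task edits `Port`, `PermitRootLogin` and `PasswordAuthentication` in /etc/ssh/sshd_config and the following task restarts `ssh` unconditionally with no syntax check in between, so a malformed edit locks every operator out of the host; add `validate: 'sshd -t -f %s'` to the `lineinfile` task and move the restart into a handler reached via `notify` so it only runs when something changed. The firewall list hard-codes `- 22` while the port written to sshd_config comes from `ssh_port`, so changing that variable also locks you out once UFW is enabled; use `- "{{ ssh_port }}"` in `ufw_allowed_ports` instead. On Ubuntu 22.04 the stock sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads for a directive, so a vendor drop-in (some cloud images ship one setting `PasswordAuthentication yes`) can silently override these edits — worth confirming against the `sshd -T` output the last task already collects. That final `shell` check should also carry `changed_when: false` and a `failed_when` on the expected values rather than just feeding `debug`, and note that `systemctl status fail2ban` exits non-zero when the unit is inactive, so the play fails there whenever `fail2ban_enabled` is false.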