Ajouter secure_ubuntu.yml

2024-11-01 21:26:18 +00:00 · 2024-11-01 21:26:18 +00:00 · 7218631742
commit 7218631742
parent 191d63b506
1 changed files with 104 additions and 0 deletions
--- a/secure_ubuntu.yml
+++ b/secure_ubuntu.yml
@ -0,0 +1,104 @@
+---
+- name: Sécurisation d'Ubuntu 22.04
+  hosts: all
+  become: true
+  vars:
+    ufw_allowed_ports:
+      - 22   # SSH
+      - 80   # HTTP
+      - 443  # HTTPS
+    ssh_port: 22
+    ssh_permit_root_login: "no"
+    ssh_password_auth: "no"
+    fail2ban_enabled: true
+
+  tasks:
+    - name: Mise à jour de tous les paquets
+      apt:
+        update_cache: yes
+        upgrade: dist
+        autoremove: yes
+
+    - name: Installation des outils de sécurité de base
+      apt:
+        name:
+          - ufw            # Pare-feu UFW
+          - fail2ban       # Protection contre les tentatives de bruteforce
+          - unattended-upgrades  # Mises à jour automatiques
+        state: present
+
+    - name: Configurer les mises à jour automatiques
+      copy:
+        dest: /etc/apt/apt.conf.d/20auto-upgrades
+        content: |
+          APT::Periodic::Update-Package-Lists "1";
+          APT::Periodic::Unattended-Upgrade "1";
+
+    - name: Activer et configurer UFW (Uncomplicated Firewall)
+      ufw:
+        rule: allow
+        port: "{{ item }}"
+      loop: "{{ ufw_allowed_ports }}"
+      
+    - name: Activer UFW
+      ufw:
+        state: enabled
+
+    - name: Configurer Fail2Ban si activé
+      block:
+        - name: Activer le service Fail2Ban
+          service:
+            name: fail2ban
+            state: started
+            enabled: true
+      when: fail2ban_enabled
+
+    - name: Configurer SSH pour renforcer la sécurité
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        state: present
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+      loop:
+        - { regexp: '^#?Port ', line: "Port {{ ssh_port }}" }
+        - { regexp: '^#?PermitRootLogin ', line: "PermitRootLogin {{ ssh_permit_root_login }}" }
+        - { regexp: '^#?PasswordAuthentication ', line: "PasswordAuthentication {{ ssh_password_auth }}" }
+
+    - name: Redémarrer le service SSH
+      service:
+        name: ssh
+        state: restarted
+
+    - name: Désactiver les services inutiles
+      service:
+        name: "{{ item }}"
+        state: stopped
+        enabled: false
+      loop:
+        - cups        # Désactiver le service d'imprimante
+        - avahi-daemon  # Désactiver le service de découverte réseau
+
+    - name: Désactiver le ping ICMP (optionnel)
+      sysctl:
+        name: net.ipv4.icmp_echo_ignore_all
+        value: 1
+        sysctl_set: yes
+        state: present
+        reload: yes
+
+    - name: Désactiver le transfert IPv4 et IPv6
+      sysctl:
+        name: "{{ item }}"
+        value: 0
+        sysctl_set: yes
+        state: present
+      loop:
+        - net.ipv4.ip_forward
+        - net.ipv6.conf.all.forwarding
+
+    - name: Vérifier si les configurations de sécurité sont bien appliquées
+      shell: ufw status && systemctl status fail2ban && sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|port'
+      register: security_check
+
+    - debug:
+        var: security_check.stdout