From 0cafb4968b3ac5169f67a0937641d41b581c2b7b Mon Sep 17 00:00:00 2001 From: Alex Tavarez Date: Fri, 5 Sep 2025 00:43:14 -0400 Subject: [PATCH] Created a role for initial lockdown of recent VPS, and started role for basic server configuration --- .ansible/roles/bootstrap/defaults/main.yml | 3 + .../files/sshd_config.d/sftp.conf.example | 8 + .ansible/roles/lockdown/README.md | 38 +++++ .ansible/roles/lockdown/defaults/main.yml | 15 ++ .../files/sshd_config.d/auth.conf.example | 2 + .../files/sshd_config.d/denyroot.conf.example | 1 + .ansible/roles/lockdown/handlers/main.yml | 13 ++ .ansible/roles/lockdown/meta/main.yml | 35 ++++ .ansible/roles/lockdown/tasks/deshell.yml | 12 ++ .ansible/roles/lockdown/tasks/main.yml | 160 ++++++++++++++++++ .ansible/roles/lockdown/tests/inventory | 3 + .ansible/roles/lockdown/tests/test.yml | 6 + 12 files changed, 296 insertions(+) create mode 100644 .ansible/roles/bootstrap/defaults/main.yml create mode 100644 .ansible/roles/bootstrap/files/sshd_config.d/sftp.conf.example create mode 100644 .ansible/roles/lockdown/README.md create mode 100644 .ansible/roles/lockdown/defaults/main.yml create mode 100644 .ansible/roles/lockdown/files/sshd_config.d/auth.conf.example create mode 100644 .ansible/roles/lockdown/files/sshd_config.d/denyroot.conf.example create mode 100644 .ansible/roles/lockdown/handlers/main.yml create mode 100644 .ansible/roles/lockdown/meta/main.yml create mode 100644 .ansible/roles/lockdown/tasks/deshell.yml create mode 100644 .ansible/roles/lockdown/tasks/main.yml create mode 100644 .ansible/roles/lockdown/tests/inventory create mode 100644 .ansible/roles/lockdown/tests/test.yml diff --git a/.ansible/roles/bootstrap/defaults/main.yml b/.ansible/roles/bootstrap/defaults/main.yml new file mode 100644 index 0000000..d7fb0f6 --- /dev/null +++ b/.ansible/roles/bootstrap/defaults/main.yml @@ -0,0 +1,3 @@ +#SPDX-License-Identifier: MIT-0 +--- +# defaults file for bootstrap diff --git a/.ansible/roles/bootstrap/files/sshd_config.d/sftp.conf.example b/.ansible/roles/bootstrap/files/sshd_config.d/sftp.conf.example new file mode 100644 index 0000000..6c623b1 --- /dev/null +++ b/.ansible/roles/bootstrap/files/sshd_config.d/sftp.conf.example @@ -0,0 +1,8 @@ +Match Group ftp + ForceCommand internal-sftp -u 003 -d /%u + AuthorizedKeysFile /srv/.ftp/authorized_keys + ChrootDirectory /srv/ftp + PasswordAuthentication no + AllowAgentForwarding no + AllowTcpForwarding no + X11Forwarding no \ No newline at end of file diff --git a/.ansible/roles/lockdown/README.md b/.ansible/roles/lockdown/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/.ansible/roles/lockdown/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/.ansible/roles/lockdown/defaults/main.yml b/.ansible/roles/lockdown/defaults/main.yml new file mode 100644 index 0000000..fc8a729 --- /dev/null +++ b/.ansible/roles/lockdown/defaults/main.yml @@ -0,0 +1,15 @@ +#SPDX-License-Identifier: MIT-0 +--- +# defaults file for lockdown +files_mode: no +# create_groups: +# - group_name: "ftp" +create_users: + - username: "{{ hostvars['server'][0].username }}" + password: "{{ hostvars['server'][0].password }}" + # ssh_authorize: yes +# web_users: +# - caddy +# - www-data +ssh_pubkey_filename_pattern: '.*\.pub' +include_root_lock: yes diff --git a/.ansible/roles/lockdown/files/sshd_config.d/auth.conf.example b/.ansible/roles/lockdown/files/sshd_config.d/auth.conf.example new file mode 100644 index 0000000..02c2a5c --- /dev/null +++ b/.ansible/roles/lockdown/files/sshd_config.d/auth.conf.example @@ -0,0 +1,2 @@ +PasswordAuthentication no +PermitEmptyPasswords no \ No newline at end of file diff --git a/.ansible/roles/lockdown/files/sshd_config.d/denyroot.conf.example b/.ansible/roles/lockdown/files/sshd_config.d/denyroot.conf.example new file mode 100644 index 0000000..4888ff9 --- /dev/null +++ b/.ansible/roles/lockdown/files/sshd_config.d/denyroot.conf.example @@ -0,0 +1 @@ +PermitRootLogin no \ No newline at end of file diff --git a/.ansible/roles/lockdown/handlers/main.yml b/.ansible/roles/lockdown/handlers/main.yml new file mode 100644 index 0000000..f7b85cd --- /dev/null +++ b/.ansible/roles/lockdown/handlers/main.yml @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: MIT-0 +--- +# handlers file for lockdown +- name: Restart SSH server + when: ansible_facts["user_id"] == "root" + ansible.builtin.service: + name: ssh + state: restarted + tags: + - default + - restart_ssh + register: restarted_ssh + listen: "restart ssh" diff --git a/.ansible/roles/lockdown/meta/main.yml b/.ansible/roles/lockdown/meta/main.yml new file mode 100644 index 0000000..36b9858 --- /dev/null +++ b/.ansible/roles/lockdown/meta/main.yml @@ -0,0 +1,35 @@ +#SPDX-License-Identifier: MIT-0 +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/.ansible/roles/lockdown/tasks/deshell.yml b/.ansible/roles/lockdown/tasks/deshell.yml new file mode 100644 index 0000000..e051da2 --- /dev/null +++ b/.ansible/roles/lockdown/tasks/deshell.yml @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: MIT-0 +--- +# tasks file for lockdown +- name: Disable shell for root user + when: ansible_facts["user_id"] != "root" + become: true + ansible.builtin.user: + name: root + shell: /sbin/nologin + tags: + - deshell_root + register: root_shell_disabled \ No newline at end of file diff --git a/.ansible/roles/lockdown/tasks/main.yml b/.ansible/roles/lockdown/tasks/main.yml new file mode 100644 index 0000000..614d2d1 --- /dev/null +++ b/.ansible/roles/lockdown/tasks/main.yml @@ -0,0 +1,160 @@ +# SPDX-License-Identifier: MIT-0 +--- +# tasks file for lockdown +# @NOTE: assumes one logged in to SSH server as root to begin with, hence no need for privilege escalation +- name: Create users + when: ansible_facts["user_id"] == "root" + block: + - name: Create sys-admin user + ansible.builtin.user: + name: "{{ create_users[0].username }}" + uid: 1000 + password: "{{ create_users[0].password }}" + append: yes + groups: + - sudo + shell: /bin/bash + generate_ssh_key: yes + password_expire_min: 93 + password_expire_max: 186 + password_expire_warn: 45 + comment: sysadmin + # ssh_key_passphrase: "{{ item.password }}" + state: present + tags: + - default + - administrative_user + register: created_admin + - name: Create new user + ansible.builtin.user: + name: "{{ item.username }}" + uid: 1000 + password: "{{ item.password }}" + append: yes + groups: + - sudo + shell: /bin/bash + generate_ssh_key: yes + password_expire_min: 93 + password_expire_max: 186 + password_expire_warn: 45 + comment: administrator + # ssh_key_passphrase: "{{ item.password }}" + state: present + loop: "{{ create_users[1:] }}" + tags: + - other_users + register: created_user +- name: Specify authorized SSH keys for users based on local public keys + when: not files_mode and ansible_facts["user_id"] == "root" + block: + - name: Acquire list of SSH public keys for sys-admin user + ansible.builtin.find: + paths: "{{ lookup('env', 'HOME') }}/.ssh" + patterns: + - '{{ ssh_pubkey_filename_pattern }}' + use_regex: yes + recurse: no + tags: + - default + - administrative_user + - admin_ssh + register: ssh_public_keys + - name: Register SSH public keys as sys-admin user's authorized keys + ansible.builtin.lineinfile: + path: "{{ created_admin.home }}/.ssh/authorized_keys" + line: "{{ lookup('ansible.builtin.file', item) }}" + owner: "{{ created_admin.name }}" + group: "{{ created_admin.name }}" + mode: "0600" + create: yes + insertafter: ~ + state: present + tags: + - default + - administrative_user + - admin_ssh + loop: "{{ ssh_public_keys.files }}" + - name: Register SSH puplic keys as other users' authorized keys + ansible.builtin.copy: + src: "ssh/{{ item.name }}/authorized_keys" + dest: "{{ item.home }}/.ssh/authorized_keys" + force: yes + backup: yes + owner: "{{ item.name }}" + group: "{{ item.name }}" + mode: "0600" + tags: + - other_users + - others_ssh + loop: "{{ created_user }}" + register: authorized_ssh_pubkeys +- name: Specify authorized SSH keys for users + when: files_mode and ansible_facts["user_id"] == "root" + block: + - name: Specify authorized keys file for sys-admin user + ansible.builtin.copy: + src: ssh/authorized_keys + dest: "{{ created_admin.home }}/.ssh/authorized_keys" + force: yes + backup: yes + owner: "{{ created_admin.name }}" + group: "{{ created_admin.name }}" + mode: "0600" + tags: + - default + - administrative_user + - admin_ssh + register: authorized_admin_ssh_pubkeys + - name: Specify authorized keys file for other users + ansible.builtin.copy: + src: "ssh/{{ item.name }}/authorized_keys" + dest: "{{ item.home }}/.ssh/authorized_keys" + force: yes + backup: yes + owner: "{{ item.name }}" + group: "{{ item.name }}" + mode: "0600" + tags: + - other_users + - others_ssh + loop: "{{ created_user }}" + register: authorized_ssh_pubkeys +- name: Lock down root SSH access + when: ansible_facts["user_id"] == "root" + block: + - name: Constrain SSH authentication methods to using SSH key + ansible.builtin.copy: + src: sshd_config.d/auth.conf + dest: /etc/ssh/sshd_config.d/auth.conf + force: yes + backup: yes + mode: "0644" + tags: + - depass_root + register: constrained_auth + - name: Prohibit access to root via SSH + ansible.builtin.copy: + src: sshd_config.d/denyroot.conf + dest: /etc/ssh/sshd_config.d/denyroot.conf + force: yes + backup: yes + mode: "0644" + tags: + - prohib_root_ssh + register: prohibited_root_ssh_login + - name: Lock the root account + when: include_root_lock + ansible.builtin.user: + name: root + password_lock: yes + tags: + - delog_root + register: prohibited_root_login + tags: + - default + - deroot + notify: "restart ssh" +- name: Import disabling of shell root by sys-admin user + ansible.builtin.import_tasks: + file: ./deshell.yml \ No newline at end of file diff --git a/.ansible/roles/lockdown/tests/inventory b/.ansible/roles/lockdown/tests/inventory new file mode 100644 index 0000000..03ca42f --- /dev/null +++ b/.ansible/roles/lockdown/tests/inventory @@ -0,0 +1,3 @@ +#SPDX-License-Identifier: MIT-0 +localhost + diff --git a/.ansible/roles/lockdown/tests/test.yml b/.ansible/roles/lockdown/tests/test.yml new file mode 100644 index 0000000..c583120 --- /dev/null +++ b/.ansible/roles/lockdown/tests/test.yml @@ -0,0 +1,6 @@ +#SPDX-License-Identifier: MIT-0 +--- +- hosts: localhost + remote_user: root + roles: + - lockdown