phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-25 13:46:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
self-hosting/roles/harden-linux/defaults/main.yml

111 lines
6.2 KiB
YAML
Raw Normal View History

Custom harden-linux role
2018-07-31 01:47:35 +02:00
---
# Some default settings for deploy user
harden_linux_deploy_user_uid: 9999
harden_linux_deploy_user_shell: "/bin/bash"
# Packages required by this role
harden_linux_required_packages:
- ufw
- sshguard
- unattended-upgrades
- sudo
# Most of this settings are recommendations from Google which they use for
# their Google Compute Cloud OS images and from UFW firewall. Add more settings
# on your own by adding a group or host variable called "sysctl_settings_user".
# "sysctl_settings" and "sysctl_settings_user" will get merged by a
# task. You can also override a setting defined in "sysctl_settings"
# by specifing a key with the same name and a different value in
# "sysctl_settings_user".
#
# For more information about this settings have a look at:
# https://cloud.google.com/compute/docs/images/building-custom-os
# https://cloud.google.com/compute/docs/images/configuring-imported-images
# With ufw package installed: /etc/ufw/sysctl.conf
#
# The following settings are not available in Scaleway's Linux image but maybe
# other use it (keep it for reference):
# "kernel.yama.ptrace_scope": 1 # Set ptrace protections
#
# This would be cool but doesn't work with UFW very well so leave it out:
# "kernel.modules_disabled": 1 # Disable CAP_SYS_MODULE which allows for loading and unloading of kernel modules.
# If you set kernel.modules_disabled=1 you're not able to load new netfilter/iptable
# modules anymore (at least on Ubuntu 16.04)! So "ufw" would fail to start if
# it is loaded afterwards.
# Add this to "sysctl_settings_user" to turn off ipv6 autoconfiguration:
# "net.ipv6.conf.default.autoconf": 0
# "net.ipv6.conf.all.autoconf": 0
# Add this to "sysctl_settings_user" to enable ipv6 privacy addressing
# "net.ipv6.conf.default.use_tempaddr": 2
# "net.ipv6.conf.all.use_tempaddr": 2
harden_linux_sysctl_settings:
"net.ipv4.tcp_syncookies": 1 # Enable syn flood protection
"net.ipv4.conf.all.accept_source_route": 0 # Ignore source-routed packets
"net.ipv6.conf.all.accept_source_route": 0 # IPv6 - Ignore ICMP redirects
"net.ipv4.conf.default.accept_source_route": 0 # Ignore source-routed packets
"net.ipv6.conf.default.accept_source_route": 0 # IPv6 - Ignore source-routed packets
"net.ipv4.conf.all.accept_redirects": 0 # Ignore ICMP redirects
"net.ipv6.conf.all.accept_redirects": 0 # IPv6 - Ignore ICMP redirects
"net.ipv4.conf.default.accept_redirects": 0 # Ignore ICMP redirects
"net.ipv6.conf.default.accept_redirects": 0 # IPv6 - Ignore ICMP redirects
"net.ipv4.conf.all.secure_redirects": 1 # Ignore ICMP redirects from non-GW hosts
"net.ipv4.conf.default.secure_redirects": 1 # Ignore ICMP redirects from non-GW hosts
"net.ipv4.ip_forward": 0 # Do not allow traffic between networks or act as a router
"net.ipv6.conf.all.forwarding": 0 # IPv6 - Do not allow traffic between networks or act as a router
"net.ipv4.conf.all.send_redirects": 0 # Don't allow traffic between networks or act as a router
"net.ipv4.conf.default.send_redirects": 0 # Don't allow traffic between networks or act as a router
"net.ipv4.conf.all.rp_filter": 1 # Reverse path filtering - IP spoofing protection
"net.ipv4.conf.default.rp_filter": 1 # Reverse path filtering - IP spoofing protection
"net.ipv4.icmp_echo_ignore_broadcasts": 1 # Ignore ICMP broadcasts to avoid participating in Smurf attacks
"net.ipv4.icmp_ignore_bogus_error_responses": 1 # Ignore bad ICMP errors
"net.ipv4.icmp_echo_ignore_all": 0 # Ignore bad ICMP errors
"net.ipv4.conf.all.log_martians": 1 # Log spoofed, source-routed, and redirect packets
"net.ipv4.conf.default.log_martians": 1 # Log spoofed, source-routed, and redirect packets
"net.ipv4.tcp_rfc1337": 1 # Implement RFC 1337 fix
"kernel.randomize_va_space": 2 # Randomize addresses of mmap base, heap, stack and VDSO page
"fs.protected_hardlinks": 1 # Provide protection from ToCToU races
"fs.protected_symlinks": 1 # Provide protection from ToCToU races
"kernel.kptr_restrict": 1 # Make locating kernel addresses more difficult
"kernel.perf_event_paranoid": 2 # Set perf only available to root
# The "key" here is a regex of a setting you want to replace and the value is
# the setting name + the setting value. E.g. we want to replace the line
# "Port 22" with "Port 22222". The regex (the key) would be "^Port 22 " which
# means "search for a line in /etc/ssh/sshd_config that begins with 'Port 22 '
# and replace the whole line with 'Port 22222'". This enables you to replace
# every setting in sshd_config.
harden_linux_sshd_settings:
"^PasswordAuthentication": "PasswordAuthentication no" # Disable password authentication
"^PermitRootLogin": "PermitRootLogin no" # Disable SSH root login
"^PermitTunnel": "PermitTunnel no" # Disable tun(4) device forwarding
"^Port ": "Port 22" # Set SSHd port
# By default we only allow SSH inbound traffic.
harden_linux_ufw_rules:
- rule: "allow"
to_port: "22"
protocol: "tcp"
# Defaults for UFW (/etc/default/ufw). Same rules as for
# harden_linux_sshd_settings applies.
harden_linux_ufw_defaults:
"^IPV6": 'IPV6=yes'
"^DEFAULT_INPUT_POLICY": 'DEFAULT_INPUT_POLICY="DROP"'
"^DEFAULT_OUTPUT_POLICY": 'DEFAULT_OUTPUT_POLICY="ACCEPT"'
"^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="DROP"'
"^DEFAULT_APPLICATION_POLICY": 'DEFAULT_APPLICATION_POLICY="SKIP"'
"^MANAGE_BUILTINS": 'MANAGE_BUILTINS=no'
"^IPT_SYSCTL": 'IPT_SYSCTL=/etc/ufw/sysctl.conf'
"^IPT_MODULES": 'IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"'
# Disable/enable UFW logging
harden_linux_ufw_logging: 'off'
# SSHGuard whitelist. SSHGuard blocks IPs for some time if
# to many login attempts fail. Specify IP (ranges) that
# should not be blocked
harden_linux_sshguard_whitelist:
- "127.0.0.0/8"
- "::1/128"
Reference in a new issue Copy permalink