You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
45 lines
940 B
45 lines
940 B
2 years ago
|
# https://www.raspberrypi.org/documentation/configuration/security.md
|
||
|
|
|
||
|
|
- hosts: on-fire-within
|
||
|
|
become: yes
|
||
|
|
tasks:
|
||
|
|
- name: disable ssh password logins
|
||
|
|
lineinfile:
|
||
|
|
path: /etc/ssh/sshd_config
|
||
|
|
regexp: '^(#\s*)?{{ item }} '
|
||
|
|
line: "{{ item }} no"
|
||
|
|
notify: reload ssh
|
||
|
|
with_items:
|
||
|
|
- ChallengeResponseAuthentication
|
||
|
|
- PasswordAuthentication
|
||
|
|
- UsePAM
|
||
|
|
|
||
|
|
- name: disable pi user
|
||
|
|
user:
|
||
|
|
name: pi
|
||
|
|
password: !
|
||
|
|
|
||
|
|
- name: install fail2ban
|
||
|
|
package:
|
||
|
|
name: fail2ban
|
||
|
|
state: present
|
||
|
|
|
||
|
|
- name: create jail.local
|
||
|
|
copy:
|
||
|
|
content: |
|
||
|
|
[sshd]
|
||
|
|
enabled = true
|
||
|
|
dest: /etc/fail2ban/jail.local
|
||
|
|
notify: reload fail2ban
|
||
|
|
|
||
|
|
handlers:
|
||
|
|
- name: reload ssh
|
||
|
|
service:
|
||
|
|
name: ssh
|
||
|
|
state: reloaded
|
||
|
|
|
||
|
|
- name: reload fail2ban
|
||
|
|
service:
|
||
|
|
name: fail2ban
|
||
|
|
state: reloaded
|