Houssem-Tayech/server-config

Server Security Configuration with Ansible

This repository contains Ansible playbooks that apply a baseline security configuration to an Ubuntu/Debian server: brute-force banning, antivirus, a host firewall, unattended security updates, rootkit scanning and SSH hardening.

What's Included

1. fail2ban Configuration (fail2ban.yml)

  • Installs and configures fail2ban, which watches authentication logs and bans source IPs that repeatedly fail to log in
  • Protects SSH service from brute force attacks
  • Automatically bans IPs after failed login attempts
  • Customizable ban times and retry limits

2. Antivirus Setup (antivirus.yml)

  • Installs ClamAV antivirus engine
  • Configures automatic virus definition updates
  • Sets up daily and weekly scheduled scans
  • Creates quarantine directory for infected files
  • Includes scan logging and monitoring

3. UFW Firewall (firewall.yml)

  • Configures UFW (Uncomplicated Firewall)
  • Default deny incoming, allow outgoing
  • Allows SSH access
  • Supports custom port configurations
  • Enables firewall logging

4. Automatic Security Updates (auto-updates.yml)

  • Installs unattended-upgrades package
  • Automatically installs security patches
  • Configurable reboot policies
  • Email notifications for updates
  • Minimal system maintenance required

5. Rootkit Detection (rootkit-detection.yml)

  • Installs rkhunter for rootkit detection
  • Daily automated scans at 3:30 AM
  • Monitors for suspicious files and changes
  • Database auto-updates
  • Detailed scan reports

6. SSH Security Hardening (ssh-security.yml)

  • WARNING: Disables password authentication
  • Enforces SSH key-only authentication
  • Configures strong ciphers and algorithms
  • Sets connection timeouts and limits
  • Creates SSH key generation helper script

7. Main Orchestration Playbook (main.yml)

  • Runs all security configurations
  • Provides system updates
  • Creates security monitoring scripts
  • Configurable module execution

Prerequisites

  1. SSH Keys: If you plan to use SSH security hardening, ensure you have SSH keys configured before running the playbook
  2. Sudo Access: The playbooks require sudo privileges
  3. Ubuntu/Debian: Designed for Ubuntu/Debian-based systems

Quick Start

Install Dependencies

# Ansible must be installed on the machine you run the playbooks from (the control node); this guide assumes it already is

Generate SSH Keys (Required for SSH hardening)

# Generate SSH key pair
ssh-keygen -t ed25519 -C "[email protected]"

# Copy public key to server (if running remotely)
ssh-copy-id user@your-server

# Or use the helper script that ssh-security.yml installs (it only exists after that
# playbook has run once, so generate the first key manually as shown above)
sudo /usr/local/bin/generate-ssh-key.sh

Run Security Configuration

Option 1: Run All Security Modules (Except SSH Hardening)

cd /home/ubuntu/config_server
ansible-playbook -i inventory.ini main.yml

Option 2: Run Individual Modules

# Install fail2ban only
ansible-playbook -i inventory.ini fail2ban.yml

# Install antivirus only
ansible-playbook -i inventory.ini antivirus.yml

# Configure SSH security only (DANGEROUS - ensure SSH keys are configured)
ansible-playbook -i inventory.ini ssh-security.yml

Option 3: Run All Including SSH Hardening

⚠️ WARNING: Only do this if you have SSH keys configured!

Edit main.yml and change:

setup_ssh_security: true

Then run:

ansible-playbook -i inventory.ini main.yml

Configuration Details

fail2ban

  • Default ban time: 1 hour (3600 seconds) for jails that do not override it
  • SSH jail (sshd): 3 failures within a 5-minute findtime window ban the source IP for 30 minutes
  • Monitoring: /var/log/auth.log for SSH attempts (on systems that ship without rsyslog, such as a default Debian 12 install, this file does not exist; point the jail at the journal with backend = systemd instead)
  • Configuration: /etc/fail2ban/jail.local (add your own management addresses to ignoreip so a mistyped password cannot ban you out)
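To see what the sshd jail numbers above actually do, here is an added shell example (mine, not the playbook's and not fail2ban's implementation) that applies the same maxretry-within-findtime sliding-window rule to a handful of constructed auth.log lines and prints the addresses that would be banned. The sample log, the would_ban function and its output format are assumptions made for this demo.

```shell
#!/usr/bin/env bash
# Added example: re-implements the sshd jail ban rule (maxretry failures inside
# any findtime-second window) over auth.log-style lines, so you can see which
# addresses a given jail.local setting would ban. Not fail2ban code.

# Constructed sample of /var/log/auth.log lines (single day, syslog format).
SAMPLE_AUTH_LOG='Mar 10 03:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 52211 ssh2
Mar 10 03:00:45 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 52212 ssh2
Mar 10 03:01:10 host sshd[1203]: Accepted publickey for ubuntu from 198.51.100.7 port 40001 ssh2: ED25519 SHA256:constructed
Mar 10 03:02:30 host sshd[1204]: Failed password for root from 203.0.113.5 port 52213 ssh2
Mar 10 03:10:00 host sshd[1205]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 03:20:00 host sshd[1206]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 10 03:30:00 host sshd[1207]: Failed password for root from 198.51.100.7 port 40004 ssh2'

# would_ban MAXRETRY FINDTIME_SECONDS   (log lines on stdin)
# Prints, once each and in the order they cross the threshold, every source IP
# that accumulates MAXRETRY failed-password events within FINDTIME_SECONDS.
would_ban() {
  local maxretry="$1" findtime="$2"
  awk -v maxretry="$maxretry" -v findtime="$findtime" '
    index($0, "sshd[") && /Failed password for/ {
      # Field 3 is HH:MM:SS; the sample is single-day so seconds since midnight suffice.
      split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
      # The client address is the word after "from".
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      # Drop failures of this IP that aged out of the window, then add this one.
      k = 0
      for (j = 1; j <= cnt[ip]; j++)
        if (now - ts[ip, j] < findtime) { k++; keep[k] = ts[ip, j] }
      for (j = 1; j <= k; j++) ts[ip, j] = keep[j]
      k++; ts[ip, k] = now; cnt[ip] = k
      # Threshold reached inside the window: ban once, never re-print.
      if (k >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Stand-alone demo with the sshd jail values from this README: maxretry 3, findtime 300.
# 203.0.113.5 fails three times in 150 s and is banned; 198.51.100.7 spreads its
# three failures 10 minutes apart and never has three inside one window.
printf '%s\n' "$SAMPLE_AUTH_LOG" | would_ban 3 300
```

Raising findtime to an hour (would_ban 3 3600) also catches the slow attacker at 198.51.100.7, which is the trade-off the findtime setting controls: a longer window catches low-and-slow guessing but makes an accidental self-ban more likely.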

ClamAV Antivirus

  • Daily scans: 2:00 AM (quick scan, excludes system directories)
  • Weekly scans: Sunday 3:00 AM (comprehensive scan)
  • Quarantine: /var/quarantine
  • Logs: /var/log/clamav/
  • Auto-updates: Virus definitions updated automatically

UFW Firewall

  • Default policy: Deny incoming, allow outgoing
  • SSH: Port 22 allowed by default
  • Custom ports: Configurable in firewall.yml
  • Logging: Enabled for all blocked connections
  • Configuration: /etc/ufw/

Automatic Updates

  • Target: Security updates only
  • Schedule: Daily checks, automatic installation
  • Reboot: Disabled by default (configurable)
  • Email: Notifications on changes (optional)
  • Logs: /var/log/unattended-upgrades/

rkhunter

  • Daily scans: 3:30 AM
  • Database updates: Automatic
  • Reports: /var/log/rkhunter/
  • Warnings: Logged for review
  • Configuration: /etc/rkhunter.conf

SSH Security

  • Authentication: SSH keys only, passwords disabled
  • Root login: PermitRootLogin prohibit-password (root can still log in with a key, never with a password)
  • Ciphers: ChaCha20-Poly1305, AES-256-GCM, AES-128-GCM
  • Connection timeouts: 5-minute idle timeout
  • Max attempts: 3 authentication attempts
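Both the SSH key prerequisite and the ssh-security.yml warning come down to one rule: do not disable passwords until a key login is guaranteed. Here is an added pre-flight check in shell (mine, not the playbook's code) to run before the hardening playbook or before hand-editing sshd_config. It reproduces sshd's first-value-wins rule across Include drop-ins, which is how a drop-in under /etc/ssh/sshd_config.d/ can keep PasswordAuthentication yes even though the main file says no, and it refuses when no public key is installed. The file layout, the 50-cloud-init.conf drop-in name and the key material are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check before disabling SSH password logins.
# Answers two questions: is there a public key that can get you back in, and is
# the EFFECTIVE sshd value what you think it is. Not the playbook's own code.

# Emit config lines in the order sshd reads them, expanding "Include" globs in
# place. Match blocks are ignored (a simplification for this demo).
_sshd_flatten() {
  local cfg="$1" line key f
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                      # word-split and glob-expand the line
    key="$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')"
    if [ "$key" = "include" ]; then
      shift
      for f in "$@"; do
        if [ -f "$f" ]; then _sshd_flatten "$f"; fi
      done
    else
      printf '%s\n' "$line"
    fi
  done < "$cfg"
}

# sshd_effective KEYWORD CONFIG: sshd keeps the FIRST value it sees for a keyword.
# Ubuntu/Debian start sshd_config with "Include /etc/ssh/sshd_config.d/*.conf",
# so a drop-in wins over anything set later in the main file.
sshd_effective() {
  _sshd_flatten "$2" | awk -v kw="$1" '
    !found && NF >= 2 && tolower($1) == tolower(kw) { print tolower($2); found = 1 }'
}

# ssh_hardening_preflight CONFIG AUTHORIZED_KEYS
# Returns 0 only if turning passwords off is safe: a public key is installed and
# the effective PasswordAuthentication value is "no". Prints the reasons otherwise.
ssh_hardening_preflight() {
  local config="$1" authkeys="$2" rc=0 pa prl
  if ! grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519|sk-ecdsa)' "$authkeys" 2>/dev/null; then
    echo "FAIL: no public key in $authkeys (you would lock yourself out)"; rc=1
  fi
  pa="$(sshd_effective PasswordAuthentication "$config")"
  if [ "$pa" != "no" ]; then
    echo "FAIL: effective PasswordAuthentication is '${pa:-unset}' (check the drop-ins)"; rc=1
  fi
  prl="$(sshd_effective PermitRootLogin "$config")"
  case "$prl" in
    no|prohibit-password) ;;
    *) echo "WARN: PermitRootLogin is '${prl:-unset}' (expected prohibit-password)" ;;
  esac
  return "$rc"
}

# build_demo_config DIR: constructed files for an offline run. The drop-in name
# mirrors the one cloud-init commonly writes on Ubuntu cloud images (assumption).
build_demo_config() {
  local dir="$1"
  mkdir -p "$dir/sshd_config.d"
  printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
  {
    printf 'Include %s/sshd_config.d/*.conf\n' "$dir"
    printf 'PermitRootLogin prohibit-password\n'
    printf 'PasswordAuthentication no\n'
    printf 'MaxAuthTries 3\n'
  } > "$dir/sshd_config"
  # Constructed key material, not a real key.
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyNotARealKey0000000000 admin@example\n' \
    > "$dir/authorized_keys"
}

# Stand-alone demo: the drop-in silently keeps passwords on, so the check fails;
# removing the drop-in makes the same main file pass.
demo_dir="$(mktemp -d)"
build_demo_config "$demo_dir"
ssh_hardening_preflight "$demo_dir/sshd_config" "$demo_dir/authorized_keys" || echo "-> not safe to proceed"
rm "$demo_dir/sshd_config.d/50-cloud-init.conf"
ssh_hardening_preflight "$demo_dir/sshd_config" "$demo_dir/authorized_keys" && echo "-> safe to proceed"
rm -rf "$demo_dir"
```

Against a live host, call ssh_hardening_preflight with /etc/ssh/sshd_config and the authorized_keys file of the account you actually log in with (sudo is needed to read the drop-ins). The flattening is an approximation of what sshd does, so treat a pass as a prompt to open a second session and test a key login before closing the first, not as a substitute for that test.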

Monitoring and Maintenance

Check Security Status

sudo /usr/local/bin/security-status.sh

fail2ban Commands

# Check status
sudo fail2ban-client status

# Check SSH jail specifically
sudo fail2ban-client status sshd

# Unban an IP
sudo fail2ban-client set sshd unbanip <IP_ADDRESS>

ClamAV Commands

# Manual scan
sudo clamscan -r /path/to/scan

# Scan with quarantine
sudo clamscan -r -i --move=/var/quarantine /path/to/scan

# Update virus definitions
sudo freshclam

# Check daemon status
sudo systemctl status clamav-daemon

UFW Firewall Commands

# Check status
sudo ufw status verbose

# Allow a port
sudo ufw allow 8080/tcp

# Delete a rule
sudo ufw delete allow 8080/tcp

# Reload firewall
sudo ufw reload

# Check detailed status script
sudo /usr/local/bin/ufw-status.sh

Automatic Updates Commands

# Check update status
sudo /usr/local/bin/updates-status.sh

# View pending updates
sudo apt list --upgradable

# Check if reboot required
cat /var/run/reboot-required

# View update logs
sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log

rkhunter Commands

# Check status and last scan
sudo /usr/local/bin/rkhunter-status.sh

# Manual scan
sudo rkhunter --check

# Update database
sudo rkhunter --update

# Re-baseline file properties (run only right after a legitimate package update:
# it also whitelists any changes an attacker has already made, so review warnings first)
sudo rkhunter --propupd

Log Locations

  • fail2ban: /var/log/fail2ban.log
  • ClamAV: /var/log/clamav/
  • SSH: /var/log/auth.log
  • Daily AV scans: /var/log/clamav/daily-scan.log
  • Weekly AV scans: /var/log/clamav/weekly-scan.log
  • UFW: /var/log/ufw.log
  • Automatic updates: /var/log/unattended-upgrades/
  • rkhunter: /var/log/rkhunter/

Customization

Modify fail2ban Settings

Edit /etc/fail2ban/jail.local and restart:

sudo systemctl restart fail2ban

Modify ClamAV Scan Schedule

Edit cron jobs:

sudo crontab -e

Modify SSH Settings

Edit /etc/ssh/sshd_config and check the syntax with sudo sshd -t first (a bad file makes sshd refuse to start, which you only notice at the next login). Note that on Ubuntu/Debian the main file begins with an Include of /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it sees for a keyword, so a drop-in there overrides the main file. Then restart while keeping your current session open, and test a fresh login from a second terminal:

sudo systemctl restart ssh

Security Best Practices

  1. Regular Updates: Keep system packages updated
  2. Monitor Logs: Regularly check security logs
  3. Backup Configurations: Keep backups of important config files
  4. Test SSH Access: Always test SSH key access before disconnecting
  5. Review Quarantine: Periodically check /var/quarantine for false positives

Troubleshooting

SSH Lockout Recovery

If you get locked out due to SSH misconfiguration:

  1. Use console/KVM access if available
  2. Restore SSH config from backup: /etc/ssh/backup/
  3. Restart SSH service: sudo systemctl restart ssh

fail2ban Issues

# Check fail2ban logs
sudo tail -f /var/log/fail2ban.log

# Restart fail2ban
sudo systemctl restart fail2ban

ClamAV Issues

# Check ClamAV logs
sudo tail -f /var/log/clamav/clamav.log

# Restart ClamAV services
sudo systemctl restart clamav-daemon clamav-freshclam

File Structure

config_server/
├── inventory.ini              # Ansible inventory
├── main.yml                  # Main orchestration playbook
├── fail2ban.yml              # fail2ban configuration
├── antivirus.yml             # ClamAV antivirus setup
├── firewall.yml              # UFW firewall configuration
├── auto-updates.yml          # Automatic security updates
├── rootkit-detection.yml     # rkhunter rootkit detection
├── ssh-security.yml          # SSH hardening (USE WITH CAUTION)
└── README.md                 # This file

Security Note

This configuration hardens your server significantly. Make sure you understand the implications:

  • Password authentication will be disabled (if SSH hardening is enabled)
  • Failed login attempts will result in IP bans
  • Regular antivirus scans may impact performance
  • Always have a recovery method (console access, etc.)

Support

For issues or customizations, review the Ansible task outputs and system logs. Each playbook includes validation steps and error handling.
