README.md (66 additions & 1 deletion)
@@ -47,7 +47,71 @@ If you need to run the playbooks multiple times remember to use the SSH key and
47
47
Tested on Debian 12 Bookworm.
48
48
49
49
## Configurations
50
-
WIP
50
+
The playbook uses most of the settings from ["How To Secure A Linux Server"](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server) / my choices if the guide has more than one option to do something.
51
+
52
+
### Requirements
53
+
- sudo installed
54
+
- groups created for *sshusers*, *sudousers* and *suusers*
55
+
- new user created with the name specified in *variables.yml* and added to groups
56
+
- use of sudo limited to sudousers group
57
+
- use of su limited to suusers group
58
+
- passwordless sudo enabled for the new user
59
+
- SSH public key added to authorized_keys file
60
+
61
+
### auditd
62
+
Uses best practice rules from [Neo23x0](https://github.com/Neo23x0)
63
+
64
+
### ClamAV
65
+
ClamAV is set to run everyday at 3 AM to scan the full system, exluding sys folders.
66
+
67
+
### Firewall: UFW
68
+
UFW is set to defaulty deny in and out.
69
+
The SSH-Port is set to *limit in*, allowed outgoing ports by default are 53 (DNS), 123 (NTP), 80 (http), 443 (https) and the mail port specified in *variables.yml*.
70
+
71
+
### Firewall: PSAD and Fail2Ban
72
+
PSAD is configured according to "How To Secure A Linux Server" guide.
73
+
74
+
### Lynis
75
+
Lynis is configured according to "How To Secure A Linux Server" guide and will run an audit + send the report as an attachment to your mail address configured in *variables.yml*.
76
+
77
+
### Mail
78
+
For mailing I chose msmtp with the help from [Decatec's guide](https://decatec.de/linux/linux-einfach-e-mails-versenden-mit-msmtp/). This will send a testmail.
79
+
80
+
### Packages
81
+
Installed packages are:
82
+
- apt-transport-https
83
+
- ca-certificates
84
+
- host
85
+
- kbtin
86
+
- ntp
87
+
- libpam-pwquality
88
+
- unattended-upgrades
89
+
- apt-listchanges
90
+
- apticron
91
+
- ufw
92
+
- psad
93
+
- fail2ban
94
+
- msmtp
95
+
- msmtp-mta
96
+
- mailutils
97
+
- clamav
98
+
- clamav-freshclam
99
+
- clamav-daemon
100
+
- rkhunter
101
+
- auditd
102
+
- audispd-plugins
103
+
104
+
### Password quality
105
+
Password quality is done via pam_pwquality according to "How To Secure A Linux Server" guide.
106
+
107
+
### Rkhunter
108
+
Rkhunter is configured according to "How To Secure A Linux Server" guide.
109
+
110
+
### SSH
111
+
SSH is configured according to "How To Secure A Linux Server" guide.
112
+
113
+
### Unattended upgrades
114
+
Unattended upgrades is configured to only upgrade security upgrades automatically. Automatic restarts are enabled.
51
115
52
116
## Plans / ToDos
53
117
-[ ] use Ansible vault to securely store secrets
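Review bot: The "Requirements" list in this hunk does not say whether its items are preconditions the reader must prepare by hand before running the playbook or results the playbook produces; "groups created for sshusers, sudousers and suusers", "new user created with the name specified in variables.yml" and "SSH public key added to authorized_keys file" read as either, and the hunk header's own context ("If you need to run the playbooks multiple times remember to use the SSH key") suggests the playbook creates at least the key. A one-line introduction such as "The playbook expects the following to already exist:" or "After the playbook has run:" would settle it. The entry "passwordless sudo enabled for the new user" deserves a sentence on why it is needed (presumably Ansible privilege escalation) since it weakens the "use of sudo limited to sudousers group" control listed two lines above it. The ClamAV and UFW sections would benefit from the concrete values: which paths are the "sys folders" that are excluded, and which variable in variables.yml holds the mail port that the outgoing rule opens. The Packages list includes "host" and "kbtin" without explanation; a short note on why a hardening playbook installs them would help readers audit the list. Finally, a few typos: "exluding" should be "excluding", "everyday" should be "every day", "defaulty deny" should be "default deny", "testmail" should be "test mail", and "Unattended upgrades is configured to only upgrade security upgrades" reads better as "Unattended-upgrades is configured to install security updates only".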
@@ -58,3 +122,4 @@ Read all tasks carefully and make sure they do not break your system before usin
58
122
## Credits
59
123
-[imthenachoman](https://github.com/imthenachoman) for creating the great [How To Secure A Linux Server](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server) guide
60
124
-[Neo23x0](https://github.com/Neo23x0) for the auditd best practice rules
125
+
-[Decatec](https://decatec.de/linux/linux-einfach-e-mails-versenden-mit-msmtp/) for the easy mail configuration
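Review bot: The added credit line "-[Decatec](https://decatec.de/...) for the easy mail configuration" has no space between the hyphen and the link, so GitHub markdown renders it as a paragraph starting with "-[Decatec]" rather than as a list item; write it as "- [Decatec](https://decatec.de/linux/linux-einfach-e-mails-versenden-mit-msmtp/) for the easy mail configuration". The two existing credit lines in the context ("-[imthenachoman]" and "-[Neo23x0]") and the "-[ ] use Ansible vault" item in the Plans section have the same problem, so fixing them in the same commit would keep the section consistent. Since the Mail section added in the first hunk already links to the same Decatec page, it may also be worth noting there that the guide is in German.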