update

roles/01-server_hardening/defaults/main.yml

@@ -0,0 +1,25 @@
+---
+# Configuration par défaut pour le hardening
+ssh_port: 22
+ssh_protocol: 2
+ssh_permit_root_login: "no"
+ssh_password_authentication: "no"
+ssh_pub_key_authentication: "yes"
+ssh_allow_users: ["ansible"]
+ssh_max_auth_tries: 3
+ssh_client_alive_interval: 300
+ssh_client_alive_count_max: 2
+
+# Firewall
+ufw_default_incoming: deny
+ufw_default_outgoing: allow
+ufw_allowed_ports:
+  - 22/tcp
+  - 25565/tcp
+  - 25575/tcp
+
+# Fail2ban
+fail2ban_enabled: true
+fail2ban_bantime: 3600
+fail2ban_findtime: 600
+fail2ban_maxretry: 3

roles/01-server_hardening/tasks/01-update-system.yml

@@ -0,0 +1,7 @@
+---
+- name: Update apt cache for Debian/Ubuntu
+  apt:
+    update_cache: yes
+    cache_valid_time: 3600
+  when: ansible_os_family == "Debian"
+  tags: ['system-update']

roles/01-server_hardening/tasks/02-configure-ssh.yml

@@ -0,0 +1,11 @@
+---
+- name: Configure SSH daemon
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    backup: yes
+    mode: '0600'
+    owner: root
+    group: root
+  notify: restart sshd
+  tags: ['ssh-config']

roles/01-server_hardening/tasks/03-configure-firewall.yml

@@ -0,0 +1,6 @@
+---
+- name: Install UFW firewall
+  package:
+    name: ufw
+    state: present
+  tags: ['firewall-install']

roles/01-server_hardening/tasks/04-install-fail2ban.yml

@@ -0,0 +1,7 @@
+--
+- name: Install fail2ban
+  package:
+    name: fail2ban
+    state: present
+  when: fail2ban_enabled
+  tags: ['fail2ban-install']

roles/01-server_hardening/tasks/05-additional-hardening.yml

@@ -0,0 +1,11 @@
+---
+- name: Disable unused services
+  systemd:
+    name: "{{ item }}"
+    state: stopped
+    enabled: no
+  loop:
+    - bluetooth
+    - cups
+  ignore_errors: yes
+  tags: ['disable-services']

roles/01-server_hardening/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Include system update tasks
+  include_tasks: 01-update-system.yml
+  tags: ['hardening', 'system-update']
+
+- name: Include SSH configuration tasks
+  include_tasks: 02-configure-ssh.yml
+  tags: ['hardening', 'ssh']
+
+- name: Include firewall configuration tasks
+  include_tasks: 03-configure-firewall.yml
+  tags: ['hardening', 'firewall']
+
+- name: Include fail2ban installation tasks
+  include_tasks: 04-install-fail2ban.yml
+  tags: ['hardening', 'fail2ban']
+
+- name: Include additional hardening tasks
+  include_tasks: 05-additional-hardening.yml
+  tags: ['hardening', 'additional']

roles/01-server_hardening/templates/fail2ban.local.j2

@@ -0,0 +1,26 @@
+[DEFAULT]
+# Fail2ban configuration for Minecraft server
+bantime = {{ fail2ban_bantime }}
+findtime = {{ fail2ban_findtime }}
+maxretry = {{ fail2ban_maxretry }}
+
+# Email notifications (optional)
+# destemail = admin@example.com
+# sendername = Fail2Ban
+# sender = fail2ban@example.com
+# action = %(action_mwl)s
+
+[sshd]
+enabled = true
+port = {{ ssh_port }}
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = {{ fail2ban_maxretry }}
+
+[minecraft]
+enabled = true
+port = {{ minecraft_port }}
+filter = minecraft
+logpath = {{ minecraft_server_dir }}/logs/latest.log
+maxretry = 5
+bantime = 7200

roles/01-server_hardening/templates/sshd_config.j2

@@ -0,0 +1,47 @@
+# SSH configuration for Minecraft server
+Port {{ ssh_port }}
+Protocol {{ ssh_protocol }}
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication
+LoginGraceTime 60
+PermitRootLogin {{ ssh_permit_root_login }}
+StrictModes yes
+MaxAuthTries {{ ssh_max_auth_tries }}
+MaxSessions 10
+
+PubkeyAuthentication {{ ssh_pub_key_authentication }}
+AuthorizedKeysFile .ssh/authorized_keys
+
+PasswordAuthentication {{ ssh_password_authentication }}
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+
+UsePAM yes
+
+AllowUsers {{ ssh_allow_users | join(' ') }}
+
+X11Forwarding no
+PrintMotd no
+AcceptEnv LANG LC_*
+
+# Connection settings
+ClientAliveInterval {{ ssh_client_alive_interval }}
+ClientAliveCountMax {{ ssh_client_alive_count_max }}
+TCPKeepAlive yes
+
+# Restrict to specific users
+Match User {{ ssh_allow_users | join(',') }}
+    AllowTcpForwarding no
+    X11Forwarding no
+    PermitTunnel no
+    GatewayPorts no
+    AllowAgentForwarding no

roles/01-server_hardening/templates/ufw_rules.j2

@@ -0,0 +1,14 @@
+# UFW rules for Minecraft server
+
+# Default policies
+ufw --force reset
+ufw default {{ ufw_default_incoming }}
+ufw default {{ ufw_default_outgoing }}
+
+# Allow specific ports
+{% for port in ufw_allowed_ports %}
+ufw allow {{ port }}
+{% endfor %}
+
+# Enable UFW
+ufw --force enable