test other version

roles/01-server_hardening/defaults/main.yml

@@ -1,25 +1,22 @@
 ---
-# Configuration par défaut pour le hardening
+# SSH Configuration
 ssh_port: 22
-ssh_protocol: 2
-ssh_permit_root_login: "no"
-ssh_password_authentication: "no"
-ssh_pub_key_authentication: "yes"
-ssh_allow_users: ["ansible"]
+ssh_permit_root_login: false
+ssh_password_authentication: false
 ssh_max_auth_tries: 3
 ssh_client_alive_interval: 300
 ssh_client_alive_count_max: 2
 
-# Firewall
-ufw_default_incoming: deny
-ufw_default_outgoing: allow
-ufw_allowed_ports:
-  - 22/tcp
-  - 25565/tcp
-  - 25575/tcp
+# Firewall Configuration
+firewall_allowed_ports:
+  - "{{ ssh_port }}/tcp"
+  - "25565/tcp"  # Minecraft default port
 
-# Fail2ban
-fail2ban_enabled: true
-fail2ban_bantime: 3600
-fail2ban_findtime: 600
-fail2ban_maxretry: 3
+# Fail2ban Configuration
+fail2ban_jail_ssh_enabled: true
+fail2ban_jail_ssh_port: "{{ ssh_port }}"
+fail2ban_jail_ssh_maxretry: 3
+fail2ban_jail_ssh_bantime: 600
+
+# System users
+admin_users: []

roles/01-server_hardening/handlers/main.yml

@@ -0,0 +1,17 @@
+---
+- name: restart ssh
+  ansible.builtin.systemd:
+    name: ssh
+    state: restarted
+  listen: "restart ssh service"
+
+- name: restart fail2ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: restarted
+  listen: "restart fail2ban service"
+
+- name: reload ufw
+  community.general.ufw:
+    state: reloaded
+  listen: "reload firewall"

roles/01-server_hardening/tasks/01-update-system.yml

@@ -1,8 +1,9 @@
 ---
-- name: Update apt cache for Debian/Ubuntu
-  apt:
-    update_cache: yes
-    cache_valid_time: 3600
+- name: Update apt cache and upgrade system packages (Debian/Ubuntu)
+  ansible.builtin.apt:
+    update_cache: true
+    upgrade: dist
+    autoremove: true
+    autoclean: true
   when: ansible_os_family == "Debian"
-  tags:
-    - system-update
+  register: system_update_result

roles/01-server_hardening/tasks/02-ssh-hardening.yml

@@ -1,12 +1,10 @@
 ---
 - name: Configure SSH daemon
-  template:
+  ansible.builtin.template:
     src: sshd_config.j2
     dest: /etc/ssh/sshd_config
-    backup: yes
-    mode: "0600"
     owner: root
     group: root
-  notify: restart sshd
-  tags:
-    - ssh-config
+    mode: '0644'
+    backup: true
+  notify: "restart ssh service"

roles/01-server_hardening/tasks/03-configure-firewall.yml

@@ -1,7 +0,0 @@
----
-- name: Install UFW firewall
-  package:
-    name: ufw
-    state: present
-  tags:
-    - firewall-install

roles/01-server_hardening/tasks/03-firewall-setup.yml

@@ -0,0 +1,32 @@
+---
+- name: Install UFW
+  ansible.builtin.apt:
+    name: ufw
+    state: present
+  when: firewall_enabled | bool
+
+- name: Reset UFW rules
+  community.general.ufw:
+    state: reset
+  when: firewall_enabled | bool
+
+- name: Allow SSH port
+  community.general.ufw:
+    rule: allow
+    port: "{{ ssh_port }}"
+    proto: tcp
+  when: firewall_enabled | bool
+
+- name: Allow Minecraft port
+  community.general.ufw:
+    rule: allow
+    port: "25565"
+    proto: tcp
+  when: firewall_enabled | bool
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled
+    policy: deny
+  when: firewall_enabled | bool
+  notify: "reload firewall"

roles/01-server_hardening/tasks/04-fail2ban-setup.yml

@@ -0,0 +1,23 @@
+---
+- name: Install fail2ban
+  ansible.builtin.apt:
+    name: fail2ban
+    state: present
+  when: fail2ban_enabled | bool
+
+- name: Configure fail2ban jail
+  ansible.builtin.template:
+    src: fail2ban-jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    owner: root
+    group: root
+    mode: '0644'
+  when: fail2ban_enabled | bool
+  notify: "restart fail2ban service"
+
+- name: Start and enable fail2ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: started
+    enabled: true
+  when: fail2ban_enabled | bool

roles/01-server_hardening/tasks/04-install-fail2ban.yml

@@ -1,8 +0,0 @@
----
-- name: Install fail2ban
-  package:
-    name: fail2ban
-    state: present
-  when: fail2ban_enabled
-  tags:
-    - fail2ban-install

roles/01-server_hardening/tasks/05-additional-hardening.yml

@@ -1,12 +0,0 @@
----
-- name: Disable unused services
-  systemd:
-    name: "{{ item }}"
-    state: stopped
-    enabled: no
-  loop:
-    - bluetooth
-    - cups
-  ignore_errors: yes
-  tags:
-    - disable-services

roles/01-server_hardening/tasks/05-additional-security.yml

@@ -0,0 +1,20 @@
+---
+- name: Install security packages
+  ansible.builtin.apt:
+    name:
+      - unattended-upgrades
+      - logwatch
+      - rkhunter
+      - chkrootkit
+    state: present
+
+- name: Configure automatic security updates
+  ansible.builtin.copy:
+    content: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Unattended-Upgrade "1";
+      APT::Periodic::AutocleanInterval "7";
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    owner: root
+    group: root
+    mode: '0644'

roles/01-server_hardening/tasks/06-ssh-keys-management.yml

@@ -0,0 +1,17 @@
+---
+- name: Create ansible user if not exists
+  ansible.builtin.user:
+    name: ansible
+    groups: sudo
+    shell: /bin/bash
+    create_home: true
+    state: present
+
+- name: Add authorized keys for admin users
+  ansible.posix.authorized_key:
+    user: ansible
+    key: "{{ item.key }}"
+    comment: "{{ item.comment | default('') }}"
+    state: present
+  loop: "{{ admin_users }}"
+  when: admin_users is defined and admin_users | length > 0

roles/01-server_hardening/tasks/main.yml

@@ -1,30 +1,18 @@
 ---
 - name: Include system update tasks
-  include_tasks: 01-update-system.yml
-  tags: 
-    - hardening
-    - system-update
+  ansible.builtin.include_tasks: 01-system-update.yml
 
-- name: Include SSH configuration tasks
-  include_tasks: 02-configure-ssh.yml
-  tags: 
-    - hardening
-    - ssh
+- name: Include SSH hardening tasks
+  ansible.builtin.include_tasks: 02-ssh-hardening.yml
 
-- name: Include firewall configuration tasks
-  include_tasks: 03-configure-firewall.yml
-  tags: 
-    - hardening
-    - firewall
+- name: Include firewall setup tasks
+  ansible.builtin.include_tasks: 03-firewall-setup.yml
 
-- name: Include fail2ban installation tasks
-  include_tasks: 04-install-fail2ban.yml
-  tags: 
-    - hardening
-    - fail2ban
+- name: Include fail2ban setup tasks
+  ansible.builtin.include_tasks: 04-fail2ban-setup.yml
 
-- name: Include additional hardening tasks
-  include_tasks: 05-additional-hardening.yml
-  tags: 
-    - hardening
-    - additional
+- name: Include additional security tasks
+  ansible.builtin.include_tasks: 05-additional-security.yml
+
+- name: Include SSH keys management tasks
+  ansible.builtin.include_tasks: 06-ssh-keys-management.yml

roles/01-server_hardening/templates/fail2ban-jail.local.j2

@@ -0,0 +1,11 @@
+[DEFAULT]
+bantime = {{ fail2ban_jail_ssh_bantime }}
+findtime = 600
+maxretry = {{ fail2ban_jail_ssh_maxretry }}
+
+[sshd]
+enabled = {{ fail2ban_jail_ssh_enabled | ternary('true', 'false') }}
+port = {{ fail2ban_jail_ssh_port }}
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = {{ fail2ban_jail_ssh_maxretry }}

roles/01-server_hardening/templates/fail2ban.local.j2

@@ -1,26 +0,0 @@
-[DEFAULT]
-# Fail2ban configuration for Minecraft server
-bantime = {{ fail2ban_bantime }}
-findtime = {{ fail2ban_findtime }}
-maxretry = {{ fail2ban_maxretry }}
-
-# Email notifications (optional)
-# destemail = admin@example.com
-# sendername = Fail2Ban
-# sender = fail2ban@example.com
-# action = %(action_mwl)s
-
-[sshd]
-enabled = true
-port = {{ ssh_port }}
-filter = sshd
-logpath = /var/log/auth.log
-maxretry = {{ fail2ban_maxretry }}
-
-[minecraft]
-enabled = true
-port = {{ minecraft_port }}
-filter = minecraft
-logpath = {{ minecraft_server_dir }}/logs/latest.log
-maxretry = 5
-bantime = 7200

roles/01-server_hardening/templates/sshd_config.j2

@@ -1,47 +1,25 @@
-# SSH configuration for Minecraft server
+# SSH Configuration - Managed by Ansible
 Port {{ ssh_port }}
-Protocol {{ ssh_protocol }}
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
+Protocol 2
 
 # Authentication
-LoginGraceTime 60
-PermitRootLogin {{ ssh_permit_root_login }}
-StrictModes yes
-MaxAuthTries {{ ssh_max_auth_tries }}
-MaxSessions 10
-
-PubkeyAuthentication {{ ssh_pub_key_authentication }}
+PermitRootLogin {{ ssh_permit_root_login | ternary('yes', 'no') }}
+PasswordAuthentication {{ ssh_password_authentication | ternary('yes', 'no') }}
+PubkeyAuthentication yes
 AuthorizedKeysFile .ssh/authorized_keys
-
-PasswordAuthentication {{ ssh_password_authentication }}
-PermitEmptyPasswords no
-ChallengeResponseAuthentication no
-KerberosAuthentication no
-GSSAPIAuthentication no
-
-UsePAM yes
-
-AllowUsers {{ ssh_allow_users | join(' ') }}
-
-X11Forwarding no
-PrintMotd no
-AcceptEnv LANG LC_*
+MaxAuthTries {{ ssh_max_auth_tries }}
 
 # Connection settings
 ClientAliveInterval {{ ssh_client_alive_interval }}
 ClientAliveCountMax {{ ssh_client_alive_count_max }}
-TCPKeepAlive yes
+MaxSessions 10
+MaxStartups 10:30:60
 
-# Restrict to specific users
-Match User {{ ssh_allow_users | join(',') }}
-    AllowTcpForwarding no
-    X11Forwarding no
-    PermitTunnel no
-    GatewayPorts no
-    AllowAgentForwarding no
+# Security settings
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding no
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server

roles/01-server_hardening/templates/ufw_rules.j2

@@ -1,14 +0,0 @@
-# UFW rules for Minecraft server
-
-# Default policies
-ufw --force reset
-ufw default {{ ufw_default_incoming }}
-ufw default {{ ufw_default_outgoing }}
-
-# Allow specific ports
-{% for port in ufw_allowed_ports %}
-ufw allow {{ port }}
-{% endfor %}
-
-# Enable UFW
-ufw --force enable

roles/01-server_hardening/vars/main.yml

@@ -0,0 +1,13 @@
+---
+# Internal variables for server hardening
+security_packages:
+  - ufw
+  - fail2ban
+  - unattended-upgrades
+  - logwatch
+  - rkhunter
+  - chkrootkit
+
+required_directories:
+  - /var/log/security
+  - /etc/security/limits.d