new version

roles/01-server_hardening/defaults/main.yml

@@ -1,36 +1,22 @@
 ---
-# Configuration SSH par défaut
+# Configuration par défaut du durcissement serveur
+hardening_packages:
+  - fail2ban
+  - ufw
+  - unattended-upgrades
+  - logrotate
+  - rsync
+
 ssh_port: 22
 ssh_permit_root_login: "no"
 ssh_password_authentication: "no"
-ssh_pubkey_authentication: "yes"
 ssh_max_auth_tries: 3
-ssh_max_sessions: 10
 ssh_client_alive_interval: 300
 ssh_client_alive_count_max: 2
 
-# Configuration Firewall
-firewall_allowed_tcp_ports:
-  - 22
-  - 25565
-  - 25575
-firewall_allowed_udp_ports: []
+fail2ban_jail_ssh_enabled: true
+fail2ban_jail_ssh_maxretry: 3
+fail2ban_jail_ssh_bantime: 3600
 
-# Configuration Fail2ban
-fail2ban_enabled: true
-fail2ban_bantime: 3600
-fail2ban_findtime: 600
-fail2ban_maxretry: 5
-
-# Paquets de sécurité à installer
-security_packages:
-  - ufw
-  - fail2ban
-  - unattended-upgrades
-  - apt-listchanges
-  - logwatch
-  - rkhunter
-  - chkrootkit
-
-# Administrateurs SSH
-admin_users: []
+ufw_default_incoming: deny
+ufw_default_outgoing: allow

roles/01-server_hardening/handlers/main.yml

@@ -1,23 +1,14 @@
 ---
 - name: restart ssh
-  ansible.builtin.systemd:
-    name: sshd
+  ansible.builtin.service:
+    name: ssh
     state: restarted
-    daemon_reload: true
-  listen: restart ssh service
 
 - name: restart fail2ban
-  ansible.builtin.systemd:
+  ansible.builtin.service:
     name: fail2ban
     state: restarted
-    daemon_reload: true
-  listen: restart fail2ban service
 
-- name: reload ufw
+- name: enable ufw
   community.general.ufw:
-    state: reloaded
-  listen: reload firewall
-
-- name: reload sysctl
-  ansible.builtin.command: sysctl -p
-  listen: reload sysctl settings
+    state: enabled

roles/01-server_hardening/tasks/01-update-system.yml

@@ -1,6 +1,7 @@
 ---
-- name: Update apt cache for Debian/Ubuntu
+- name: Mise à jour du cache des paquets (Debian/Ubuntu)
   ansible.builtin.apt:
     update_cache: yes
     cache_valid_time: 3600
-  when: ansible_os_family == "Debian"
+  when: ansible_os_family == "Debian"
+  tags: [system-update]

roles/01-server_hardening/tasks/02-install-packages.yml

@@ -1,14 +0,0 @@
----
-- name: Upgrade all packages
-  ansible.builtin.apt:
-    upgrade: dist
-    autoremove: yes
-    autoclean: yes
-  when: ansible_os_family == "Debian"
-  register: system_upgraded
-
-- name: Install security packages
-  ansible.builtin.apt:
-    name: "{{ security_packages }}"
-    state: present
-  when: ansible_os_family == "Debian"

roles/01-server_hardening/tasks/02-install-security-packages.yml

@@ -0,0 +1,7 @@
+---
+- name: Installation des paquets de sécurité
+  ansible.builtin.apt:
+    name: "{{ hardening_packages }}"
+    state: present
+  when: ansible_os_family == "Debian"
+  notify: restart fail2ban

roles/01-server_hardening/tasks/03-configure-ssh.yml

@@ -1,11 +1,10 @@
 ---
-- name: Configure SSH daemon
+- name: Configuration SSH sécurisée
   ansible.builtin.template:
     src: sshd_config.j2
-    dest: "{{ ssh_config_file }}"
+    dest: "{{ ssh_config_path }}"
     owner: root
     group: root
-    mode: '0600'
+    mode: '0644'
     backup: yes
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: restart ssh service
+  notify: restart ssh

roles/01-server_hardening/tasks/04-configure-firewall.yml

@@ -1,27 +1,9 @@
 ---
-- name: Install UFW firewall
-  ansible.builtin.apt:
-    name: ufw
-    state: present
-  when: ansible_os_family == "Debian"
-
-- name: Configure UFW defaults
+- name: Configuration UFW - politique par défaut
   community.general.ufw:
     direction: "{{ item.direction }}"
     policy: "{{ item.policy }}"
-  loop:
-    - { direction: 'incoming', policy: 'deny' }
-    - { direction: 'outgoing', policy: 'allow' }
-  notify: reload firewall
-
-- name: Allow TCP ports
-  community.general.ufw:
-    rule: allow
-    port: "{{ item }}"
-    proto: tcp
-  loop: "{{ firewall_allowed_tcp_ports }}"
-  notify: reload firewall
-
-- name: Enable UFW
-  community.general.ufw:
-    state: enabled
+  with_items:
+    - { direction: 'incoming', policy: "{{ ufw_default_incoming }}" }
+    - { direction: 'outgoing', policy: "{{ ufw_default_outgoing }}" }
+  notify: enable ufw

roles/01-server_hardening/tasks/05-configure-fail2ban.yml

@@ -1,23 +1,9 @@
 ---
-- name: Install fail2ban
-  ansible.builtin.apt:
-    name: fail2ban
-    state: present
-  when: ansible_os_family == "Debian"
-
-- name: Configure fail2ban jail
+- name: Configuration Fail2Ban
   ansible.builtin.template:
-    src: fail2ban.jail.local.j2
-    dest: "{{ fail2ban_config_dir }}/jail.local"
+    src: fail2ban-jail.local.j2
+    dest: "{{ fail2ban_config_path }}"
     owner: root
     group: root
     mode: '0644'
-    backup: yes
-  notify: restart fail2ban service
-
-- name: Ensure fail2ban is started and enabled
-  ansible.builtin.systemd:
-    name: fail2ban
-    state: started
-    enabled: yes
-    daemon_reload: yes
+  notify: restart fail2ban

roles/01-server_hardening/tasks/06-manage-ssh-keys.yml

@@ -1,17 +1,8 @@
 ---
-- name: Create .ssh directory for ansible user
-  ansible.builtin.file:
-    path: /home/ansible/.ssh
-    state: directory
-    owner: ansible
-    group: ansible
-    mode: '0700'
-
-- name: Add SSH keys for administrators
+- name: Ajout des clés SSH pour les administrateurs
   ansible.posix.authorized_key:
-    user: ansible
+    user: "{{ item.user }}"
     state: present
     key: "{{ item.key }}"
-    comment: "{{ item.name }}"
-  loop: "{{ admin_ssh_keys | default([]) }}"
-  when: admin_ssh_keys is defined
+    comment: "{{ item.comment | default('Admin key') }}"
+  with_items: "{{ admin_ssh_keys | default([]) }}"

roles/01-server_hardening/tasks/07-additional-security.yml

@@ -1,9 +0,0 @@
----
-- name: Configure kernel parameters for security
-  ansible.posix.sysctl:
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-    state: present
-    reload: yes
-  loop: "{{ hardening_sysctl_settings }}"
-  notify: reload sysctl settings

roles/01-server_hardening/tasks/main.yml

@@ -1,23 +1,21 @@
 ---
-- name: restart ssh
-  ansible.builtin.systemd:
-    name: sshd
-    state: restarted
-    daemon_reload: true
-  listen: restart ssh service
+# Tâches principales du durcissement serveur
+- import_tasks: 01-update-system.yml
+  tags: [hardening, system-update]
 
-- name: restart fail2ban
-  ansible.builtin.systemd:
-    name: fail2ban
-    state: restarted
-    daemon_reload: true
-  listen: restart fail2ban service
+- import_tasks: 02-install-security-packages.yml
+  tags: [hardening, packages]
 
-- name: reload ufw
-  community.general.ufw:
-    state: reloaded
-  listen: reload firewall
+- import_tasks: 03-configure-ssh.yml
+  tags: [hardening, ssh]
 
-- name: reload sysctl
-  ansible.builtin.command: sysctl -p
-  listen: reload sysctl settings
+- import_tasks: 04-configure-firewall.yml
+  tags: [hardening, firewall]
+  when: firewall_enabled | default(true)
+
+- import_tasks: 05-configure-fail2ban.yml
+  tags: [hardening, fail2ban]
+  when: fail2ban_enabled | default(true)
+
+- import_tasks: 06-manage-ssh-keys.yml
+  tags: [hardening, ssh-keys]

roles/01-server_hardening/templates/fail2ban-jail.local.j2

@@ -1,30 +1,12 @@
-# {{ ansible_managed }}
+# Configuration Fail2Ban générée par Ansible
+
 [DEFAULT]
-ignoreip = 127.0.0.1/8 ::1
-bantime = {{ fail2ban_bantime }}
-findtime = {{ fail2ban_findtime }}
-maxretry = {{ fail2ban_maxretry }}
-backend = systemd
+bantime = {{ fail2ban_jail_ssh_bantime }}
+findtime = 600
+maxretry = {{ fail2ban_jail_ssh_maxretry }}
 
 [sshd]
-enabled = true
+enabled = {{ fail2ban_jail_ssh_enabled | lower }}
 port = {{ ssh_port }}
 filter = sshd
-logpath = /var/log/auth.log
-maxretry = {{ fail2ban_maxretry }}
-
-[sshd-ddos]
-enabled = true
-port = {{ ssh_port }}
-filter = sshd-ddos
-logpath = /var/log/auth.log
-maxretry = 10
-
-[minecraft]
-enabled = true
-port = {{ minecraft_port | default(25565) }}
-filter = minecraft
-logpath = {{ minecraft_server_dir | default('/opt/minecraft/server') }}/logs/latest.log
-maxretry = 10
-findtime = 600
-bantime = 3600
+logpath = /var/log/auth.log

roles/01-server_hardening/templates/sshd_config.j2

@@ -1,47 +1,21 @@
-# {{ ansible_managed }}
-# SSH Server Configuration
-
+# Configuration SSH sécurisée générée par Ansible
 Port {{ ssh_port }}
 Protocol 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication
-LoginGraceTime 120
+# Authentification
 PermitRootLogin {{ ssh_permit_root_login }}
-StrictModes yes
-MaxAuthTries {{ ssh_max_auth_tries }}
-MaxSessions {{ ssh_max_sessions }}
-
-PubkeyAuthentication {{ ssh_pubkey_authentication }}
-AuthorizedKeysFile .ssh/authorized_keys
-
 PasswordAuthentication {{ ssh_password_authentication }}
-PermitEmptyPasswords no
-ChallengeResponseAuthentication no
+MaxAuthTries {{ ssh_max_auth_tries }}
+PubkeyAuthentication yes
 
-# Security
-IgnoreRhosts yes
-HostbasedAuthentication no
-X11Forwarding no
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-Compression delayed
-
-# Client alive
+# Sessions
 ClientAliveInterval {{ ssh_client_alive_interval }}
 ClientAliveCountMax {{ ssh_client_alive_count_max }}
 
-# Allow only ansible user
-AllowUsers ansible
-
-# Disable unused features
+# Sécurité
+X11Forwarding no
 UsePAM yes
-Banner none
-AcceptEnv LANG LC_*
-Subsystem sftp /usr/lib/openssh/sftp-server
+UseDNS no
+
+# Utilisateurs autorisés
+AllowUsers {{ allowed_ssh_users | join(' ') }}

roles/01-server_hardening/templates/ufw-rules.j2

@@ -1,16 +0,0 @@
-# {{ ansible_managed }}
-# UFW Rules Configuration
-
-# Allow SSH
--A ufw-user-input -p tcp --dport {{ ssh_port }} -j ACCEPT
-
-# Allow Minecraft
--A ufw-user-input -p tcp --dport {{ minecraft_port | default(25565) }} -j ACCEPT
-
-# Allow RCON if enabled
-{% if enable_rcon | default(false) %}
--A ufw-user-input -p tcp --dport {{ rcon_port | default(25575) }} -j ACCEPT
-{% endif %}
-
-# Drop everything else
--A ufw-user-input -j DROP

roles/01-server_hardening/vars/main.yml

@@ -1,24 +1,14 @@
 ---
-# Variables spécifiques au rôle server_hardening
-hardening_sysctl_settings:
-  - name: net.ipv4.tcp_syncookies
-    value: 1
-  - name: net.ipv4.conf.all.rp_filter
-    value: 1
-  - name: net.ipv4.conf.default.rp_filter
-    value: 1
-  - name: net.ipv4.conf.all.accept_source_route
-    value: 0
-  - name: net.ipv4.conf.default.accept_source_route
-    value: 0
-  - name: net.ipv4.icmp_echo_ignore_broadcasts
-    value: 1
-  - name: net.ipv4.icmp_ignore_bogus_error_responses
-    value: 1
-  - name: net.ipv4.conf.all.log_martians
-    value: 1
-  - name: net.ipv4.conf.default.log_martians
-    value: 1
+# Variables spécifiques au hardening
+required_packages_debian:
+  - curl
+  - wget
+  - git
+  - unzip
+  - htop
+  - vim
+  - sudo
+  - systemd
 
-ssh_config_file: /etc/ssh/sshd_config
-fail2ban_config_dir: /etc/fail2ban
+ssh_config_path: /etc/ssh/sshd_config
+fail2ban_config_path: /etc/fail2ban/jail.local