check new version

roles/01-server_hardening/defaults/main.yml

@@ -1,22 +1,36 @@
 ---
-# SSH Configuration
+# Configuration SSH par défaut
 ssh_port: 22
-ssh_permit_root_login: false
-ssh_password_authentication: false
+ssh_permit_root_login: "no"
+ssh_password_authentication: "no"
+ssh_pubkey_authentication: "yes"
 ssh_max_auth_tries: 3
+ssh_max_sessions: 10
 ssh_client_alive_interval: 300
 ssh_client_alive_count_max: 2
 
-# Firewall Configuration
-firewall_allowed_ports:
-  - "{{ ssh_port }}/tcp"
-  - "25565/tcp"  # Minecraft default port
+# Configuration Firewall
+firewall_allowed_tcp_ports:
+  - 22
+  - 25565
+  - 25575
+firewall_allowed_udp_ports: []
 
-# Fail2ban Configuration
-fail2ban_jail_ssh_enabled: true
-fail2ban_jail_ssh_port: "{{ ssh_port }}"
-fail2ban_jail_ssh_maxretry: 3
-fail2ban_jail_ssh_bantime: 600
+# Configuration Fail2ban
+fail2ban_enabled: true
+fail2ban_bantime: 3600
+fail2ban_findtime: 600
+fail2ban_maxretry: 5
 
-# System users
+# Paquets de sécurité à installer
+security_packages:
+  - ufw
+  - fail2ban
+  - unattended-upgrades
+  - apt-listchanges
+  - logwatch
+  - rkhunter
+  - chkrootkit
+
+# Administrateurs SSH
 admin_users: []

roles/01-server_hardening/handlers/main.yml

@@ -1,17 +1,23 @@
 ---
 - name: restart ssh
   ansible.builtin.systemd:
-    name: ssh
+    name: sshd
     state: restarted
-  listen: "restart ssh service"
+    daemon_reload: true
+  listen: restart ssh service
 
 - name: restart fail2ban
   ansible.builtin.systemd:
     name: fail2ban
     state: restarted
-  listen: "restart fail2ban service"
+    daemon_reload: true
+  listen: restart fail2ban service
 
 - name: reload ufw
   community.general.ufw:
     state: reloaded
-  listen: "reload firewall"
+  listen: reload firewall
+
+- name: reload sysctl
+  ansible.builtin.command: sysctl -p
+  listen: reload sysctl settings

roles/01-server_hardening/tasks/01-update-system.yml

@@ -1,9 +1,6 @@
 ---
-- name: Update apt cache and upgrade system packages (Debian/Ubuntu)
+- name: Update apt cache for Debian/Ubuntu
   ansible.builtin.apt:
-    update_cache: true
-    upgrade: dist
-    autoremove: true
-    autoclean: true
-  when: ansible_os_family == "Debian"
-  register: system_update_result
+    update_cache: yes
+    cache_valid_time: 3600
+  when: ansible_os_family == "Debian"

roles/01-server_hardening/tasks/02-install-packages.yml

@@ -0,0 +1,14 @@
+---
+- name: Upgrade all packages
+  ansible.builtin.apt:
+    upgrade: dist
+    autoremove: yes
+    autoclean: yes
+  when: ansible_os_family == "Debian"
+  register: system_upgraded
+
+- name: Install security packages
+  ansible.builtin.apt:
+    name: "{{ security_packages }}"
+    state: present
+  when: ansible_os_family == "Debian"

roles/01-server_hardening/tasks/02-ssh-hardening.yml

@@ -1,10 +0,0 @@
----
-- name: Configure SSH daemon
-  ansible.builtin.template:
-    src: sshd_config.j2
-    dest: /etc/ssh/sshd_config
-    owner: root
-    group: root
-    mode: '0644'
-    backup: true
-  notify: "restart ssh service"

roles/01-server_hardening/tasks/03-configure-ssh.yml

@@ -0,0 +1,11 @@
+---
+- name: Configure SSH daemon
+  ansible.builtin.template:
+    src: sshd_config.j2
+    dest: "{{ ssh_config_file }}"
+    owner: root
+    group: root
+    mode: '0600'
+    backup: yes
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: restart ssh service

roles/01-server_hardening/tasks/03-firewall-setup.yml

@@ -1,32 +0,0 @@
----
-- name: Install UFW
-  ansible.builtin.apt:
-    name: ufw
-    state: present
-  when: firewall_enabled | bool
-
-- name: Reset UFW rules
-  community.general.ufw:
-    state: reset
-  when: firewall_enabled | bool
-
-- name: Allow SSH port
-  community.general.ufw:
-    rule: allow
-    port: "{{ ssh_port }}"
-    proto: tcp
-  when: firewall_enabled | bool
-
-- name: Allow Minecraft port
-  community.general.ufw:
-    rule: allow
-    port: "25565"
-    proto: tcp
-  when: firewall_enabled | bool
-
-- name: Enable UFW
-  community.general.ufw:
-    state: enabled
-    policy: deny
-  when: firewall_enabled | bool
-  notify: "reload firewall"

roles/01-server_hardening/tasks/04-configure-firewall.yml

@@ -0,0 +1,27 @@
+---
+- name: Install UFW firewall
+  ansible.builtin.apt:
+    name: ufw
+    state: present
+  when: ansible_os_family == "Debian"
+
+- name: Configure UFW defaults
+  community.general.ufw:
+    direction: "{{ item.direction }}"
+    policy: "{{ item.policy }}"
+  loop:
+    - { direction: 'incoming', policy: 'deny' }
+    - { direction: 'outgoing', policy: 'allow' }
+  notify: reload firewall
+
+- name: Allow TCP ports
+  community.general.ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  loop: "{{ firewall_allowed_tcp_ports }}"
+  notify: reload firewall
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled

roles/01-server_hardening/tasks/05-additional-security.yml

@@ -1,20 +0,0 @@
----
-- name: Install security packages
-  ansible.builtin.apt:
-    name:
-      - unattended-upgrades
-      - logwatch
-      - rkhunter
-      - chkrootkit
-    state: present
-
-- name: Configure automatic security updates
-  ansible.builtin.copy:
-    content: |
-      APT::Periodic::Update-Package-Lists "1";
-      APT::Periodic::Unattended-Upgrade "1";
-      APT::Periodic::AutocleanInterval "7";
-    dest: /etc/apt/apt.conf.d/20auto-upgrades
-    owner: root
-    group: root
-    mode: '0644'

roles/01-server_hardening/tasks/05-configure-fail2ban.yml

@@ -3,21 +3,21 @@
   ansible.builtin.apt:
     name: fail2ban
     state: present
-  when: fail2ban_enabled | bool
+  when: ansible_os_family == "Debian"
 
 - name: Configure fail2ban jail
   ansible.builtin.template:
-    src: fail2ban-jail.local.j2
-    dest: /etc/fail2ban/jail.local
+    src: fail2ban.jail.local.j2
+    dest: "{{ fail2ban_config_dir }}/jail.local"
     owner: root
     group: root
     mode: '0644'
-  when: fail2ban_enabled | bool
-  notify: "restart fail2ban service"
+    backup: yes
+  notify: restart fail2ban service
 
-- name: Start and enable fail2ban
+- name: Ensure fail2ban is started and enabled
   ansible.builtin.systemd:
     name: fail2ban
     state: started
-    enabled: true
-  when: fail2ban_enabled | bool
+    enabled: yes
+    daemon_reload: yes

roles/01-server_hardening/tasks/06-manage-ssh-keys.yml

@@ -0,0 +1,17 @@
+---
+- name: Create .ssh directory for ansible user
+  ansible.builtin.file:
+    path: /home/ansible/.ssh
+    state: directory
+    owner: ansible
+    group: ansible
+    mode: '0700'
+
+- name: Add SSH keys for administrators
+  ansible.posix.authorized_key:
+    user: ansible
+    state: present
+    key: "{{ item.key }}"
+    comment: "{{ item.name }}"
+  loop: "{{ admin_ssh_keys | default([]) }}"
+  when: admin_ssh_keys is defined

roles/01-server_hardening/tasks/06-ssh-keys-management.yml

@@ -1,17 +0,0 @@
----
-- name: Create ansible user if not exists
-  ansible.builtin.user:
-    name: ansible
-    groups: sudo
-    shell: /bin/bash
-    create_home: true
-    state: present
-
-- name: Add authorized keys for admin users
-  ansible.posix.authorized_key:
-    user: ansible
-    key: "{{ item.key }}"
-    comment: "{{ item.comment | default('') }}"
-    state: present
-  loop: "{{ admin_users }}"
-  when: admin_users is defined and admin_users | length > 0

roles/01-server_hardening/tasks/07-additional-security.yml

@@ -0,0 +1,9 @@
+---
+- name: Configure kernel parameters for security
+  ansible.posix.sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: yes
+  loop: "{{ hardening_sysctl_settings }}"
+  notify: reload sysctl settings

roles/01-server_hardening/tasks/main.yml

@@ -1,18 +1,23 @@
 ---
-- name: Include system update tasks
-  ansible.builtin.include_tasks: 01-system-update.yml
+- name: restart ssh
+  ansible.builtin.systemd:
+    name: sshd
+    state: restarted
+    daemon_reload: true
+  listen: restart ssh service
 
-- name: Include SSH hardening tasks
-  ansible.builtin.include_tasks: 02-ssh-hardening.yml
+- name: restart fail2ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: restarted
+    daemon_reload: true
+  listen: restart fail2ban service
 
-- name: Include firewall setup tasks
-  ansible.builtin.include_tasks: 03-firewall-setup.yml
+- name: reload ufw
+  community.general.ufw:
+    state: reloaded
+  listen: reload firewall
 
-- name: Include fail2ban setup tasks
-  ansible.builtin.include_tasks: 04-fail2ban-setup.yml
-
-- name: Include additional security tasks
-  ansible.builtin.include_tasks: 05-additional-security.yml
-
-- name: Include SSH keys management tasks
-  ansible.builtin.include_tasks: 06-ssh-keys-management.yml
+- name: reload sysctl
+  ansible.builtin.command: sysctl -p
+  listen: reload sysctl settings

roles/01-server_hardening/templates/fail2ban-jail.local.j2

@@ -1,11 +1,30 @@
+# {{ ansible_managed }}
 [DEFAULT]
-bantime = {{ fail2ban_jail_ssh_bantime }}
-findtime = 600
-maxretry = {{ fail2ban_jail_ssh_maxretry }}
+ignoreip = 127.0.0.1/8 ::1
+bantime = {{ fail2ban_bantime }}
+findtime = {{ fail2ban_findtime }}
+maxretry = {{ fail2ban_maxretry }}
+backend = systemd
 
 [sshd]
-enabled = {{ fail2ban_jail_ssh_enabled | ternary('true', 'false') }}
-port = {{ fail2ban_jail_ssh_port }}
+enabled = true
+port = {{ ssh_port }}
 filter = sshd
 logpath = /var/log/auth.log
-maxretry = {{ fail2ban_jail_ssh_maxretry }}
+maxretry = {{ fail2ban_maxretry }}
+
+[sshd-ddos]
+enabled = true
+port = {{ ssh_port }}
+filter = sshd-ddos
+logpath = /var/log/auth.log
+maxretry = 10
+
+[minecraft]
+enabled = true
+port = {{ minecraft_port | default(25565) }}
+filter = minecraft
+logpath = {{ minecraft_server_dir | default('/opt/minecraft/server') }}/logs/latest.log
+maxretry = 10
+findtime = 600
+bantime = 3600

roles/01-server_hardening/templates/sshd_config.j2

@@ -1,25 +1,47 @@
-# SSH Configuration - Managed by Ansible
+# {{ ansible_managed }}
+# SSH Server Configuration
+
 Port {{ ssh_port }}
 Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
 
 # Authentication
-PermitRootLogin {{ ssh_permit_root_login | ternary('yes', 'no') }}
-PasswordAuthentication {{ ssh_password_authentication | ternary('yes', 'no') }}
-PubkeyAuthentication yes
-AuthorizedKeysFile .ssh/authorized_keys
+LoginGraceTime 120
+PermitRootLogin {{ ssh_permit_root_login }}
+StrictModes yes
 MaxAuthTries {{ ssh_max_auth_tries }}
+MaxSessions {{ ssh_max_sessions }}
 
-# Connection settings
-ClientAliveInterval {{ ssh_client_alive_interval }}
-ClientAliveCountMax {{ ssh_client_alive_count_max }}
-MaxSessions 10
-MaxStartups 10:30:60
+PubkeyAuthentication {{ ssh_pubkey_authentication }}
+AuthorizedKeysFile .ssh/authorized_keys
 
-# Security settings
+PasswordAuthentication {{ ssh_password_authentication }}
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
-UsePAM yes
+
+# Security
+IgnoreRhosts yes
+HostbasedAuthentication no
 X11Forwarding no
 PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+Compression delayed
+
+# Client alive
+ClientAliveInterval {{ ssh_client_alive_interval }}
+ClientAliveCountMax {{ ssh_client_alive_count_max }}
+
+# Allow only ansible user
+AllowUsers ansible
+
+# Disable unused features
+UsePAM yes
+Banner none
 AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server

roles/01-server_hardening/templates/ufw-rules.j2

@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+# UFW Rules Configuration
+
+# Allow SSH
+-A ufw-user-input -p tcp --dport {{ ssh_port }} -j ACCEPT
+
+# Allow Minecraft
+-A ufw-user-input -p tcp --dport {{ minecraft_port | default(25565) }} -j ACCEPT
+
+# Allow RCON if enabled
+{% if enable_rcon | default(false) %}
+-A ufw-user-input -p tcp --dport {{ rcon_port | default(25575) }} -j ACCEPT
+{% endif %}
+
+# Drop everything else
+-A ufw-user-input -j DROP

roles/01-server_hardening/vars/main.yml

@@ -1,13 +1,24 @@
 ---
-# Internal variables for server hardening
-security_packages:
-  - ufw
-  - fail2ban
-  - unattended-upgrades
-  - logwatch
-  - rkhunter
-  - chkrootkit
+# Variables spécifiques au rôle server_hardening
+hardening_sysctl_settings:
+  - name: net.ipv4.tcp_syncookies
+    value: 1
+  - name: net.ipv4.conf.all.rp_filter
+    value: 1
+  - name: net.ipv4.conf.default.rp_filter
+    value: 1
+  - name: net.ipv4.conf.all.accept_source_route
+    value: 0
+  - name: net.ipv4.conf.default.accept_source_route
+    value: 0
+  - name: net.ipv4.icmp_echo_ignore_broadcasts
+    value: 1
+  - name: net.ipv4.icmp_ignore_bogus_error_responses
+    value: 1
+  - name: net.ipv4.conf.all.log_martians
+    value: 1
+  - name: net.ipv4.conf.default.log_martians
+    value: 1
 
-required_directories:
-  - /var/log/security
-  - /etc/security/limits.d
+ssh_config_file: /etc/ssh/sshd_config
+fail2ban_config_dir: /etc/fail2ban