resist-vpn-infra/roles/system_hardening/defaults/main.yml

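---
# System Hardening Role - Default Variables
#
# SSH configuration. The yes/no values are sshd_config literals and are kept
# as quoted strings on purpose: an unquoted `no`/`yes` is read as a YAML
# boolean and would render as True/False, which sshd does not accept.
ssh_port: 22
ssh_permit_root_login: "no"
ssh_password_authentication: "no"
ssh_pubkey_authentication: "yes"
# NOTE(review): newer OpenSSH treats ChallengeResponseAuthentication as an
# alias of KbdInteractiveAuthentication - confirm the template emits the
# directive name the target's sshd version expects.
ssh_challenge_response_auth: "no"
ssh_x11_forwarding: "no"
ssh_max_auth_tries: 3
# Idle-session keepalive: probe every 300 s, disconnect after 2 unanswered probes.
ssh_client_alive_interval: 300
ssh_client_alive_count_max: 2
# Users allowed to SSH in. NOTE(review): presumably an empty list means no
# AllowUsers restriction is written - confirm against the sshd_config template.
ssh_allowed_users: []
# Bind to all IPv4 addresses.
ssh_listen_address: "0.0.0.0"

# Strong SSH ciphers and algorithms: AEAD ciphers only, encrypt-then-MAC MACs
# only, curve25519 key exchange listed first.
ssh_ciphers:
  - "chacha20-poly1305@openssh.com"
  - "aes256-gcm@openssh.com"
  - "aes128-gcm@openssh.com"
ssh_macs:
  - "hmac-sha2-512-etm@openssh.com"
  - "hmac-sha2-256-etm@openssh.com"
ssh_kex_algorithms:
  - "curve25519-sha256"
  - "curve25519-sha256@libssh.org"
  # Group exchange uses the groups in /etc/ssh/moduli; whether small groups
  # are pruned is not visible from this defaults file - check the role's tasks
  # if this entry is kept.
  - "diffie-hellman-group-exchange-sha256"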
# System packages
# ufw (host firewall), fail2ban (login brute-force protection),
# unattended-upgrades/apt-listchanges (automatic updates), auditd (audit
# logging), aide/rkhunter/lynis (integrity, rootkit and configuration checks).
hardening_install_packages:
  - ufw
  - fail2ban
  - unattended-upgrades
  - apt-listchanges
  - auditd
  - aide
  - rkhunter
  - lynis

# Cleartext remote-login clients (telnet, rsh) to be removed.
hardening_remove_packages:
  - telnet
  - rsh-client
  - rsh-redone-client
# Automatic security updates
unattended_upgrades_enabled: true
# Automatic reboot after updates is off; the reboot time presumably only
# takes effect when auto_reboot is true. The time is quoted because an
# unquoted 03:00 is read as a YAML 1.1 sexagesimal integer.
unattended_upgrades_auto_reboot: false
unattended_upgrades_auto_reboot_time: "03:00"

# Fail2ban configuration
# Durations are seconds: ban for 1 h (3600) after 5 failures within 10 min (600).
fail2ban_enabled: true
fail2ban_bantime: 3600
fail2ban_findtime: 600
fail2ban_maxretry: 5
# Recipient of fail2ban notification mail.
fail2ban_destemail: "root@localhost"
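# Sysctl hardening
# The settings are a mapping nested under sysctl_config; indentation matters -
# a flush-left key would leave sysctl_config null and make the setting an
# unrelated top-level variable.
sysctl_config:
  # IP Forwarding (required for VPN)
  net.ipv4.ip_forward: 1
  # Disable IPv6 (optional, set to 0 to enable).
  # NOTE(review): with IPv6 disabled on the host, VPN clients get no IPv6
  # path through it - confirm this matches the VPN design.
  net.ipv6.conf.all.disable_ipv6: 1
  net.ipv6.conf.default.disable_ipv6: 1
  # Protect against SYN flood attacks
  net.ipv4.tcp_syncookies: 1
  net.ipv4.tcp_syn_retries: 2
  net.ipv4.tcp_synack_retries: 2
  net.ipv4.tcp_max_syn_backlog: 4096
  # Protect against IP spoofing: strict reverse-path filtering.
  # NOTE(review): strict mode (1) drops asymmetrically routed packets, which
  # can include VPN return traffic - verify against the VPN routing; loose
  # mode (2) is the alternative if needed.
  net.ipv4.conf.all.rp_filter: 1
  net.ipv4.conf.default.rp_filter: 1
  # Ignore ICMP redirects
  net.ipv4.conf.all.accept_redirects: 0
  net.ipv4.conf.default.accept_redirects: 0
  net.ipv4.conf.all.secure_redirects: 0
  net.ipv4.conf.default.secure_redirects: 0
  # Do not send ICMP redirects
  net.ipv4.conf.all.send_redirects: 0
  net.ipv4.conf.default.send_redirects: 0
  # Respond to ICMP echo requests (0); set to 1 to ignore all pings.
  # Broadcast echo requests are ignored.
  net.ipv4.icmp_echo_ignore_all: 0
  net.ipv4.icmp_echo_ignore_broadcasts: 1
  # Ignore bogus ICMP error responses
  net.ipv4.icmp_ignore_bogus_error_responses: 1
  # Log martian packets
  net.ipv4.conf.all.log_martians: 1
  net.ipv4.conf.default.log_martians: 1
  # Disable source packet routing
  net.ipv4.conf.all.accept_source_route: 0
  net.ipv4.conf.default.accept_source_route: 0
  # Increase system file descriptor limit
  fs.file-max: 65535
  # Protect against time-wait assassination
  net.ipv4.tcp_rfc1337: 1
  # Kernel hardening: restrict dmesg to privileged users, hide kernel
  # pointers in /proc output, and limit ptrace to descendant processes.
  kernel.dmesg_restrict: 1
  kernel.kptr_restrict: 2
  kernel.yama.ptrace_scope: 1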
# Auditd configuration
auditd_enabled: true
# Watch rules, `-w <path> -p wa -k <key>`: log writes and attribute changes
# to the path, tagged with the key for ausearch/aureport lookups.
auditd_rules:
  # identity databases
  - "-w /etc/passwd -p wa -k identity"
  - "-w /etc/group -p wa -k identity"
  - "-w /etc/shadow -p wa -k identity"
  # privilege configuration; NOTE(review): /etc/sudoers.d is not covered
  - "-w /etc/sudoers -p wa -k actions"
  # authentication logs; NOTE(review): these paths assume a Debian-family
  # log layout - confirm they exist on the target
  - "-w /var/log/auth.log -p wa -k auth"
  - "-w /var/log/faillog -p wa -k logins"
  # ssh daemon configuration
  - "-w /etc/ssh/sshd_config -p wa -k sshd"
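# Timezone
system_timezone: "UTC"

# Hostname - leave empty ("") to keep the current hostname.
system_hostname: ""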