Use this playbook if you want to improve the security of your server and want to :
- change root password
- add admin user of your choice
- add authorized keys for admin user
- add admin user in sudoers
- install default packages (ufw, fail2ban, ...)
- install user extra packages
- setup firewall
- disallow password authentication
- disallow root SSH access
edit personal information in secrets.yml ansible vault (default password: password)
mv secrets.default secrets.yml
ansible-vault rekey secrets.yml
ansible-vault edit secrets.yml
run (replace <SUDOER>, <SSH_PRIVATE_KEY>, <IP>)
ansible-playbook -u <SUDOER> --private-key=<SSH_PRIVATE_KEY> --ask-become-pass --ask-vault-pass -i '<IP>,' bootstrap.yml
- ansible 2+
- git
git clone https://github.com/guillaumevincent/Ansible-My-First-5-Minutes-On-A-Server
cd Ansible-My-First-5-Minutes-On-A-Server
verify that you can ping your server via ssh
ansible all --user=<SUDOER> --private-key=<SSH_PRIVATE_KEY> --inventory-file='<IP>,' -m ping
example on a raspberry pi :
ansible all --user=pi --private-key=~/.ssh/id_rsa --inventory-file='192.168.1.100,' -m ping
192.168.1.100 | SUCCESS => {
"changed": false,
"ping": "pong"
}
explanations :
ansible all: run ansible command on all hosts--user=pi: ssh with user pi--private-key=~/.ssh/id_rsa: path of the ssh key use to connect to the server--inventory-file='192.168.1.100,': specify inventory file. do not forget the comma,-m ping: run module ping
if the previous command failed, <SUDOER> don't have access
All your personal information is stored in an encrypted file with ansible-vault.
move secrets.default to secrets.yml
mv secrets.default secrets.yml
change your vault password (existing password: password)
ansible-vault rekey secrets.yml
follow the instructions to change ansible vault password
Vault password: password
New Vault password: <YOUR_VAULT_PASSWORD>
Confirm New Vault password: <YOUR_VAULT_PASSWORD>
Rekey successful
edit secrets information
ansible-vault edit secrets.yml
the encrypted information that you need to change :
---
ROOT_PASSWORD: 'xxxxxx'
ADMIN_PASSWORD: 'xxxxxx'
ADMIN_USERNAME: admin
PUBLIC_KEYS:
- ~/.ssh/id_rsa.pub
#EXTRA_PACKAGES:
# - vim
# - htop
now run bootstrap.yml file
ansible-playbook --user=<SUDOER> --private-key=<SSH_PRIVATE_KEY> --ask-become-pass --ask-vault-pass --inventory-file='<IP>,' bootstrap.yml
example
ansible-playbook --user=pi --private-key=~/.ssh/id_rsa --ask-become-pass --ask-vault-pass --inventory-file='192.168.1.100,' bootstrap.yml
change the --inventory-file parameter
ansible-playbook .... --inventory-file='<IP>,<IP2>,<IP3>,' bootstrap.yml
You need ssh access to use ansible. If you have the password of a sudoer, then copy your ssh public key on your server.
ssh-copy-id -i ~/.ssh/id_rsa.pub <SUDOER>@<IP>
I thought it was a good idea. But running SSH on a port over 1024 (i.e. a non-privileged port) is actually potentially a security vulnerability. Imagine you run SSH on port 2222 and your ssh daemon crashes. Now any local user can start their own (fake) ssh daemon on port 2222 which could be bad.
See why it's probably better to stay on port 22 Should I change the default SSH port on linux servers?
Thanks Cryonine