Typically, a cloud server provides a machine with root access and an insecure default setup. This Ansible playbook is designed to fix that. It is based on the Ubuntu 20.04 (LTS) or 21.04 image, but it should be applicable to other Ubuntu images.
Copy the inventory file:
cp inventory.sample inventory
Update the information in the inventory file. Most likely you will need to update the server IP and hostname fields. Then run the main Ansible playbook:
ansible-playbook main.yml
The main Ansible playbook both sets up the machine and secures it:
- Create Users: Create "ansible" and "ubuntu" users and allow them sudo access. The idea is to have "ansible" run Ansible playbooks automatically and "ubuntu" for ad hoc manual server management. ("ubuntu" is my chosen user name. You can configure it in the inventory file.)
- Configure Machine: Set the hostname (based on inventory file) and timezone (Los Angeles Time)
- Create aliases for easy server management
- Update machine: Simply update and upgrade all packages shipped with the OS.
- Install some essential software
- Optionally install node exporter (configurable in inventory)
- Optionally install promtail (configurable in inventory)
- Install firewall
- Install fail2ban
- Disable the default ssh port of 22, and set up the alternative port.
- Enable firewall to allow the alternative port and deny 22.
- Disable root account access
- Disable password authentication.
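The SSH and firewall portion of the lock-down above, written out as an added example (this is not the repo's own main_security.yml). It assumes the inventory defines a variable named `ssh_alt_port` (a hypothetical name for the alternative port) and that the `community.general` collection is installed for the `ufw` module. The alternative port is allowed through the firewall before port 22 is denied, and the sshd configuration is validated with `sshd -t` before the service is restarted, so a typo in the config cannot lock you out.

```yaml
# Added example of the security steps (not the repo's own playbook).
# Assumes the inventory sets `ssh_alt_port` (hypothetical variable name).
- name: Lock down SSH and the firewall
  hosts: all
  become: true
  pre_tasks:
    - name: Refuse to run without an alternative port from the inventory
      ansible.builtin.assert:
        that:
          - ssh_alt_port is defined
          - ssh_alt_port | int != 22
        fail_msg: "Set ssh_alt_port in the inventory to a port other than 22"
  tasks:
    - name: Install fail2ban and ufw
      ansible.builtin.apt:
        name:
          - fail2ban
          - ufw
        state: present
        update_cache: true

    - name: Enable and start fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: started
        enabled: true

    # Each sshd_config edit is validated with `sshd -t` before being written,
    # so a broken config never reaches the running daemon.
    - name: Move sshd to the alternative port
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?Port '
        line: "Port {{ ssh_alt_port }}"
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

    - name: Disable root login over SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin '
        line: "PermitRootLogin no"
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

    - name: Disable password authentication (keys only)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication '
        line: "PasswordAuthentication no"
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

    # Allow the new port first, then deny 22, then enable the firewall with a
    # default-deny inbound policy. The sshd restart is a handler, so it runs
    # after these rules are already in place.
    - name: Allow the alternative SSH port
      community.general.ufw:
        rule: allow
        port: "{{ ssh_alt_port }}"
        proto: tcp
        comment: "ssh on alternative port"

    - name: Deny the default SSH port
      community.general.ufw:
        rule: deny
        port: "22"
        proto: tcp

    - name: Enable ufw with default deny for incoming traffic
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh   # service name on Ubuntu
        state: restarted
```

Before running it, confirm from a second terminal that a key-based login as "ubuntu" or "ansible" works on the alternative port; once this play has finished, root and password logins are gone and that key is the only way back in.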
After running the main playbook, you can no longer re-run these playbooks as root, because root account access has been disabled. Instead, you need to access the server as the "ubuntu" or "ansible" user, using your SSH key through the alternative port.
You may want to experiment with the machine setup without the security lock-down, or vice versa. The repo provides separate playbooks for setup and security.
Setup:
ansible-playbook main_setup.yml
Security:
ansible-playbook main_security.yml
That's it!