Secure your Linux server with single command!
A while back, I read this article about what you should do first when you get new server. Doing so manually is quite boring though, and error prone. So, I tried to automate with Ansible, and added few extra security features like completely disabling root and password login etc.
So you have new servers with root access, please follow these steps.
- Install Ansible on your local computer. It's really easy if you have updated
Python
sudo pip install ansible
- Clone this repo and change
hosts
file with IP address of your servers.
git clone [email protected]:chhantyal/5minutes.git && cd 5minutes && open -t hosts
- Change var
server_user_password
invars.yml
file with crypted password. This will be password forserver_user_name
. To generate, run:
sudo pip install passlib
python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
Using it is very easy. From within in 5minutes
directory, run this Ansible command.
ansible-playbook 5minutes.yml -u <user_name> -K
Enter password for your server and that't it. Single command!
You can try on Vagrant box before running this on real servers.
There is Vagrantfile
included.
vagrant up
Change hosts
to 127.1.1.0:2200
(see vagrant up
output for exact port) and run command:
ansible-playbook 5minutes.yml -u vagrant --private-key .vagrant/machines/default/virtualbox/private_key
If you are wondering what it does, here it is:
- Connects to server using SSH
- Updates APT cache
- Performs APT upgrade
- Adds user specified in variable
server_user_name
which has sudo permission - Adds specified public key in variable
user_public_keys
in ssh authorized_keys. - Disables root SSH access. Yes, from next time you need to use new user to access server.
- Disables password authentication. Again you will need to use new user with SSH public key auth method.
- Installs
ufw
as firewall,fail2ban
to ban IPs that show malicious signs,logwatch
to analyze and report logs. - It also installs
unattended-upgrades
to enable automatic security updates.
There are few other variables that you need/might want to change. See vars:
defined in vars.yml
file.
server_user_name
: defaulttrinity
server_user_password
: Please change this. See Ansible docslogwatch_email
: default[email protected]
, you won't get report email fromlogwatch
if you don't change.user_public_keys
: default~/.ssh/id_rsa.pub
, if you use different key pair name, you need to change this path to public key file.
Ansible is perfect for this automation because it's dead simple to install and use without having to learn it.
It uses SSH as agent, so you don't need to setup anything else.
PS: This is tested on Ubuntu, as that's what I use. You are welcome to add support for other distributions :)