From 65dd8043de55159647e583a6828e2f5c5c90d8cd Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 8 Jul 2025 23:26:20 +0700
Subject: [PATCH] Add security hardening playbook
---
 playbooks/security-hardening.yml | 120 +++++++++++++++++++++++++++++++
 1 file changed, 120 insertions(+)
 create mode 100644 playbooks/security-hardening.yml
diff --git a/playbooks/security-hardening.yml b/playbooks/security-hardening.yml
new file mode 100644
index 0000000..073af8c
--- /dev/null
+++ b/playbooks/security-hardening.yml
@@ -0,0 +1,120 @@
+---
+
+- name: Security hardening
+ hosts: all
+ roles:
+ - fail2ban_role
+ become: true
+
+ vars:
+ fail2ban_services: sshd
+
+ tasks:
+ - name: Disable Password Authentication
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ state: present
+ backup: yes
+ validate: /usr/bin/sshd -t -f %s
+ notify: Restart ssh
+ when: false
+
+ - name: Disable root login
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ state: present
+ backup: yes
+ validate: /usr/bin/sshd -t -f %s
+ notify: Restart ssh
+ when: false
+
+ - name: Disable Empty Passwords
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ state: present
+ backup: yes
+ validate: /usr/bin/sshd -t -f %s
+ notify: Restart ssh
+
+#passwordless login
+ - name: Copy SSH public key
+ authorized_key:
+ user: your_remote_user
+ state: present
+ key: "{{ lookup('file', '~/.ssh/ansible_key.pub') }}"
+ manager_dir: yes
+
+#Set up fail2ban
+ - name: Install Fail2ban
+ package:
+ name: fail2ban
+ state: present
+ become: true
+
+ - name: configure Fail2ban
+ template:
+ src: jail.local.j2
+ dest: /etc/fail2ban/jail.local
+ become: true
+ notify: Restart Fail2ban
+
+ - name: Ensure Fail2ban service is started and enabled
+ service:
+ name: fail2ban
+ state: started
+ enabled: true
+ become: true
+
+#Configure Firewall UFW
+ - name: Ensure UFW is installed
+ package:
+ name: ufw
+ state: present
+
+ - name: Ensure UFW is enabled
+ community.general.ufw:
+ state: enabled
+ policy: deny
+ direction: incoming
+
+ - name: Allow SSH connections
+ community.general.ufw:
+ rule: allow
+ name: OpenSSH
+
+ - name: Allow HTTP connections
+ community.general.ufw:
+ rule: allow
+ port: '80'
+ proto: tcp
+
+ - name: Reload UFW
+ community.general.ufw:
+ state: reloaded
+
+# Set file permission
+ - name: Set file permission
+ ansible.builtin.file:
+ path: /home/adelya/tes.txt
+ mode: '0644'
+ owner: adel
+ group: pkl
+ state: file
+
+ handlers:
+ - name: Restart SSH
+ service:
+ name: sshd
+ state: restarted
+
+ - name: Restart Fail2ban
+ service:
+ name: fail2ban
+ state: restarted
+ become: true
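Review bot: The tasks named `Disable root login` and `Disable Empty Passwords` reuse the `^#?PasswordAuthentication` regexp and `PasswordAuthentication no` line from the first sshd task, so `PermitRootLogin` and `PermitEmptyPasswords` are never written to sshd_config, and the first two of the three sshd tasks carry `when: false`, so they are skipped regardless. Each sshd task also uses `notify: Restart ssh` while the handler is named `Restart SSH`; handler names are matched exactly, so the restart never fires and whatever edit does land does not take effect. Independently, the `authorized_key` task passes `manager_dir: yes`, which is not a module parameter (the option is `manage_dir`), and `yes` should be `true` there and on the `backup:` lines. The rewrite below fixes the two mis-copied tasks, drops the `when: false` guards and matches the handler name; the hardcoded `/home/adelya/tes.txt` permission task and the `user: your_remote_user` placeholder look like leftovers that should be parameterised or removed before this runs against `hosts: all`.

```yaml
    - name: Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        backup: true
        validate: /usr/bin/sshd -t -f %s
      notify: Restart SSH

    - name: Disable Empty Passwords
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitEmptyPasswords'
        line: 'PermitEmptyPasswords no'
        state: present
        backup: true
        validate: /usr/bin/sshd -t -f %s
      notify: Restart SSH
    # … unchanged: authorized_key, fail2ban, ufw and file-permission tasks, handlers …
```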