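---
# Harden SSH access on Debian/Ubuntu hosts (apt + the "ssh" service name):
# move sshd to a non-default port, open that port in iptables *before* sshd is
# restarted, and run fail2ban with its sshd jail pointed at the new port.
#
# Variables:
#   ssh_port        -- TCP port sshd should listen on (default 7511; override
#                      with -e or inventory vars).
#   firewall_ports  -- optional list of extra TCP ports to ACCEPT on INPUT.
#                      ssh_port is always added to the list, so changing the
#                      port cannot lock the operator out.
#
# Ordering matters for lockout safety: config edits and the firewall rule are
# applied during the play, while sshd / ssh.socket / fail2ban are only
# restarted by handlers at the end, and only if every task succeeded.
- hosts: all
  become: true

  vars:
    ssh_port: 7511

  tasks:
    - name: Update apt cache
      apt:
        update_cache: true
        cache_valid_time: 3600
      changed_when: false

    - name: Install required packages
      apt:
        name:
          - fail2ban
          - iptables
        state: present

    # 'validate' runs sshd -t against the candidate file before it is written,
    # so a broken edit never lands in /etc/ssh/sshd_config.
    # NOTE(review): if the target's sshd_config starts with
    # "Include /etc/ssh/sshd_config.d/*.conf" and a drop-in there sets Port,
    # that earlier value wins (sshd keeps the first occurrence of a keyword) —
    # confirm no such drop-in exists on the managed hosts.
    - name: "Ensure SSH port is set to {{ ssh_port }} in /etc/ssh/sshd_config"
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?Port '
        line: "Port {{ ssh_port }}"
        state: present
        backup: true
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH

    # Where sshd is socket-activated (recent Ubuntu releases ship ssh.socket),
    # the listening port comes from the socket unit, not from sshd_config.
    # Override it with a drop-in under /etc instead of editing the vendor unit
    # in /usr/lib: the vendor file is replaced on every openssh-server upgrade,
    # which would silently move SSH back to port 22 — and behind the firewall
    # rule added below.
    - name: Check if ssh.socket unit exists
      stat:
        path: /usr/lib/systemd/system/ssh.socket
      register: ssh_socket_unit

    - name: "Set ListenStream to {{ ssh_port }} in ssh.socket"
      when: ssh_socket_unit.stat.exists
      block:
        - name: Create ssh.socket drop-in directory
          file:
            path: /etc/systemd/system/ssh.socket.d
            state: directory
            owner: root
            group: root
            mode: "0755"

        # The empty "ListenStream=" resets the vendor-supplied list first;
        # without it systemd keeps listening on 22 in addition to the new port.
        - name: Install ssh.socket port override
          copy:
            dest: /etc/systemd/system/ssh.socket.d/override.conf
            content: |
              [Socket]
              ListenStream=
              ListenStream={{ ssh_port }}
            owner: root
            group: root
            mode: "0644"
          notify: Reload systemd and restart ssh.socket

    # Whole-config check (including any Include'd files). Handlers have not run
    # yet, so a failure here aborts the play before anything is restarted.
    - name: Test sshd configuration
      command: sshd -t
      changed_when: false

    # ssh_port is always part of the loop so a port change cannot lock us out;
    # the rule is in place before the handlers restart sshd.
    # NOTE(review): the rule is appended to INPUT and is not persisted across
    # reboots by this play. If a DROP/REJECT rule already precedes it in the
    # chain it is never reached — confirm chain order on the targets and add
    # iptables-persistent/netfilter-persistent (or an equivalent) if the rule
    # must survive a reboot.
    - name: Open firewall ports
      iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ item }}"
        jump: ACCEPT
        state: present
      loop: "{{ ([ssh_port] + (firewall_ports | default([]))) | unique }}"

    # fail2ban's stock sshd jail bans on "port = ssh" (22 via /etc/services).
    # Once sshd has moved, bans would not cover the port attackers actually
    # hit, so point the jail at ssh_port explicitly.
    # NOTE(review): on hosts without rsyslog (no /var/log/auth.log) the jail
    # may also need "backend = systemd" — confirm against the installed
    # fail2ban version.
    - name: Point fail2ban's sshd jail at the SSH port
      copy:
        dest: /etc/fail2ban/jail.d/sshd-port.local
        content: |
          [sshd]
          enabled = true
          port = {{ ssh_port }}
        owner: root
        group: root
        mode: "0644"
      notify: Restart fail2ban

    - name: Ensure fail2ban is started and enabled
      service:
        name: fail2ban
        state: started
        enabled: true

  handlers:
    # Runs before "Restart SSH" (handlers fire in definition order) so the
    # socket is already on the new port when sshd comes back.
    - name: Reload systemd and restart ssh.socket
      systemd:
        name: ssh.socket
        state: restarted
        daemon_reload: true

    - name: Restart SSH
      service:
        name: ssh
        state: restarted

    - name: Restart fail2ban
      service:
        name: fail2ban
        state: restarted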