{"id":15874341,"url":"https://github.com/garutilorenzo/ansible-role-linux-security","last_synced_at":"2026-05-10T19:22:46.414Z","repository":{"id":154321517,"uuid":"467996447","full_name":"garutilorenzo/ansible-role-linux-security","owner":"garutilorenzo","description":"Basic Ansible role for Linux security","archived":false,"fork":false,"pushed_at":"2023-07-26T13:35:48.000Z","size":43,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-07T15:11:14.491Z","etag":null,"topics":["ansible","ansible-role","automation","linux-security","security"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/garutilorenzo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-09T16:00:48.000Z","updated_at":"2023-08-17T07:51:23.000Z","dependencies_parsed_at":null,"dependency_job_id":"f3359c09-cb7f-488d-9845-7edb906ee501","html_url":"https://github.com/garutilorenzo/ansible-role-linux-security","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garutilorenzo%2Fansible-role-linux-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garutilorenzo%2Fansible-role-linux-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garutilorenzo%2Fansible-role-linux-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/garutilorenzo%2Fansible-role-linux-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/garutilorenzo","download_url":"https://codeload.github.com/garutilorenzo/ansible-role-linux-security/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246724802,"owners_count":20823543,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","automation","linux-security","security"],"created_at":"2024-10-06T01:21:53.166Z","updated_at":"2026-05-10T19:22:41.377Z","avatar_url":"https://github.com/garutilorenzo.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![GitHub issues](https://img.shields.io/github/issues/garutilorenzo/ansible-role-linux-security)](https://github.com/garutilorenzo/ansible-role-linux-security/issues)\n![GitHub](https://img.shields.io/github/license/garutilorenzo/ansible-role-linux-security)\n[![GitHub forks](https://img.shields.io/github/forks/garutilorenzo/ansible-role-linux-security)](https://github.com/garutilorenzo/ansible-role-linux-security/network)\n[![GitHub stars](https://img.shields.io/github/stars/garutilorenzo/ansible-role-linux-security)](https://github.com/garutilorenzo/ansible-role-linux-security/stargazers)\n\n# Basic ansible role for Linux security\n\nAnsible role used to configure basic security (iptables, sshd, fail2ban) for Linux servers.\n\n## Requirements\n\nDownload the role from GitHub:\n\n```\nansible-galaxy install 
git+https://github.com/garutilorenzo/ansible-role-linux-security.git\n```\n\n## Role Variables\n\nThis role accepts these variables:\n\n| Var   | Required |  Default | Desc |\n| ------- | ------- | ----------- |  ----------- |\n| `system_user`       | `no`       | `ubuntu`       | Main system user used to connect to the server. Must exist on the remote machine  |\n| `sshd_permit_root_login`       | `no`       | `false`       | Set the value of PermitRootLogin in sshd_config, root login not allowed by default  |\n| `sshd_pubkey_auth`       | `no`       | `true`       | Set the value of PubkeyAuthentication, allow auth via public ssh keys  |\n| `sshd_password_auth`       | `no`       | `false`       | Set the value of PasswordAuthentication, password authentication disabled by default  |\n| `sshd_challange_response_auth`       | `no`       | `false`       | Set the value of ChallengeResponseAuthentication, disable 'keyboard-interactive' authentication by default |\n| `sshd_use_pam`       | `no`       | `false`       | Set the value of UsePAM, disable authentication via PAM by default  |\n| `sshd_x11_forwarding`       | `no`       | `false`       | Set the value of X11Forwarding, disable X11 forwarding by default  |\n| `sshd_print_motd`       | `no`       | `false`       |  Set the value of PrintMotd, Motd disabled by default  |\n| `ssh_keys`       | `no`       | `[]`       |  List of public ssh keys to be enabled for the `system_user`.  |\n| `install_fail2ban`       | `no`       | `false`       |  Install and configure fail2ban (ssh jail) |\n| `enable_firewall`       | `no`       | `true`       |  Enable and configure firewall |\n| `iptables_mode`       | `no`       | `legacy`       |  Define the iptables mode: legacy or nftables |\n| `firewall_ingress_rules`       | `no`       | `[]`       |  List of firewall rules in YAML dict format. 
See [below](#iptables-ingress-rules-yaml-format) for more details |\n| `ssh_allow_cidr`       | `no`       | `0.0.0.0/0`       |  CIDR allowed by the firewall for the SSH service |\n\nFor all the sshd config options please refer to `man sshd_config` or to the [online](https://man7.org/linux/man-pages/man5/sshd_config.5.html) documentation.\n\n### Docker specific configuration variables\n\nIf the server has a docker daemon configured, you might want to preserve the iptables docker rules. In this role I've included the scripts from the [iptables-docker](https://github.com/garutilorenzo/iptables-docker) repo.\n\nHere are the allowed variables in detail:\n\n| Var   | Required |  Default | Desc |\n| ------- | ------- | ----------- |  ----------- |\n| `docker_preserve`       | `no`       | `false`       | If set to `true` use the custom iptables script instead of ufw or firewalld  |\n| `swarm_enabled`       | `no`       | `false`       | Set to `true` if docker is configured in swarm mode  |\n| `swarm_cidr`       | `no`       | `192.168.1.0/24`       | If docker is configured in swarm mode, define the swarm CIDR  |\n| `ebable_icmp_messages`       | `no`       | `true`       | Set to `false` if you want to disable ping via firewall  |\n\n### IPTables ingress rules YAML format\n\nHere is an example of a firewall rule compatible with this Ansible role:\n\n```yaml\nfirewall_ingress_rules:\n  - rule: 'allow'\n    proto: 'tcp'\n    src: '1.2.3.4/32'\n    port: '8080' # \u003c- optional. If you omit the port, all ports are opened\n    family: 'ipv4' # \u003c- optional (only needed for firewalld). 
Default 'ipv4', allowed values 'ipv4' and 'ipv6'\n```\n\n## Using this role\n\nTo use this role, follow the example in the [examples/](examples/) dir.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgarutilorenzo%2Fansible-role-linux-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgarutilorenzo%2Fansible-role-linux-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgarutilorenzo%2Fansible-role-linux-security/lists"}