Ansible playbook that automates security hardening and package updates on Ubuntu Linux servers.
- Updates all system packages (apt update && apt upgrade)
- Disables direct root login over SSH
- Disables SSH password authentication (key-only login enforced)
- Installs and enables UFW firewall (default-deny, SSH allowed)
- Enables automatic security updates via unattended-upgrades
- Automatically restarts the SSH service only when its config actually changes
- Applies consistently across multiple managed servers in a single run
Each task addresses a specific, well-known attack vector:
- Root SSH login is a common target for brute-force attacks - disabling it forces use of a standard user and sudo, which is safer and auditable.
- Password authentication over SSH is vulnerable to brute-forcing even for non-root users - enforcing key-only login removes that risk entirely.
- A default-deny firewall ensures only explicitly needed services (SSH) are reachable, reducing the attack surface.
- Automatic security updates close the gap between a vulnerability being disclosed and the server actually being patched.
This playbook was tested against two managed nodes simultaneously: one already hardened, one freshly installed. The same playbook correctly applied only the missing changes to each server, demonstrating Ansible's idempotency and ability to manage multiple servers consistently from a single run.
- Control node: Ubuntu Server 24.04 LTS
- Managed nodes: 2x Ubuntu Server 24.04 LTS
- Ansible core 2.20+
- Tested in a local VMware Workstation lab (3-node setup)
- Update inventory.ini with your managed nodes' IPs and SSH user
- Run a connectivity check: ansible -i inventory.ini managed_nodes -m ping
- Run the playbook: ansible-playbook -i inventory.ini hardening.yml --ask-become-pass
Note: After the first run, SSH password authentication will be disabled - make sure your SSH key is set up on each managed node before running this playbook.
- hardening.yml - the Ansible playbook
- inventory.ini - example inventory (replace with your own hosts)
flowchart TD
A[control-node<br/>Ansible + SSH key] -->|SSH key auth| B[managed-node1<br/>Ubuntu 24.04]
A -->|SSH key auth| C[managed-node2<br/>Ubuntu 24.04]
B --> D[Same hardening playbook applied to both nodes]
C --> D
D --> E[Update packages]
E --> F[Disable root SSH login]
F --> G[Disable SSH password auth]
G --> H[Install and enable UFW firewall]
H --> I[Enable automatic security updates]
I --> J[Handler: restart ssh if config changed]
Built as part of a hands-on cybersecurity/IT portfolio project, complementing CEH, CCNA, RHCE, and MCSA certifications.