Skip to content

Alpha1ne/ansible-linux-hardening

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Ansible Linux Hardening

Ansible playbook that automates security hardening and package updates on Ubuntu Linux servers.

What it does

  • Updates all system packages (apt update && apt upgrade)
  • Disables direct root login over SSH
  • Disables SSH password authentication (key-only login enforced)
  • Installs and enables UFW firewall (default-deny, SSH allowed)
  • Enables automatic security updates via unattended-upgrades
  • Automatically restarts the SSH service only when its config actually changes
  • Applies consistently across multiple managed servers in a single run

Why

Each task addresses a specific, well-known attack vector:

  • Root SSH login is a common target for brute-force attacks - disabling it forces use of a standard user and sudo, which is safer and auditable.
  • Password authentication over SSH is vulnerable to brute-forcing even for non-root users - enforcing key-only login removes that risk entirely.
  • A default-deny firewall ensures only explicitly needed services (SSH) are reachable, reducing the attack surface.
  • Automatic security updates close the gap between a vulnerability being disclosed and the server actually being patched.

This playbook was tested against two managed nodes simultaneously: one already hardened, one freshly installed. The same playbook correctly applied only the missing changes to each server, demonstrating Ansible's idempotency and ability to manage multiple servers consistently from a single run.

Environment

  • Control node: Ubuntu Server 24.04 LTS
  • Managed nodes: 2x Ubuntu Server 24.04 LTS
  • Ansible core 2.20+
  • Tested in a local VMware Workstation lab (3-node setup)

Usage

  1. Update inventory.ini with your managed nodes' IPs and SSH user
  2. Run a connectivity check: ansible -i inventory.ini managed_nodes -m ping
  3. Run the playbook: ansible-playbook -i inventory.ini hardening.yml --ask-become-pass

Note: After the first run, SSH password authentication will be disabled - make sure your SSH key is set up on each managed node before running this playbook.

Files

  • hardening.yml - the Ansible playbook
  • inventory.ini - example inventory (replace with your own hosts)

Architecture

flowchart TD
    A[control-node<br/>Ansible + SSH key] -->|SSH key auth| B[managed-node1<br/>Ubuntu 24.04]
    A -->|SSH key auth| C[managed-node2<br/>Ubuntu 24.04]
    B --> D[Same hardening playbook applied to both nodes]
    C --> D
    D --> E[Update packages]
    E --> F[Disable root SSH login]
    F --> G[Disable SSH password auth]
    G --> H[Install and enable UFW firewall]
    H --> I[Enable automatic security updates]
    I --> J[Handler: restart ssh if config changed]
Loading

Author

Built as part of a hands-on cybersecurity/IT portfolio project, complementing CEH, CCNA, RHCE, and MCSA certifications.

About

Ansible playbook for automated Linux server updates and SSH hardening

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages