An acquaintance of mine apparently does their server builds with IaC, so I want to deepen my knowledge in that area.
Continuing from the previous post, the security settings (disable root login / disable password authentication / restrict the allowed users) end up in a file like the following.
8) Role: ssh_hardening
```yaml
- name: Harden sshd_config
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    # Matches only an active (uncommented) directive; if none matches,
    # lineinfile appends "Key value" at the end of the file.
    regexp: "^{{ item.key }}\\s+"
    line: "{{ item.key }} {{ item.value }}"
    create: false
    backrefs: false
  loop:
    - { key: "PermitRootLogin", value: "no" }
    - { key: "PasswordAuthentication", value: "no" }
    - { key: "ChallengeResponseAuthentication", value: "no" }
    - { key: "UsePAM", value: "yes" }
    - { key: "PubkeyAuthentication", value: "yes" }
    - { key: "X11Forwarding", value: "no" }
    - { key: "PermitEmptyPasswords", value: "no" }
  notify: Restart sshd

- name: Restrict SSH allowed users
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config
    marker: "# {mark} ANSIBLE MANAGED BLOCK: ALLOW USERS"
    block: |
      AllowUsers {{ ssh_allowed_users | join(' ') }}
  notify: Restart sshd
```
The firewall role looks like this.
9) Role: firewall
```yaml
- name: Install and enable UFW (Debian/Ubuntu)
  when: ansible_facts.os_family == "Debian"
  block:
    - name: Install ufw
      ansible.builtin.apt:
        name: ufw
        state: present

    - name: Default deny incoming
      community.general.ufw:
        direction: incoming
        policy: deny

    - name: Default allow outgoing
      community.general.ufw:
        direction: outgoing
        policy: allow

    # allowed_tcp_ports must contain the port sshd listens on; otherwise the
    # default-deny policy cuts off the SSH session as soon as UFW is enabled.
    - name: Allow tcp ports
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop: "{{ allowed_tcp_ports }}"

    - name: Enable UFW
      community.general.ufw:
        state: enabled

- name: Install and enable firewalld (RHEL/Amazon Linux)
  when: ansible_facts.os_family == "RedHat"
  block:
    - name: Install firewalld
      ansible.builtin.dnf:
        name: firewalld
        state: present

    # firewalld has to be running before a task uses immediate: true
    - name: Enable and start firewalld
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true

    - name: Allow tcp ports
      ansible.posix.firewalld:
        port: "{{ item }}/tcp"
        permanent: true   # survives a reload/reboot
        state: enabled
        immediate: true   # also applied to the running configuration
      loop: "{{ allowed_tcp_ports }}"
```
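Two things are easy to get wrong with the ssh_hardening and firewall roles above, and both can be checked offline before a playbook run. First, `lineinfile` with `^Key\s+` only matches an active directive; the commented-out defaults in a stock sshd_config (`#PermitRootLogin prohibit-password`) do not match, so the directive is appended at the end of the file. If the file ends with a `Match` block, the appended lines land inside that block instead of the global section, and sshd_config(5) only permits a subset of keywords there, so sshd may refuse the whole file; pairing the task with `validate: /usr/sbin/sshd -t -f %s` keeps the handler from restarting sshd into a broken config. Second, `allowed_tcp_ports` must include the `Port` sshd actually listens on, or the default-deny policy blocks the session. The script below is an added example, not code from the post: it mimics the lineinfile behaviour, parses sshd_config the way sshd does (first value wins, everything after a `Match` line belongs to that block), and reports both problems against a constructed sample config with a non-default port.

```python
"""Offline checks for what the ssh_hardening and firewall roles leave behind.
Added example, not from the original post: mimics lineinfile's regexp/append
behaviour and reads sshd_config as sshd does (first value of a keyword wins,
everything after a 'Match' line belongs to that Match block)."""
import re

# Constructed sample sshd_config: a commented-out default, a non-default Port,
# and a Match block at the end of the file (all made up for this example).
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config (constructed)
Port 2222
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes

Match User backup
    PasswordAuthentication yes
"""

# The same key/value pairs the playbook's lineinfile loop enforces.
EXPECTED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "UsePAM": "yes",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "PermitEmptyPasswords": "no",
}

def lineinfile(text, key, value):
    """Mimic ansible.builtin.lineinfile with regexp '^KEY\\s+' and backrefs=false:
    replace the last line the regexp matches, otherwise append at end of file."""
    pattern = re.compile(r"^" + re.escape(key) + r"\s+")
    lines = text.splitlines()
    hits = [i for i, line in enumerate(lines) if pattern.search(line)]
    new_line = f"{key} {value}"
    if hits:
        lines[hits[-1]] = new_line
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"

def harden(text, expected=EXPECTED):
    """Apply the whole loop in playbook order."""
    for key, value in expected.items():
        text = lineinfile(text, key, value)
    return text

def parse_sshd_config(text):
    """Return (global_section, match_section); each maps a lower-cased keyword
    to every value seen, in file order (sshd uses the first one, except Port)."""
    global_section, match_section = {}, {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # every later line belongs to some Match block
            continue
        section = match_section if in_match else global_section
        section.setdefault(key, []).append(value)
    return global_section, match_section

def check_hardening(text, expected=EXPECTED):
    """Keys whose effective global value differs from the expected one, mapped to
    the actual value, 'missing', or 'inside Match block' (appended below a Match)."""
    global_section, match_section = parse_sshd_config(text)
    problems = {}
    for key, want in expected.items():
        k = key.lower()
        if k in global_section:
            actual = global_section[k][0]
            if actual.lower() != want:
                problems[key] = actual
        elif k in match_section:
            problems[key] = "inside Match block"
        else:
            problems[key] = "missing"
    return problems

def sshd_ports(text):
    """Every global Port directive (sshd listens on all of them); 22 if none."""
    global_section, _ = parse_sshd_config(text)
    return [int(p) for p in global_section.get("port", ["22"])]

def lockout_risk(text, allowed_tcp_ports):
    """sshd ports missing from allowed_tcp_ports: with 'default deny incoming'
    these are blocked the moment the firewall role enables the firewall."""
    allowed = {int(p) for p in allowed_tcp_ports}
    return [p for p in sshd_ports(text) if p not in allowed]
```

Running `check_hardening(harden(SAMPLE_SSHD_CONFIG))` on the sample shows that `PasswordAuthentication` and `X11Forwarding` were rewritten in place, while `PermitRootLogin`, `ChallengeResponseAuthentication`, `PubkeyAuthentication` and `PermitEmptyPasswords` were appended below the `Match User backup` line and therefore never apply globally; `lockout_risk(hardened, [22, 80, 443])` reports `[2222]` because the sample listens on a port the firewall variables do not open. The usual fix for the first problem is to strip the trailing Match block into its own `Include`d file or to have lineinfile insert before it with `insertbefore: "^Match "`, and for the second to derive `allowed_tcp_ports` from the same variable that sets `Port`.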