Role: security
SSH hardening and intrusion detection. Applied to every host after the common role.
Hosts: proxfold, arrstack, nginx, plex
Tasks
| Task | Tags |
|---|---|
| Deploy hardened sshd config to /etc/ssh/sshd_config.d/99-hardening.conf | security, ssh |
| Validate config with sshd -t before applying | security, ssh |
| Install fail2ban | security, fail2ban |
| Deploy fail2ban jail config to /etc/fail2ban/jail.local | security, fail2ban |
| Enable and start fail2ban | security, fail2ban |
Key variables
| Variable | Source | Value |
|---|---|---|
| ssh_port | group_vars | 22 |
| ssh_permit_root_login | group_vars | prohibit-password (key-only) |
| ssh_password_authentication | group_vars | no |
Templates
- sshd_config.j2 — Drop-in config enforcing key-only auth: password login disabled, root login limited to prohibit-password
- jail.local.j2 — Fail2ban jail targeting the SSH service
Handlers
- Restarts sshd when the SSH config changes
- Restarts fail2ban when the jail config changes
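The tasks, templates and handlers above as one playbook, added here as an example; it is not the role's own files. Paths, tags, variable names and handler names are taken from this page. The directive values inside the two files, the use of ansible.builtin.package, the service name sshd and the sshd -T check are assumptions.

```yaml
# Added example, not the role's own files: one playbook sketching the tasks,
# templates and handlers this page lists. Paths, tags, variable names and
# handler names come from the page; the directives inside the two files, the
# package module, the service name "sshd" and the sshd -T check are assumptions.
- hosts: all
  become: true
  vars:
    # Normally set in group_vars (see Key variables). "no" must be quoted:
    # unquoted YAML no is the boolean false and would render as "False".
    ssh_port: 22
    ssh_permit_root_login: prohibit-password
    ssh_password_authentication: "no"

  tasks:
    - name: Deploy hardened sshd config
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/99-hardening.conf
        owner: root
        group: root
        mode: "0600"
        # sshd -t runs on the temporary copy (%s) before it replaces the live
        # file, so a syntax error aborts the task and never reaches the daemon.
        validate: /usr/sbin/sshd -t -f %s
        content: |
          # Managed by Ansible (security role)
          Port {{ ssh_port }}
          PermitRootLogin {{ ssh_permit_root_login }}
          PasswordAuthentication {{ ssh_password_authentication }}
          PubkeyAuthentication yes
          # PAM can still prompt for a password over keyboard-interactive
          # unless this is off as well
          KbdInteractiveAuthentication no
          MaxAuthTries 3
          X11Forwarding no
      notify: Restart sshd
      tags: [security, ssh]

    - name: Validate the merged config (main file plus every drop-in)
      ansible.builtin.command: /usr/sbin/sshd -t
      changed_when: false
      tags: [security, ssh]

    - name: Check the values sshd will actually use
      # sshd keeps the first value it reads for a keyword, so a lower-numbered
      # drop-in can silently win over 99-hardening.conf; -T prints the result.
      ansible.builtin.command: /usr/sbin/sshd -T
      register: sshd_effective
      changed_when: false
      failed_when: >-
        'passwordauthentication no' not in sshd_effective.stdout_lines
        or 'permitrootlogin yes' in sshd_effective.stdout_lines
      tags: [security, ssh]

    - name: Install fail2ban
      ansible.builtin.package:
        name: fail2ban
        state: present
      tags: [security, fail2ban]

    - name: Deploy fail2ban jail config
      ansible.builtin.copy:
        dest: /etc/fail2ban/jail.local
        owner: root
        group: root
        mode: "0644"
        content: |
          [DEFAULT]
          bantime  = 1h
          findtime = 10m
          maxretry = 5

          [sshd]
          enabled = true
          # watch the port the daemon is actually on, not only 22
          port    = {{ ssh_port }}
          # journald-only hosts have no /var/log/auth.log to tail (assumption)
          backend = systemd
      notify: Restart fail2ban
      tags: [security, fail2ban]

    - name: Enable and start fail2ban
      ansible.builtin.service:
        name: fail2ban
        enabled: true
        state: started
      tags: [security, fail2ban]

  handlers:
    # A systemd restart of sshd leaves established sessions running, so the
    # connection Ansible is using survives even if the daemon fails to come back.
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted

    - name: Restart fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: restarted
```

Two things this layout relies on. Handlers run at the end of the play, so the restart only happens if both sshd -t and the sshd -T check passed; a failing check removes the host from the play and the daemon keeps its old config. The sshd -T check matters because Include globs are read in lexical order and sshd uses the first value it sees for a keyword: a drop-in such as a cloud-init generated 50-*.conf that sets PasswordAuthentication yes would override 99-hardening.conf without any syntax error, and only the effective-config dump reveals it.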
Warning
The SSH config enforces key-only authentication. Ensure your public key is deployed via the common role, and that you can log in with it, before running security on a fresh host, or you will be locked out. sshd -t only checks that the config parses; it cannot tell whether a key is in place.
Related
- common — SSH key deployment happens here, before security hardens the daemon