Diffstat (limited to 'roles/security/tasks')
-rw-r--r--roles/security/tasks/main.yml41
1 files changed, 41 insertions, 0 deletions
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
new file mode 100644
index 0000000..0a7ef0f
--- /dev/null
+++ b/roles/security/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: firewall - setup PF rules
+ template:
+ src: pf.conf.j2
+ dest: /etc/pf.conf
+ validate: "pfctl -nf %s"
+
+- name: firewall - enable PF
+ command: rcenable pf
+
+- name: firewall - enable PF log
+ command: rcenable pflog
+
+- name: sshlockout - setup with PF
+ blockinfile:
+ path: /etc/syslog.conf
+ marker: '# {mark} ANSIBLE MANAGED - sshlockout'
+ block: |
+ # Block SSH auth failures using "sshlockout" and "pf"
+ auth.info;authpriv.info |exec /usr/sbin/sshlockout -pf bruteforce
+
+- name: periodic - copy clean-pf script
+ copy:
+ src: 600.clean-pf
+ dest: /etc/periodic/daily/600.clean-pf
+ mode: 0755
+
+- name: periodic - touch config file
+ file:
+ path: /etc/periodic.conf
+ state: touch
+ mode: 0644
+
+- name: periodic - enable clean-pf
+ blockinfile:
+ path: /etc/periodic.conf
+ marker: '# {mark} ANSIBLE MANAGED - clean-pf'
+ block: |
+ # Clean up PF tables
+ daily_clean_pf_enable="YES"
+ daily_clean_pf_tables="bruteforce"
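Review bot: The new pf.conf and syslog.conf contents are written but never applied to the running daemons: the template task at the top of the hunk has no `notify`, so on later runs a changed ruleset is validated and installed while the previously loaded ruleset keeps running, and the sshlockout pipe appended to /etc/syslog.conf is not read until syslogd is restarted or signalled. Add `notify: reload pf` to the template task and `notify: restart syslogd` to the syslog blockinfile task, with two handlers in roles/security/handlers/main.yml running `pfctl -f /etc/pf.conf` and a syslogd restart (the `rcenable` calls suggest DragonFly, where that would be `rcrestart syslogd`). The two `command: rcenable` tasks also report changed on every play; `changed_when: false` or a `lineinfile` on /etc/rc.conf would keep the role idempotent. pf.conf.j2 and 600.clean-pf are not in this diff, so I am assuming the template declares `table <bruteforce> persist` with a matching block rule, which both `sshlockout -pf bruteforce` and `daily_clean_pf_tables="bruteforce"` depend on.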