path: root/roles/security/tasks/main.yml
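---
# roles/security/tasks/main.yml
#
# Host firewall hardening:
#   1. install the PF rule set (syntax-checked before it goes live),
#   2. enable PF and its logging interface at boot,
#   3. wire sshlockout into syslogd so repeated SSH auth failures land in
#      the PF table <bruteforce>,
#   4. age that table out periodically so lockouts are eventually lifted.
#
# The handlers referenced here (reload-pf, restart-syslogd) and the
# pf.conf.j2 template live elsewhere in the role and are not visible in
# this file. rcenable(8) and sshlockout(8) as used below look like the
# DragonFly BSD tools -- confirm against the target platform.

- name: firewall - setup PF rules
  template:
    src: pf.conf.j2
    dest: /etc/pf.conf
    # Pin ownership and mode explicitly rather than inheriting whatever
    # umask the play runs under. Only root (pfctl) needs to read the
    # rule set, so it is not left world-readable.
    owner: root
    group: wheel
    mode: "0600"
    # Syntax-check the rendered file before it replaces the live one, so
    # a template error never leaves the host without a loadable rule set.
    validate: "pfctl -nf %s"
  notify: reload-pf
  tags:
    - pf
    - pf-rules

# rcenable both turns the service on in rc.conf and starts it. The
# command runs on every play, so report it as unchanged instead of
# flagging "changed" each run. NOTE(review): this assumes rcenable is
# safe to re-run on an already-enabled service -- confirm.
- name: firewall - enable PF
  command: rcenable pf
  changed_when: false
  tags: pf

- name: firewall - enable PF log
  command: rcenable pflog
  changed_when: false
  tags: pf

# Feed auth/authpriv messages to sshlockout(8), which adds the source
# address of repeated SSH failures to the PF table <bruteforce>. That
# table must be declared in the rule set (e.g. `table <bruteforce>
# persist`) and matched by a block rule; both belong in pf.conf.j2,
# not here -- confirm they are present.
- name: sshlockout - setup with PF
  lineinfile:
    path: /etc/syslog.conf
    # Match any existing sshlockout entry for these facilities so a
    # hand-edited variant is replaced instead of duplicated; without a
    # regexp lineinfile only de-duplicates an exact match.
    regexp: '^auth\.info;authpriv\.info\s+\|exec /usr/sbin/sshlockout'
    # syslog.conf separates selector and action with a tab. Write it as
    # an escape so an editor cannot silently turn it into spaces.
    line: "auth.info;authpriv.info\t|exec /usr/sbin/sshlockout -pf bruteforce"
    insertafter: 'auth\.info'
  notify: restart-syslogd
  tags: sshlockout

# Expire <bruteforce> entries not updated for a day (86400 s) so a
# locked-out address is eventually released. With a two-hour cadence the
# effective lockout is 24-26 h.
- name: cron - expire PF table (bruteforce)
  cron:
    name: "pf-expire-table-bruteforce"
    user: root
    minute: "0"
    hour: "*/2"  # every 2 hours
    job: "pfctl -t bruteforce -T expire 86400 >/dev/null 2>&1"
  tags: sshlockout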