CyberismoCom/ansible-role-base-host
Ansible Role: Base Host

Ubuntu 24.04 LTS base host hardening and security configuration role.

Features

  • User Management: Creates admin user with SSH key access and passwordless sudo
  • SSH Hardening: Custom port, key-only auth, disabled root login, connection limits
  • Firewall: UFW with deny-by-default incoming policy
  • Intrusion Prevention: fail2ban for SSH brute force protection
  • Automatic Updates: Unattended security upgrades
  • Kernel Hardening: Secure sysctl parameters, disabled unused filesystems
  • Logging: Configured log rotation

Requirements

  • Ansible 2.14+
  • Target OS: Ubuntu 24.04 LTS (Noble Numbat)
  • Collections:
    • community.general >= 8.0.0
    • ansible.posix >= 1.5.0

Role Variables

Required Variables

These must be provided (e.g., via Ansible Vault):

base_host_user_password: "secure-password"  # Password for admin user
base_host_ssh_keys:                          # SSH public keys for access
  - "ssh-ed25519 AAAA..."

Optional Variables

See defaults/main.yml for all available variables with defaults.

Key variables:

| Variable | Default | Description |
|---|---|---|
| base_host_user | cyberismo | Admin username |
| base_host_ssh_port | 21222 | SSH port |
| base_host_fail2ban_bantime | 3600 | Ban duration in seconds |
| base_host_fail2ban_maxretry | 3 | Failed attempts before ban |
| base_host_auto_reboot | false | Auto-reboot after kernel updates |

Dependencies

None.

Example Playbook

Basic Usage

---
- name: Harden Ubuntu hosts
  hosts: all
  become: true
  vars_files:
    - vault.yml  # Contains base_host_user_password and base_host_ssh_keys
  roles:
    - role: cyberismo.base_host

With Custom Variables

---
- name: Harden Ubuntu hosts with custom settings
  hosts: all
  become: true
  vars:
    base_host_user: admin
    base_host_ssh_port: 2222
    base_host_fail2ban_bantime: 7200
    base_host_fail2ban_maxretry: 5
  vars_files:
    - vault.yml
  roles:
    - role: cyberismo.base_host

Using with requirements.yml

Add to your requirements.yml:

roles:
  - name: cyberismo.base_host
    src: git+https://github.com/CyberismoCom/ansible-role-base-host.git
    version: main

Install with:

ansible-galaxy install -r requirements.yml

Tags

Run specific parts of the role:

# Only SSH hardening
ansible-playbook site.yml --tags "ssh"

# Only firewall configuration
ansible-playbook site.yml --tags "firewall"

# Multiple tags
ansible-playbook site.yml --tags "ssh,security"

Available tags:

  • setup - Package updates and installation
  • updates - Package and automatic updates
  • users - User management
  • ssh - SSH configuration
  • sudo - Sudo configuration
  • firewall - UFW firewall
  • security - All security tasks
  • fail2ban - Fail2ban configuration
  • kernel - Kernel hardening
  • logging - Log configuration

Initial Setup Notes

CRITICAL: For initial deployment on a fresh server:

  1. Run as the root user, since the admin user doesn't exist yet:

     ansible-playbook site.yml -u root

  2. Ensure SSH keys are configured before running - password auth will be disabled!

  3. After the initial run, SSH listens on the configured port (default: 21222). Update your inventory:

     [webservers]
     server1.example.com ansible_port=21222
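Because the first run disables password authentication and moves the SSH port, a lockout usually comes from a malformed key or a bad variable. The following pre-flight check is an added example, not part of this role: it takes the already-parsed variables (for instance from a decrypted vault.yml) and reports anything that would lock you out. The DEFAULTS table mirrors the values documented above and the sample key is constructed, not a real credential.

```python
import base64
import struct

# Defaults as documented in this README; the role's defaults/main.yml is the
# source of truth if they ever diverge.
DEFAULTS = {"base_host_ssh_port": 21222, "base_host_fail2ban_bantime": 3600,
            "base_host_fail2ban_maxretry": 3, "base_host_auto_reboot": False}
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed sample key (not a real credential): a well-formed ed25519 blob
# whose 32 public-key bytes are all 0x01, used only to exercise the checks.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x01" * 32
).decode() + " admin@example.com"


def ssh_pubkey_ok(line: str) -> bool:
    """True if an authorized_keys line has a known type and a base64 blob whose
    embedded type string matches the declared one and is followed by key data.
    This rejects truncated or placeholder keys such as "ssh-ed25519 AAAA..."."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])          # length of type string
        return blob[4:4 + n].decode() == parts[0] and len(blob) > 4 + n
    except (ValueError, struct.error):               # bad base64, short blob, bad utf-8
        return False


def preflight(vars_: dict) -> list[str]:
    """Return a list of problems that would lock you out or misconfigure the role."""
    v = {**DEFAULTS, **vars_}
    problems = []
    pw = v.get("base_host_user_password")
    if not isinstance(pw, str) or not pw:
        problems.append("base_host_user_password missing or empty")
    keys = v.get("base_host_ssh_keys")
    if not isinstance(keys, list) or not keys:
        problems.append("base_host_ssh_keys must be a non-empty list (password auth is disabled)")
    else:
        problems += [f"invalid SSH public key: {str(k)[:40]!r}"
                     for k in keys if not isinstance(k, str) or not ssh_pubkey_ok(k)]
    port = v["base_host_ssh_port"]
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        problems.append(f"base_host_ssh_port {port!r} not in 1..65535")
    for name in ("base_host_fail2ban_bantime", "base_host_fail2ban_maxretry"):
        if not isinstance(v[name], int) or isinstance(v[name], bool) or v[name] < 1:
            problems.append(f"{name} must be a positive integer")
    if not isinstance(v["base_host_auto_reboot"], bool):
        problems.append("base_host_auto_reboot must be true/false")
    return problems
```

Run `preflight()` over your vault variables before the initial `-u root` run; an empty list means nothing obvious will lock you out.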

Security Notes

  • SSH port is changed to reduce log noise from automated attacks
  • fail2ban bans IPs for 1 hour (default) after 3 failed attempts in 10 minutes
  • Automatic reboots are disabled by default - manually reboot after kernel updates
  • Admin user gets passwordless sudo for automation purposes

License

MIT

Author Information

Cyberismo - https://cyberismo.com
