Automating Ubuntu server hardening with Ansible ensures consistency, scalability, and repeatability of security best practices, such as managing users, configuring firewalls, and securing SSH. This infrastructure-as-code approach helps in achieving compliance with standards like CIS benchmarks.
Key Hardening Measures and Ansible Implementation
Ansible uses an agentless architecture, connecting to managed nodes via SSH to push out modules and execute tasks defined in YAML playbooks.
| Hardening Area | Description | Key Ansible Modules & Practices |
|---|---|---|
| System Updates | Regularly apply security patches and updates to all packages. | apt module with upgrade: dist and update_cache: yes |
| User & Access Management | Limit root access and enforce strong authentication. | user module to create non-root users; authorized_key module for key-based authentication; lineinfile to disable PermitRootLogin in /etc/ssh/sshd_config. |
| Firewall Configuration | Restrict network access to only necessary services to reduce the attack surface. | ufw module to enable the firewall and define allow/deny rules for specific ports/services (e.g., allow OpenSSH). |
| SSH Security | Secure the primary method of remote access. | Use lineinfile to disable password authentication and change the default SSH port; enforce key-based access. |
| Disable Unused Services | Minimize attack vectors by ensuring only required services are running. | service module with state: stopped and enabled: no for unnecessary services (e.g., telnet, ftp). |
| Kernel Parameters | Modify kernel settings (sysctl) to improve security, such as disabling IP forwarding or ignoring ICMP requests. | ansible.posix.sysctl module to set parameters and save them to a configuration file like /etc/sysctl.d/90-net.conf. |
| Logging & Auditing | Enable system auditing to track security-related incidents. | apt and service modules to install and run auditd; copy module to deploy custom audit rules. |
Implementing Automation with Playbooks
You can use pre-built, community-maintained roles from Ansible Galaxy (such as those from the dev-sec/ansible-collection-hardening project) or create custom playbooks.
Example Playbook Snippet: Disabling Root Login via SSH
---
- hosts: all
become: true
tasks:
- name: Disable password authentication for root
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#?PermitRootLogin'
line: 'PermitRootLogin no'
state: present
notify:
- Restart sshd
handlers:
- name: Restart sshd
ansible.builtin.service:
name: sshd
state: restarted
The
handlers section ensures the SSH service is restarted only if a change to its configuration file is made. Best Practices
- Version Control: Store playbooks in a system like Git for tracking changes and collaboration.
- Secrets Management: Use Ansible Vault to encrypt sensitive data (passwords, keys, etc.).
- Testing: Always test playbooks in a non-production environment using the
--check(dry run) and--diffflags before deployment to prevent accidental lockouts or service disruption. - Compliance: Align hardening tasks with recognized security benchmarks like the CIS controls to ensure comprehensive security.