Phase 3 — Hardening
Baseline hardening of every VM via Ansible, applied before any service is installed.
Objective
Apply a common security baseline to each VM: SSH, firewall, anti-brute-force, swap, local name resolution.
Command
ansible-playbook -i inventory.ini playbooks/00-hardening.yml
Ansible inventory
[homelab]
traefik ansible_host=192.168.1.20
gitlab ansible_host=192.168.1.21
vault ansible_host=192.168.1.22
harbor ansible_host=192.168.1.30
monitoring ansible_host=192.168.1.31
keycloak ansible_host=192.168.1.32
defectdojo ansible_host=192.168.1.33
k3s-master ansible_host=192.168.1.40
k3s-worker01 ansible_host=192.168.1.41
k3s-worker02 ansible_host=192.168.1.42
[all:vars]
ansible_user=mounik
ansible_port=2222
Execution
# First pass (cloud-init still exposes SSH on the default port 22):
ansible-playbook -i inventory.ini playbooks/00-hardening.yml -e 'ansible_port=22'
# Following passes (the playbook has moved SSH to port 2222):
ansible-playbook -i inventory.ini playbooks/00-hardening.yml
Hardening playbook
# playbooks/00-hardening.yml
- hosts: all
  become: true          # every task below needs root (apt, sshd config, ufw, fail2ban)
  tasks:
    - name: Installer ufw, fail2ban
      ansible.builtin.apt:
        name:
          - ufw
          - fail2ban
        state: present
        update_cache: true   # a fresh cloud-init VM often has an empty apt cache

    - name: Configurer SSH (port 2222, clé uniquement)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/hardening.conf
        create: true
        line: "{{ item }}"
      loop:
        - "Port 2222"
        - "PermitRootLogin no"
        - "PasswordAuthentication no"
        - "PubkeyAuthentication yes"
        - "MaxAuthTries 3"
        - "AllowUsers mounik"
      notify: restart ssh

    - name: UFW — default deny incoming
      community.general.ufw:
        direction: incoming
        policy: deny

    - name: UFW — default allow outgoing
      community.general.ufw:
        direction: outgoing
        policy: allow

    - name: UFW — limit SSH sur le port 2222
      community.general.ufw:
        rule: limit
        port: "2222"
        proto: tcp

    - name: UFW — enable
      community.general.ufw:
        state: enabled

    - name: Configurer Fail2Ban (jail SSH)
      ansible.builtin.copy:
        dest: /etc/fail2ban/jail.d/ssh.conf
        content: |
          [sshd]
          enabled = true
          port = 2222
          maxretry = 3
          bantime = 3600
      notify: restart fail2ban

    - name: Désactiver le swap
      # Runtime only: the swap entry in /etc/fstab must also be removed or
      # commented out, otherwise swap is back after the next reboot.
      ansible.builtin.command:
        cmd: swapoff -a
      changed_when: false

    - name: Installer les paquets communs
      ansible.builtin.apt:
        name:
          - htop
          - git
          - jq
        state: present

    - name: Configurer /etc/hosts
      # These lines duplicate the inventory addresses: keep both in sync
      # (or loop over groups['homelab'] and use hostvars[item].ansible_host).
      ansible.builtin.lineinfile:
        path: /etc/hosts
        line: "{{ item }}"
      loop:
        - "192.168.1.20 traefik"
        - "192.168.1.21 gitlab"
        - "192.168.1.22 vault"
        - "192.168.1.30 harbor"
        - "192.168.1.31 monitoring"
        - "192.168.1.32 keycloak"
        - "192.168.1.33 defectdojo"
        - "192.168.1.40 k3s-master"
        - "192.168.1.41 k3s-worker01"
        - "192.168.1.42 k3s-worker02"

  handlers:
    - name: restart ssh
      # On Ubuntu releases with socket-activated sshd (22.10 and later) the
      # listening port comes from ssh.socket: run a daemon-reload and restart
      # that unit as well, or the Port directive above is not applied.
      ansible.builtin.service:
        name: ssh
        state: restarted

    - name: restart fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: restarted
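The SSH task relies on a drop-in under /etc/ssh/sshd_config.d/ winning over the distribution defaults. That works because sshd keeps the first value it meets for each keyword and Include splices the drop-ins in at the position of the Include line, which Ubuntu's stock sshd_config puts on its first line; a config that includes the directory at the bottom silently keeps PasswordAuthentication yes. The script below is an added example, not part of the original playbook or the homelab project: it reproduces that resolution offline on constructed sample configs (not captured from any VM), reports which of the six hardening directives end up overridden, and checks that the fail2ban [sshd] jail bans on the port sshd actually listens on. The sample config texts and the jail strings are constructed for the demonstration.

```python
"""Offline check of the effective sshd settings written by the hardening playbook."""
import fnmatch
import re
from typing import Dict, Iterator, List, Tuple

# The directives the playbook writes into sshd_config.d/hardening.conf
# (keywords lower-cased because sshd matches them case-insensitively).
REQUIRED = {
    "port": "2222",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "3",
    "allowusers": "mounik",
}


def _directives(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (keyword, value) from one file, skipping comments and blank lines.
    Parsing stops at the first 'Match' block: its settings are conditional."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            return
        yield key, value


def effective_config(main_text: str, dropins: Dict[str, str]) -> Dict[str, str]:
    """Resolve the effective settings the way sshd does: the FIRST occurrence of a
    keyword wins, and 'Include <glob>' inserts the matching drop-in files, sorted
    by name, at the position of the Include line."""
    effective: Dict[str, str] = {}

    def absorb(text: str) -> None:
        for key, value in _directives(text):
            if key == "include":
                for name in sorted(dropins):
                    if fnmatch.fnmatch(name, value):
                        absorb(dropins[name])
            else:
                effective.setdefault(key, value)  # keep the first value seen

    absorb(main_text)
    return effective


def hardening_findings(effective: Dict[str, str]) -> List[str]:
    """One finding per required directive that is missing or overridden."""
    return [
        f"{key}: expected {wanted!r}, effective {effective.get(key)!r}"
        for key, wanted in REQUIRED.items()
        if effective.get(key) != wanted
    ]


def fail2ban_port_matches(jail_text: str, effective: Dict[str, str]) -> bool:
    """The [sshd] jail must ban on sshd's real port. A jail left at 'port = ssh'
    keeps watching 22 and stops banning once SSH moves to 2222. Service names
    are compared literally, not resolved through /etc/services."""
    m = re.search(r"^\s*port\s*=\s*(\S+)", jail_text, re.MULTILINE)
    return m is not None and m.group(1) == effective.get("port")


# Constructed sample shaped like Ubuntu's stock sshd_config (Include first).
STOCK_SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
"""
# Same defaults, but with the Include moved to the end: the drop-in loses.
MISORDERED_SSHD_CONFIG = STOCK_SSHD_CONFIG.splitlines()[1:] + [STOCK_SSHD_CONFIG.splitlines()[0]]
MISORDERED_SSHD_CONFIG = "\n".join(MISORDERED_SSHD_CONFIG) + "\n"
# Content produced by the playbook's lineinfile loop.
HARDENING_DROPIN = "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n" \
                   "PubkeyAuthentication yes\nMaxAuthTries 3\nAllowUsers mounik\n"
DROPINS = {"/etc/ssh/sshd_config.d/hardening.conf": HARDENING_DROPIN}
# Constructed fail2ban jails: the playbook's one, and a stale one still on 22.
JAIL_OK = "[sshd]\nenabled = true\nport = 2222\nmaxretry = 3\nbantime = 3600\n"
JAIL_STALE = "[sshd]\nenabled = true\nport = ssh\n"

if __name__ == "__main__":
    for label, main in (("include first", STOCK_SSHD_CONFIG), ("include last", MISORDERED_SSHD_CONFIG)):
        eff = effective_config(main, DROPINS)
        print(label, "->", hardening_findings(eff) or "compliant",
              "| fail2ban port ok:", fail2ban_port_matches(JAIL_OK, eff))
```

On a real host the same effective values come from `sshd -T` (run as root), which prints the resolved configuration one keyword per line; compare its `port` and `passwordauthentication` lines with the jail file after each playbook run rather than trusting the drop-in alone.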
Deliverable: all VMs hardened (SSH, UFW, Fail2Ban), ready to receive the services.
Going further
- Phase 4.1 — Vault — the first service to install
- Flow matrix — detailed UFW rules per VM