The Ansible playbooks for this guide are available at How To Secure A Linux Server With Ansible.
Make sure to edit the variables according to your needs and read all tasks beforehand to confirm they do not break your system. After running the playbooks, ensure that all settings are configured to your needs!

Prerequisites

1. Install Ansible

Install Ansible on your control machine (the computer you’ll run the playbooks from).
# On Debian/Ubuntu
sudo apt update
sudo apt install ansible

# On macOS
brew install ansible

# Using pip
pip install ansible
See the official Ansible installation guide for more options.
2. Clone the Repository

Clone the Ansible playbooks repository:
git clone https://github.com/moltenbit/How-To-Secure-A-Linux-Server-With-Ansible.git
cd How-To-Secure-A-Linux-Server-With-Ansible
3. Create SSH Keys

Create SSH public/private key pairs for secure authentication:
ssh-keygen -t ed25519
Press Enter to accept the default location, and optionally set a passphrase for additional security.
4. Configure Variables

Edit the variables file to match your environment:
nano group_vars/variables.yml
Change all variables according to your needs, including:
  • Username and password
  • SSH port
  • Firewall rules
  • Any other customizations
5. Enable SSH Root Access (Temporarily)

Before running the playbooks, temporarily enable SSH root access on your target server:
sudo nano /etc/ssh/sshd_config
Find the PermitRootLogin line and set it to:
PermitRootLogin yes
Then restart SSH:
sudo systemctl restart sshd
This is temporary! The playbooks will disable root login as part of the hardening process.
6. Configure Static IP (Recommended)

It’s recommended to configure a static IP address on the target server before running the playbooks, so the address you put in the inventory keeps pointing at the same machine.
7. Add Server to Inventory

Add your server’s IP address to the hosts.yml file:
all:
  hosts:
    your-server:
      ansible_host: 192.168.1.100

Running the Playbooks

Requirements Playbook

Run the requirements playbook first, using the root password you specified during server installation:
ansible-playbook --inventory hosts.yml --ask-pass requirements-playbook.yml
This playbook sets up the initial requirements before the main hardening process.

Main Playbook

Run the main playbook with the new user’s password you specified in the variables.yml file:
ansible-playbook --inventory hosts.yml --ask-pass main-playbook.yml

Subsequent Runs

If you need to run the playbooks multiple times, use the SSH key and the new SSH port:
ansible-playbook --inventory hosts.yml \
  -e ansible_ssh_port=SSH_PORT \
  --key-file /PATH/TO/SSH/KEY \
  main-playbook.yml
Replace SSH_PORT with your configured SSH port and /PATH/TO/SSH/KEY with the path to your SSH private key.

What Gets Configured

The Ansible playbooks automate the following security configurations:

SSH Hardening

  • Disable root login
  • Configure SSH keys
  • Set secure SSH options
  • Change default SSH port

Firewall Configuration

  • Install and configure UFW
  • Set up default deny policies
  • Allow specified services

User Management

  • Create limited user accounts
  • Configure sudo access
  • Set up proper groups

System Hardening

  • Install security updates
  • Configure fail2ban
  • Set up automatic updates
  • Additional hardening measures

Post-Playbook Verification

1. Verify SSH Access

Test SSH access with your new configuration:
ssh -p YOUR_SSH_PORT user@server-ip
2. Check Firewall Status

Verify that the firewall is active and configured correctly:
sudo ufw status
3. Review Logs

Check system logs for any issues:
sudo journalctl -xe
4. Test Services

Ensure all required services are running and accessible.
Important: After running the playbooks, thoroughly test all functionality before deploying to production. Make sure you can still access your server and all required services are working.
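Steps 1 and 2 above are manual spot checks. The script below, added here as an example and not part of the guide's playbooks or repository, turns them into a repeatable check: it reads the effective sshd configuration in the format printed by `sshd -T` and the output of `ufw status verbose`, and reports any setting the hardening should have changed (root login, password authentication, the default port, and an active default-deny firewall). The sshd and ufw samples embedded in it are constructed, the port 2222 is an assumed value for the custom SSH port, and on a real server you feed the functions live command output as shown in the trailing comment.

```sh
#!/bin/sh
# Added example: verify SSH and firewall hardening from command output.
# Not part of the guide's playbooks. All samples below are constructed.

# Constructed `sudo sshd -T` output from a hardened host (real output has
# many more lines; only the keys checked below matter). Port 2222 is an
# assumed value for the custom SSH port.
HARDENED_SSHD='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
x11forwarding no'

# Constructed `sshd -T` output from a host still on distribution defaults.
DEFAULT_SSHD='port 22
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes
x11forwarding yes'

# Constructed `sudo ufw status verbose` output for a hardened host.
HARDENED_UFW='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW IN    Anywhere'

# ... and for a host where the firewall step did not take effect.
INACTIVE_UFW='Status: inactive'

# sshd_value CONFIG KEY: print the value of KEY from `sshd -T` style output
# (one lowercase keyword and its value per line).
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# check_sshd CONFIG: return 0 if every SSH hardening expectation holds,
# otherwise print one FAIL line per problem and return 1.
check_sshd() {
    sshd_cfg=$1
    sshd_rc=0
    [ "$(sshd_value "$sshd_cfg" permitrootlogin)" = no ] \
        || { echo "FAIL sshd: PermitRootLogin is not 'no'"; sshd_rc=1; }
    [ "$(sshd_value "$sshd_cfg" passwordauthentication)" = no ] \
        || { echo "FAIL sshd: PasswordAuthentication is not 'no'"; sshd_rc=1; }
    [ "$(sshd_value "$sshd_cfg" pubkeyauthentication)" = yes ] \
        || { echo "FAIL sshd: PubkeyAuthentication is not 'yes'"; sshd_rc=1; }
    sshd_port=$(sshd_value "$sshd_cfg" port)
    { [ -n "$sshd_port" ] && [ "$sshd_port" != 22 ]; } \
        || { echo "FAIL sshd: Port is missing or still the default 22"; sshd_rc=1; }
    return $sshd_rc
}

# check_ufw STATUS: return 0 if UFW is active with a default-deny inbound
# policy, otherwise print the problems and return 1.
check_ufw() {
    ufw_status=$1
    ufw_rc=0
    printf '%s\n' "$ufw_status" | grep -q '^Status: active' \
        || { echo "FAIL ufw: firewall is not active"; ufw_rc=1; }
    printf '%s\n' "$ufw_status" | grep -q '^Default: deny (incoming)' \
        || { echo "FAIL ufw: default incoming policy is not deny"; ufw_rc=1; }
    return $ufw_rc
}

# Demonstration against the constructed samples. On the target server, run
# the same checks on live output instead:
#   check_sshd "$(sudo sshd -T)" && check_ufw "$(sudo ufw status verbose)"
if check_sshd "$HARDENED_SSHD" && check_ufw "$HARDENED_UFW"; then
    echo "hardened samples: OK"
fi
check_sshd "$DEFAULT_SSHD" || echo "default sshd sample: NOT hardened"
check_ufw "$INACTIVE_UFW" || echo "inactive ufw sample: NOT hardened"
```

Reading `sshd -T` rather than `/etc/ssh/sshd_config` is deliberate: it shows the values the daemon actually applies, including anything pulled in from `Include` directives or `Match` blocks, so a drop-in file that overrides the playbook's settings does not go unnoticed.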

Troubleshooting

If you encounter issues:
  1. Check Ansible output - The playbook provides detailed output about each task
  2. Verify variables - Ensure all variables in variables.yml are correct
  3. Test connectivity - Make sure you can reach the target server
  4. Review logs - Check both Ansible logs and system logs on the target server
For detailed manual configuration steps, refer to the other sections of this guide. The Ansible playbooks are a convenient automation layer on top of the manual processes.
