🔐 Hardened Linux Infrastructure with Ansible: Meet oslock

Gautam Jha

As DevOps engineers, securing infrastructure should never be an afterthought. Whether you're managing Ethereum nodes, production databases, or internal tooling, hardening your Linux servers is a must. That's why I built oslock, an opinionated, production-ready Ansible role that automates the crucial system hardening steps.

This project is hosted in the GitHub repo Hardened Linux Infrastructure and is designed as a plug-and-play role that locks down a fresh server with minimal effort.


🚨 Why Harden Your Linux Systems?

A default Linux install is tuned for convenience, not for exposure to the internet. A few of the common ways such a host gets compromised:

  • Brute-force attacks on SSH.

  • Outdated packages vulnerable to known exploits.

  • Unrestricted sudo access, or SSH logins that still accept passwords.

  • No audit trail for changes to critical files or for the commands run on the host.

  • Firewall misconfiguration (or no host firewall at all), leaving services exposed.

A consistent hardening baseline keeps a single weak default or misconfiguration from turning into a full compromise.


πŸ›‘οΈ What oslock Does

The oslock role automates a wide range of critical hardening tasks using Ansible. Here's what it configures:

✅ 1. Enforces SSH Key-based Authentication

Passwords are guessable, reused, and brute-forceable; with key-based authentication an attacker needs your private key, not a lucky guess. The role requires the SSH_PUBLIC_KEY variable so you can still log in after password authentication is disabled. Check that the key you supply matches the private key on your workstation before running the play: a typo here locks you out of the host.


🔒 2. Creates a Secure, New Sudo User

A new user is created with:

  • A password taken from USER_PASSWORD

  • Sudo access without a password prompt (NOPASSWD)

  • A .ssh directory with restrictive permissions containing your public key

The username comes from NEW_USER in variables.yaml. Two things to keep in mind: USER_PASSWORD sits in plaintext in variables.yaml, so keep that file out of version control or encrypt it with ansible-vault; and because sudo is passwordless, whoever holds the matching private key gets root on every host, so protect that key with a passphrase or a hardware token.


πŸ” 3. Changes the SSH Port

By default, SSH listens on port 22, which is frequently targeted by bots and scanners. This role changes the SSH port to NEW_SSH_PORT (default is 6500) to reduce attack surface. It's security-through-obscurity done right, in combination with stronger controls.
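
Here is how these three controls (the sudo user, the authorized key, and the sshd changes including the port move) can be expressed as Ansible tasks. This is an added example written for this page, not the oslock role's own task file. It uses the variable names from variables.yaml, assumes a Debian/Ubuntu target (service name ssh, ufw installed) running OpenSSH 8.2 or later whose sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and the handler name, the sudoers.d file name and the drop-in file name are our own choices. PermitRootLogin no goes beyond what the post lists and is marked as such in the code.

```yaml
# Added example for this page, not the oslock role's own tasks.
# Assumes Debian/Ubuntu (service "ssh", ufw present) and OpenSSH >= 8.2, whose
# sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf".
- name: Create the sudo user and harden SSH
  hosts: all
  become: true
  vars:                                    # same names as variables.yaml in the post
    NEW_USER: "gautam"
    USER_PASSWORD: "mypassword"            # in practice: vault-encrypted, never committed
    NEW_SSH_PORT: 6500
    SSH_PUBLIC_KEY: "ssh-ed25519 AAAA..."  # placeholder, use your own key
  tasks:
    - name: Create the user with a SHA-512 crypt hash (password_hash needs passlib on Python >= 3.13)
      ansible.builtin.user:
        name: "{{ NEW_USER }}"
        password: "{{ USER_PASSWORD | password_hash('sha512') }}"
        shell: /bin/bash
        groups: sudo
        append: true

    - name: Grant passwordless sudo via a sudoers.d drop-in, syntax-checked before it is installed
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ NEW_USER }}"      # file name is our choice
        content: "{{ NEW_USER }} ALL=(ALL) NOPASSWD:ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    - name: Install the public key (the module creates ~/.ssh 0700 and authorized_keys 0600)
      ansible.posix.authorized_key:
        user: "{{ NEW_USER }}"
        key: "{{ SSH_PUBLIC_KEY }}"
        exclusive: true                   # stray keys baked into the image do not survive

    - name: Allow the new SSH port in ufw before sshd moves to it
      community.general.ufw:
        rule: allow
        port: "{{ NEW_SSH_PORT }}"
        proto: tcp

    # sshd keeps the FIRST value it reads for each keyword. A "00-" drop-in sorts
    # ahead of cloud-init's 50-cloud-init.conf, which otherwise re-enables passwords.
    - name: Write the sshd hardening drop-in, validated with sshd -t before it lands
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/00-hardening.conf   # file name is our choice
        content: |
          Port {{ NEW_SSH_PORT }}
          PubkeyAuthentication yes
          PasswordAuthentication no
          ChallengeResponseAuthentication no
          PermitRootLogin no
        mode: "0600"
        validate: /usr/sbin/sshd -t -f %s
      notify: restart ssh

  handlers:
    - name: restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted
```

The ansible.posix and community.general collections ship with the full ansible package (install them with ansible-galaxy collection install if you only have ansible-core). One caveat for recent Ubuntu releases (22.10 and later): ssh is socket-activated there, so a Port directive in sshd_config is ignored until you either disable ssh.socket and enable ssh.service, or give ssh.socket a ListenStream override for the new port.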


βš™οΈ 4. Applies Kernel-Level Hardening

System parameters (via sysctl) are tuned to:

  • Prevent SYN flood attacks (tcp_syncookies)

  • Enable source address validation (rp_filter)

  • Block ICMP broadcast pings (used in smurf attacks)

  • Disable source routing (prevents IP spoofing)
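
The same settings as an Ansible task, added here as an example for this page (it is not the oslock role's own code). The sysctl file name is our choice, and the last four entries (ICMP redirects) go beyond the post's list but are commonly paired with them.

```yaml
# Added example for this page, not the oslock role's own task file.
- name: Kernel network hardening via sysctl
  hosts: all
  become: true
  tasks:
    - name: Apply now and persist hardened network sysctls
      ansible.posix.sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_file: /etc/sysctl.d/60-hardening.conf   # file name is our choice
        sysctl_set: true      # set the live value, not only the file
        reload: true
        state: present
      loop:
        # SYN flood mitigation: hand out SYN cookies once the backlog fills
        - { name: net.ipv4.tcp_syncookies, value: "1" }
        # Reverse-path filtering. "all" covers existing interfaces, "default"
        # covers ones created later. 1 = strict; use 2 (loose) on multi-homed
        # hosts with asymmetric routing or legitimate packets are dropped.
        - { name: net.ipv4.conf.all.rp_filter, value: "1" }
        - { name: net.ipv4.conf.default.rp_filter, value: "1" }
        # Do not answer pings sent to a broadcast address (smurf amplification)
        - { name: net.ipv4.icmp_echo_ignore_broadcasts, value: "1" }
        # Reject source-routed packets: the sender must not dictate the path
        - { name: net.ipv4.conf.all.accept_source_route, value: "0" }
        - { name: net.ipv4.conf.default.accept_source_route, value: "0" }
        - { name: net.ipv6.conf.all.accept_source_route, value: "0" }
        - { name: net.ipv6.conf.default.accept_source_route, value: "0" }
        # Beyond the post's list: neither accept nor send ICMP redirects,
        # which can otherwise rewrite this host's routing decisions
        - { name: net.ipv4.conf.all.accept_redirects, value: "0" }
        - { name: net.ipv4.conf.default.accept_redirects, value: "0" }
        - { name: net.ipv4.conf.all.send_redirects, value: "0" }
        - { name: net.ipv6.conf.all.accept_redirects, value: "0" }
```

Verify on the host with sysctl net.ipv4.tcp_syncookies net.ipv4.conf.all.rp_filter. Note that containers share the host kernel, so these settings belong on the VM or bare-metal host, not inside a container.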


πŸ›‘οΈ 5. Enables Unattended Upgrades

This ensures your system stays up-to-date with security patches without requiring manual intervention.


πŸ” 6. Sets Up a Local Firewall (UFW)

  • Denies all incoming traffic by default

  • Allows all outgoing traffic

  • Allows only the SSH port explicitly

This locks down unnecessary exposure.


🚓 7. Installs & Configures Fail2ban

To stop brute-force attempts against SSH (and, if you add jails, other services), Fail2ban tails the authentication log and temporarily bans source IPs that exceed a failure threshold. Because the role moves SSH off port 22, the sshd jail has to be told the new port: the stock jail bans on port = ssh, i.e. 22, so a ban would not cover the port attackers are actually hitting.
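
Unattended upgrades, the UFW policy and the Fail2ban jail from sections 5 to 7, as Ansible tasks. This is an added example for this page, not the oslock role's own code; it assumes a Debian/Ubuntu target, and the apt configuration file name, the jail file name and the ban thresholds are our own choices.

```yaml
# Added example for this page, not the oslock role's own tasks. Debian/Ubuntu assumed.
- name: Unattended upgrades, UFW and Fail2ban
  hosts: all
  become: true
  vars:
    NEW_SSH_PORT: 6500      # same variable as in variables.yaml
  tasks:
    - name: Install the packages (python3-systemd lets Fail2ban read the journal)
      ansible.builtin.apt:
        name: [unattended-upgrades, ufw, fail2ban, python3-systemd]
        state: present
        update_cache: true

    - name: Turn on periodic list refresh and unattended upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
        mode: "0644"

    # Order matters: allow the SSH port first, then set the policies, then enable.
    # Enabling a default-deny firewall before the rule exists drops this session.
    - name: Allow the (non-default) SSH port
      community.general.ufw:
        rule: allow
        port: "{{ NEW_SSH_PORT }}"
        proto: tcp

    - name: Default deny incoming, allow outgoing
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }

    - name: Enable the firewall
      community.general.ufw:
        state: enabled

    # The stock sshd jail bans on "port = ssh" (22). Point it at the real port,
    # or bans never cover the socket attackers are hitting. backend = systemd
    # reads the journal, so it works on hosts that have no /var/log/auth.log.
    - name: Configure the sshd jail for the moved port
      ansible.builtin.copy:
        dest: /etc/fail2ban/jail.d/sshd.local     # file name is our choice
        content: |
          [sshd]
          enabled = true
          backend = systemd
          port = {{ NEW_SSH_PORT }}
          maxretry = 5
          findtime = 10m
          bantime = 1h
        mode: "0644"
      notify: restart fail2ban

  handlers:
    - name: restart fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: restarted
        enabled: true
```

After the run, fail2ban-client status sshd shows the jail, its port filter and the currently banned addresses, and ufw status verbose should list exactly one ALLOW IN rule, for the SSH port.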


📜 8. Adds Custom Auditd Rules

Auditing is often overlooked. With this in place:

  • Writes and attribute changes to /etc/passwd and /etc/sudoers are logged

  • Every process execution (the execve syscall) is recorded, giving you a command history that users cannot edit

  • Malicious or unauthorized changes can be traced after the fact

Be aware that execve auditing is high volume, so size and rotate /var/log/audit accordingly; and since a root-level attacker can truncate a local log, ship audit events off the host (an audisp plugin or your log shipper) if you want them to survive a compromise.
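
An auditd rule set covering the post's two categories, installed and loaded with Ansible. This is an added example for this page, not the oslock role's own rules; the rules file name and the keys (identity, sudoers, exec) are our choices, and the extra watches on /etc/shadow, /etc/group and /etc/sudoers.d go slightly beyond the post's list.

```yaml
# Added example for this page, not the oslock role's own tasks. Debian/Ubuntu assumed.
- name: Auditd rules for identity files and process execution
  hosts: all
  become: true
  tasks:
    - name: Install auditd
      ansible.builtin.apt:
        name: auditd
        state: present

    - name: Install the rule set (file name and keys are our choices)
      ansible.builtin.copy:
        dest: /etc/audit/rules.d/50-hardening.rules
        content: |
          ## Identity and privilege files: log writes (w) and attribute changes (a)
          -w /etc/passwd -p wa -k identity
          -w /etc/shadow -p wa -k identity
          -w /etc/group -p wa -k identity
          -w /etc/sudoers -p wa -k sudoers
          -w /etc/sudoers.d/ -p wa -k sudoers
          ## Every successful or failed execve on both ABIs; high volume, so
          ## make sure /var/log/audit is sized and rotated for it
          -a always,exit -F arch=b64 -S execve -k exec
          -a always,exit -F arch=b32 -S execve -k exec
          ## Add "-e 2" as the last line once the rules are stable: it makes them
          ## immutable until reboot, which also means this task then fails to
          ## reload until the host is rebooted.
        mode: "0640"
      notify: reload audit rules

  handlers:
    - name: reload audit rules
      ansible.builtin.command: augenrules --load
```

To query the result on the host: ausearch -k identity shows who touched the account files, and ausearch -k exec -x sudo lists every sudo invocation with its arguments and the originating user (auid), which survives privilege escalation.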


🚀 How to Use the Role

  1. Clone the repo

     git clone https://github.com/devops-gautamjha/Hardened-Linux-Infrastructure.git
     cd Hardened-Linux-Infrastructure
    
  2. Edit variables.yaml
    Replace the placeholders with real values:

     NEW_USER: "gautam"
     USER_PASSWORD: "mypassword"
     NEW_SSH_PORT: 6500
     SSH_PUBLIC_KEY: "ssh-rsa AAAA..."

    USER_PASSWORD is a secret, so do not commit this file as-is: encrypt it with ansible-vault encrypt variables.yaml and add --ask-vault-pass (or --vault-password-file) to the run below; Ansible decrypts a vaulted extra-vars file transparently.
    
  3. Edit host.ini

     mynode ansible_host=192.168.1.100 ansible_user=root

  4. Run the Playbook

     ansible-playbook my-playbook.yaml -i host.ini -e "@variables.yaml"

    Keep your current session open until a fresh login as NEW_USER on NEW_SSH_PORT with your key has succeeded. After that, update host.ini to the new user and port (ansible_user=<NEW_USER> ansible_port=<NEW_SSH_PORT>): the run moved sshd and disabled password logins, so the original root-on-port-22 entry no longer connects.
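
A complete my-playbook.yaml that applies the role and then verifies the result over the hardened port is shown below as an added example for this page; it is not the file from the repository. It assumes the role is named oslock, that NEW_USER and NEW_SSH_PORT arrive from variables.yaml via -e "@variables.yaml", that the controller's private key matches SSH_PUBLIC_KEY, and that sudo is passwordless for the new user (as the role configures it) so the second play can become root without a prompt. The expected sysctl values assume strict rp_filter.

```yaml
# my-playbook.yaml: added example for this page, not the repository's own file.
# Assumes the role is named "oslock" and that NEW_USER / NEW_SSH_PORT come from
# variables.yaml via -e "@variables.yaml".
- name: Apply the oslock baseline (connects as root on port 22 per host.ini)
  hosts: all
  become: true
  roles:
    - oslock

- name: Verify the baseline over the hardened port, as the new user
  hosts: all
  become: true
  vars:                                   # play vars override the inventory's connection settings
    ansible_user: "{{ NEW_USER }}"
    ansible_port: "{{ NEW_SSH_PORT }}"
  tasks:
    - name: Effective sshd settings (sshd -T prints lower-case "keyword value" lines)
      ansible.builtin.command: /usr/sbin/sshd -T
      register: sshd_t
      changed_when: false

    - name: Effective sysctl values, one per line in the order requested
      ansible.builtin.command: >-
        sysctl -n net.ipv4.tcp_syncookies net.ipv4.conf.all.rp_filter
        net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.conf.all.accept_source_route
      register: sysctls
      changed_when: false

    - name: Firewall and Fail2ban state
      ansible.builtin.command: "{{ item }}"
      loop:
        - ufw status verbose
        - fail2ban-client status sshd
      register: svc
      changed_when: false

    - name: Assert the hardened baseline is in effect
      ansible.builtin.assert:
        that:
          - "'passwordauthentication no' in sshd_t.stdout_lines"
          - "('port ' ~ NEW_SSH_PORT) in sshd_t.stdout_lines"
          - "sysctls.stdout_lines == ['1', '1', '1', '0']"
          - "'Status: active' in svc.results[0].stdout"
          - "'Default: deny (incoming), allow (outgoing)' in svc.results[0].stdout"
          - "(NEW_SSH_PORT ~ '/tcp') in svc.results[0].stdout"
          - "'Currently banned' in svc.results[1].stdout"
        fail_msg: "{{ inventory_hostname }} does not match the hardened baseline"
```

Run it exactly as in step 4. If the second play cannot connect, the first play changed the port or disabled password authentication before your key was usable; reconnect through your still-open session (or the provider's console) and fix the key before re-running.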
    

🧠 Why This Project Matters

Security isn't just about tools; it's about consistency and automation. Doing these tasks by hand is error-prone, time-consuming, and hard to replicate across environments.

With oslock, you ensure every server you provision meets the same hardened baseline. Whether it's your cloud VMs, Ethereum validator nodes, or internal infra, oslock helps you start secure and stay secure.


📄 License

MIT, open for contributions and forks. Just don't forget to put your own SSH key in variables.yaml 😉


🔗 GitHub

👉 https://github.com/devops-gautamjha/Hardened-Linux-Infrastructure


🙌 Author

Built by Gautam Jha, a DevOps engineer with a mission to make infra safer, smarter, and more scalable.

