Cloudflare DNS-01 ACME:
- Switch Traefik cert resolver from httpChallenge to dnsChallenge using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1)
- Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container
- Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml
- Store API token in Ansible Vault

Docker daemon hardening:
- Add log-driver: json-file with max-size 10m / max-file 3 (prevents disk fill from unbounded container logs)
- Add live-restore: true (containers survive Docker daemon restart)

Kernel hardening (sysctl):
- New roles/base/tasks/sysctl.yml via ansible.posix.sysctl
- IP spoofing protection (rp_filter)
- Disable ICMP redirects and broadcast pings
- SYN flood protection (syncookies, backlog)
- Disable IPv6 (not used)
- Restrict kernel pointers and dmesg to root
- Disable SysRq, suid core dumps

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
# Kernel hardening via sysctl.
#
# Every parameter below is set live and persisted to
# /etc/sysctl.d/99-hardening.conf so it survives a reboot; the 99- prefix
# makes this the last drop-in processed, so it overrides distro defaults.
# Values are quoted on purpose so YAML does not re-type them.

- name: Apply kernel hardening parameters
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
    sysctl_file: /etc/sysctl.d/99-hardening.conf
    reload: true
  loop:
    # Network: reverse-path filtering against IP spoofing.
    # NOTE(review): "1" is strict mode, which can drop legitimate traffic on
    # hosts with asymmetric routing (multi-homed, VPN, some container
    # layouts); "2" (loose) is the usual fallback — confirm on this host.
    - name: net.ipv4.conf.all.rp_filter
      value: "1"
    - name: net.ipv4.conf.default.rp_filter
      value: "1"

    # Network: neither accept nor emit ICMP redirects (route hijacking).
    - name: net.ipv4.conf.all.accept_redirects
      value: "0"
    - name: net.ipv4.conf.default.accept_redirects
      value: "0"
    - name: net.ipv4.conf.all.send_redirects
      value: "0"
    - name: net.ipv4.conf.default.send_redirects
      value: "0"
    # Kept even though IPv6 is disabled further down — defence in depth if
    # IPv6 is ever re-enabled.
    - name: net.ipv6.conf.all.accept_redirects
      value: "0"
    - name: net.ipv6.conf.default.accept_redirects
      value: "0"

    # Network: do not answer broadcast pings (smurf amplification).
    - name: net.ipv4.icmp_echo_ignore_broadcasts
      value: "1"

    # Network: stop logging bogus ICMP error responses (log noise).
    - name: net.ipv4.icmp_ignore_bogus_error_responses
      value: "1"

    # Network: SYN flood resistance — cookies plus a larger backlog and
    # fewer retransmits of SYN/SYN-ACK.
    - name: net.ipv4.tcp_syncookies
      value: "1"
    - name: net.ipv4.tcp_max_syn_backlog
      value: "2048"
    - name: net.ipv4.tcp_synack_retries
      value: "2"
    - name: net.ipv4.tcp_syn_retries
      value: "5"

    # Network: IPv6 is not used on these hosts, so turn it off on all
    # interfaces, including loopback.
    - name: net.ipv6.conf.all.disable_ipv6
      value: "1"
    - name: net.ipv6.conf.default.disable_ipv6
      value: "1"
    - name: net.ipv6.conf.lo.disable_ipv6
      value: "1"

    # Kernel: only root may read the kernel ring buffer.
    - name: kernel.dmesg_restrict
      value: "1"

    # Kernel: hide kernel addresses from everyone, root included.
    - name: kernel.kptr_restrict
      value: "2"

    # Kernel: disable the magic SysRq key entirely.
    - name: kernel.sysrq
      value: "0"

    # Memory: no core dumps from setuid programs (may contain secrets).
    - name: fs.suid_dumpable
      value: "0"