Ansible 101 – Episode 9 – First 5 min server security with Ansible

Cool to see you being proud for 10k/20k subscibers 😉 You're at 274k while I'm watching this, so cool.

@59:50 ec2 user-data and a bit of sed should sort you out…

@45:00 name: – log4j state: absent

I demand the Kubernetes Song!!!

Phenomenal presentation Jeff! I'm watching this series many times!

I just discovered your channel while searching for Raspberry Pi projects. I'm now working my way through your Ansible series. It is good to see a fellow St. Louisan that loves tech. Keep up the good work.

Never heard of Big wheel for people in charge. But have heard similar to the following quote from the cambridge online dictionary for someone taking control, even outside driving.
"Would you mind taking the wheel (= driving) for a couple of hours?" Only what I remember was "why don't you take the wheel" when playing games ages ago.
From uk.

What about the DevOps guitar solo now that you have 118k subs?

When adding a task like your yum-cron install – do you typically use a when: ansible_os_family == 'Redhat' ? Or not?

"weird that it worked on port 22 with ansible there .." It's actually something the SSH client can do and is probably configured to do in your Mac, since you were already logged in in the other terminal on port 22, when you try to login a second time it will reuse that connection looking at a matching host:port:user IIRC. Once you terminate the last connection in your terminal it drops it completely so this no longer works.
See https://www.linux.com/news/accelerating-openssh-connections-controlmaster/

Thank you Jeff for this wonderful series I am re-watching all videos to help me fully use the technology to the fullest.

Best practice is to put the johndoe sudo stuff in /etc/sudoers.d/johndoe, more easy to keep track and also easy to disable ICE, you do have to enable the include in /etc/sudoers.

Thank you so much for this awesome series and all your other work! One thing I'd like to mention is that moving the ssh port to a non-privileged port above 1023 is very controversal, see e. g. https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/ Many people even see moving ssh to another privileged port as security-by-obscurity, not gaining any more security but only reducing the noise in your logs. The most important step is disabling password login, this makes brute-forcing ssh as hard as finding a single atom in the universe. Even disabling root login does not add much more security on top of that in my opinion. Especially when you create a passwordless sudo user, I don't see any benefit for this effort?
EDIT: One word on fail2ban. While it is great to secure your webserver, there is a risk you accidently lock yourself out if you have many ssh keys and set too strict rules for the ssh port. I see no benefit using fail2ban on ssh, because guessing a secret ssh key is as impossible in 10 tries as in 10 billion tries. This might change in times of quantum computing 🙂

HI Jeff,
Thanks for the videos. I am going to assume that you issued EC2 Inbound Policies for ports 22 and 2849 beforehand? Just trying to ease my mind.

https://unix.stackexchange.com/questions/1262/where-did-the-wheel-group-get-its-name

@geerlingguy I was a bit too quick with my comment but there is additional info on how to check the validity of the sshd_config file. `sshd -f <the file to validate> -t` or `-T` for extended validation. -t is the recommended option in the sshd(8) man page.

The book about SSH that was mentioned: SSH Mastery by Michael Warren Lucas https://mwl.io/nonfiction/tools#ssh is fantastic (as are his books on SNMP, ZFS, sudo and some other useful tools, skills and operating systems) and it will probably stay on your desk for a quick lookup. He also gave a talk about OpenSSH some time ago https://www.youtube.com/watch?v=fnkG9_jy2qc but you want the book either way now that OpenSSH is in Windows 10 and Windows Server 2019 as well. (You can install it on other recent versions of Windows using https://gitlab.com/DarwinJS/ChocoPackages/tree/master/openssh and probably at some point use Ansible over SSH with Windows instead of WinRM). And you can (mis)use SSH for almost any secure connection needs you might have, shameless plug, I gave a talk about it just last year: https://www.youtube.com/watch?v=UpXqW2DFfMI

two requests. Please put Ansible 101 into it's own playlist, and please order the playlists in reverse to the way the currently are (at-least the ansible one anyway) as the YouTube playlist player plays them in reverse order currently.

Excellent video series. Thank you! Just got caught up. How do you get your roles to have 1 name in GitHub but a different name in Galaxy? Example is your Jenkins role?

Hi Jeff
Will you not be covering Chapter 7 and Chapter 8?
I was really looking forward to Dynamic inventories and the Ansible cookbooks.

can anyone help with this https://stackoverflow.com/questions/61858011/cant-checkout-export-svn-repo-with-ansible

$1000/mo for doing this?
If you don’t do it for the love of it….
It shows and comes across. Some people don’t mind, some mind a lot.