Puppet module which secures your Ubuntu/Debian

bridge2 at tuukkamerilainen.com

For those who just want the module, head to: https://github.com/RakField/puppet-secure-like-linode


Over the past year I have gone through the configurations in Linode's Securing Your Server guide so many times. Finally I decided to make a Puppet module to automate the process.

Alright, you might have heard about Puppet already; if not, you probably should. I have been playing with it for a couple of months and I love it already. It is so what I have been looking for. It just makes life easier. Once you have configured something once, you can do it again in minutes! :]

Puppet is open source configuration management software. Basically, you write a script in the Puppet language that describes your needs. For example, say you would like to install Apache with PHP5 and some virtual hosts: you just write the script and Puppet will do the installation. It can also be set up with a master node, where one machine acts as the puppetmaster and the others are clients which request their catalogs from the master.


Module details

So I wanted to make a module to automate the steps from this guide: https://www.linode.com/docs/security/securing-your-server

  1. Add user for administration
  2. Use SSH key pair authentication
  3. Disable SSH Password Authentication and Root Login
  4. Create a firewall
  5. Install fail2ban

This module is tested on Ubuntu 14.04 LTS and Debian 7.6.



|-- secure
|   |-- files
|   |   |-- authorized_keys
|   |   |-- iptables.firewall.rules
|   |   `-- sshd_config
|   |-- lib
|   |   `-- puppet
|   |       `-- parser
|   |           `-- functions
|   |               `-- pw_hash.rb
|   `-- manifests
|       |-- fail2ban.pp
|       |-- firewall.pp
|       |-- init.pp
|       `-- ssh.pp

Operating principle

All configuration is done by placing configuration files in specific places. For example, the module first installs the OpenSSH server and then replaces the original sshd_config file with a modified version. If you would like to make changes to the OpenSSH server configuration or the firewall, you should modify the files in secure/files.
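A check to run on secure/files/sshd_config after editing it, as an added example that is not part of the module: it confirms the file still enforces step 3 (no password authentication, no root login), applying sshd's rule that the first value obtained for a keyword wins and reporting Match blocks that re-enable either setting. The function names and the sample configuration are constructed for illustration.

```python
"""Audit an sshd_config for the step 3 settings (added example, not module code)."""
import re
import sys

# What step 3 of the guide requires; sshd keywords are case-insensitive.
REQUIRED = {"passwordauthentication": "no", "permitrootlogin": "no"}

# Constructed sample, not the module's real files/sshd_config.
SAMPLE = """\
Port 22
PermitRootLogin no
passwordauthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""


def parse(text):
    """Return (global settings, [(match condition, settings), ...])."""
    cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":  # following lines apply only to matching connections
            current = {}
            blocks.append((value, current))
            continue
        # First obtained value wins, so later duplicates are ignored.
        (cfg if current is None else current).setdefault(key, value)
    return cfg, blocks


def audit(text):
    """Return a list of findings; an empty list means step 3 is enforced."""
    cfg, blocks = parse(text)
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: global value is {got!r}, expected {want!r}")
        for cond, block in blocks:
            if key in block and block[key].lower() != want:
                findings.append(f"{key}: Match {cond} overrides to {block[key]!r}")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(audit(text)) or "step 3 settings enforced")
```

Run it with the path to the edited file as the only argument; without an argument it audits the constructed sample.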



It works almost out of the box. The first thing to do is replace the content of the authorized_keys file with your own RSA key. To use the module, you must define the user and system variables. This can be done in site.pp:

# Administration user to create and the password to set for it
adminuser {'username': usr_pw => 'userpassword', }
# Default command search path for every exec resource
Exec { path => [ "/bin/", "/sbin/" , "/usr/bin/", "/usr/sbin/" ] }


Investigate and download the module




pschyska. PW hashing with puppet parser function. URL: https://gist.github.com/pschyska/26002d5f8ee0da2a9ea0
Linode. Securing Your Server. URL: https://www.linode.com/docs/security/securing-your-server
