ZTL stands for Zona Traffico Limitato — the enforced restricted zones that guard Italian old towns from unauthorized traffic. This project guards your Linux servers the same way: one run and only the right people get in.
ZTL is an Ansible playbook that takes a fresh Linux server and hardens it in a single run. It creates a user with SSH key auth, locks down SSH, sets up a firewall, enables automatic security updates, and tightens kernel parameters.
- Creates a user with a generated ED25519 SSH key pair
- Moves SSH to a custom port, disables root and password login
- Configures UFW firewall (deny all incoming, allow SSH only from your IPs)
- Installs fail2ban with progressive banning
- Enables automatic security updates with auto-reboot at 02:00
- Applies kernel hardening (ASLR, SYN cookies, reverse path filtering, etc.)
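The following playbook is an added illustration of how those steps fit together in one Ansible run; it is not ZTL's own code and does not show the fail2ban or unattended-upgrades pieces. The variable names (ztl_user, ztl_ssh_port, ztl_allowed_cidrs, ztl_key_path), the 203.0.113.0/24 range, and the Debian/Ubuntu service name `ssh` are assumptions. The ordering is the security-relevant part: the new port is opened in UFW and the key installed before sshd is moved, and sshd_config is validated with `sshd -t` before being written, so a bad line cannot lock you out.

```yaml
# Added example, not ZTL's playbook. Assumes Debian/Ubuntu (UFW, service "ssh")
# and the community.crypto, community.general and ansible.posix collections.
- name: Harden a fresh Linux server in one run (illustrative)
  hosts: all
  become: true
  vars:
    ztl_user: ops                              # assumed variable names
    ztl_ssh_port: 2222
    ztl_allowed_cidrs: ["203.0.113.0/24"]      # constructed RFC 5737 example range
    ztl_key_path: "{{ playbook_dir }}/keys/{{ inventory_hostname }}_ed25519"

  tasks:
    - name: Generate an ED25519 key pair on the control machine, not the target
      community.crypto.openssh_keypair:
        path: "{{ ztl_key_path }}"
        type: ed25519
        mode: "0600"
      delegate_to: localhost
      become: false
      register: ztl_key

    - name: Create the admin user and add it to the sudo group
      ansible.builtin.user:
        name: "{{ ztl_user }}"
        shell: /bin/bash
        groups: sudo
        append: true

    - name: Install only the generated public key (exclusive removes anything else)
      ansible.posix.authorized_key:
        user: "{{ ztl_user }}"
        key: "{{ ztl_key.public_key }}"
        exclusive: true

    - name: Allow the new SSH port from the allowed ranges BEFORE sshd moves to it
      community.general.ufw:
        rule: allow
        port: "{{ ztl_ssh_port }}"
        proto: tcp
        from_ip: "{{ item }}"
      loop: "{{ ztl_allowed_cidrs }}"

    - name: Default-deny all other incoming traffic and enable the firewall
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming

    - name: Lock down sshd; each edit is validated with sshd -t before it is written
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: Port, value: "{{ ztl_ssh_port }}" }
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: KbdInteractiveAuthentication, value: "no" }
        - { key: PubkeyAuthentication, value: "yes" }
      notify: Restart sshd

    - name: Apply kernel hardening (ASLR, SYN cookies, reverse path filtering, no redirects)
      ansible.posix.sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        sysctl_set: true
        state: present
        reload: true
      loop:
        - { key: kernel.randomize_va_space, value: "2" }
        - { key: net.ipv4.tcp_syncookies, value: "1" }
        - { key: net.ipv4.conf.all.rp_filter, value: "1" }
        - { key: net.ipv4.conf.default.rp_filter, value: "1" }
        - { key: net.ipv4.conf.all.accept_redirects, value: "0" }
        - { key: net.ipv4.conf.all.send_redirects, value: "0" }

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Two caveats when adapting this: on Ubuntu releases where sshd is socket-activated (22.10 and later), a changed Port also needs `systemctl daemon-reload` and a restart of `ssh.socket`, or the listener stays on 22; and `exclusive: true` on the authorized key wipes any key you installed by hand, which is the point, but check that the generated private key is safely stored before the handler fires.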
- Install Ansible
- Copy the example inventory and fill in your details:
cp inventory.yml.example inventory.yml
- Edit inventory.yml with your server IPs and the IP ranges allowed to reach SSH
First run (fresh server with root access):

ansible-playbook ztl.yml -u root --ask-pass

All subsequent runs (connects as your created user automatically):

ansible-playbook ztl.yml

Target a specific host:

ansible-playbook ztl.yml --limit server1

Dry run:

ansible-playbook ztl.yml --check

Keep the initial root session open until you have confirmed a login as the new user, with the generated key, on the new SSH port from one of the allowed IPs; after the first run root and password logins are refused and port 22 is closed.