update

2 years ago · 9b02b8d339
1 changed files with 89 additions and 0 deletions
--- a/ansible-harden_ssh.yml
+++ b/ansible-harden_ssh.yml
@ -0,0 +1,89 @@
+---
+- name: Harden SSH Service
+  hosts: all
+  become: true
+
+  tasks:
+    - name: Install updates
+      apt:
+        update_cache: yes
+        upgrade: dist
+      when: ansible_os_family == 'Debian'
+
+    - name: Backup current SSH config file
+      copy:
+        src: /etc/ssh/sshd_config
+        dest: /etc/ssh/sshd_config.backup
+        owner: root
+        group: root
+        mode: '0644'
+        remote_src: yes
+
+    - name: Disable root SSH login
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PermitRootLogin'
+        line: 'PermitRootLogin no'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+#    - name: Disable SSH password authentication
+#      lineinfile:
+#        path: /etc/ssh/sshd_config
+#        regexp: '^PasswordAuthentication'
+#        line: 'PasswordAuthentication no'
+#        state: present
+#        validate: '/usr/sbin/sshd -t -f %s'
+#
+    - name: Disable empty passwords
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PermitEmptyPasswords'
+        line: 'PermitEmptyPasswords no'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+    - name: Disable X11 forwarding
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^X11Forwarding'
+        line: 'X11Forwarding no'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+    - name: Limit SSH protocol to 2
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^Protocol'
+        line: 'Protocol 2'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+    - name: Set SSH LoginGraceTime to one minute
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^LoginGraceTime'
+        line: 'LoginGraceTime 1m'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+    - name: Set maximum number of authentication attempts to 3
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^MaxAuthTries'
+        line: 'MaxAuthTries 9'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+#    - name: Set maximum sessions per network connection to 2
+#      lineinfile:
+#        path: /etc/ssh/sshd_config
+#        regexp: '^MaxSessions'
+#        line: 'MaxSessions 2'
+#        state: present
+#        validate: '/usr/sbin/sshd -t -f %s'
+#
+    - name: Restart SSH to apply changes
+      systemd:
+        name: ssh
+        state: restarted