From 9b02b8d3393c194dd36fa9caf680b67595ab794a Mon Sep 17 00:00:00 2001
From: Dirk Wirts
Date: Fri, 3 Nov 2023 14:52:45 +0100
Subject: [PATCH] update
---
ansible-harden_ssh.yml | 89 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 89 insertions(+)
create mode 100644 ansible-harden_ssh.yml
diff --git a/ansible-harden_ssh.yml b/ansible-harden_ssh.yml
new file mode 100644
index 0000000..6150161
--- /dev/null
+++ b/ansible-harden_ssh.yml
@@ -0,0 +1,89 @@
+---
+- name: Harden SSH Service
+ hosts: all
+ become: true
+
+ tasks:
+ - name: Install updates
+ apt:
+ update_cache: yes
+ upgrade: dist
+ when: ansible_os_family == 'Debian'
+
+ - name: Backup current SSH config file
+ copy:
+ src: /etc/ssh/sshd_config
+ dest: /etc/ssh/sshd_config.backup
+ owner: root
+ group: root
+ mode: '0644'
+ remote_src: yes
+
+ - name: Disable root SSH login
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^PermitRootLogin'
+ line: 'PermitRootLogin no'
+ state: present
+ validate: '/usr/sbin/sshd -t -f %s'
+
+# - name: Disable SSH password authentication
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '^PasswordAuthentication'
+# line: 'PasswordAuthentication no'
+# state: present
+# validate: '/usr/sbin/sshd -t -f %s'
+#
+ - name: Disable empty passwords
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^PermitEmptyPasswords'
+ line: 'PermitEmptyPasswords no'
+ state: present
+ validate: '/usr/sbin/sshd -t -f %s'
+
+ - name: Disable X11 forwarding
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^X11Forwarding'
+ line: 'X11Forwarding no'
+ state: present
+ validate: '/usr/sbin/sshd -t -f %s'
+
+ - name: Limit SSH protocol to 2
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^Protocol'
+ line: 'Protocol 2'
+ state: present
+ validate: '/usr/sbin/sshd -t -f %s'
+
+ - name: Set SSH LoginGraceTime to one minute
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^LoginGraceTime'
+ line: 'LoginGraceTime 1m'
+ state: present
+ validate: '/usr/sbin/sshd -t -f %s'
+
+ - name: Set maximum number of authentication attempts to 3
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^MaxAuthTries'
+ line: 'MaxAuthTries 9'
+ state: present
+ validate: '/usr/sbin/sshd -t -f %s'
+
+# - name: Set maximum sessions per network connection to 2
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '^MaxSessions'
+# line: 'MaxSessions 2'
+# state: present
+# validate: '/usr/sbin/sshd -t -f %s'
+#
+ - name: Restart SSH to apply changes
+ systemd:
+ name: ssh
+ state: restarted
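Review bot: The task named "Set maximum number of authentication attempts to 3" writes `line: 'MaxAuthTries 9'`, which is above OpenSSH's default of 6, so this task loosens the limit rather than tightening it; it should be `line: 'MaxAuthTries 3'` (or the task renamed if 9 is really intended). The closing "Restart SSH to apply changes" task restarts sshd unconditionally on every run and hard-codes the Debian unit name `ssh` while the play targets `hosts: all`, so the play is not idempotent and will likely fail on hosts whose unit is `sshd`; moving it under `handlers:` and adding `notify` to each `lineinfile` task restarts the daemon only when a directive actually changed. `Protocol 2` is treated as a deprecated option by current OpenSSH (protocol 1 support was removed), so the "Limit SSH protocol to 2" task only produces a validator warning and could be dropped. Style: `update_cache: yes` and `remote_src: yes` should be `true` per Ansible and yamllint conventions, and on distributions whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` a value set in an included file takes precedence over the edited line, so the effective settings are worth checking with `sshd -T` after the run.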