1 changed files with 89 additions and 0 deletions
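--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_SHOWN.yml
@@ -0,0 +1,89 @@
+---
+- name: Harden SSH Service
+  hosts: all
+  become: true
+
+  tasks:
+    - name: Install updates
+      apt:
+        update_cache: yes
+        upgrade: dist
+      when: ansible_os_family == 'Debian'
+
+    - name: Backup current SSH config file
+      copy:
+        src: /etc/ssh/sshd_config
+        dest: /etc/ssh/sshd_config.backup
+        owner: root
+        group: root
+        mode: '0644'
+        remote_src: yes
+
+    - name: Disable root SSH login
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PermitRootLogin'
+        line: 'PermitRootLogin no'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+    # - name: Disable SSH password authentication
+    #   lineinfile:
+    #     path: /etc/ssh/sshd_config
+    #     regexp: '^PasswordAuthentication'
+    #     line: 'PasswordAuthentication no'
+    #     state: present
+    #     validate: '/usr/sbin/sshd -t -f %s'
+    #
+    - name: Disable empty passwords
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PermitEmptyPasswords'
+        line: 'PermitEmptyPasswords no'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+    - name: Disable X11 forwarding
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^X11Forwarding'
+        line: 'X11Forwarding no'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+    - name: Limit SSH protocol to 2
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^Protocol'
+        line: 'Protocol 2'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+    - name: Set SSH LoginGraceTime to one minute
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^LoginGraceTime'
+        line: 'LoginGraceTime 1m'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+    - name: Set maximum number of authentication attempts to 3
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^MaxAuthTries'
+        line: 'MaxAuthTries 9'
+        state: present
+        validate: '/usr/sbin/sshd -t -f %s'
+
+    # - name: Set maximum sessions per network connection to 2
+    #   lineinfile:
+    #     path: /etc/ssh/sshd_config
+    #     regexp: '^MaxSessions'
+    #     line: 'MaxSessions 2'
+    #     state: present
+    #     validate: '/usr/sbin/sshd -t -f %s'
+    #
+    - name: Restart SSH to apply changes
+      systemd:
+        name: ssh
+        state: restarted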
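Review bot: The task named "Set maximum number of authentication attempts to 3" writes `line: 'MaxAuthTries 9'`, so the name and the value disagree; the name and the usual hardening baseline point to `line: 'MaxAuthTries 3'`. The backup task copies with `remote_src: yes` and no `force: false`, so a second run of the play overwrites the backup with the already-hardened file; `force: false` on that copy task (or `backup: true` on each lineinfile) keeps the pristine config. Each `regexp: '^...'` pattern does not match the commented `#PermitRootLogin`-style defaults, so lineinfile appends at end of file, and if the host's sshd_config ends with a `Match` block the appended directives land inside it without `sshd -t` complaining; `insertbefore: '^Match'` with `firstmatch: true` avoids that. The final restart targets unit `ssh`, which is the Debian name, while `hosts: all` plus the Debian-only guard on the update task imply other families are in scope where the unit is `sshd`; a handler notified by the lineinfile tasks would also skip the restart when nothing changed. `Protocol 2` is presumably ignored as a deprecated directive by current OpenSSH releases and could be dropped.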