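---
# Hardens the OpenSSH daemon on every host in the inventory.
#
# Flow: back up sshd_config, then apply each directive with lineinfile.
# Every edit is checked with `sshd -t` before it is written, so a bad value
# cannot leave the daemon unable to start. The restart is a handler and runs
# once, and only when at least one directive actually changed.
#
# Note: lineinfile matches only an uncommented directive at the start of a
# line; if the directive is absent the line is appended. On distributions
# whose sshd_config starts with an `Include` of drop-in files, an earlier
# drop-in wins (sshd keeps the first value it reads) -- verify with
# `sshd -T` after the run.
- name: Harden SSH Service
  hosts: all
  become: true

  tasks:
    - name: Install updates
      apt:
        update_cache: true
        upgrade: dist
      when: ansible_os_family == 'Debian'

    # Copy is done on the remote host (remote_src) so the pristine config
    # survives on the machine itself if a later task needs to be reverted.
    - name: Backup current SSH config file
      copy:
        src: /etc/ssh/sshd_config
        dest: /etc/ssh/sshd_config.backup
        owner: root
        group: root
        mode: '0644'
        remote_src: true

    - name: Disable root SSH login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH

    # Deliberately left disabled: turning this on locks out every account
    # that has no authorized key yet. Confirm key-based login works for an
    # administrative user on each host before enabling it.
    # - name: Disable SSH password authentication
    #   lineinfile:
    #     path: /etc/ssh/sshd_config
    #     regexp: '^PasswordAuthentication'
    #     line: 'PasswordAuthentication no'
    #     state: present
    #     validate: '/usr/sbin/sshd -t -f %s'
    #   notify: Restart SSH

    - name: Disable empty passwords
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitEmptyPasswords'
        line: 'PermitEmptyPasswords no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH

    - name: Disable X11 forwarding
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^X11Forwarding'
        line: 'X11Forwarding no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH

    # Protocol 1 was removed from OpenSSH years ago; current releases accept
    # this directive only as a deprecated no-op, so it is harmless but only
    # meaningful on very old hosts.
    - name: Limit SSH protocol to 2
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Protocol'
        line: 'Protocol 2'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH

    - name: Set SSH LoginGraceTime to one minute
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^LoginGraceTime'
        line: 'LoginGraceTime 1m'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH

    # Was 'MaxAuthTries 9', which contradicted the task name and allowed three
    # times the intended number of guesses per connection.
    - name: Set maximum number of authentication attempts to 3
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^MaxAuthTries'
        line: 'MaxAuthTries 3'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH

    # Disabled: some automation opens several sessions on one connection;
    # enable once the expected session count per host is known.
    # - name: Set maximum sessions per network connection to 2
    #   lineinfile:
    #     path: /etc/ssh/sshd_config
    #     regexp: '^MaxSessions'
    #     line: 'MaxSessions 2'
    #     state: present
    #     validate: '/usr/sbin/sshd -t -f %s'
    #   notify: Restart SSH

  handlers:
    # Runs at most once per play, and only if a notifying task reported a
    # change, so an idempotent re-run does not drop live SSH sessions.
    - name: Restart SSH
      systemd:
        # Debian-family hosts name the unit 'ssh'; RHEL-family hosts use
        # 'sshd'. The play targets all hosts, so pick by OS family.
        name: "{{ 'ssh' if ansible_os_family == 'Debian' else 'sshd' }}"
        state: restarted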