ssh_hardening_ansible
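---
# Hardens a fresh apt-based (Debian/Ubuntu) host for key-only SSH access by an
# unprivileged deploy user with sudo.
#
# First run is done as root. After first run, root access is disabled. Use
#   ansible-playbook -i hosts -b -u deploy ssh_hardening.yml
# If common_ssh_port is changed from 22, later runs must also set ansible_port
# in the inventory, because this play moves sshd to that port.
- hosts: all
  vars:
    # Both password values must already be crypt(3) hashes (e.g. from
    # `mkpasswd --method=sha-512` or Ansible's password_hash filter): the user
    # module stores the value verbatim. An empty value is omitted from the
    # module call (see default(omit, true) below) so the account keeps its
    # current password (root) or stays locked (deploy); passing "" through
    # to usermod could otherwise set an empty, passwordless shadow entry.
    COMMON_ROOT_PASSWORD: ""
    COMMON_DEPLOY_PASSWORD: ""
    # COMMON_LOGWATCH_EMAIL: "{{ lookup('env', 'COMMON_EMAIL') }}"
    common_deploy_user_name: deploy
    common_deploy_user_group: wheel
    # Public keys are fetched from this GitHub account at run time, so whoever
    # controls that account's keys controls deploy access to every host.
    common_github_user_name: andrzej-zuralovic
    common_required_packages:
      - ufw
      - fail2ban
      - unattended-upgrades
      # - logwatch
    common_optional_packages:
      # - mosh
      - vim
      - htop
    # NOTE(review): if this is changed, fail2ban's sshd jail still watches the
    # default ssh port unless it is configured separately — confirm on target.
    common_ssh_port: 22
    # common_mosh_from_port: 60000
    # common_mosh_to_port: 60010

  tasks:
    - name: Change root password
      user:
        name: root
        # default(omit, true) treats "" as unset, so no `-p ""` reaches usermod.
        password: "{{ COMMON_ROOT_PASSWORD | default(omit, true) }}"

    - name: Add group
      group:
        name: "{{ common_deploy_user_group }}"
        state: present

    - name: Add deploy user
      user:
        name: "{{ common_deploy_user_name }}"
        password: "{{ COMMON_DEPLOY_PASSWORD | default(omit, true) }}"
        group: "{{ common_deploy_user_group }}"
        shell: /bin/bash

    - name: Add authorized keys for deploy user
      authorized_key:
        user: "{{ common_deploy_user_name }}"
        key: "https://github.com/{{ common_github_user_name }}.keys"

    # NOPASSWD is what lets the post-first-run invocation (-b -u deploy, no
    # -K) work; it also means a compromise of the deploy key is a root
    # compromise. The regexp is anchored to the active "%group" line so a
    # commented-out example in the file is not the line that gets replaced.
    # validate runs visudo on the temporary copy before it replaces
    # /etc/sudoers, so a malformed line cannot break sudo (and, with root SSH
    # disabled below, lock you out of the host).
    - name: Add deploy user to sudoers
      lineinfile:
        dest: /etc/sudoers
        regexp: '^%{{ common_deploy_user_group }}\s+ALL'
        line: "%{{ common_deploy_user_group }} ALL=(ALL) NOPASSWD: ALL"
        state: present
        validate: 'visudo -cf %s'

    - name: Update APT package cache
      apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Upgrade APT to the latest packages
      apt:
        upgrade: safe

    # Passing the whole list to name installs it in one apt transaction
    # instead of one transaction per package via with_items.
    - name: Install required packages
      apt:
        name: "{{ common_required_packages }}"
        state: present

    - name: Install optional packages
      apt:
        name: "{{ common_optional_packages }}"
        state: present

    # The allow rule must exist before ufw is enabled with a deny policy
    # below, otherwise enabling the firewall cuts off the current session.
    - name: Allow ssh traffic
      ufw:
        rule: allow
        port: "{{ common_ssh_port }}"
        proto: tcp

    # - name: Allow mosh traffic
    #   ufw:
    #     rule: allow
    #     proto: udp
    #     port: "{{ common_mosh_from_port }}:{{ common_mosh_to_port }}"
    #   when: "'mosh' in common_optional_packages"

    - name: Setup ufw
      ufw:
        state: enabled
        policy: deny

    # - name: Set up Postfix to relay mail
    #   debconf:
    #     name: postfix
    #     question: '{{ item.question }}'
    #     value: '{{ item.value }}'
    #     vtype: '{{ item.vtype }}'
    #   with_items:
    #     - { question: 'postfix/mailname', value: '{{ ansible_fqdn }}', vtype: 'string' }
    #     - { question: 'postfix/main_mailer_type', value: 'Internet Site', vtype: 'string' }

    # - name: Email log summary daily
    #   lineinfile:
    #     dest: /etc/cron.daily/00logwatch
    #     regexp: "^/usr/sbin/logwatch"
    #     line: "/usr/sbin/logwatch --output mail --mailto {{ COMMON_LOGWATCH_EMAIL }} --detail high"
    #     state: present
    #     create: yes

    # Each sshd_config edit is checked with `sshd -t` against the temporary
    # copy before it is written, so a bad line cannot leave sshd unable to
    # start on the restart the handler triggers at the end of the play.
    # NOTE(review): when no matching directive exists, lineinfile appends at
    # end of file; if the target's sshd_config ends with a Match block the
    # appended directive would be scoped to it — confirm on the target image
    # (insertbefore: BOF would avoid that).
    - name: Change ssh port
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Port\s'
        line: "Port {{ common_ssh_port }}"
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh

    # Safe only because the authorized_key task above has already installed
    # the deploy user's keys.
    - name: Disallow password authentication
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: "PasswordAuthentication no"
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh

    - name: Disallow root SSH access
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: "PermitRootLogin no"
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh

  handlers:
    # Assumes the Debian/Ubuntu service name "ssh", consistent with the
    # apt-based package tasks above.
    - name: restart ssh
      service:
        name: ssh
        state: restarted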