-
-
Save cron410/ff726833d6c55683cf267a92ad5ef886 to your computer and use it in GitHub Desktop.
Secure SSH configuration ansible playbook
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # Ansible playbook for SSH server hardening, | |
| # in line with https://stribika.github.io/2015/01/04/secure-secure-shell.html | |
| - hosts: all | |
| vars: | |
| become: true | |
| become_method: sudo | |
| tasks: | |
| # Ansible setup | |
| - name: Populate service facts | |
| service_facts: | |
| - name: Print service facts | |
| debug: | |
| var: ansible_facts.services["sshd.service"] | |
| # Specify SSH2 | |
| - name: Protocols | |
| lineinfile: | |
| path: /etc/ssh/sshd_config | |
| regexp: '^Protocol 2' | |
| line: 'Protocol 2' | |
| notify: | |
| - Restart SSHD | |
| # Removed: hmac-ripemd160 and hmac-ripemd160-etm@openssh.com | |
| # Mozilla's SSH guidelines are stricter and avoid using them. | |
| - name: MACs | |
| lineinfile: | |
| path: /etc/ssh/sshd_config | |
| regexp: '^MACs' | |
| line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' | |
| notify: | |
| - Restart SSHD | |
| - name: Key exchange | |
| lineinfile: | |
| path: /etc/ssh/sshd_config | |
| regexp: '^KexAlgorithms' | |
| line: 'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256' | |
| notify: | |
| - Restart SSHD | |
| - name: Ciphers | |
| lineinfile: | |
| path: /etc/ssh/sshd_config | |
| regexp: '^Ciphers' | |
| line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' | |
| notify: | |
| - Restart SSHD | |
| - name: Pubkey Auth Enable | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: '^#?PubkeyAuthentication' | |
| line: 'PubkeyAuthentication yes' | |
| notify: | |
| - Restart SSHD | |
| - name: Pubkey Auth Only | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: '^#?AuthenticationMethods' | |
| line: 'AuthenticationMethods publickey' | |
| notify: | |
| - Restart SSHD | |
| - name: Password Auth Disable | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: '^#?PasswordAuthentication' | |
| line: 'PasswordAuthentication no' | |
| notify: | |
| - Restart SSHD | |
| - name: ChallengeResponse Disable | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: '^#?ChallengeResponseAuthentication' | |
| line: 'ChallengeResponseAuthentication no' | |
| notify: | |
| - Restart SSHD | |
| # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise. | |
| - name: Log SFTP level file access | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: '^Subsystem.+sftp' | |
| line: 'Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO' | |
| notify: | |
| - Restart SSHD | |
| # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. | |
| - name: User key fingerprint Verbose Logging | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: '^LogLevel' | |
| line: 'LogLevel VERBOSE' | |
| notify: | |
| - Restart SSHD | |
| - name: Root Login Disable | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: '^PermitRootLogin' | |
| line: 'PermitRootLogin No' | |
| notify: | |
| - Restart SSHD | |
| # Use kernel sandbox mechanisms where possible in unprivileged processes | |
| - name: Privilege Separation Enable | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: '^UsePrivilegeSeparation' | |
| line: 'UsePrivilegeSeparation sandbox' | |
| notify: | |
| - Restart SSHD | |
| - name: Host Key ed25519 - Enable | |
| lineinfile: | |
| path: /etc/ssh/sshd_config | |
| regexp: '^HostKey /etc/ssh/ssh_host_ed25519_key' | |
| line: 'HostKey /etc/ssh/ssh_host_ed25519_key' | |
| notify: | |
| - Restart SSHD | |
| - name: Host Key RSA - Enable | |
| lineinfile: | |
| path: /etc/ssh/sshd_config | |
| regexp: '^HostKey /etc/ssh/ssh_host_rsa_key' | |
| line: 'HostKey /etc/ssh/ssh_host_rsa_key' | |
| notify: | |
| - Restart SSHD | |
| # Generate an ed25519 Host Key if it doesn't already exist. | |
| - name: Check for ed25519 Host Keys | |
| stat: | |
| path: /etc/ssh/ssh_host_ed25519_key.pub | |
| register: ed25519_key_exists | |
| changed_when: not ed25519_key_exists.stat.exists | |
| notify: generate ed25519 | |
| # Generate an RSA Host Key if it doesn't already exist. | |
| - name: Check for RSA Host Keys | |
| stat: | |
| path: /etc/ssh/ssh_host_rsa_key.pub | |
| register: rsa_key_exists | |
| changed_when: not rsa_key_exists.stat.exists | |
| notify: generate rsa | |
| - name: Host Key ECDSA Disable | |
| lineinfile: | |
| path: /etc/ssh/sshd_config | |
| regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key' | |
| state: absent | |
| notify: Restart SSHD | |
| - name: Host Key DSA Disable | |
| lineinfile: | |
| path: /etc/ssh/sshd_config | |
| regexp: '^HostKey /etc/ssh/ssh_host_dsa_key' | |
| state: absent | |
| notify: Restart SSHD | |
| - name: Find outdated Host Keys | |
| find: | |
| paths: /etc/ssh/ | |
| patterns: '^ssh_host.+dsa\w*' | |
| use_regex: true | |
| register: outdated_keys | |
| - name: List outdated host keys for Deletion | |
| debug: | |
| var: outdated_keys.files|map(attribute='path')|list | |
| - name: Delete outdated Host Keys | |
| file: | |
| state: absent | |
| path: "{{ item }}" | |
| loop: "{{ outdated_keys.files|map(attribute='path')|list }}" | |
| notify: Restart SSHD | |
| handlers: | |
| # If any of the above options or keys change, restart SSH service | |
| - name: Restart SSHD | |
| service: | |
| name: sshd | |
| state: restarted | |
| when: | |
| - ansible_facts.services["sshd.service"] ['state'] == 'active' or 'running' | |
| - ansible_facts.services["sshd.service"] ['status'] == 'enabled' | |
| # Generate an ed25519 Host Key if it doesn't already exist. | |
| - name: generate ed25519 | |
| become: true | |
| command: ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key | |
| when: (not ed25519_key_exists.stat.exists) | |
| # Generate an RSA Host Key if it doesn't already exist. | |
| - name: generate rsa | |
| become: true | |
| command: ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key | |
| when: (not rsa_key_exists.stat.exists) | |
| # Client-side, ssh_config modifications | |
| - name: Generic ssh client settings. Includes special settings for Github; it needs diffie-hellman-group-exchange-sha1 some of the time but not always. | |
| blockinfile: | |
| dest: /etc/ssh/ssh_config | |
| block: | | |
| Host * | |
| KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | |
| PasswordAuthentication no | |
| ChallengeResponseAuthentication no | |
| PubkeyAuthentication yes | |
| HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa | |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com | |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
| UseRoaming no | |
| Host github.com | |
| KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 | |
| - debug: | |
| msg: "If needed, Generate client keys using the following command: ssh-keygen -t ed25519 -o -a 100 && ssh-keygen -t rsa -b 4096 -o -a 100" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment