init
This commit is contained in:
Hrankin, Aleksandr (contracted)
25
ansible/roles/harden/sshd_config/tasks/main.yml
Normal file
25
ansible/roles/harden/sshd_config/tasks/main.yml
Normal file
@@ -0,0 +1,25 @@
|
||||
---
|
||||
- name: ensure sshd_config.d directory exists
|
||||
become: true
|
||||
file:
|
||||
path: "/etc/ssh/sshd_config.d"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
|
||||
- name: deploy sshd config file
|
||||
become: true
|
||||
template:
|
||||
src: "00-sshd_config-hardening.conf.j2"
|
||||
dest: "/etc/ssh/sshd_config.d/00-sshd_config-hardening.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
validate: "sshd -t -f %s"
|
||||
|
||||
- name: restart SSH service
|
||||
become: true
|
||||
service:
|
||||
name: ssh
|
||||
state: restarted
|
||||
@@ -0,0 +1,107 @@
|
||||
# --- MAIN ---
|
||||
|
||||
# Change default port 22 → {{ ssh_port }} (reduces noise from scanners)
|
||||
Port {{ ssh_port }}
|
||||
|
||||
# Optionally limit interfaces (default is all)
|
||||
# ListenAddress 0.0.0.0 # IPv4
|
||||
# ListenAddress :: # IPv6
|
||||
|
||||
# Allow only SSH protocol version 2 (v1 is insecure)
|
||||
Protocol 2
|
||||
|
||||
|
||||
# --- AUTHENTICATION ---
|
||||
|
||||
# Disable root login (only via sudo)
|
||||
PermitRootLogin prohibit-password
|
||||
|
||||
# Disable password login (keys only)
|
||||
PasswordAuthentication no
|
||||
|
||||
# Disable interactive keyboard auth (OTP, TOTP, etc.)
|
||||
KbdInteractiveAuthentication no
|
||||
|
||||
# Disable challenge-response auth (legacy)
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
# Enable public key authentication (main method)
|
||||
PubkeyAuthentication yes
|
||||
|
||||
|
||||
# --- ACCESS ---
|
||||
|
||||
# Allow only specific user
|
||||
# AllowUsers adminuser
|
||||
# Or alternatively allow a group:
|
||||
# AllowGroups sshusers
|
||||
|
||||
|
||||
# --- FUNCTION RESTRICTIONS ---
|
||||
|
||||
# Disallow empty passwords
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# Disallow user environment modification (~/.ssh/environment)
|
||||
PermitUserEnvironment no
|
||||
|
||||
# Disable X11 forwarding (no GUI sessions)
|
||||
X11Forwarding no
|
||||
|
||||
# Disable TCP forwarding (no tunnels)
|
||||
AllowTcpForwarding yes
|
||||
|
||||
# Disable gateway ports (no external binding)
|
||||
GatewayPorts no
|
||||
|
||||
# Disable VPN tunnels via SSH
|
||||
PermitTunnel no
|
||||
|
||||
# Disable SSH agent forwarding
|
||||
AllowAgentForwarding yes
|
||||
|
||||
|
||||
# --- ANTI-BRUTEFORCE & STABILITY ---
|
||||
|
||||
# Login timeout (20 seconds)
|
||||
LoginGraceTime 20
|
||||
|
||||
# Max 3 auth attempts per connection
|
||||
MaxAuthTries 3
|
||||
|
||||
# Limit simultaneous connections
|
||||
# Allow 10 new, start dropping at 30, max 60 queued
|
||||
MaxStartups 10:30:60
|
||||
|
||||
|
||||
# --- SESSION ACTIVITY ---
|
||||
|
||||
# Ping client every 300s (5 minutes)
|
||||
ClientAliveInterval 300
|
||||
|
||||
# Disconnect if no response twice
|
||||
ClientAliveCountMax 2
|
||||
|
||||
# Disable TCP keepalive
|
||||
TCPKeepAlive no
|
||||
|
||||
# Skip DNS checks for faster login
|
||||
UseDNS no
|
||||
|
||||
|
||||
# --- SFTP ---
|
||||
|
||||
# Use internal SFTP subsystem
|
||||
Subsystem sftp internal-sftp
|
||||
|
||||
|
||||
# --- CRYPTOGRAPHY (optional) ---
|
||||
|
||||
# Modern key exchange algorithms (if supported)
|
||||
# KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
|
||||
|
||||
# Modern ciphers
|
||||
# Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
|
||||
# Modern MAC algorithms
|
||||
# MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
Reference in New Issue
Block a user