From 6330015120f950761630757207f1497c99d98d08 Mon Sep 17 00:00:00 2001
From: m0e
Date: Thu, 30 Oct 2025 15:27:25 +0100
Subject: [PATCH] added ssh_hardening role

---
 ansible/roles/ssh_hardening/README.md | 9 ++++
 ansible/roles/ssh_hardening/defaults/main.yml | 3 ++
 ansible/roles/ssh_hardening/files/sshd_config | 41 +++++++++++++++++++
 ansible/roles/ssh_hardening/handlers/main.yml | 8 ++++
 ansible/roles/ssh_hardening/meta/main.yml | 35 ++++++++++++++++
 ansible/roles/ssh_hardening/tasks/main.yml | 12 ++++++
 ansible/roles/ssh_hardening/tests/inventory | 3 ++
 ansible/roles/ssh_hardening/tests/test.yml | 6 +++
 ansible/roles/ssh_hardening/vars/main.yml | 3 ++
 9 files changed, 120 insertions(+)
 create mode 100644 ansible/roles/ssh_hardening/README.md
 create mode 100644 ansible/roles/ssh_hardening/defaults/main.yml
 create mode 100644 ansible/roles/ssh_hardening/files/sshd_config
 create mode 100644 ansible/roles/ssh_hardening/handlers/main.yml
 create mode 100644 ansible/roles/ssh_hardening/meta/main.yml
 create mode 100644 ansible/roles/ssh_hardening/tasks/main.yml
 create mode 100644 ansible/roles/ssh_hardening/tests/inventory
 create mode 100644 ansible/roles/ssh_hardening/tests/test.yml
 create mode 100644 ansible/roles/ssh_hardening/vars/main.yml

diff --git a/ansible/roles/ssh_hardening/README.md b/ansible/roles/ssh_hardening/README.md
new file mode 100644
index 0000000..701a701
--- /dev/null
+++ b/ansible/roles/ssh_hardening/README.md
@@ -0,0 +1,9 @@
+Role Name
+=========
+
+Role for copy a hardened sshd_config and restarts the ssh service
+
+License
+-------
+
+BSD
diff --git a/ansible/roles/ssh_hardening/defaults/main.yml b/ansible/roles/ssh_hardening/defaults/main.yml
new file mode 100644
index 0000000..6e51294
--- /dev/null
+++ b/ansible/roles/ssh_hardening/defaults/main.yml
@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+---
+# defaults file for ssh_hardening
diff --git a/ansible/roles/ssh_hardening/files/sshd_config b/ansible/roles/ssh_hardening/files/sshd_config
new file mode 100644
index 0000000..f98ac84
--- /dev/null
+++ b/ansible/roles/ssh_hardening/files/sshd_config
@@ -0,0 +1,41 @@
+#LogLevel VERBOSE
+Protocol 2
+PrintMotd no
+
+UseDNS no
+TCPKeepAlive no
+
+Compression no
+IgnoreRhosts yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+AllowStreamLocalForwarding no
+DisableForwarding yes
+
+PermitTunnel no
+
+X11Forwarding no
+
+AuthenticationMethods publickey
+PasswordAuthentication no
+UsePAM yes
+ChallengeResponseAuthentication no
+MaxAuthTries 6
+PermitEmptyPasswords no
+PermitRootLogin no
+
+Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
+HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
+
+ClientAliveCountMax 3
+ClientAliveInterval 500
+PermitUserEnvironment no
+
+MaxSessions 3
+
+Subsystem sftp internal-sftp
diff --git a/ansible/roles/ssh_hardening/handlers/main.yml b/ansible/roles/ssh_hardening/handlers/main.yml
new file mode 100644
index 0000000..96c3169
--- /dev/null
+++ b/ansible/roles/ssh_hardening/handlers/main.yml
@@ -0,0 +1,8 @@
+#SPDX-License-Identifier: MIT-0
+---
+# handlers file for ssh_hardening
+
+- name: restart_sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
diff --git a/ansible/roles/ssh_hardening/meta/main.yml b/ansible/roles/ssh_hardening/meta/main.yml
new file mode 100644
index 0000000..36b9858
--- /dev/null
+++ b/ansible/roles/ssh_hardening/meta/main.yml
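Review bot: `LogLevel VERBOSE` is left commented out on the first line of sshd_config, so the server will not record which key fingerprint each login used — the single most useful sshd datum for incident response — and I would enable it as `LogLevel VERBOSE`. `HostKeyAlgorithms` lists `rsa-sha2-512,rsa-sha2-256` ahead of `ssh-ed25519`, but the only `HostKey` directive names the ed25519 key, so the RSA entries are dead unless an RSA host key is declared too; either add `HostKey /etc/ssh/ssh_host_rsa_key` or trim the list to `ssh-ed25519`. `KexAlgorithms` starts with `sntrup761x25519-sha512@openssh.com`, which sshd builds older than roughly OpenSSH 8.5 reject as an unknown algorithm and then refuse to start, so the list should be checked against the fleet's OpenSSH versions before this file is rolled out with an unconditional restart behind it. `Protocol 2` and `ChallengeResponseAuthentication` are legacy spellings (the latter is now `KbdInteractiveAuthentication`) that current sshd still accepts, so they are harmless but worth modernising while the file is new.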
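Review bot: The handler restarts a unit named `sshd`, which on Debian/Ubuntu hosts is normally `ssh` (an `sshd` alias exists on some releases but is not guaranteed), so the role should resolve the unit name per OS family, e.g. `name: "{{ ssh_service_name }}"` with the value set in vars by `ansible_os_family`. `state: restarted` is also stronger than a configuration change needs; `state: reloaded` makes sshd re-read its config without tearing down the listener. Either way the handler fires even when the new file does not parse, so the copy task that notifies it is where a validation step belongs.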
@@ -0,0 +1,35 @@
+#SPDX-License-Identifier: MIT-0
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  galaxy_tags: []
+  # List tags for your role here, one per line. A tag is a keyword that describes
+  # and categorizes the role. Users find roles by searching for tags. Be sure to
+  # remove the '[]' above, if you add tags to this list.
+  #
+  # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+  # Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
diff --git a/ansible/roles/ssh_hardening/tasks/main.yml b/ansible/roles/ssh_hardening/tasks/main.yml
new file mode 100644
index 0000000..d60874b
--- /dev/null
+++ b/ansible/roles/ssh_hardening/tasks/main.yml
@@ -0,0 +1,12 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for ssh_hardening
+
+- name: Copy hardened sshd config
+  ansible.builtin.copy:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0600
+  notify: restart_sshd
diff --git a/ansible/roles/ssh_hardening/tests/inventory b/ansible/roles/ssh_hardening/tests/inventory
new file mode 100644
index 0000000..03ca42f
--- /dev/null
+++ b/ansible/roles/ssh_hardening/tests/inventory
@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+localhost
+
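Review bot: `min_ansible_version: 2.1` contradicts the tasks and handlers, which use `ansible.builtin.*` fully-qualified collection names that only resolve on ansible-core 2.10 and later; it should read `min_ansible_version: "2.10"` or higher. The `author`, `description` and `license` fields are still the `ansible-galaxy init` placeholders (`license: license (GPL-2.0-or-later, MIT, etc)`), and the license named there, the `BSD` in the README and the `MIT-0` SPDX headers in every YAML file disagree with one another, so one should be chosen and the three made to agree.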
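Review bot: The copy task writes straight to `/etc/ssh/sshd_config` and then notifies a restart, so a typo or a directive the installed sshd does not understand leaves the daemon unable to start and the host unreachable over SSH — a self-lockout with no automatic way back. `ansible.builtin.copy` has a `validate` parameter for exactly this; adding `validate: /usr/sbin/sshd -t -f %s` makes the task fail before the file is replaced and before the handler fires, and `backup: true` keeps the previous file recoverable from a console. Replacing the whole file also drops the `Include /etc/ssh/sshd_config.d/*.conf` line that Debian/Ubuntu and recent RHEL ship, which is arguably desired for hardening but means distro or cloud-init drop-ins are silently ignored rather than overridden, and the README should say so. Finally, `mode: 0600` is an unquoted YAML octal that ansible-lint flags as risky; `mode: "0600"` is the unambiguous form.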
diff --git a/ansible/roles/ssh_hardening/tests/test.yml b/ansible/roles/ssh_hardening/tests/test.yml
new file mode 100644
index 0000000..517da50
--- /dev/null
+++ b/ansible/roles/ssh_hardening/tests/test.yml
@@ -0,0 +1,6 @@
+#SPDX-License-Identifier: MIT-0
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - ssh_hardening
diff --git a/ansible/roles/ssh_hardening/vars/main.yml b/ansible/roles/ssh_hardening/vars/main.yml
new file mode 100644
index 0000000..0e96b9f
--- /dev/null
+++ b/ansible/roles/ssh_hardening/vars/main.yml
@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+---
+# vars file for ssh_hardening
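Review bot: `remote_user: root` in the test play conflicts with the `PermitRootLogin no` that the role installs: against any host reached over SSH the first run succeeds and every later run is refused, so the play is not re-runnable and only works where the connection is local. The test should use an unprivileged `remote_user` with `become: true`, which is also the access model the hardened config enforces, and the inventory should state `ansible_connection=local` for `localhost` rather than relying on implicit handling.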