added ssh_hardening role

ansible/roles/ssh_hardening/README.md

@@ -0,0 +1,9 @@
+Role Name
+=========
+
+Role for copy a hardened sshd_config and restarts the ssh service
+
+License
+-------
+
+BSD

ansible/roles/ssh_hardening/defaults/main.yml

@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+---
+# defaults file for ssh_hardening

ansible/roles/ssh_hardening/files/sshd_config

@@ -0,0 +1,41 @@
+#LogLevel VERBOSE
+Protocol 2
+PrintMotd no
+
+UseDNS no
+TCPKeepAlive no
+
+Compression no
+IgnoreRhosts yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+AllowStreamLocalForwarding no
+DisableForwarding yes
+
+PermitTunnel no
+
+X11Forwarding no
+
+AuthenticationMethods publickey
+PasswordAuthentication no
+UsePAM yes
+ChallengeResponseAuthentication no
+MaxAuthTries 6
+PermitEmptyPasswords no
+PermitRootLogin no
+
+Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
+HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
+
+ClientAliveCountMax 3
+ClientAliveInterval 500
+PermitUserEnvironment no
+
+MaxSessions 3
+
+Subsystem sftp internal-sftp

ansible/roles/ssh_hardening/handlers/main.yml

@@ -0,0 +1,8 @@
+#SPDX-License-Identifier: MIT-0
+---
+# handlers file for ssh_hardening
+
+- name: restart_sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted

ansible/roles/ssh_hardening/meta/main.yml

@@ -0,0 +1,35 @@
+#SPDX-License-Identifier: MIT-0
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

ansible/roles/ssh_hardening/tasks/main.yml

@@ -0,0 +1,12 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for ssh_hardening
+
+- name: Copy hardened sshd config
+  ansible.builtin.copy:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0600
+  notify: restart_sshd

ansible/roles/ssh_hardening/tests/inventory

@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+localhost
+

ansible/roles/ssh_hardening/tests/test.yml

@@ -0,0 +1,6 @@
+#SPDX-License-Identifier: MIT-0
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - ssh_hardening

ansible/roles/ssh_hardening/vars/main.yml

@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+---
+# vars file for ssh_hardening