debian.ansible.basics/hardening.yml

72 lines
2.0 KiB
YAML
Raw Normal View History

2023-08-21 11:42:45 +02:00
---
- name: Basic Debian Linux Hardening
hosts: all
tasks:
- name: check if we are in an container env by existing systemd
stat:
path: /usr/bin/systemd
register: nocontainer
2023-09-28 12:49:13 +02:00
# - name: Remove root-Password
# user:
# name: root
# password: '*'
# when: nocontainer.stat.exists == true
2023-08-21 11:42:45 +02:00
- name: SSHD hardening
blockinfile:
path: /etc/ssh/sshd_config.d/hardening.conf
mode: "0444"
owner: root
group: root
create: yes
insertbefore: BOF # Beginning of the file
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
Port 22
Port 33
PermitRootLogin prohibit-password
PermitUserRC no
PermitUserEnvironment no
PubkeyAuthentication yes
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding yes
Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007
## Ciphers Check https://sshcheck.com/server/{{inventory_hostname}}/
# nmap -p22 -n -sV --script ssh2-enum-algos localhost
KexAlgorithms curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
IgnoreRhosts yes
LogLevel VERBOSE
AddressFamily any
backup: yes
validate: /usr/sbin/sshd -T -f %s
2024-10-23 09:10:43 +02:00
notify:
- Restart sshd
2023-08-21 11:42:45 +02:00
when: nocontainer.stat.exists == true
- name: Disable external sftp-Subsystem
replace:
path: /etc/ssh/sshd_config
regexp: '(^Subsystem.*sftp.*)'
replace: '#\1'
validate: /usr/sbin/sshd -T -f %s
backup: yes
2024-10-23 09:10:43 +02:00
notify:
- Restart sshd
2023-08-21 11:42:45 +02:00
when: nocontainer.stat.exists == true
2024-10-23 09:10:43 +02:00
handlers:
- name: Restart sshd
service:
name: ssh
state: restarted
2023-08-21 11:42:45 +02:00