From 682e16dbdfeb0859cc1682371740df53099679ef Mon Sep 17 00:00:00 2001
From: olli <olli@ds9.dedyn.io>
Date: Mon, 21 Aug 2023 11:42:45 +0200
Subject: [PATCH] =?UTF-8?q?hardening.yml=20hinzugef=C3=BCgt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 hardening.yml | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 hardening.yml

diff --git a/hardening.yml b/hardening.yml
new file mode 100644
index 0000000..a494dcf
--- /dev/null
+++ b/hardening.yml
@@ -0,0 +1,71 @@
+---
+- name: Basic Debian Linux Hardening
+  hosts: all
+  tasks:
+
+    - name: check if we are in an container env by existing systemd
+      stat:
+        path: /usr/bin/systemd
+      register: nocontainer
+
+    - name: Remove root-Password
+      user:
+        name: root
+        password: '*'
+      when: nocontainer.stat.exists == true
+
+    - name: SSHD hardening
+      blockinfile:
+        path: /etc/ssh/sshd_config.d/hardening.conf
+        mode: "0444"
+        owner: root
+        group: root
+        create: yes
+        insertbefore: BOF # Beginning of the file
+        marker: "# {mark} ANSIBLE MANAGED BLOCK"
+        block: |
+          Port 22
+          Port 33
+          PermitRootLogin prohibit-password
+          PermitUserRC no
+          PermitUserEnvironment no
+          PubkeyAuthentication yes
+          X11Forwarding no
+          AllowAgentForwarding no
+          AllowTcpForwarding yes
+          Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007
+          ## Ciphers Check https://sshcheck.com/server/{{inventory_hostname}}/
+          # nmap -p22 -n -sV --script ssh2-enum-algos localhost
+          KexAlgorithms curve25519-sha256@libssh.org
+          HostKeyAlgorithms ssh-ed25519
+          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+          IgnoreRhosts yes
+          LogLevel VERBOSE
+          AddressFamily any
+        backup: yes
+        validate: /usr/sbin/sshd -T -f %s
+      notify:
+      - Restart sshd
+      when: nocontainer.stat.exists == true
+
+    - name: Disable external sftp-Subsystem
+      replace:
+        path: /etc/ssh/sshd_config
+        regexp: '(^Subsystem.*sftp.*)'
+        replace: '#\1'
+        validate: /usr/sbin/sshd -T -f %s
+        backup: yes
+      notify:
+      - Restart sshd
+      when: nocontainer.stat.exists == true
+
+
+  handlers:
+
+    - name: Restart sshd
+      service:
+        name: sshd
+        state: restarted
+
+