
Hardening SSH service

This follows the traditional hardening steps, but applies them with a modern, automated method: Ansible. The items covered here are:

  • Disabling the root user login and instead creating a different user, granting it the sudo privilege if required:
    - name: create new user
      user:
        name: "{{ new_user_name }}"
        # The user module expects an already-hashed password, not plaintext
        password: "{{ new_user_password | password_hash('sha512') }}"
        shell: /bin/bash
        groups: sudo
        append: yes
  • Using key-based authentication to log in. Instead of relying on password-based authentication, we generate an SSH key pair and add the public key to the user's authorized_keys file:
    - name: add ssh key for new user
      authorized_key:
        user: "{{ new_user_name }}"
        key: "{{ lookup('file', '/home/user/.ssh/id_rsa.pub') }}"
        state: present
  • Some configuration tweaks in the SSH daemon configuration file, for example PermitRootLogin, PubkeyAuthentication, and PasswordAuthentication. The regexp makes lineinfile replace an existing (possibly commented-out) directive instead of appending a duplicate at the end of the file:
    - name: ssh configuration tweaks
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^\s*#?\s*{{ item.split()[0] }}\s'
        line: "{{ item }}"
        state: present
        backup: yes
      with_items:
        - "PermitRootLogin no"
        - "PasswordAuthentication no"
      notify:
        - restart ssh
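The three steps above belong to one procedure, so here they are combined into a single runnable playbook. This is an added example, not code from the book or from the dev-sec project. It assumes a Debian/Ubuntu target (the sudo group and the ssh service name; on RHEL-style systems the service is sshd), that the variables new_user_name and new_user_password are supplied (ideally from an Ansible Vault file), and that the control node has an ed25519 public key at ~/.ssh/id_ed25519.pub. The login check task, the validate argument and the Match-block note are additions that go beyond the original snippets:

```yaml
---
# Added example: SSH hardening play that combines user creation, key
# installation and sshd_config tweaks, with two lockout safeguards.
# Assumptions: Debian/Ubuntu target, vars provided by the caller/vault,
# local public key at ~/.ssh/id_ed25519.pub.
- name: Harden SSH on Debian/Ubuntu hosts
  hosts: all
  become: yes
  vars:
    new_user_name: deploy                      # assumed name
    new_user_password: "{{ vault_new_user_password }}"  # assumed vault variable
    local_pubkey: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_ed25519.pub') }}"
    sshd_settings:
      - { key: PermitRootLogin,          value: "no" }
      - { key: PasswordAuthentication,   value: "no" }
      - { key: PubkeyAuthentication,     value: "yes" }
      - { key: ChallengeResponseAuthentication, value: "no" }

  tasks:
    - name: Create admin user with a hashed password
      user:
        name: "{{ new_user_name }}"
        # user expects a crypt(3)-style hash; password_hash needs passlib
        # on the control node for some platforms
        password: "{{ new_user_password | password_hash('sha512') }}"
        shell: /bin/bash
        groups: sudo
        append: yes

    - name: Install the public key for the new user
      authorized_key:
        user: "{{ new_user_name }}"
        key: "{{ local_pubkey }}"
        state: present

    # Safeguard 1: prove key-based login already works before passwords are
    # disabled, so a bad key cannot lock us out of the host.
    - name: Verify key-based login works from the control node
      command: >
        ssh -o BatchMode=yes -o PasswordAuthentication=no
            -o StrictHostKeyChecking=accept-new
            {{ new_user_name }}@{{ ansible_host | default(inventory_hostname) }} true
      delegate_to: localhost
      become: no
      changed_when: false

    # Safeguard 2: validate the edited file with sshd -t before it is
    # written; a syntax error would otherwise leave sshd unable to restart.
    - name: Apply sshd_config settings (replace existing or commented lines)
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^\s*#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        state: present
        backup: yes
        validate: '/usr/sbin/sshd -t -f %s'
      with_items: "{{ sshd_settings }}"
      notify: restart ssh

  handlers:
    - name: restart ssh
      service:
        name: ssh          # "sshd" on RHEL-family systems
        state: restarted
```

Two caveats worth checking on a real host. First, a directive that ends up after a Match block in sshd_config applies only to that block, which is exactly where a lineinfile without regexp would append it; after the play, run sshd -T on the target and confirm the effective values of permitrootlogin and passwordauthentication. Second, keep your current session open until a fresh key-based login in a second terminal succeeds; the handler restarts the daemon, and any mistake in the config or key only surfaces on the next connection.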

For more advanced SSH hardening (ciphers, MACs, key exchange algorithms and client-side settings), see the dev-sec team's ansible-ssh-hardening role: https://github.com/dev-sec/ansible-ssh-hardening
