-
Notifications
You must be signed in to change notification settings - Fork 0
/
debian-harden-sshd.yml
87 lines (76 loc) · 3.31 KB
/
debian-harden-sshd.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# _ __ _ _ ____ _
# | |/ /__ ___ ____ _(_|_) _ \ __ _ _ __ | |_ ___ _ _
# | ' // _` \ \ /\ / / _` | | | |_) / _` | '_ \| __/ __| | | |
# | . \ (_| |\ V V / (_| | | | __/ (_| | | | | |_\__ \ |_| |
# |_|\_\__,_| \_/\_/ \__,_|_|_|_| \__,_|_| |_|\__|___/\__,_|
# ____ _ _ _
# [ ANSIBLE ] | _ \| | __ _ _ _| |__ ___ ___ | | _____
# Please only use | |_) | |/ _` | | | | '_ \ / _ \ / _ \| |/ / __|
# playbooks if | __/| | (_| | |_| | |_) | (_) | (_) | <\__ \
# you know what |_| |_|\__,_|\__, |_.__/ \___/ \___/|_|\_\___/
# they change/do |___/
#
# .---------| Debian "Kawaiipantsu custom" Harden SSHd config
# |
# | This is a special playbook that uses my special custom sshd
# | harden sshd_config file. This should work in most cases and
# | for production usage, all commented and easy to follow.
# |
# | Taking it directly from GIST, so single point to keep updated
# |
# | Also i have kept sftp subsystem, but would had like to
# | disable it as well but ansible is using it in many cases ...
# |
# | PS: This will add a pre-auth default message as well!!
# | Change afterwards if you dont want the default...
# `---------------------------------------------------------------
---
- hosts: debian
tasks:
- name: Get timestamp for bak files
ansible.builtin.set_fact:
bak_ts: "{{ lookup('pipe', 'date +%Y%m%dT%H%M%S') }}"
- name: Audit log output for what FQDN hosts is being custom sshd harden
ansible.builtin.debug:
msg: "This is host/server: {{ ansible_hostname }}"
- name: Backup previous sshd config and banner
shell: |
mv -n /etc/ssh/sshd_config /etc/ssh/sshd_config.{{bak_ts}}.bak 2> /dev/null || true
mv -n /etc/ssh/sshd_public_banner.txt /etc/ssh/sshd_public_banner.txt.{{bak_ts}}.bak 2> /dev/null || true
check_mode: false
changed_when: true
- name: Download custom harden sshd_config
ansible.builtin.get_url:
url: https://gist.githubusercontent.com/kawaiipantsu/b27d953de9793731b60b4636bad7a3dc/raw/sshd_config
dest: /etc/ssh/sshd_config
mode: '0644'
- name: Download public-pre-auth sshd_public_banner.txt
ansible.builtin.get_url:
url: https://gist.githubusercontent.com/kawaiipantsu/b27d953de9793731b60b4636bad7a3dc/raw/sshd_public_banner.txt
dest: /etc/ssh/sshd_public_banner.txt
mode: '0644'
- name: Get checksum of new sshd_config
stat:
path : "/etc/ssh/sshd_config"
register: sshd_config_new
- name: New sshd_config SHA1
set_fact:
file1: "{{ sshd_config_new.stat.checksum }}"
- name: Get checksum of old sshd_config
stat:
path : "/etc/ssh/sshd_config.{{bak_ts}}.bak"
register: sshd_config_bak
- name: Bak sshd_config SHA1
set_fact:
file2: "{{ sshd_config_bak.stat.checksum }}"
- name: Did we make updates to our curremt sshd config
debug:
msg: "sshd_config updated! - Will restart sshd"
failed_when: file1 != file2
register: sshd_updated
ignore_errors: true
- name: Restart SSH daemon
ansible.builtin.systemd:
name: sshd
state: restarted
when: sshd_updated