elnappo.secure_openssh_server

Ansible Role to Secure OpenSSH Server


This role sets up a hardened configuration for OpenSSH Server version 6.5 and above. It adds settings to your existing sshd configuration instead of replacing it.

Key Features:

  • Disable SSH version 1
  • Disable RSA Authentication (only available in version 1)
  • Prevent empty passwords
  • Allow root login only with public-key authentication (PermitRootLogin without-password)
  • Use StrictModes for security
  • Only allow recommended KexAlgorithms, Ciphers, and MACs from Secure Secure Shell
  • By default, it removes DSA and ECDSA host keys. Change the setting ssh_remove_deprecated_server_keys if you prefer to keep them.
  • Regenerate the RSA host key if it's shorter than 4096 bits (default).
  • Disable password login by default, setting MaxAuthTries to 1 and LoginGraceTime to 30 seconds.

Client Configuration

Matching hardened settings for the client side, for ~/.ssh/config:

Host *
    HashKnownHosts yes
    PasswordAuthentication no
    PubkeyAuthentication yes
    ChallengeResponseAuthentication no
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

Legacy Connection Alias

Use this alias to connect to older hosts that do not support the algorithms above; -F /dev/null makes ssh ignore your hardened ~/.ssh/config for that connection:

alias ssh_ignore="ssh -F /dev/null"

Inspiration From

Requirements

  • Ubuntu or Debian
  • OpenSSH Server version 6.5 or higher (included in Ubuntu 14.04+ and Debian 8+)

Role Variables

  • ssh_sshd_config_dir: /etc/ssh/
  • ssh_sshd_config_path: "{{ ssh_sshd_config_dir }}sshd_config"
  • ssh_permit_root_login: "without-password" (quotes are required!)
  • ssh_disable_password_login: true
  • ssh_remove_deprecated_server_keys: true (removes the DSA and ECDSA host keys and regenerates the RSA host key if it is shorter than ssh_host_rsa_key_length)
  • ssh_host_rsa_key_length: 4096
  • ssh_setup_ufw: true
  • ssh_port: 22
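An added audit script (my own example, not part of the role) that parses the effective server configuration as printed by `sshd -T` on the target host and reports anything that departs from the defaults listed under Key Features and Role Variables; the sample input below is constructed.

```python
# Constructed sample in `sshd -T` output format (lower-cased keyword, then value).
SAMPLE_SSHD_T = """\
permitrootlogin without-password
passwordauthentication no
permitemptypasswords no
strictmodes yes
maxauthtries 1
logingracetime 30
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
"""

# Values the role's defaults promise (see Key Features and Role Variables).
EXPECTED = {
    "permitrootlogin": "without-password",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "strictmodes": "yes",
    "maxauthtries": "1",
    "logingracetime": "30",
}
DEPRECATED_HOSTKEYS = ("ssh_host_dsa_key", "ssh_host_ecdsa_key")

def parse_sshd_t(text):
    """Parse `sshd -T` output into {keyword: [values]}; repeated keywords keep every value."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            config.setdefault(key.lower(), []).append(value.strip())
    return config

def audit(config):
    """Return a list of findings; an empty list means the config matches the role's defaults."""
    findings = []
    for key, want in EXPECTED.items():
        got = config.get(key, ["(missing)"])[-1]  # last occurrence wins
        if got.lower() != want:
            findings.append(f"{key}: {got} (expected {want})")
    for path in config.get("hostkey", []):
        if path.endswith(DEPRECATED_HOSTKEYS):
            findings.append(f"hostkey: deprecated host key still configured: {path}")
    for opt in ("kexalgorithms", "ciphers", "macs"):
        for algo in ",".join(config.get(opt, [])).split(","):
            if "sha1" in algo or "cbc" in algo or "md5" in algo or algo.startswith("arcfour"):
                findings.append(f"{opt}: weak algorithm enabled: {algo}")
    return findings
```

On OpenSSH 7.0 and later `sshd -T` reports the root-login setting as prohibit-password rather than without-password, so adjust EXPECTED accordingly there.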

Dependencies

None.

Example Playbook

- hosts: server
  remote_user: root
  vars:
    ssh_remove_deprecated_server_keys: false
    ssh_port: 1813
  roles:
    - { role: elnappo.secure_openssh_server }

License

MIT

Author

elnappo elnappo@nerdpol.io

About the project

Sets a secure config for openssh server >= 6.5

Install
ansible-galaxy install elnappo.secure_openssh_server
License
Unknown
Downloads
80
Owner