siw36.ansible_ssh_hardening
Ansible SSH Hardening
=========
This role helps to secure SSH by doing the following:
- Change the SSH port
- Turn off SSH password login
- Set SELinux settings
- Allow the new SSH port in the firewall
- Install and set up fail2ban for SSH
How to Get This Role
Run the following command:
    ansible-galaxy install --roles-path ./roles/ siw36.ansible_ssh_hardening
Requirements
- A RHEL-based operating system (like RHEL, CentOS, or Fedora)
- Python 3 should be the default Python interpreter
- The user on the remote machine must be able to run `sudo` commands without needing to enter a password.
Role Variables
Name | Description | Default Value |
---|---|---|
sshPort | New SSH port | 1337 |
f2bEnabled | Enable fail2ban for SSH | true |
f2bRetries | Number of failed logins before banning | 5 |
f2bBanTime | Ban duration in seconds | 3600 |
f2bIgnoreIP | List of IPs/Subnets to ignore | 127.0.0.1/32 |
vmAdmins | List of user accounts and SSH keys with access | <none - optional> |
allowedInterfaces | Network interfaces where SSHD should be available | <none - optional> |
Example Playbook
Create a file called `playbook.yml`:

    - hosts: servers
      become: true
      roles:
        - siw36.ansible_ssh_hardening
Add this to `vars/main.yml`:

    vmAdmins:
      - user: siw36
        sshKey: ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx siw36
    allowedInterfaces:
      - eth0
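
After the playbook has run, the effective daemon settings can be checked against what this role sets out to do (new port, no password login). The following is an added example, not part of the role: it parses the output of `sshd -T`, using two constructed samples, and the function names and the `ssh_port` parameter are assumptions of this example.

```python
"""Check `sshd -T` output against the hardening this role describes."""

# Constructed sample of `sshd -T` output (effective config, lowercase keywords).
SAMPLE_HARDENED = """\
port 1337
addressfamily any
listenaddress 0.0.0.0:1337
passwordauthentication no
pubkeyauthentication yes
"""

# Constructed sample: new port added, but port 22 and passwords still active.
SAMPLE_PARTIAL = """\
port 22
port 1337
passwordauthentication yes
pubkeyauthentication yes
"""


def parse_sshd_t(text):
    """Map each keyword to the list of values it has (Port may repeat)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return settings


def audit(text, ssh_port=1337):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = parse_sshd_t(text)
    findings = []
    ports = cfg.get("port", [])
    if str(ssh_port) not in ports:
        findings.append(f"sshd is not listening on sshPort {ssh_port}")
    extra = [p for p in ports if p != str(ssh_port)]
    if extra:
        findings.append("sshd still listens on other port(s): " + ", ".join(extra))
    if cfg.get("passwordauthentication") != ["no"]:
        findings.append("passwordauthentication is not 'no'")
    return findings


if __name__ == "__main__":
    for name, sample in (("hardened", SAMPLE_HARDENED), ("partial", SAMPLE_PARTIAL)):
        print(name, audit(sample) or "OK")
```

On a real host, pass the output of `sshd -T` (run as root) to `audit()`. Without `-C`, `sshd -T` reports only the global settings, so a `Match` block that re-enables password login is not covered by this check.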
License
This project is licensed under the GNU General Public License v3.0.
Author Information
Created by Robin 'siw36' Klussmann (07/2019)