Ansible Practices - Part II

January 16, 2021

In this tutorial we make a few changes to the SSH service from a hardening perspective.

Create a playbook called sshd.yaml that runs on all instances and configures the sshd daemon with the following settings:

  • Set Banner to /etc/motd
  • Set MaxAuthTries to 2
  • Set PasswordAuthentication to no
  • Set UsePAM to yes
  • Set PermitRootLogin to no

Finally, restart the sshd daemon.

Note: you should use a handler for this step, so the restart only happens when something actually changed.

Let’s go.

This is the current configuration:

[screenshot: current /etc/ssh/sshd_config]

As you can see, MaxAuthTries and PermitRootLogin are already set explicitly; the other directives are commented out.

- name: Set banner
  lineinfile:
    # Match an active (uncommented) Banner line, if one exists.
    regexp: ^[ \t]*Banner([ \t]+.*)$
    # Replace it with the desired line; if nothing matches, the line is appended.
    line: Banner /etc/motd
    dest: /etc/ssh/sshd_config

We used the regular expression regexp: ^[ \t]*Banner([ \t]+.*)$ to capture the relevant line. Note that this pattern only matches an active directive: for the settings that are commented out (#Banner none), nothing matches and lineinfile appends the new line at the end of the file. sshd honours the first occurrence of a directive, so this works, but keep in mind that anything appended after a Match block at the end of the file is scoped to that block, and some directives (UsePAM among them) are not allowed inside Match at all. If you want to replace the commented line in place instead, allow an optional # in the pattern, e.g. ^#?\s*Banner\s.

The line parameter gives the desired line, and dest (an alias of path) points at the SSH configuration file. The structure is the same for every setting.

The only difference is that the task carries a notify, because sshd must be restarted for the changes to take effect. Put the notify on every task that edits the file, not just the last one: the handler runs at most once per play anyway, and if only an earlier task changes the file the restart must still happen. We could of course restart with a plain service task instead, but that would restart sshd on every run even when nothing changed.

Here is the final status of the sshd.yaml file:

[screenshot: complete sshd.yaml playbook]
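The same playbook written out, as an added example rather than a transcription of the post's screenshot. It goes a bit beyond the post: one lineinfile task loops over all five settings with a pattern that also replaces commented-out lines, the file is validated with sshd -t before it is written so a typo cannot lock you out, and a final sshd -T check asserts that the values are really in effect. Assumptions not taken from the post: the hosts are in the all group, sshd lives at /usr/sbin/sshd, and the service unit is called sshd (on Debian/Ubuntu it is ssh).

```yaml
---
# Added example: sshd hardening with lineinfile and a restart handler.
# Assumptions (not from the original post): group "all", sshd binary at
# /usr/sbin/sshd, service unit named "sshd" (use "ssh" on Debian/Ubuntu).
- name: Harden sshd configuration
  hosts: all
  become: true

  vars:
    sshd_config: /etc/ssh/sshd_config
    # Desired directives. yes/no are quoted so YAML does not turn them into booleans.
    sshd_settings:
      - { key: Banner,                 value: /etc/motd }
      - { key: MaxAuthTries,           value: "2" }
      - { key: PasswordAuthentication, value: "no" }
      - { key: UsePAM,                 value: "yes" }
      - { key: PermitRootLogin,        value: "no" }

  tasks:
    - name: Set sshd directives
      ansible.builtin.lineinfile:
        path: "{{ sshd_config }}"
        # Match the directive whether it is active or commented out, so the
        # replacement lands in place instead of being appended at the end.
        regexp: '^\s*#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        # If the directive is absent, insert it before the first Match block
        # (insertbefore is only used when regexp does not match).
        insertbefore: '^\s*Match\s'
        firstmatch: true
        # Refuse the edit if sshd rejects the resulting file.
        validate: /usr/sbin/sshd -t -f %s
      loop: "{{ sshd_settings }}"
      notify: Restart sshd

    - name: Apply the pending restart now so the check below sees the new config
      ansible.builtin.meta: flush_handlers

    - name: Read the effective configuration
      ansible.builtin.command: /usr/sbin/sshd -T
      register: sshd_effective
      changed_when: false

    - name: Verify every directive is in effect (sshd -T prints keywords in lower case)
      ansible.builtin.assert:
        that:
          - "'banner /etc/motd' in sshd_effective.stdout_lines"
          - "'maxauthtries 2' in sshd_effective.stdout_lines"
          - "'passwordauthentication no' in sshd_effective.stdout_lines"
          - "'usepam yes' in sshd_effective.stdout_lines"
          - "'permitrootlogin no' in sshd_effective.stdout_lines"
        fail_msg: "sshd -T does not report the hardened values"

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Run it with ansible-playbook -i inventory sshd.yaml. The validate step is the important safety net: lineinfile writes the candidate file to a temporary path, substitutes it for %s, and only copies it over /etc/ssh/sshd_config if sshd -t exits 0. Do this on a host you have console access to first, since PasswordAuthentication no means you must already have a working key.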

Run it with ansible-playbook:

[screenshot: ansible-playbook sshd.yaml output]

Now all the changes should be present on the clients. Let's check one of them:

[screenshot: /etc/ssh/sshd_config on a client after the run]

Done.

To be continued.



Written by Deniz Parlak