In this tutorial, we're going to make some changes to the SSH service from a hardening perspective.
Create a playbook called sshd.yaml that runs on all instances and configures the sshd daemon with these settings:
- Set Banner to /etc/motd
- Set MaxAuthTries to 2
- Set PasswordAuthentication to no
- Set UsePAM to yes
- Set PermitRootLogin to no
Finally, restart the sshd daemon.
Note: You should use a handler to perform this operation.
This is the current configuration:
As you can see, the MaxAuthTries and PermitRootLogin settings are enabled; the others are commented out.
- name: Set banner
  lineinfile:
    regexp: ^[ \t]*Banner([ \t]+.*)$
    line: Banner /etc/motd
    dest: /etc/ssh/sshd_config
We used a regular expression to capture the relevant line with
regexp: ^[ \t]*Banner([ \t]+.*)$.
With the line parameter, we specified the desired line. Then the SSH configuration file is set with the dest parameter. The main structure is the same for all of the settings.
The only difference is that we used notify on the last change, because we must reload the sshd daemon to activate the changes. Of course, we could use the service module too.
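As an added example (not the tutorial's own sshd.yaml), here is one way to write the whole playbook as a single looped lineinfile task plus the restart handler. The service name sshd, the path /usr/sbin/sshd, and the regexp that also matches commented-out lines are my assumptions.

```yaml
# Added example: harden sshd with lineinfile and restart it through a handler.
- name: Harden sshd
  hosts: all
  become: true
  vars:
    # Constructed list of the five settings from the tutorial.
    sshd_settings:
      - { key: Banner, value: /etc/motd }
      - { key: MaxAuthTries, value: "2" }
      - { key: PasswordAuthentication, value: "no" }
      - { key: UsePAM, value: "yes" }
      - { key: PermitRootLogin, value: "no" }
  tasks:
    - name: Set sshd options
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Match the active or commented-out line so the old value is replaced
        # in place instead of being appended below any trailing "Match" block.
        regexp: '^#?\s*{{ item.key }}\s+.*$'
        line: '{{ item.key }} {{ item.value }}'
        # Refuse to write a config that sshd itself rejects; otherwise the
        # restart handler could lock us out of every host at once.
        validate: /usr/sbin/sshd -t -f %s
      loop: '{{ sshd_settings }}'
      loop_control:
        label: '{{ item.key }}'
      notify: restart sshd
  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd   # assumption: "ssh" on Debian-based hosts
        state: restarted
```

Because PasswordAuthentication is switched off, make sure your inventory hosts already accept the key you run the playbook with before applying it.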
Here is the final status of the sshd.yaml file:
Run it with ansible-playbook:
Now all changes should be present on the clients. Let's check one of them.
To be continued.