Hardening ssh configs a little bit
This commit is contained in:
		
							parent
							
								
									702cc02edd
								
							
						
					
					
						commit
						eeb4295984
					
				
							
								
								
									
										86
									
								
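--- /dev/null
+++ b/infra/static-vultr/ansible/files/ssh.conf
@@ -0,0 +1,86 @@
+PermitRootLogin yes
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+
+LoginGraceTime 1m
+PermitRootLogin prohibit-password
+StrictModes yes
+MaxAuthTries 6
+MaxSessions 3
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+
+PrintMotd no
+
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server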
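Review bot: `PermitRootLogin yes` on the first line of the file silently wins over `PermitRootLogin prohibit-password` on line 16 of the hunk, because sshd keeps the first value it reads for each keyword (sshd_config(5): "the first obtained value will be used"); the hardened setting never takes effect, so the first line should simply be deleted. The same first-match rule applies to `Include /etc/ssh/sshd_config.d/*.conf` sitting above the hardening directives: any drop-in in that directory (distribution or cloud-init files commonly set `PasswordAuthentication yes` there) overrides the `PasswordAuthentication no` further down, so either move the Include to the end of the file or confirm the target hosts ship no such drop-ins. I would also record the ordering rule next to the Include, e.g. `# sshd uses the first value seen per keyword; drop-ins included here take precedence over everything below.`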
| @ -4,4 +4,6 @@ | ||||
|   tasks: | ||||
|     - name: Setup UFW | ||||
|       import_tasks: ../tasks/ufw-setup.yml | ||||
|     - name: Harden ssh configuration | ||||
|       import_tasks: ../tasks/ssh.yml | ||||
| 
 | ||||
|  | ||||
							
								
								
									
										6
									
								
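--- /dev/null
+++ b/infra/static-vultr/ansible/tasks/ssh.yml
@@ -0,0 +1,6 @@
+- name: Harden the SSH configuration
+  copy:
+    src: ../files/ssh.conf
+    dest: /etc/sshd_config
+    mode: 644
+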
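Review bot: `dest: /etc/sshd_config` writes the hardened file to a path sshd does not read; the server's configuration file is `/etc/ssh/sshd_config` (the config itself refers to `/etc/ssh/sshd_config.d/`), so unless sshd is started with an explicit `-f`, this task changes nothing on the host. `mode: 644` is parsed by YAML as the decimal integer 644, which Ansible's documentation warns produces the wrong permission bits; write it as `"0644"`. The task also never reloads sshd and does not validate the file before installing it, so a broken config would only surface at the next restart, possibly as a lockout; `validate: /usr/sbin/sshd -t -f %s` on the copy plus a `notify` to a restart handler (which the playbook must define) address both. The rewritten task follows.
```yaml
- name: Harden the SSH configuration
  copy:
    src: ../files/ssh.conf
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    validate: /usr/sbin/sshd -t -f %s
  notify: Restart sshd   # placeholder handler name; define it in the playbook
```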