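---
# SSH hardening tasks
#
# Each loop item rewrites one sshd_config directive in place. The "^#?"
# prefix matches the directive whether it is active or commented out
# (the stock file ships most of them as "#Directive value"); lineinfile
# replaces the last matching line and appends the line if nothing matches.
#
# Limits that were previously hard-coded (MaxAuthTries, ClientAliveInterval,
# ClientAliveCountMax) are now overridable via role variables; their defaults
# are the former fixed values, so existing callers see no change.
#
# NOTE(review): on hosts whose sshd_config starts with an Include of
# sshd_config.d/*.conf, sshd keeps the first value it reads, so a directive
# set in an included drop-in wins over the one written here — confirm
# against the target distribution.

- name: Configure SSH daemon
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    # Run sshd's own syntax check on the temporary copy before it replaces
    # the live file, so a bad value cannot leave the host unreachable.
    validate: 'sshd -t -f %s'
  loop:
    - regexp: "^#?Port"
      line: "Port {{ common_ssh_port }}"
    - regexp: "^#?PermitRootLogin"
      line: "PermitRootLogin {{ common_ssh_permit_root_login }}"
    - regexp: "^#?PasswordAuthentication"
      line: "PasswordAuthentication {{ common_ssh_password_authentication }}"
    - regexp: "^#?PubkeyAuthentication"
      line: "PubkeyAuthentication {{ common_ssh_pubkey_authentication }}"
    # Fixed hardening choice; not exposed as a variable on purpose.
    - regexp: "^#?X11Forwarding"
      line: "X11Forwarding no"
    - regexp: "^#?MaxAuthTries"
      line: "MaxAuthTries {{ common_ssh_max_auth_tries | default(3) }}"
    # Idle sessions are dropped after interval * count_max seconds
    # (300 * 2 = 10 minutes with the defaults).
    - regexp: "^#?ClientAliveInterval"
      line: "ClientAliveInterval {{ common_ssh_client_alive_interval | default(300) }}"
    - regexp: "^#?ClientAliveCountMax"
      line: "ClientAliveCountMax {{ common_ssh_client_alive_count_max | default(2) }}"
  # The "Restart sshd" handler is expected to be defined in the role's handlers.
  notify: Restart sshd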