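├── vars
│   ├── main.yml
│   └── RedHat.yml
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── defaults
│   └── main.yml
├── README.md
└── tasks
    └── main.yml

/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for sshd
#
# Intentionally empty: every OS-specific value lives in vars/<os_family>.yml
# (currently only RedHat.yml), loaded by the include_vars task in tasks/main.yml.
--------------------------------------------------------------------------------

/vars/RedHat.yml:
--------------------------------------------------------------------------------
---
# vars file for RedHat (EL6 / EL7)

# Path of the sshd configuration file edited by the role.
sshd_config_path: /etc/ssh/sshd_config

# Name of the init/systemd service restarted after a configuration change.
sshd_service_name: sshd

# File that `iptables-save` writes to so the EL6 ruleset survives a reboot.
sshd_iptables_data: /etc/sysconfig/iptables
--------------------------------------------------------------------------------

/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for sshd

# Persist the running EL6 ruleset; notified by the "Setup iptables" task.
# `sshd_iptables_data` is only defined in vars/RedHat.yml, which is the only
# platform this role supports.
- name: save iptables
  shell: iptables-save > {{ sshd_iptables_data }}

# Restart sshd so the edited configuration takes effect.  The lineinfile tasks
# in tasks/main.yml validate the file with `sshd -t` before writing it, so a
# restart is never attempted on a syntactically broken sshd_config.
- name: restart sshd
  service:
    name: "{{ sshd_service_name }}"
    state: restarted
--------------------------------------------------------------------------------

/meta/main.yml:
--------------------------------------------------------------------------------
---
dependencies: []

galaxy_info:
  author: z
  description: Harden the OpenSSH server configuration (port, protocol, root login, firewall).
  company:
  # Matches the "MIT / BSD" statement in README.md.
  license: MIT / BSD
  # lineinfile `validate`, firewalld and complex module args are all available at 1.7.
  min_ansible_version: 1.7
  platforms:
    - name: EL
      versions:
        - 6
        - 7
  categories:
    - system
    - security
--------------------------------------------------------------------------------

/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for sshd
#
# "yes"/"no" values are quoted so YAML does not turn them into booleans; they
# are written verbatim into sshd_config.

# standard setting - always applied
sshd_port: 22
# Skip reverse-DNS lookups of connecting clients.
sshd_use_dns: "no"
# GSSAPI (Kerberos) authentication is off unless the site needs it.
sshd_gssapi_authentication: "no"

# more secure - applied ONLY when sshd_security is true.
# NOTE(review): the hardening below, including "disable root login" advertised
# in README.md, is OFF by default; set sshd_security: true to get it.
sshd_security: false
# Disable SSH protocol 1.  On OpenSSH builds that dropped v1 support the
# Protocol keyword is deprecated/ignored - verify against the target's sshd.
sshd_protocol: 2
sshd_permit_root_login: "no"
# Password logins stay enabled by default.  Set to "no" for key-only access,
# but only after an SSH key for a sudo-capable user has been deployed, or you
# will lock yourself out.
sshd_password_authentication: "yes"

# set up firewall - open sshd_port/tcp via firewalld (EL7) or iptables (EL6)
# BEFORE sshd_config is changed.
sshd_setup_firewall: true
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Ansible Role: sshd

Set up a secure config for OpenSSH Server

* Change the sshd port (the firewall is opened for the new port first)
* Disable SSH version 1
* Disable root login
* Validate `sshd_config` with `sshd -t` before it is written, so sshd is never restarted on a broken file

## Requirements

* Before running this role, make sure a user other than root with administrative (sudo) rights has been added; with `sshd_security: true` root can no longer log in over SSH.
* If the sshd port is not changed, set `sshd_setup_firewall` to `false`, otherwise the firewall setup reports an error.
* When the port *is* changed and the firewall rule cannot be applied, the role fails before touching `sshd_config` rather than restarting sshd on a blocked port.
* On SELinux-enforcing EL7 hosts a non-default port must also be allowed for sshd (`semanage port -a -t ssh_port_t -p tcp <port>`). This role does not do that, and `sshd -t` does not detect it - sshd will fail to bind on restart.
* The "more secure" settings (`Protocol`, `PermitRootLogin`, `PasswordAuthentication`) are only applied when `sshd_security` is `true`.

## Role Variables

### `defaults/main.yml`
*default lower priority variables for this role*

* `sshd_port: 22`
* `sshd_use_dns: no`
* `sshd_gssapi_authentication: no`
* `sshd_security: false` - enable the "more secure" settings below
* `sshd_protocol: 2`
* `sshd_permit_root_login: no`
* `sshd_password_authentication: yes` - set to `no` for key-only logins once keys are deployed
* `sshd_setup_firewall: true`

### `vars/RedHat.yml`
The variables for RedHat/CentOS

* `sshd_config_path: /etc/ssh/sshd_config`
* `sshd_service_name: sshd`
* `sshd_iptables_data: /etc/sysconfig/iptables` - where `iptables-save` persists the EL6 ruleset

## Dependencies

None.

## Example Playbook

    - name: update SSH configuration to be more secure
      hosts: servers
      vars:
        sshd_port: 22
        sshd_security: true # enable the sshd hardening settings
        sshd_setup_firewall: false # the port is not changed, so no firewall rule is needed
      roles:
        - sshd

## License

MIT / BSD

## Author Information

z
--------------------------------------------------------------------------------

/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for sshd
#
# Order matters: the firewall is opened BEFORE sshd_config is edited, so that a
# port change never leaves the host reachable only on a blocked port.  Every
# sshd_config edit is validated with `sshd -t` (this role runs as root, which
# `sshd -t` needs to read the host keys) so the "restart sshd" handler never
# fires on a syntactically broken file.

# Only vars/RedHat.yml exists; fail with a clear message instead of a missing
# include_vars file on other families.
- name: Refuse to run on an unsupported OS family.
  fail:
    msg: "This role only ships variables for RedHat-family hosts (got {{ ansible_os_family }})."
  when: ansible_os_family != 'RedHat'

- name: Include OS-specific variables.
  include_vars: "{{ ansible_os_family }}.yml"

# EL7: needs a running firewalld (python-firewall); hosts using
# iptables-services instead will fail here, which the guard task below turns
# into a hard stop when the port is non-default.
- name: Setup firewalld
  firewalld:
    port: "{{ sshd_port }}/tcp"
    permanent: true
    state: enabled
    immediate: true
  register: sshd_firewalld_result
  when: sshd_setup_firewall and ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7'
  ignore_errors: True

# EL6's iptables (1.4.7) has no `-C`, so look at the live ruleset before
# inserting, instead of adding a duplicate ACCEPT rule on every run.
- name: Check whether iptables already accepts the sshd port
  shell: iptables -L INPUT -n | grep -w "dpt:{{ sshd_port }}"
  register: sshd_iptables_check
  changed_when: false
  failed_when: false
  when: sshd_setup_firewall and ansible_os_family == 'RedHat' and ansible_distribution_major_version == '6'

# Position 5 presumably lands ahead of the REJECT rule of the stock EL6
# ruleset - verify against the host.  On a shorter INPUT chain the command fails
# ("Index of insertion too big"); the error is tolerated here and caught by the
# guard task below.
- name: Setup iptables
  command: iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport {{ sshd_port }} -j ACCEPT
  register: sshd_iptables_result
  notify: save iptables
  when: sshd_setup_firewall and ansible_os_family == 'RedHat' and ansible_distribution_major_version == '6' and (sshd_iptables_check.rc|default(1)) != 0
  ignore_errors: True

# Lockout guard: if the port is non-default and neither firewall task managed
# to open it, stop before sshd_config is changed.  Skipped results carry no
# `failed`/`rc` keys, hence the defaults.
- name: Abort if the firewall could not be opened for a non-default port
  fail:
    msg: "Could not open {{ sshd_port }}/tcp in the firewall; refusing to move sshd to a port that may be unreachable."
  when: >
    sshd_setup_firewall and (sshd_port|int) != 22 and
    ((sshd_firewalld_result.failed|default(false)) or
     (sshd_iptables_result.failed|default(false)) or
     (sshd_iptables_result.rc|default(0)) != 0)

# sshd uses the FIRST occurrence of a keyword, while lineinfile replaces the
# LAST regexp match.  The regexps therefore match only uncommented directives
# (the stock "#Port 22" style lines are left alone) and a missing directive is
# inserted at the top of the file, where it wins over anything later - and
# where it cannot be swallowed by a trailing `Match` block, as an EOF append
# could be.  Hosts with a customised sshd_config carrying the same directive
# more than once should be checked by hand.
- name: Update SSH configuration to be standard setting.
  lineinfile:
    dest: "{{ sshd_config_path }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    insertbefore: BOF
    validate: "/usr/sbin/sshd -t -f %s"
  with_items:
    - { regexp: '^Port\s', line: "Port {{ sshd_port }}" }
    - { regexp: '^UseDNS\s', line: "UseDNS {{ sshd_use_dns }}" }
    - { regexp: '^GSSAPIAuthentication\s', line: "GSSAPIAuthentication {{ sshd_gssapi_authentication }}" }
  notify: restart sshd

# Hardening is opt-in (sshd_security).  `sshd -t` validates syntax only: a
# non-default Port blocked by SELinux (see README) still fails at restart time.
- name: Update SSH configuration to be more secure.
  lineinfile:
    dest: "{{ sshd_config_path }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    insertbefore: BOF
    validate: "/usr/sbin/sshd -t -f %s"
  with_items:
    - { regexp: '^Protocol\s', line: "Protocol {{ sshd_protocol }}" }
    - { regexp: '^PermitRootLogin\s', line: "PermitRootLogin {{ sshd_permit_root_login }}" }
    - { regexp: '^PasswordAuthentication\s', line: "PasswordAuthentication {{ sshd_password_authentication }}" }
  notify: restart sshd
  when: sshd_security
--------------------------------------------------------------------------------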