From 2bfed5b9ed47f7d7d2d5f28d5dd6d5859444f91d Mon Sep 17 00:00:00 2001
From: staticsafe
Date: Sat, 22 Aug 2020 15:47:16 -0400
Subject: [PATCH] add ssh-enforcement playbook
---
.../ssh-enforcement/files/authorized_keys | 1 +
.../roles/ssh-enforcement/files/sshd_config | 26 +++++++++++++++++++
.../roles/ssh-enforcement/handlers/main.yml | 5 ++++
ubuntu/roles/ssh-enforcement/tasks/main.yml | 15 +++++++++++
ubuntu/site.yml | 7 +++++
5 files changed, 54 insertions(+)
create mode 100644 ubuntu/roles/ssh-enforcement/files/authorized_keys
create mode 100644 ubuntu/roles/ssh-enforcement/files/sshd_config
create mode 100644 ubuntu/roles/ssh-enforcement/handlers/main.yml
create mode 100644 ubuntu/roles/ssh-enforcement/tasks/main.yml
diff --git a/ubuntu/roles/ssh-enforcement/files/authorized_keys b/ubuntu/roles/ssh-enforcement/files/authorized_keys
new file mode 100644
index 0000000..b6a95bd
--- /dev/null
+++ b/ubuntu/roles/ssh-enforcement/files/authorized_keys
@@ -0,0 +1 @@
+ssh-rsa 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 Network Management
diff --git a/ubuntu/roles/ssh-enforcement/files/sshd_config b/ubuntu/roles/ssh-enforcement/files/sshd_config
new file mode 100644
index 0000000..75739a7
--- /dev/null
+++ b/ubuntu/roles/ssh-enforcement/files/sshd_config
@@ -0,0 +1,26 @@
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# Password based logins are disabled - only public key based logins are allowed.
+AuthenticationMethods publickey
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Some of the Debian specific options sans X11 Forwarding
+# X11 Forwarding is turned off because we don't run X11 on servers
+ChallengeResponseAuthentication no
+PrintMotd no
+AcceptEnv LANG LC_*
+UsePAM yes
diff --git a/ubuntu/roles/ssh-enforcement/handlers/main.yml b/ubuntu/roles/ssh-enforcement/handlers/main.yml
new file mode 100644
index 0000000..d08f85d
--- /dev/null
+++ b/ubuntu/roles/ssh-enforcement/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart sshd
+ service:
+ name: ssh
+ state: restarted
+ enabled: yes
diff --git a/ubuntu/roles/ssh-enforcement/tasks/main.yml b/ubuntu/roles/ssh-enforcement/tasks/main.yml
new file mode 100644
index 0000000..4a51b1a
--- /dev/null
+++ b/ubuntu/roles/ssh-enforcement/tasks/main.yml
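Review bot: PermitRootLogin and PasswordAuthentication are left at their compiled-in defaults even though this file replaces sshd_config wholesale and the role installs root's authorized_keys; state the intent that the comment above `AuthenticationMethods publickey` describes by adding `PermitRootLogin prohibit-password` and `PasswordAuthentication no` directly below it. The X11 comment says forwarding is turned off, but no directive does so, so add `X11Forwarding no` beside `ChallengeResponseAuthentication no` instead of relying on the default. If the target release's packaged config carries an `Include /etc/ssh/sshd_config.d/*.conf` line, replacing the file drops every drop-in placed there — confirm that is intended and say so in the header comment. The LogLevel comment reads "which key was using to log in"; presumably "which key was used to log in".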
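Review bot: `enabled: yes` lives inside the `restart sshd` handler, so the service is only enabled on a run where sshd_config changes; on a host whose config is already in place the handler never fires and enablement is never asserted. Keep the handler to `state: restarted` and assert `enabled: yes` from a `service` task in tasks/main.yml that runs every time. The service is named `ssh` while the handler is named `restart sshd`; that matches Ubuntu's unit name, but a one-line comment such as `# Ubuntu's unit is "ssh", not "sshd"` would save the next reader a check.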
@@ -0,0 +1,15 @@
+---
+# This task enforces our OpenSSH server config and authorized_keys for
+# cloud servers
+
+- name: Copy our authorized_keys
+ copy:
+ src: authorized_keys
+ dest: /root/.ssh/authorized_keys
+
+- name: Copy our sshd_config
+ copy:
+ src: sshd_config
+ dest: /etc/ssh/sshd_config
+ notify:
+ - restart sshd
diff --git a/ubuntu/site.yml b/ubuntu/site.yml
index 160214c..cf11ae0 100644
--- a/ubuntu/site.yml
+++ b/ubuntu/site.yml
@@ -73,3 +73,10 @@ roles: - ipset-deploy
+
+- name: SSH Enforcement
+ hosts: cloud
+ user: root
+
+ roles:
+ - ssh-enforcement
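Review bot: The `Copy our sshd_config` task has no `validate:`, so a typo in files/sshd_config reaches /etc/ssh/sshd_config and the notified restart takes sshd down on every host in the `cloud` group at once; add `validate: /usr/sbin/sshd -t -f %s` so the file is syntax-checked before it is written. The `Copy our authorized_keys` task sets neither owner nor mode, and `copy` does not create parent directories, so the task fails outright on a host without `/root/.ssh` and otherwise leaves the key file with whatever mode the module defaults to; create the directory with `mode: '0700'` first and set `mode: '0600'` on the key file explicitly, since sshd's StrictModes rejects loosely-permissioned keys. Because this key grants root login, consider restricting it in files/authorized_keys with options such as `from="<management-network-placeholder>"` or `restrict`. The rewritten tasks are below.

```yaml
- name: Ensure /root/.ssh exists with strict permissions
  file:
    path: /root/.ssh
    state: directory
    owner: root
    group: root
    mode: '0700'

- name: Copy our authorized_keys
  copy:
    src: authorized_keys
    dest: /root/.ssh/authorized_keys
    owner: root
    group: root
    mode: '0600'

- name: Copy our sshd_config
  copy:
    src: sshd_config
    dest: /etc/ssh/sshd_config
    # reject the change before it lands if sshd cannot parse the new file
    validate: /usr/sbin/sshd -t -f %s
  # … unchanged: notify restart sshd …
```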
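Review bot: `user: root` on the new play is the deprecated alias of `remote_user`; write it as `remote_user: root`. This play connects directly as root, and the role it applies then replaces root's authorized_keys and forces `AuthenticationMethods publickey`, so the key the control node uses must be the one in roles/ssh-enforcement/files/authorized_keys or the next run locks itself out; a comment on the play stating that precondition is worth adding, e.g. `# Precondition: the control node's key is the one shipped in roles/ssh-enforcement/files/authorized_keys`. The surrounding plays in site.yml are outside the hunk, so whether they already use `remote_user` cannot be checked here.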