add ssh-enforcement playbook

This commit is contained in:
staticsafe 2020-08-22 15:47:16 -04:00
parent b6946a3e26
commit 2bfed5b9ed
5 changed files with 54 additions and 0 deletions


@ -0,0 +1 @@
ssh-rsa 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 Network Management
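Review bot: The single "Network Management" key installed here becomes the only root credential on every `cloud` host (the tasks copy it to `/root/.ssh/authorized_keys`), so the per-key fingerprint logging that `LogLevel VERBOSE` in sshd_config is added for cannot attribute a login to an individual operator. If the key is shared, consider one key per operator in this file, or at least document in the key comment where the private key lives and who holds it. An `from="..."` option on the key line would additionally pin accepted source addresses, if the management hosts are fixed.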


@ -0,0 +1,26 @@
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
# Some of the Debian specific options sans X11 Forwarding
# X11 Forwarding is turned off because we don't run X11 on servers
ChallengeResponseAuthentication no
PrintMotd no
AcceptEnv LANG LC_*
UsePAM yes
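Review bot: Password logins are disabled only indirectly: the comment above `AuthenticationMethods publickey` states that passwords are off, but there is no explicit `PasswordAuthentication no` line, `UsePAM yes` keeps the PAM stack active, and `PermitRootLogin` is left at the distribution default even though the play connects as root. Any later edit that widens `AuthenticationMethods` would silently re-enable password authentication, so pin the intent twice by adding `PasswordAuthentication no` and `PermitRootLogin prohibit-password` directly under `AuthenticationMethods publickey`. The comment on `LogLevel VERBOSE` also reads "which key was using to log in"; "which key was used to log in" is what is meant.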


@ -0,0 +1,5 @@
- name: restart sshd
service:
name: ssh
state: restarted
enabled: yes
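Review bot: `enabled: yes` is a YAML 1.1 truthy word rather than a canonical boolean; the `service` module accepts it, but `enabled: true` is what yamllint's truthy rule expects and reads unambiguously. A `---` document start is also missing from this handlers file while the tasks file in the same commit has one. `state: restarted` is reasonable only if the config copy that notifies this handler validates the file first, since a failed sshd restart removes the listener on every cloud host at once.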


@ -0,0 +1,15 @@
---
# This task enforces our OpenSSH server config and authorized_keys for
# cloud servers
- name: Copy our authorized_keys
copy:
src: authorized_keys
dest: /root/.ssh/authorized_keys
- name: Copy our sshd_config
copy:
src: sshd_config
dest: /etc/ssh/sshd_config
notify:
- restart sshd
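Review bot: The `Copy our sshd_config` task has no `validate:` argument, so a syntax error in the pushed config is only discovered when the `restart sshd` handler fires, at which point root key login to every cloud host is already broken; the copy module's `validate: /usr/sbin/sshd -t -f %s` rejects the file before it is installed. Neither copy sets `owner`/`group`/`mode`, so `authorized_keys` inherits whatever permissions the module applies by default, and sshd's default StrictModes refuses the file if it is group- or world-writable. The first copy also presumes `/root/.ssh` already exists; if that is not guaranteed on fresh images, a preceding `file: state=directory mode="0700"` task would be needed. The proposed task bodies:
```yaml
- name: Copy our authorized_keys
  copy:
    src: authorized_keys
    dest: /root/.ssh/authorized_keys
    owner: root
    group: root
    mode: "0600"
- name: Copy our sshd_config
  copy:
    src: sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - restart sshd
```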


@ -73,3 +73,10 @@
roles:
- ipset-deploy
- name: SSH Enforcement
hosts: cloud
user: root
roles:
- ssh-enforcement
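Review bot: `user: root` uses the legacy alias of the play keyword; `remote_user: root` is the form the Ansible playbook keyword documentation lists, and matching it keeps this play consistent with linters that flag the alias. The surrounding play list starts before this hunk, so whether the other plays already use `remote_user` cannot be confirmed from here. Since this play intentionally disables password login for root, a short comment on the play, `# Requires the pushed authorized_keys to include the key used by this controller`, would spare the next operator a lockout.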