An Ansible role to harden SSH on Centos 7 with several options, like using a trusted CA.
This role is based on insights gained working with DISA-STIG, CIS, USG, NCSC, NIST, PCI, and other security norms. After scanning with openscap, I audited my server using the SSH Observatory of Mozilla, and finally with ssh-audit. I can still connect to Centos 7 with macOS Mojave.
I can run port forwarding, X11Forwarding, but an incredible amount of options is configurable.
distribute_ssh_keys: true
In any larger organization, use of SSH key management solutions is almost
necessary. SSH keys should also be moved to root-owned locations with proper provisioning and termination processes. Users will not be able to modify their
pubkey because the immutable file attribute is set.
AuthorizedKeysFile: '/etc/ssh/authorized_keys/%u'
This role can be used to manage access to SSH by the means of signed ssh keys, and to sftp with OTP.
See SECURITY.md
manage_ssh_groups: true # Default is false.
Creates groups for various purposes.
ssh_groups:
with_items:
- wheel
- staff
- users
- games
- chroot
manage_ssh_users: true # Default is false.
Adds all users in 'ssh_users:' removes all 'non_users:'
Check the defaults/main.yml
ssh_users:
- username: vagrant
shell: /bin/bash
group: wheel
seuser: unconfined_u
semanage_ssh_users: true
- guest_u: - no X windows, no sudo, and no networking
- xguest_u: - same as guest_u, but X and web connectivity is allowed
- user_u: - same as xguest_u, but networking isn’t restricted
- staff_u: - same as user_u, but sudo is allowed (su isn’t allowed)
- unconfined_u: - full access
Some commands to verify the config. Hackers show up in /var/log/secure.
firewall-cmd --list-rich-rules
ipset list fail2ban-sshd
firewall-cmd --ipset=fail2ban-sshd --add-entry=222.186.52.124
ipset add fail2ban-sshd 112.85.42.237timeout 86400 -exist
fail2ban-client status sshd
45.55.176.164 The Mozilla SSH Observatory scans from sshscan.rubidus.com at 45.55.176.164.