Day three: enhance SSH security in two separate phases. Closes #3
parent
198242e1d5
commit
197ac5d0ef
4 changed files with 166 additions and 0 deletions
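--- /dev/null
+++ b/phase2user.yml
@@ -0,0 +1,38 @@
+---
+- name: Lock down root & SSH on the server
+hosts: UpskillChallengeNode
+
+tasks:
+- name: Disable root login over ssh
+ansible.builtin.lineinfile:
+path: /etc/ssh/sshd_config
+regexp: '^PermitRootLogin'
+line: 'PermitRootLogin no'
+
+- name: Disable all users' password login
+ansible.builtin.lineinfile:
+path: /etc/ssh/sshd_config
+regexp: '^PasswordAuthentication'
+line: 'PasswordAuthentication no'
+
+- name: Change SSH port
+ansible.builtin.lineinfile:
+path: /etc/ssh/sshd_config
+regexp: '^#?Port '
+line: 'Port 22022'
+
+- name: update and upgrade packages
+ansible.builtin.apt:
+update_cache: yes
+upgrade: yes
+
+- name: install fail2ban
+ansible.builtin.apt:
+package: fail2ban
+state: present
+
+- name: restart ssh
+service:
+name: ssh
+state: restarted
+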
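Review bot: The three `lineinfile` tasks write `/etc/ssh/sshd_config` without a `validate` step and the final task restarts `ssh` unconditionally, so a bad or ineffective edit is only found once the daemon has already been bounced; adding `validate: '/usr/sbin/sshd -t -f %s'` to each task keeps a broken file from being installed. The patterns `'^PermitRootLogin'` and `'^PasswordAuthentication'` do not match a commented-out default the way `'^#?Port '` does, so on such a file the line is appended at the end, where it can land inside a trailing `Match` block or be overridden by an earlier setting (sshd keeps the first value it reads, including from any `Include`d drop-in); `regexp: '^#?\s*PasswordAuthentication\s'` and a follow-up check of `sshd -T` output would confirm the effective values. Since the same run moves the listener to port 22022 and disables passwords, it is worth confirming, outside this file, that key-based login and the firewall rule for the new port are in place before the restart. The restart would also fit better as a handler notified by the three edits, written as `ansible.builtin.service` to match the other tasks.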