ssh-hardening
=============

SSH server hardening, based on https://www.sshaudit.com and other sources.

Requirements
------------

- OpenSSH 6.5 or newer

Role Variables
--------------

Defaults:

- `ssh_hardening_hostkeys`: `rsa`, `ed25519`
- `ssh_hardening_hostkeys_all`: `dsa`, `ecdsa`, `rsa`, `ed25519`
- `ssh_hardening_moduli`: `/etc/ssh/moduli`
- `ssh_hardening_moduli_backup`: `/etc/ssh/moduli.not-hardened`
- `ssh_hardening_root_group`: `root`
- `ssh_hardening_service_name`: `sshd`
- `ssh_hardening_sshd_config`: `/etc/ssh/sshd_config`

Included via `vars/ssh_*`:

- `ssh_hardening_opts`: parameters and values to set for a specific OpenSSH version

Included via `vars/os_*`:

- `ssh_hardening_moduli`
- `ssh_hardening_moduli_backup`
- `ssh_hardening_service_name`
- `ssh_hardening_root_group`

Command line variables (undefined by default):

- `ssh_hardening_force`: version/id of the `vars/ssh_*` file to include; overrides the detected OpenSSH version, so only set it when detection is wrong

Dependencies
------------

- None

Example Playbook
----------------

```yaml
- hosts: servers
  roles:
    - { role: ssh-hardening }
```

SSH versions
------------

- 6.0: [_] Debian 7 "wheezy" (below the 6.5 minimum, not supported)
- 6.5: (added `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`)
- 6.6: ✅ Ubuntu 14.04 "trusty"
- 6.7: ✅ Debian 8 "jessie"
- 7.0:
- 7.1:
- 7.2: ✅ Ubuntu 16.04 "xenial"
- 7.4: ✅ Debian 9 "stretch", ✅ RedHat 7 (added `curve25519-sha256`)
- 7.6: ✅ Ubuntu 18.04 "bionic"
- 7.7:
- 7.8:
- 7.9: ✅ Debian 10 "buster"
- 8.0: ✅ RedHat 8
- 8.1: ✅ Suse 15.2
- 8.2: ✅ Ubuntu 20.04 "focal"
- 8.3:
- 8.4: ✅ Alpine 3.13, ✅ Debian 11 "bullseye", ✅ Fedora 33, ✅ OpenSUSE 15.3/15.4
- 8.5: (added `sntrup761x25519-sha512@openssh.com`)
- 8.6: ✅ Alpine 3.14, ✅ Fedora 34
- 8.7: ✅ Fedora 35
- 8.8: ✅ Alpine 3.15, ✅ Fedora 36, ✅ Fedora 37
- 8.9: ✅ Ubuntu 22.04 "jammy"
- 9.0: ✅ Alpine 3.16, ✅ Fedora 38, ✅ Ubuntu 22.10 "kinetic", ✅ Ubuntu 23.04 "lunar"
- 9.1: ✅ Alpine 3.17
- 9.2: ✅ Debian 12 "bookworm"
- 9.3: ✅ Alpine 3.18, ✅ Fedora 39, ✅ Ubuntu 23.10 "mantic"
- 9.4:
- 9.5:
- 9.6: ✅ Alpine 3.19, Fedora 40, Ubuntu 24.04 "noble"
- 9.7: ✅ Alpine 3.20
- 9.8: Archlinux, ✅ Voidlinux

License
-------

AGPL-3.0-or-later

Author Information
------------------

- Sven Velt - https://git.velt.biz/
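Checking the role's two version-dependent steps by hand
--------------------------------------------------------

The following shell script is an added example, not code from the ssh-hardening role. It reproduces in plain shell what the role does around `ssh_hardening_opts`, `ssh_hardening_moduli` and `ssh_hardening_moduli_backup`: it detects the OpenSSH version from an `ssh -V` banner, picks a `KexAlgorithms` list according to the thresholds in the version table above (6.5, 7.4 and 8.5 each add a key exchange), and filters a moduli file down to large groups while keeping an untouched backup. The inclusion of `diffie-hellman-group-exchange-sha256`, the 3071-bit cut-off and the banner and moduli lines are assumptions and constructed test data, not values taken from the role.

```shell
#!/bin/sh
# Added example (not part of the ssh-hardening role). Reproduces two of the
# role's steps so they can be checked by hand:
#   1. detect the OpenSSH version and pick KexAlgorithms using the version
#      table's thresholds (6.5, 7.4 and 8.5 add new key exchanges);
#   2. filter /etc/ssh/moduli to large groups, keeping a pristine backup
#      (what ssh_hardening_moduli / ssh_hardening_moduli_backup describe).
# The `ssh -V` banner and the moduli lines below are constructed test data.

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022" -> "8.9".
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Numeric key for comparing versions: 8.9 -> 809, 9.6 -> 906.
version_key() {
    local major minor
    major=${1%%.*}
    minor=${1#*.}
    echo $((major * 100 + minor))
}

# KexAlgorithms for a given version, mirroring the page's table:
#   6.5 adds curve25519-sha256@libssh.org
#   7.4 adds curve25519-sha256
#   8.5 adds sntrup761x25519-sha512@openssh.com
# diffie-hellman-group-exchange-sha256 is an assumption added here; it is the
# key exchange that reads /etc/ssh/moduli, which is why that file is hardened.
# Versions below the role's 6.5 minimum are rejected.
kex_for_version() {
    local key kex
    key=$(version_key "$1")
    [ "$key" -ge 605 ] || { echo "OpenSSH $1 is below the 6.5 minimum" >&2; return 1; }
    kex="curve25519-sha256@libssh.org"
    [ "$key" -ge 704 ] && kex="curve25519-sha256,$kex"
    [ "$key" -ge 805 ] && kex="sntrup761x25519-sha512@openssh.com,$kex"
    echo "$kex,diffie-hellman-group-exchange-sha256"
}

# Keep only moduli whose size (field 5, per moduli(5):
# "time type tests tries size generator modulus") is at least $4 bits.
# The original is copied to $3 once and always used as the filter input, so
# re-running never filters an already filtered file. Prints the number of
# moduli kept.
harden_moduli() {
    local src=$1 dst=$2 backup=$3 min_bits=$4
    [ -f "$backup" ] || cp "$src" "$backup"
    awk -v min="$min_bits" '/^#/ || $5 >= min' "$backup" > "$dst.tmp"
    mv "$dst.tmp" "$dst"
    awk '!/^#/' "$dst" | wc -l | tr -d ' '
}

# Constructed sample data; the hex moduli are placeholders, not real primes.
SAMPLE_BANNER='OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022'
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 2047 2 c0ffee
20240101000000 2 6 100 3071 2 c0ffee
20240101000000 2 6 100 4095 5 c0ffee
20240101000000 2 6 100 6143 2 c0ffee
20240101000000 2 6 100 8191 2 c0ffee'

demo() {
    local dir ver
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_MODULI" > "$dir/moduli"
    ver=$(ssh_version "$SAMPLE_BANNER")
    echo "detected OpenSSH $ver"
    echo "KexAlgorithms $(kex_for_version "$ver")"
    echo "moduli kept: $(harden_moduli "$dir/moduli" "$dir/moduli" "$dir/moduli.not-hardened" 3071)"
    rm -rf "$dir"
}
demo
```

On a real host, feed `ssh -V 2>&1` into `ssh_version` and compare the result with the `vars/ssh_*` file the role selected; a mismatch is the case `ssh_hardening_force` exists for. The moduli filter works on the backup rather than the live file, so applying it twice yields the same result as applying it once.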