Secure SSH with Ansible

secure SSH with Ansible

Learn how to secure SSH with Ansible and protect your Linux systems from unauthorized access with this step-by-step guide.

Table of Contents

Introduction

Ansible is a popular automation tool that is used for managing IT infrastructure. It was developed by Michael DeHaan in 2012 and has since then become one of the most popular automation tools in the market. Ansible is written in Python and uses YAML syntax to define playbooks. Ansible has many features, including agentless architecture, idempotency, and a vast collection of modules.

In this article, we will show you how to secure SSH with Ansible. We will provide you with a step-by-step guide that will help you secure SSH on your Linux systems. We will demonstrate how to disable root login and enforce SSH key passphrases using an example with three hosts.

Example:
Let’s assume that we have three Linux hosts: host1, host2, and host3. We want to disable root login and enforce SSH key passphrases on these hosts. We can achieve this by writing a playbook that performs the following tasks:

  1. Disables root login by modifying the sshd_config file.
  2. Enforces SSH key passphrases by modifying the sshd_config file.
  3. Restarts the sshd service to apply the changes.

Secure SSH with Ansible

Sample Inventory file

An inventory file for host1, host2, and host3 might look like this:

				
					[my_servers] 
host1 ansible_host=192.168.0.1 
host2 ansible_host=192.168.0.2 
host3 ansible_host=192.168.0.3
				
			

In this inventory file, we defined a group called “my_servers” and added the three hosts to it. We also specified the IP addresses for each host using the “ansible_host” parameter. This inventory file can be used in the playbook we discussed earlier to apply the SSH security settings to all three hosts.

Sample Playbook

The playbook that performs these tasks is shown below.

				
					- name: Secure SSH
  hosts: all
  become: true
  vars:
    sshd_config_file: /etc/ssh/sshd_config
  tasks:
    - name: Disable root login
      lineinfile:
        path: "{{ sshd_config_file }}"
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin no"
        backup: yes
      notify: restart sshd

    - name: Enforce SSH key passphrases
      lineinfile:
        path: "{{ sshd_config_file }}"
        regexp: "^#PermitEmptyPasswords"
        line: "PermitEmptyPasswords no"
        backup: yes
      notify: restart sshd

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
				
			

Breakdown of each line of the playbook

  • We named our playbook "Secure SSH," and the first line designates its name.
  • The second line indicates the hosts on which the playbook will run; in this instance, we specified "all," implying that the playbook will run on all hosts.
  • To grant root privileges to the tasks in the playbook, we utilized "become: true" on the third line.
  • On the fourth line, a variable named "sshd_config_file" is defined, containing the path to the sshd_config file.
  • The subsequent task, utilizing the "lineinfile" module, disables root login by searching for a line beginning with "PermitRootLogin" in the sshd_config file and replacing it with “PermitRootLogin no.” Upon completion of this task, the “restart sshd” handler is executed, as specified by “notify: restart sshd.”
  • Another task enforces SSH key passphrases using the "lineinfile" module. It searches for a line beginning with "#PermitEmptyPasswords" in the sshd_config file and replaces it with “PermitEmptyPasswords no.” Similar to the previous task, the “restart sshd” handler is triggered upon completion.
  • The "handlers" section contains the “restart sshd” handler, responsible for restarting the sshd service. This handler executes when either of the preceding tasks concludes.

Conclusion

In summary, prioritizing the security of SSH is imperative and should not be underestimated. This article has provided a demonstration of utilizing Ansible for the purpose of disabling root login and enforcing SSH key passphrases.

By proactively securing SSH, organizations can enhance the resilience of their systems, guarding against potential security threats and unauthorized access. Ansible’s automation capabilities play a pivotal role in streamlining this process, ensuring the efficient and consistent application of security measures across various hosts.

If you found this article beneficial, we encourage you to share your thoughts in the comments below and consider sharing it with others who may benefit from this valuable information. Your feedback and support are greatly appreciated!

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *