In today’s Ansible series, we will learn about automating changes using Ansible. Specifically, we will automate changes to the sshd config file.
Learn how to secure SSH with Ansible and protect your Linux systems from unauthorized access with this step-by-step guide.
Ansible is a popular automation tool used for managing IT infrastructure. It was developed by Michael DeHaan in 2012 and has since become one of the most popular automation tools on the market. Ansible is written in Python and uses YAML syntax to define playbooks. Ansible has many features, including an agentless architecture, idempotency, and a vast collection of modules.
In this article, we will show you how to secure SSH with Ansible. We will provide you with a step-by-step guide that will help you secure SSH on your Linux systems. We will demonstrate how to disable root login and enforce SSH key passphrases using an example with three hosts.
Example:
Let’s assume that we have three Linux hosts: host1, host2, and host3. We want to disable root login and enforce SSH key passphrases on these hosts. We can achieve this by writing a playbook that performs the following tasks:
1. Disable root login by editing the sshd_config file.
2. Enforce SSH key passphrases by editing the sshd_config file.
An inventory file for host1, host2, and host3 might look like this:
[my_servers]
host1 ansible_host=192.168.0.1
host2 ansible_host=192.168.0.2
host3 ansible_host=192.168.0.3
In this inventory file, we defined a group called “my_servers” and added the three hosts to it. We also specified the IP address of each host using the “ansible_host” parameter. This inventory file can be used with the playbook shown below to apply the SSH security settings to all three hosts.
The playbook that performs these tasks is shown below.
- name: Secure SSH
  hosts: all          # or my_servers, the group defined in the inventory above
  become: true        # editing /etc/ssh/sshd_config requires root
  vars:
    sshd_config_file: /etc/ssh/sshd_config
  tasks:
    - name: Disable root login
      lineinfile:
        path: "{{ sshd_config_file }}"
        # match the directive whether it is active or commented out, so an
        # existing setting is replaced instead of a second copy being appended
        regexp: "^#?PermitRootLogin"
        line: "PermitRootLogin no"
        backup: yes
      notify: restart sshd
    - name: Enforce SSH key passphrases
      lineinfile:
        path: "{{ sshd_config_file }}"
        regexp: "^#?PermitEmptyPasswords"
        line: "PermitEmptyPasswords no"   # refuse logins to accounts with an empty password
        backup: yes
      notify: restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd    # the unit is called ssh on Debian and Ubuntu
        state: restarted
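Two details decide whether a run like this actually takes effect: lineinfile replaces the last line matching regexp and otherwise appends the line at the end of the file, while sshd itself ignores commented lines and uses the first occurrence of a keyword. The Python script below is an added example that is not part of the original article or of Ansible; it emulates lineinfile on a constructed sshd_config fragment and audits the result the way sshd reads it, showing that a regexp matching only one form of a directive can leave an existing active setting in force while the playbook reports success. The names audit, apply_playbook and the sample fragment are assumptions of this example.

```python
import re
REQUIRED = {"permitrootlogin": "no", "permitemptypasswords": "no"}  # what the playbook enforces

def effective_settings(config_text):
    """Read sshd_config like sshd: skip comments, first occurrence of a keyword
    wins, and stop at the first Match block (only the global section is checked)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip())  # first one wins
    return settings

def audit(config_text):
    """Return the required keywords whose effective value is wrong or missing."""
    found = effective_settings(config_text)
    return sorted(k for k, want in REQUIRED.items() if found.get(k, "").lower() != want)

def lineinfile(config_text, regexp, line):
    """Emulate Ansible lineinfile: replace the last matching line, else append."""
    lines = config_text.splitlines()
    hits = [i for i, text in enumerate(lines) if re.search(regexp, text)]
    if hits:
        lines[hits[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"

def apply_playbook(config_text, root_re, empty_re):
    """Run the article's two tasks with the given regexps."""
    text = lineinfile(config_text, root_re, "PermitRootLogin no")
    return lineinfile(text, empty_re, "PermitEmptyPasswords no")

# Constructed sample: the stock commented-out root setting, but an admin has
# explicitly enabled empty passwords on this host.
SAMPLE = """# constructed sshd_config fragment
#PermitRootLogin prohibit-password
PermitEmptyPasswords yes
PasswordAuthentication yes
"""
ONE_FORM = ("^PermitRootLogin", "^#PermitEmptyPasswords")        # each matches one form only
EITHER_FORM = ("^#?PermitRootLogin", "^#?PermitEmptyPasswords")  # commented or active
```

With ONE_FORM the second task appends "PermitEmptyPasswords no" below the active "yes" line, so audit still flags permitemptypasswords; with EITHER_FORM the active line is replaced and the audit comes back clean.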
"Secure SSH,"
and the first line designates its name."all,"
implying that the playbook will run on all hosts."become: true"
on the third line."sshd_config_file"
is defined, containing the path to the sshd_config file."lineinfile"
module, disables root login by searching for a line beginning with "PermitRootLogin"
in the sshd_config file and replacing it with “PermitRootLogin no.” Upon completion of this task, the “restart sshd” handler is executed, as specified by “notify: restart sshd.”"lineinfile"
module. It searches for a line beginning with "#PermitEmptyPasswords"
in the sshd_config file and replaces it with “PermitEmptyPasswords no.” Similar to the previous task, the “restart sshd” handler is triggered upon completion."handlers"
section contains the “restart sshd” handler, responsible for restarting the sshd service. This handler executes when either of the preceding tasks concludes.In summary, prioritizing the security of SSH is imperative and should not be underestimated. This article has provided a demonstration of utilizing Ansible for the purpose of disabling root login and enforcing SSH key passphrases.
By proactively securing SSH, organizations can enhance the resilience of their systems, guarding against potential security threats and unauthorized access. Ansible’s automation capabilities play a pivotal role in streamlining this process, ensuring the efficient and consistent application of security measures across various hosts.
If you found this article beneficial, we encourage you to share your thoughts in the comments below and consider sharing it with others who may benefit from this valuable information. Your feedback and support are greatly appreciated!