Secure SSH configuration ansible playbook. Last updated years ago, NOT recommended for use. There are better ways to do this today.

secure-ssh.yml

---
# SSH server settings, in line with https://stribika.github.io/2015/01/04/secure-secure-shell.html
# Before using, change myhosts to your hosts' nickname and myuser to your username (two instances! make sure you replace both or you'll be locked out of ssh!)
- hosts: myhosts
  become: true
  remote_user: myuser
  tasks:
    # Key exchange, ciphers and MACs
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^KexAlgorithms' line='KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256'
    
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^Ciphers' line='Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr'
        
    # I have removed hmac-ripemd160 and [email protected] from the following line, as Mozilla's SSH guidelines are stricter and avoid using them. Just to be on the safe side.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^MACs' line='MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]'

    - name: Enable the most secure server auth algos and protocol version
      lineinfile: dest=/etc/ssh/sshd_config regexp='^Protocol 2' line='Protocol 2' 
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^HostKey /etc/ssh/ssh_host_ed25519_key' line='HostKey /etc/ssh/ssh_host_ed25519_key'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^HostKey /etc/ssh/ssh_host_rsa_key' line='HostKey /etc/ssh/ssh_host_rsa_key'   

    - name: Disable bad ones
      lineinfile: 
        dest: /etc/ssh/sshd_config 
        regexp: '^HostKey /etc/ssh/ssh_host_ecdsa_key' 
        state: absent
    - lineinfile: 
        dest: /etc/ssh/sshd_config 
        regexp: '^HostKey /etc/ssh/ssh_host_dsa_key'
        state: absent
    - name: And remove the files
      file:
        dest: /etc/ssh/ssh_host_ecdsa_key.pub
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_ecdsa_key
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_dsa_key.pub
        state: absent
    - file:
        dest: /etc/ssh/ssh_host_dsa_key
        state: absent
 
    - name: Password based logins are disabled - only public key based logins are allowed.
      lineinfile: dest=/etc/ssh/sshd_config regexp='^#?AuthenticationMethods' line='AuthenticationMethods publickey'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PasswordAuthentication' line='PasswordAuthentication no'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^#?ChallengeResponseAuthentication' line='ChallengeResponseAuthentication no'
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^#?PubkeyAuthentication' line='PubkeyAuthentication yes'   
      
    # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^LogLevel' line='LogLevel VERBOSE'
 
    # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^Subsystem sftp' line='Subsystem sftp  /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO'
 
    # Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user
    # On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
    # Additionally, only tools such as systemd and auditd record the process session id.
    # On other OSes, the user session id is not necessarily recorded at all kernel-side.
    # Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^PermitRootLogin' line='PermitRootLogin No'
 
    # Use kernel sandbox mechanisms where possible in unprivileged processes
    # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^UsePrivilegeSeparation' line='UsePrivilegeSeparation sandbox'
    
    # Only allow specific users to login remotely (may be more suitable to change this to AllowGroups).
    - lineinfile: dest=/etc/ssh/sshd_config regexp='^AllowUsers' line='AllowUsers myuser'


    # And some client-side, ssh_config modifications
    - name: Generic ssh client settings. Includes special settings for Github; it needs diffie-hellman-group-exchange-sha1 some of the time but not always.
      blockinfile:
        dest: /etc/ssh/ssh_config
        block: |
          Host *
              KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
              PasswordAuthentication no
              ChallengeResponseAuthentication no
              PubkeyAuthentication yes
              HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,ssh-rsa
              MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]
              Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
              UseRoaming no

          Host github.com
              KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

    - debug:
        msg: "If needed, Generate client keys using the following command: ssh-keygen -t ed25519 -o -a 100 && ssh-keygen -t rsa -b 4096 -o -a 100"

Hey @wojciehm, for private use, I'd just use https://infosec.mozilla.org/guidelines/openssh nowadays.

Thanks, @cmavr8 I was more wondering how you implement the rules not which rule. You mentioned templates.

@wojciehm ah ok gotcha. Well I haven't updated my playbooks lately, and I cannot publish them as is right now.

So you'd have to look into Ansible templating or search through Galaxy to find someone else's solution you can re-use. Github seems to have a few too, but none references Mozilla's guidelines directly.

Sorry I can't be of more help! :/