Last active
November 10, 2017 13:20
Gist: wynro/8f781af36e30250bf8f12c7b276305fd
Secure a new installation of ssh in Ubuntu (checked in 14.04 and 16.04)
# Remember to copy your public key to the server (ssh-copy-id) before executing this, or you'll lose access to it.
# Also, be sure to execute a command with sudo beforehand (something like 'sudo ls' is enough) so that sudo does not ask for the password on every command.
# The '^#\?' anchor matches each directive whether the stock Ubuntu file ships it commented out or not (GNU sed).
sudo sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Remember to add an AllowUsers clause, with the correct users and network. Example:
# sudo sh -c 'echo "AllowUsers [email protected]/16" >> /etc/ssh/sshd_config'
sudo service ssh restart
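The sed lines above only work if the pattern hits the line sshd actually reads: sshd applies the first uncommented occurrence of a keyword and treats everything after a Match line as conditional, so a substitution that misses, or a value appended at the end of the file, can leave the old setting in effect. The POSIX shell script below is an added example (not the gist's code) that applies the same three settings idempotently and then verifies the effective values; it assumes plain "Keyword value" syntax (no "Key=value"), a GNU/BSD-compatible awk such as Ubuntu's mawk, and write access to the file you pass in.

```shell
#!/bin/sh
# Added example, not the gist's code: idempotent sshd_config hardening plus a check.
# Assumes POSIX sh/awk (Ubuntu's dash/mawk suffice) and write access to the file.
# Effective value of a keyword: sshd uses the FIRST uncommented occurrence
# (keywords are case-insensitive), and global settings end at the first Match line.
sshd_effective_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}
# Set KEY to VALUE: replace the first commented or uncommented global occurrence
# in place; if there is none, prepend it (first match wins, so prepending is
# safe even when the file ends in Match blocks, where appending would not be).
set_sshd_option() {
    file="$1"; key="$2"; value="$3"; tmp="$file.tmp.$$"; rc=0
    awk -v key="$key" -v value="$value" '
        BEGIN { k = tolower(key) }
        tolower($1) == "match" { in_match = 1 }
        !done && !in_match && (tolower($1) == k || tolower($1) == "#" k) {
            print key, value; done = 1; next
        }
        { print }
        END { if (!done) exit 3 }
    ' "$file" > "$tmp" || rc=$?
    if [ "$rc" -eq 3 ]; then
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
    elif [ "$rc" -ne 0 ]; then
        rm -f "$tmp"; return "$rc"
    fi
    mv "$tmp" "$file"
}
# Exit 0 only if the three settings from the gist are actually in effect.
verify_sshd_config() {
    ok=0
    for key in PermitRootLogin PermitEmptyPasswords PasswordAuthentication; do
        v=$(sshd_effective_value "$1" "$key")
        [ "$v" = no ] || { echo "FAIL: $key is '${v:-unset}'" >&2; ok=1; }
    done
    return $ok
}
# Apply the gist's three settings, then verify; run 'sshd -t' before restarting.
harden_sshd_config() {
    for key in PermitRootLogin PermitEmptyPasswords PasswordAuthentication; do
        set_sshd_option "$1" "$key" no
    done
    verify_sshd_config "$1"
}
```

Point it at a copy of /etc/ssh/sshd_config first (harden_sshd_config /tmp/sshd_config.test) and diff the result before touching the live file.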
With ansible (the '^#?' in each regexp matches the directive whether the stock file has it commented out or not; with no match, lineinfile appends the line):
- hosts: all
  become: yes
  tasks:
    - name: disallow ssh root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin '
        line: 'PermitRootLogin no'
        state: present
      notify: restart ssh server
    - name: disallow ssh empty password
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitEmptyPasswords '
        line: 'PermitEmptyPasswords no'
        state: present
      notify: restart ssh server
    - name: disallow ssh password authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication '
        line: 'PasswordAuthentication no'
        state: present
      notify: restart ssh server
  handlers:
    - name: restart ssh server
      service:
        name: ssh   # the Ubuntu service is 'ssh', as in 'service ssh restart' above
        state: restarted
I should do this with Ansible/Puppet/Salt...