Skip to content

Instantly share code, notes, and snippets.

@wynro
Last active November 10, 2017 13:20
Show Gist options
  • Save wynro/8f781af36e30250bf8f12c7b276305fd to your computer and use it in GitHub Desktop.
Save wynro/8f781af36e30250bf8f12c7b276305fd to your computer and use it in GitHub Desktop.
Secure a new installation of ssh in Ubuntu (checked in 14.04 and 16.04)
# Remember to copy your public key to the server (ssh-copy-id) before executing this, or you'll lose access to it.
# Also, be sure to either execute a command with sudo before (something like 'sudo ls' is enough) to prevent sudo asking for the password on every command
sudo sed -i 's/PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/#PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sudo sed -i 's/#PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Remember to add an AllowUsers clause, with the correct users and network. Example:
# sudo sh -c 'echo "AllowUsers [email protected]/16" >> /etc/ssh/sshd_config
sudo service ssh restart
@wynro
Copy link
Author

wynro commented May 12, 2017

I should do this with Ansible/Puppet/Salt...

@wynro
Copy link
Author

wynro commented Nov 10, 2017

With ansible:

- tasks:
    - name: disallow ssh root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin '
        line: 'PermitRootLogin no'
        state: present
      notify: restart ssh server
    - name: disallow ssh empty password
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitEmptyPasswords '
        line: 'PermitEmptyPasswords no'
        state: present
      notify: restart ssh server
    - name: disallow ssh password authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication '
        line: 'PasswordAuthentication no'
        state: present
      notify: restart ssh server

  handlers:
    - name: restart ssh server
      service:
        name: sshd
        state: restarted

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment