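---
# Hardening tasks for sshd and fail2ban.
#
# Every change to an sshd configuration file is checked with `sshd -t` on the
# staged copy before it is installed, so a rendered option that the local
# OpenSSH build does not understand is rejected here rather than discovered
# when the restart handler leaves the host unreachable.

- name: enable post-quantum key exchange for sshd
  become: true
  ansible.builtin.template:
    src: sshd-pq-kex.conf.j2
    dest: /etc/ssh/sshd_config.d/30-pq-kex.conf
    # Quoted so the leading zero is not read as an octal/int literal by the
    # YAML parser; Ansible expects the symbolic or quoted-octal form.
    mode: "0600"
    # Parse the rendered drop-in as a complete config; a KexAlgorithms entry
    # that this sshd does not support fails the task instead of the restart.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart_sshd
  tags:
    - security
    - sshd

- name: ensure sshd disallows passwords
  become: true
  # NOTE(review): sshd keeps the first value it sees for a keyword, and a
  # stock sshd_config normally Includes sshd_config.d/*.conf near the top, so
  # a distro- or cloud-init-supplied drop-in would silently override the lines
  # set here. Confirm no such drop-in exists, or move these settings into a
  # drop-in of their own.
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.re }}"
    line: "{{ item.li }}"
    # When the directive is absent lineinfile appends it; anchoring the insert
    # before any Match block (falls back to EOF when there is none) keeps the
    # setting global instead of scoping it to whatever Match clause ends the
    # file.
    insertbefore: '^Match\b'
    firstmatch: true
    # Reject the edited copy if sshd cannot parse it.
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - re: "^[# ]*PasswordAuthentication "
      li: "PasswordAuthentication no"
    - re: "^[# ]*PermitEmptyPasswords "
      li: "PermitEmptyPasswords no"
    - re: "^[# ]*PermitRootLogin "
      li: "PermitRootLogin no"
  notify: restart_sshd
  tags:
    - security

- name: setup fail2ban jails
  become: true
  ansible.builtin.copy:
    # Jinja-templated paths are quoted so an empty or special-character
    # expansion cannot change how the YAML parser reads the scalar.
    src: "files/fail2ban/jails/{{ item }}"
    dest: "/etc/fail2ban/jail.d/{{ item }}"
    mode: "0644"
  loop: "{{ fail2ban_jails }}"
  notify: restart_fail2ban
  tags:
    - security

- name: adjust fail2ban sshd filter
  become: true
  # NOTE(review): `filter = ...` is a jail option, but this task writes it
  # into the filter definition file (filter.d/sshd.conf), where the regexp is
  # unlikely to match and the line is appended to the last section. Whether
  # fail2ban honours it there is not verified here; confirm the intended
  # target, which may be the [sshd] jail in jail.d/ instead.
  ansible.builtin.lineinfile:
    path: /etc/fail2ban/filter.d/sshd.conf
    regexp: "^[#]*filter ="
    line: "filter = sshd[mode=extra]"
  notify: restart_fail2ban
  tags:
    - security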