netcup-setup/ansible/custom_hardening.yml

---
- name: Apply SSH best practices configuration
  hosts: all
  become: yes
  tasks:
    - name: Ensure the sshd_config.d directory exists
      file:
        path: /etc/ssh/sshd_config.d
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: Create a configuration file to apply SSH best practices
      copy:
        content: |
          # Disable password authentication
          PasswordAuthentication no
          
          # Disable challenge-response authentication
          ChallengeResponseAuthentication no
          
          # Allow root login
          PermitRootLogin yes
          
          # Disable empty passwords
          PermitEmptyPasswords no
          
          # Disable X11 forwarding
          X11Forwarding no
          
          # Use only protocol 2
          Protocol 2
          
          # Log more verbosely
          LogLevel VERBOSE
          
          # Keep-alive packets to ensure connection stability
          TCPKeepAlive yes
          ClientAliveInterval 60
          ClientAliveCountMax 10          
        dest: /etc/ssh/sshd_config.d/best_practices.conf
        owner: root
        group: root
        mode: '0644'

    - name: Restart SSH service to apply changes
      service:
        name: sshd
        state: restarted

    - name: Verify SSH configuration settings
      shell: "sshd -T"
      register: ssh_config_result

    - name: Check specific SSH settings
      debug:
        msg: "{{ ssh_config_result.stdout_lines | select('search', 'passwordauthentication no') | list }}\n
              {{ ssh_config_result.stdout_lines | select('search', 'challengeresponseauthentication no') | list }}\n
              {{ ssh_config_result.stdout_lines | select('search', 'permitrootlogin yes') | list }}\n
              {{ ssh_config_result.stdout_lines | select('search', 'permitemptypasswords no') | list }}\n
              {{ ssh_config_result.stdout_lines | select('search', 'x11forwarding no') | list }}\n
              {{ ssh_config_result.stdout_lines | select('search', 'protocol 2') | list }}\n
              {{ ssh_config_result.stdout_lines | select('search', 'loglevel verbose') | list }}\n
              {{ ssh_config_result.stdout_lines | select('search', 'clientaliveinterval 60') | list }}\n
              {{ ssh_config_result.stdout_lines | select('search', 'clientalivecountmax 3') | list }}\n
              {{ ssh_config_result.stdout_lines | select('search', 'tcpkeepalive yes') | list }}"