{"id":19701223,"url":"https://github.com/dockpack/secure_ssh","last_synced_at":"2025-04-29T13:32:56.159Z","repository":{"id":43686399,"uuid":"195572582","full_name":"dockpack/secure_ssh","owner":"dockpack","description":"▦ An Ansible role to harden SSH on Centos 7.","archived":false,"fork":false,"pushed_at":"2024-01-04T12:02:00.000Z","size":84,"stargazers_count":3,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-25T14:27:47.084Z","etag":null,"topics":["ansible-role","certificates","hacktoberfest","hardening","security-automation","security-hardening","ssh-client","ssh-config","ssh-keys","ssh-server"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dockpack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-07-06T18:44:59.000Z","updated_at":"2023-10-13T21:57:07.000Z","dependencies_parsed_at":"2023-10-14T23:03:52.294Z","dependency_job_id":null,"html_url":"https://github.com/dockpack/secure_ssh","commit_stats":null,"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockpack%2Fsecure_ssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockpack%2Fsecure_ssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockpack%2Fsecure_ssh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockpack%2Fsecure_ssh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub
/owners/dockpack","download_url":"https://codeload.github.com/dockpack/secure_ssh/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251509813,"owners_count":21600709,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible-role","certificates","hacktoberfest","hardening","security-automation","security-hardening","ssh-client","ssh-config","ssh-keys","ssh-server"],"created_at":"2024-11-11T21:08:16.434Z","updated_at":"2025-04-29T13:32:55.835Z","avatar_url":"https://github.com/dockpack.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hardened SSH\n[![Galaxy](https://img.shields.io/badge/galaxy-dockpack.secure__ssh-blue.svg?style=flat)](https://galaxy.ansible.com/dockpack/secure_ssh)\n![Build Status](https://api.travis-ci.com/dockpack/secure_ssh.svg)\n\nAn Ansible role to harden SSH on CentOS 7 with several options, such as using a trusted CA.\n\nThis role is based on insights gained working with DISA-STIG, CIS, USG, NCSC, NIST, PCI, and other security norms. After scanning with OpenSCAP, I audited my server using the [SSH Observatory of Mozilla](https://observatory.mozilla.org), and finally with [ssh-audit](https://github.com/arthepsy/ssh-audit). 
I can still connect to CentOS 7 with macOS Mojave.\n\nI can run port forwarding and X11Forwarding, and an incredible number of further options is configurable.\n\n\n## License: MIT\n\n\n\nKey Management Requires Attention\n---------------------------------\n\n`distribute_ssh_keys: true`\nIn any larger organization an SSH key management solution is almost a necessity. Public keys should also be moved to a root-owned location with proper provisioning and termination processes. Users will not be able to modify their own public key, because the file carries the immutable attribute and sshd reads it from a root-owned path:\n\n`AuthorizedKeysFile: '/etc/ssh/authorized_keys/%u'`\n\nNote that the immutable attribute also blocks edits by root until it is cleared with `chattr -i`, so key rotation has to clear it first.\n\n\nHashicorp Vault\n---------------\nThis role can be used to manage access to SSH by means of signed SSH keys, and to SFTP with OTP.\n\nSigned SSH keys\n---------------\n\nSee SECURITY.md\n\n\nManage groups without IAM, LDAP or AD\n-------------------------------------\n`manage_ssh_groups: true` # Default is false.\n\nCreates the groups listed in `ssh_groups`:\n```\nssh_groups:\n  with_items:\n    - wheel\n    - staff\n    - users\n    - games\n    - chroot\n```\n\nManage users without IAM, LDAP or AD\n------------------------------------\n`manage_ssh_users: true` # Default is false.\nAdds every user listed in `ssh_users:` and removes every user listed in `non_users:`.\nSee `defaults/main.yml` for the defaults.\n\n```\nssh_users:\n  - username: vagrant\n    shell: /bin/bash\n    group: wheel\n    seuser: unconfined_u\n```\n\n# The `seuser` property of a user confines that user to an SELinux user class\n`semanage_ssh_users: true`\n\n# There are five main SELinux seuser values:\n- guest\\_u: no X windows, no sudo, and no networking\n- xguest\\_u: same as guest\\_u, but X and web connectivity are allowed\n- user\\_u: same as xguest\\_u, but networking isn’t restricted\n- staff\\_u: same as user\\_u, but sudo is allowed (su isn’t allowed)\n- unconfined\\_u: full access\n\n\nFail2ban\n--------\n\nSome commands to verify the configuration.\n
Hackers show up in /var/log/secure, where sshd on CentOS 7 logs failed and accepted logins. The commands below list the firewalld rich rules and the fail2ban-sshd ipset that fail2ban maintains, add an address to the ban set by hand (through firewalld or directly with ipset), and show the state of the sshd jail:\n\n```\n# rich rules and the ban set that fail2ban maintains\nfirewall-cmd --list-rich-rules\nipset list fail2ban-sshd\n# ban an address by hand, either via firewalld ...\nfirewall-cmd --ipset=fail2ban-sshd --add-entry=222.186.52.124\n# ... or directly with ipset, for one day; -exist makes a repeat add succeed\nipset add fail2ban-sshd 112.85.42.237 timeout 86400 -exist\n# jail status: currently banned addresses and failure counts\nfail2ban-client status sshd\n```\n\nThe SSH Observatory of Mozilla scans from sshscan.rubidus.com at 45.55.176.164, so expect that address in the logs while auditing.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdockpack%2Fsecure_ssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdockpack%2Fsecure_ssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdockpack%2Fsecure_ssh/lists"}
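The README's Fail2ban section says that brute-force attempts show up in /var/log/secure and shows how to ban an address by hand with `ipset add fail2ban-sshd <ip> timeout 86400 -exist`. The script below is an added example, not code from the dockpack/secure_ssh role: it applies fail2ban's maxretry/findtime rule (at least `maxretry` failures inside any `findtime`-second window, not a plain total) to constructed /var/log/secure lines, skips allow-listed addresses such as the Observatory scanner, and prints the README's ipset command for each offender. The log lines are sample data written for this example, the year 2024 is assumed because syslog stamps carry none, and maxretry=5 / findtime=600 are fail2ban's documented defaults; the set name fail2ban-sshd and the one-day bantime come from the README.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/secure lines in the CentOS 7 rsyslog format.
# Not a real capture; addresses are the ones the README uses in its examples.
SAMPLE_SECURE_LOG = """\
Jan  4 12:00:01 web1 sshd[2101]: Invalid user admin from 222.186.52.124 port 41234
Jan  4 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 222.186.52.124 port 41234 ssh2
Jan  4 12:00:03 web1 sshd[2103]: Failed password for invalid user oracle from 222.186.52.124 port 41240 ssh2
Jan  4 12:00:05 web1 sshd[2105]: Failed password for root from 222.186.52.124 port 41251 ssh2
Jan  4 12:00:06 web1 sshd[2105]: Failed password for root from 222.186.52.124 port 41251 ssh2
Jan  4 12:00:09 web1 sshd[2107]: Failed password for root from 222.186.52.124 port 41260 ssh2
Jan  4 12:01:10 web1 sshd[2110]: Accepted publickey for vagrant from 10.0.2.2 port 55432 ssh2: RSA SHA256:0123456789abcdef
Jan  4 12:01:12 web1 sshd[2112]: Failed password for vagrant from 10.0.2.2 port 55440 ssh2
Jan  4 12:05:00 web1 sshd[2150]: Did not receive identification string from 45.55.176.164 port 39000
Jan  4 12:30:00 web1 sshd[2200]: Failed password for invalid user test from 112.85.42.237 port 50001 ssh2
Jan  4 12:30:02 web1 sshd[2201]: Failed password for invalid user test from 112.85.42.237 port 50002 ssh2
Jan  4 12:30:04 web1 sshd[2202]: Failed password for invalid user test from 112.85.42.237 port 50003 ssh2
Jan  4 13:45:00 web1 sshd[2300]: Failed password for invalid user test from 112.85.42.237 port 50010 ssh2
Jan  4 13:45:02 web1 sshd[2301]: Failed password for invalid user test from 112.85.42.237 port 50011 ssh2
"""

# Only "Failed password" lines are counted here; fail2ban's sshd filter matches more patterns.
FAILED_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(log_text, year):
    """Return (timestamp, ip, user, invalid_user) for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies one (assumed below).
    Accepted logins, banner probes and "Invalid user" preambles are skipped."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        failures.append((stamp, m["ip"], m["user"], m["invalid"] is not None))
    return failures


def find_offenders(failures, maxretry=5, findtime=600, ignore_ips=()):
    """Apply fail2ban's rule: an address offends when it has at least maxretry
    failures inside some window of findtime seconds. ignore_ips plays the role
    of fail2ban's ignoreip. Returns {ip: peak failures in one window}."""
    by_ip = defaultdict(list)
    for stamp, ip, _user, _invalid in failures:
        if ip not in ignore_ips:
            by_ip[ip].append(stamp)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it spans at most findtime seconds
            while (t - stamps[start]).total_seconds() > findtime:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= maxretry:
            offenders[ip] = peak
    return offenders


def ban_commands(offenders, setname="fail2ban-sshd", bantime=86400):
    """The README's manual ban command, one per offender; -exist keeps it idempotent."""
    return [f"ipset add {setname} {ip} timeout {bantime} -exist" for ip in sorted(offenders)]


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_SECURE_LOG, year=2024)
    hits = find_offenders(fails, ignore_ips={"45.55.176.164"})
    for ip, n in sorted(hits.items()):
        print(f"{ip}: {n} failures within 600 s")
    print("\n".join(ban_commands(hits)))
```

With the sample data only 222.186.52.124 is banned: 112.85.42.237 also has five failures in total, but spread over more than an hour, so the findtime window never contains five of them. Raising findtime to a day makes it an offender too, which is the trade-off the fail2ban defaults encode.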