With all the shit coming down from the NSA leaks, I have taken it upon myself to secure all the machines I administer. I am short on time, but I share what I have with you below:
[Snippet: Ansible Playbook: Hardening SSH with secure key regeneration]
And here's the Ansible-ized sshd config:
[Snippet: Ansible Template: Hardened OpenSSH config]
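Since the post's own snippets are not reproduced here, the following is an added example of what such a playbook looks like; it is my illustration, not the author's playbook. It assumes a Debian host (the `ssh` service name and the Debian sftp-server path), an Ansible login account named in `ssh_admin_user`, and OpenSSH 6.5 or newer on the target: the Ed25519 host key, curve25519 key exchange and chacha20-poly1305 cipher do not exist on the stock OpenSSH 6.0 that Debian 7 ships, so on such a host the `validate:` step fails and the live `sshd_config` is left untouched. That validation, plus putting your own login account into the allow-group before the config lands, is the automated half of the lockout precaution described in the notes further down.

```yaml
---
# Added example (not the post's own snippet): harden sshd on a Debian host.
# Assumptions: OpenSSH 6.5+ on the target, Debian service name "ssh",
# and that ssh_admin_user is the account Ansible logs in with.
- hosts: sshservers
  become: yes
  vars:
    ssh_admin_user: "{{ lookup('env', 'USER') }}"  # override with -e if your remote login differs
    regenerate_host_keys: false                    # set to true once to roll the existing keys
    weak_host_keys:
      - /etc/ssh/ssh_host_dsa_key
      - /etc/ssh/ssh_host_dsa_key.pub
      - /etc/ssh/ssh_host_ecdsa_key
      - /etc/ssh/ssh_host_ecdsa_key.pub
  tasks:
    - name: Remove DSA and ECDSA host keys
      file:
        path: "{{ item }}"
        state: absent
      loop: "{{ weak_host_keys }}"
      notify: restart sshd

    - name: Drop the Ed25519/RSA host keys when a regeneration is requested
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/ssh/ssh_host_ed25519_key
        - /etc/ssh/ssh_host_ed25519_key.pub
        - /etc/ssh/ssh_host_rsa_key
        - /etc/ssh/ssh_host_rsa_key.pub
      when: regenerate_host_keys | bool

    # Keys must exist before the config is validated: sshd -t refuses a
    # config whose HostKey files cannot be loaded.
    - name: Generate Ed25519 host key
      command: ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
      args:
        creates: /etc/ssh/ssh_host_ed25519_key
      notify: restart sshd

    - name: Generate 4096-bit RSA host key
      command: ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
      args:
        creates: /etc/ssh/ssh_host_rsa_key
      notify: restart sshd

    - name: Ensure the SSH allow-group exists
      group:
        name: ssh-users
        state: present

    - name: Put the Ansible login account into the allow-group so this play cannot lock you out
      user:
        name: "{{ ssh_admin_user }}"
        groups: ssh-users
        append: yes

    # validate runs sshd -t against the temp file; on failure the old
    # config stays in place and the handler never restarts the daemon.
    - name: Install hardened sshd_config
      copy:
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0600"
        validate: /usr/sbin/sshd -t -f %s
        content: |
          Port 22
          Protocol 2
          HostKey /etc/ssh/ssh_host_ed25519_key
          HostKey /etc/ssh/ssh_host_rsa_key
          KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
          LogLevel VERBOSE
          PermitRootLogin no
          PasswordAuthentication no
          ChallengeResponseAuthentication no
          PubkeyAuthentication yes
          UsePAM yes
          X11Forwarding no
          AllowGroups ssh-users
          Subsystem sftp /usr/lib/openssh/sftp-server
      notify: restart sshd

  handlers:
    - name: restart sshd
      service:
        name: ssh
        state: restarted
```

Run it as `ansible-playbook -i inventory harden-sshd.yml`, and keep `regenerate_host_keys` at `false` except for the one run in which you intend to roll keys, since every client that has the old key pinned in `known_hosts` will refuse to connect until it is updated.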
Client Side Setup
There are also changes that need to be made on the clients connecting over SSH. Typically the following can be placed in ~/.ssh/config:
[Snippet: Ansible Playbook: Hardening SSH Client]
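As an added example of the client side (again my illustration, not the post's snippet), this play writes a `~/.ssh/config` for the user running it and checks the file with `ssh -G` before it is installed. It assumes an OpenSSH 6.8 or newer client: `-G` (print the evaluated configuration without connecting) appeared in 6.8, and the Ed25519 and chacha20-poly1305 names need 6.5. The `example.invalid` host name passed to `ssh -G` is only there because the option requires a host argument; nothing is contacted.

```yaml
---
# Added example (not the post's own snippet): hardened ~/.ssh/config for the
# local user. Assumes OpenSSH 6.8+ on the client so that "ssh -G" can act as
# a syntax check before the file is put in place.
- hosts: localhost
  connection: local
  tasks:
    - name: Ensure ~/.ssh exists and is private
      file:
        path: "{{ ansible_env.HOME }}/.ssh"
        state: directory
        mode: "0700"

    # "ssh -G -F <file> host" parses the file and exits non-zero on an
    # unknown keyword, so an unsupported algorithm name fails here rather
    # than on the next real connection attempt.
    - name: Write hardened SSH client config
      copy:
        dest: "{{ ansible_env.HOME }}/.ssh/config"
        mode: "0600"
        validate: ssh -G -F %s example.invalid
        content: |
          Host *
              Protocol 2
              HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
              KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
              Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
              MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
              PasswordAuthentication no
              ChallengeResponseAuthentication no
              PubkeyAuthentication yes
              HashKnownHosts yes
              StrictHostKeyChecking ask
              VisualHostKey yes
```

Because `Host *` applies these lists to every connection, a server that offers none of the listed algorithms (typically an old appliance) will simply be unreachable; add a narrower `Host legacy-box` block above `Host *` for such a machine rather than weakening the global defaults.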
Important Notes (Read These!)
This playbook has only been tested and used on Debian 7 and OpenBSD 5.5. You have been warned.
It is a bad idea to make changes to your sshd configuration without having a backup terminal open or a second sshd daemon running, so that you still have access to the machine in the event something goes wrong. You can do this by simply opening another SSH session to the target before you apply the change. If you don't do this and end up on the short end of the stick, it's not my fault.