Security Automation with Ansible 2

Hardening SSH service

This section takes the traditional SSH hardening steps and applies them with a modern automated method, using Ansible. Some of the items included here are:

  • Disabling the root user login and instead creating a different user, and, if required, granting it the sudo privilege:

    - name: create new user
      user:
        name: "{{ new_user_name }}"
        password: "{{ new_user_password }}"   # the user module expects a password hash, not plain text
        shell: /bin/bash
        groups: sudo
        append: yes
  • Using key-based authentication to log in instead of password-based authentication: we generate an SSH key pair and add its public key to the user's authorized keys:

    - name: add ssh key for new user
      authorized_key:
        user: "{{ new_user_name }}"
        key: "{{ lookup('file', '/home/user/.ssh/id_rsa.pub') }}"   # public key is read from the control node
        state: present
  • Some of the configuration tweaks using the SSH configuration file; for example, PermitRootLogin, PubkeyAuthentication, and PasswordAuthentication:

    - name: ssh configuration tweaks
      lineinfile:
        dest: /etc/ssh/sshd_config
        state: present
        line: "{{ item }}"
        backup: yes          # the lineinfile parameter is 'backup', not 'backups'
      with_items:
        - "PermitRootLogin no"
        - "PasswordAuthentication no"
      notify:
        - restart ssh
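
The three items above combined into one playbook, as an added example rather than code from the book; the host group, user name, password and key path are assumptions. It goes beyond the snippets above in two ways a practitioner would want: each sshd_config directive is matched with a regexp so an existing line is replaced in place rather than a duplicate appended, and the edited file is validated with sshd -t before it replaces the live configuration.

```yaml
# Added example, not from the book. sshd honours the first matching directive
# in sshd_config, so a line appended at the end behind an existing
# "PermitRootLogin yes" would be ignored; the regexp below replaces it instead.
- hosts: all
  become: yes
  vars:
    new_user_name: deploy
    # the user module needs a hash; sample only, use a vaulted value in practice
    new_user_password: "{{ 'changeme' | password_hash('sha512') }}"
    ssh_public_key_path: /home/user/.ssh/id_rsa.pub
    sshd_settings:
      PermitRootLogin: "no"
      PasswordAuthentication: "no"
      PubkeyAuthentication: "yes"
  tasks:
    - name: create new user with sudo rights
      user:
        name: "{{ new_user_name }}"
        password: "{{ new_user_password }}"
        shell: /bin/bash
        groups: sudo
        append: yes
    # install the key before password logins are switched off, otherwise a
    # failure between the two steps leaves no way to log in to the host
    - name: add ssh key for new user
      authorized_key:
        user: "{{ new_user_name }}"
        key: "{{ lookup('file', ssh_public_key_path) }}"
        state: present
    - name: apply sshd_config settings (replace existing directives in place)
      lineinfile:
        path: /etc/ssh/sshd_config
        # matches both "Directive value" and a commented "#Directive value"
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        state: present
        backup: yes
        # reject the edit (and keep the old file) if sshd cannot parse the result
        validate: /usr/sbin/sshd -t -f %s
      with_dict: "{{ sshd_settings }}"
      notify: restart ssh
  handlers:
    - name: restart ssh
      service:
        name: ssh   # the unit is named 'sshd' on RHEL-family hosts
        state: restarted
```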

The following playbook, from the dev-sec team, provides more advanced SSH hardening features: https://github.com/dev-sec/ansible-ssh-hardening