jcloude/press/playbooks/roles/sshd_hardening/tasks/main.yml

---

- name: "Ensure SSH X11 forwarding is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#X11Forwarding|^X11Forwarding"
      line: 'X11Forwarding no'

- name: " Ensure SSH MaxAuthTries is set to 4 or less"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^(#)?MaxAuthTries \d'
      line: 'MaxAuthTries 6'

- name: "Ensure SSH PermitEmptyPasswords is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
      line: 'PermitEmptyPasswords no'

- name: "Ensure SSH PermitUserEnvironment is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
      line: 'PermitUserEnvironment no'

- name: "Ensure SSH Idle Timeout Interval is configured"
  block:
    - name: "Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
      lineinfile:
          state: present
          dest: /etc/ssh/sshd_config
          regexp: '^ClientAliveInterval'
          line: "ClientAliveInterval {{ sshd['clientaliveinterval'] }}"

    - name: "Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
      lineinfile:
          state: present
          dest: /etc/ssh/sshd_config
          regexp: '^ClientAliveCountMax'
          line: "ClientAliveCountMax {{ sshd['clientalivecountmax'] }}"

- name: "Ensure SSH warning banner is configured"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^Banner'
    line: "Banner /etc/login.warn"

- name: "Ensure SSH MaxStartups is configured"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#MaxStartups|^MaxStartups"
      line: 'MaxStartups 10:30:60'

- name: "Ensure SSH MaxSessions is limited"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#MaxSessions|^MaxSessions"
      line: 'MaxSessions {{ ssh_maxsessions }}'

- name: Restart SSHD service
  service:
    name: sshd
    state: reloaded