BCM Security Hardening

This manual describes security hardening for the BCM head node. The same steps can be applied to the software images that the compute nodes boot from. Each topic is covered by a separate Ansible playbook.

SSH hardening

  1. Start by installing ansible-core on the head node:

apt install ansible-core -y
  2. Then create the playbook. Each item in the loop either rewrites one sshd_config directive in place (state present) or deletes it (state absent). Note that sshd uses the first value it reads for a directive, so a drop-in under /etc/ssh/sshd_config.d/ pulled in by the Include line at the top of the file (for example a cloud-init file setting PasswordAuthentication yes) would silently win over the settings below; that is why the Include line is removed.

cat > ssh-hardening.yaml << '_EOF_'
- hosts: localhost
  gather_facts: false
  tasks:
  - name: modify sshd_config
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "{{ item.regexp }}"
      # absent items carry no line; present items replace the matched line or append it
      line: "{{ item.line | default(omit) }}"
      state: "{{ item.state | default('present') }}"
      # refuse to write a file sshd cannot parse: a broken sshd_config locks you out of the head node
      validate: /usr/sbin/sshd -t -f %s
    loop: "{{ lines }}"
    vars:
      lines:
      # anchored on ^#? so a commented-out default is replaced rather than a second directive appended
      - { regexp: "^#?PermitRootLogin", line: "PermitRootLogin prohibit-password" }
      - { regexp: "^#?PasswordAuthentication", line: "PasswordAuthentication no" }
      - { regexp: "^#?MaxAuthTries", line: "MaxAuthTries 20" }
      - { regexp: "^#?SyslogFacility", line: "SyslogFacility AUTH" }
      - { regexp: "^#?LogLevel", line: "LogLevel VERBOSE" }
      - { regexp: "^#?X11Forwarding", line: "X11Forwarding no" }
      - { regexp: "^#?Banner", line: "Banner /etc/issue" }
      - { regexp: "^#?HostbasedAuthentication", line: "HostbasedAuthentication no" }
      - { regexp: "^#?PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
      - { regexp: "^#?PermitUserEnvironment", line: "PermitUserEnvironment no" }
      - { regexp: "^#?IgnoreRhosts", line: "IgnoreRhosts yes" }
      - { regexp: "^#?MaxSessions", line: "MaxSessions 20" }
      # drop the Include so drop-ins in /etc/ssh/sshd_config.d/ cannot override the settings above
      - { regexp: "^Include", state: absent }
      # obsolete directives (removed from OpenSSH 7.4 and later) that only produce deprecation warnings
      - { regexp: "^UsePrivilegeSeparation", state: absent }
      - { regexp: "^KeyRegenerationInterval", state: absent }
      - { regexp: "^ServerKeyBits", state: absent }
      - { regexp: "^RSAAuthentication", state: absent }
      - { regexp: "^RhostsRSAAuthentication", state: absent }

  - name: restart sshd
    ansible.builtin.service:
      name: sshd
      state: restarted
_EOF_
  3. Finally, run the playbook on the head node. Keep your current SSH session open while it runs and confirm that a fresh key-based login still works before closing it. Note that MaxAuthTries 20 and MaxSessions 20 are permissive compared with common benchmarks (the CIS benchmarks recommend at most 4 and 10 respectively); lower them if your site policy requires it.

ansible-playbook ssh-hardening.yaml
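Editing one file does not prove what sshd enforces; `sshd -T` prints the effective configuration after Includes and Match blocks are resolved. The script below is an added example (not part of the original manual or the BCM product) that compares `sshd -T` output against the values the playbook sets. It assumes the target values listed in the playbook above and, for offline demonstration, a constructed sample of an unhardened head node's `sshd -T` output that was not captured from a real system.

```shell
#!/usr/bin/env sh
# verify-ssh-hardening.sh: compare the effective sshd configuration (`sshd -T`,
# run as root) against the targets set by the playbook. sshd -T prints one
# "keyword value" pair per line with lower-case keywords, after resolving
# Include directives, so it reports what sshd actually enforces.
set -u

# Targets: lower-case keyword, then the expected value. Assumed to match the
# playbook above; adjust both places together if you change a value.
HARDENING_TARGETS='permitrootlogin prohibit-password
passwordauthentication no
maxauthtries 20
syslogfacility AUTH
loglevel VERBOSE
x11forwarding no
banner /etc/issue
hostbasedauthentication no
permitemptypasswords no
permituserenvironment no
ignorerhosts yes
maxsessions 20'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_effective_config FILE
#   FILE holds `sshd -T` output. Prints one line per deviation and returns the
#   number of deviations as its exit status (0 = every target is in effect).
check_effective_config() {
  file="$1"
  mismatches=0
  while read -r key want; do
    [ -z "$key" ] && continue
    # value of the first line whose keyword matches; empty if sshd never printed it
    got=$(awk -v k="$key" '$1 == k { print $2; exit }' "$file")
    # compare case-insensitively: sshd -T upper-cases LogLevel/SyslogFacility values
    if [ "$(lower "$got")" != "$(lower "$want")" ]; then
      printf 'MISMATCH %-26s expected=%s effective=%s\n' "$key" "$want" "${got:-<unset>}"
      mismatches=$((mismatches + 1))
    fi
  done <<EOF
$HARDENING_TARGETS
EOF
  return "$mismatches"
}

# Constructed sample of `sshd -T` output from a stock head node before the
# playbook has run (not captured from a real system). It deviates from the
# targets in six places: passwordauthentication, maxauthtries, loglevel,
# x11forwarding, banner and maxsessions.
sample_unhardened_config() {
  cat <<'EOF'
port 22
permitrootlogin prohibit-password
passwordauthentication yes
maxauthtries 6
syslogfacility AUTH
loglevel INFO
x11forwarding yes
banner none
hostbasedauthentication no
permitemptypasswords no
permituserenvironment no
ignorerhosts yes
maxsessions 10
EOF
}

# Usage on the head node (as root):
#   sshd -T > /tmp/sshd-effective.txt && sh verify-ssh-hardening.sh /tmp/sshd-effective.txt
# With no argument the script only defines the functions above.
if [ "${1:-}" ]; then
  check_effective_config "$1"
fi
```

Run it once before and once after the playbook: the first run should list the deviations, the second should print nothing and exit 0. Older OpenSSH releases print `permitrootlogin without-password`, the previous spelling of `prohibit-password`; treat that as equivalent if your head node runs such a release.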