BCM Security Hardening#

This manual describes security hardening for the BCM headnode. The same steps can be applied to harden the software images. Each topic is covered by a separate Ansible playbook.

Warning

The SSH hardening playbook disables password-based login for all users, including root. Before applying these changes, ensure that SSH key-based authentication is configured for any accounts that require access to the headnode.

SSH hardening#

  1. Install ansible-core on the headnode (the apt command below is for Debian/Ubuntu headnodes; use the distribution's package manager elsewhere):

apt install ansible-core -y
  2. Create the playbook. Each directive is replaced in place when a line matching its regexp exists and appended otherwise. The Include directive is removed so that drop-in files under /etc/ssh/sshd_config.d cannot override these settings (sshd keeps the first value it reads, and the Include sits at the top of the file); review that directory for settings you still need before proceeding:

cat > ssh-hardening.yaml << '_EOF_'
- hosts: localhost
  gather_facts: true
  tasks:
  - name: modify sshd_config
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      # take state from each item: without this every entry defaults to "present",
      # and the "absent" entries below would write empty lines instead of removing anything
      state: "{{ item.state }}"
      # refuse to write a file sshd cannot parse, so a typo cannot lock you out on restart
      validate: /usr/sbin/sshd -t -f %s
    loop: "{{ lines }}"
    notify: restart sshd
    vars:
      lines:
      - { regexp: "^PermitRootLogin yes", line: "PermitRootLogin prohibit-password", state: present }
      - { regexp: "^PasswordAuthentication yes|^#PasswordAuthentication yes", line: "PasswordAuthentication no", state: present }
      # above the OpenSSH default of 6 so users with many keys in ssh-agent are not
      # rejected before the right key is offered; passwords are already disabled
      - { regexp: "^MaxAuthTries", line: "MaxAuthTries 20", state: present }
      - { regexp: "^SyslogFacility", line: "SyslogFacility AUTH", state: present }
      - { regexp: "^LogLevel", line: "LogLevel VERBOSE", state: present }
      - { regexp: "^X11Forwarding", line: "X11Forwarding no", state: present }
      - { regexp: "Banner.*", line: "Banner /etc/issue", state: present }
      - { regexp: "HostbasedAuthentication.*", line: "HostbasedAuthentication no", state: present }
      - { regexp: "PermitEmptyPasswords.*", line: "PermitEmptyPasswords no", state: present }
      - { regexp: "PermitUserEnvironment.*", line: "PermitUserEnvironment no", state: present }
      - { regexp: "IgnoreRhosts.*", line: "IgnoreRhosts yes", state: present }
      - { regexp: "MaxSessions.*", line: "MaxSessions 20", state: present }
      # drop the Include line so drop-ins in /etc/ssh/sshd_config.d cannot override
      # the settings above (sshd keeps the first value it reads; Include is at the top)
      - { regexp: "^Include", line: "", state: absent }
      # obsolete directives from older OpenSSH releases; remove them so they stop
      # producing deprecation warnings
      - { regexp: "UsePrivilegeSeparation", line: "", state: absent }
      - { regexp: "KeyRegenerationInterval", line: "", state: absent }
      - { regexp: "ServerKeyBits", line: "", state: absent }
      - { regexp: "RSAAuthentication", line: "", state: absent }
      - { regexp: "RhostsRSAAuthentication", line: "", state: absent }

  # restarted once, only if at least one line changed
  handlers:
  - name: restart sshd
    ansible.builtin.service:
      # Ubuntu's ssh.service carries an sshd alias, so this name works on both Debian and RHEL families
      name: sshd
      state: restarted
_EOF_
  3. Run the playbook on the headnode as root. Keep your current SSH session open until a fresh key-based login succeeds, since the playbook edits /etc/ssh/sshd_config and restarts sshd:

ansible-playbook ssh-hardening.yaml
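The following verification script is an added example and is not part of the BCM documentation or of the playbook above. It reads the effective configuration from `sshd -T`, which already has any Include'd drop-ins applied and therefore reports what the daemon enforces rather than what the main file says, compares it with the settings the playbook sets, and checks that root has at least one key in /root/.ssh/authorized_keys before password login is removed. The file name verify-ssh-hardening.sh and the `--live` flag are this example's own conventions, not anything BCM ships.

```sh
#!/bin/sh
# Added verification script (not from the BCM docs): compare the effective sshd
# configuration with the hardening baseline and confirm root keeps key access.

# Settings the playbook enforces, as "keyword value". Keywords are lowercase,
# the form "sshd -T" prints them in.
EXPECTED='permitrootlogin prohibit-password
passwordauthentication no
permitemptypasswords no
hostbasedauthentication no
ignorerhosts yes
permituserenvironment no
x11forwarding no
loglevel VERBOSE
syslogfacility AUTH
maxauthtries 20
maxsessions 20'

# check_sshd_config: read "sshd -T" output on stdin, print every keyword whose
# effective value differs from EXPECTED to stderr, return 1 on any mismatch.
check_sshd_config() {
    dump=$(cat)
    failures=$(printf '%s\n' "$EXPECTED" | while read -r key want; do
        # first line of the dump whose keyword matches; empty if the keyword is absent
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        [ "$got" = "$want" ] || printf '%s: want "%s", got "%s"\n' "$key" "$want" "${got:-<unset>}"
    done)
    [ -z "$failures" ] && return 0
    printf '%s\n' "$failures" >&2
    return 1
}

# has_authorized_key FILE: return 0 if FILE contains at least one key line
# (non-empty and not a comment), else 1. Guards the warning at the top of this
# page: root must have a key before PasswordAuthentication is turned off.
has_authorized_key() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# Live run on a headnode, as root (sshd -T needs the host keys and /root/.ssh):
#   sh verify-ssh-hardening.sh --live
case "${1:-}" in
    --live)
        has_authorized_key /root/.ssh/authorized_keys \
            || echo "WARNING: no key in /root/.ssh/authorized_keys; root cannot log in once passwords are disabled" >&2
        sshd -T | check_sshd_config && echo "sshd configuration matches the hardening baseline"
        ;;
esac
```

Run it once before the playbook to see which directives still differ, and once after the restart to confirm the daemon picked up the new file; a non-zero exit from `check_sshd_config` lists the offending keywords on stderr.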