This playbook hardens directly internet-facing hosts by moving sshd to an alternate port. It performs the following steps, in this order:
- Define and enable an alternate TCP port for ssh in Firewalld.
- Tell SELinux that sshd may also bind the alternate port (label it ssh_port_t).
- Configure sshd to listen on both its traditional port (22) and the new port, so the session you are working from survives a mistake.
- Disable direct ssh login as root (PermitRootLogin no).
- Disable the traditional ssh port in Firewalld once sshd is reachable on the new port.
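The steps above as Ansible tasks. This is an added example written for this page, not the tasks shipped in the ssh-altport role: it assumes a variable named ssh_altport (the role's own variable names live in roles/ssh-altport/vars/main.yml), Ansible 2.10 or newer with the ansible.posix and community.general collections (older Ansible accepts the short module names firewalld, seport, blockinfile, lineinfile, service, wait_for), and, on CentOS 7, the policycoreutils-python package that provides semanage. It also adds the two checks a practitioner wants here: every sshd_config edit is validated with `sshd -t` before it is written, and sshd is restarted and verified on the new port while port 22 is still open, so a broken config cannot lock you out.

```yaml
# Added example (not the ssh-altport role's own tasks).
# Assumed variable: ssh_altport, e.g. 22869.
- name: Open the alternate ssh port in firewalld (permanent and runtime)
  ansible.posix.firewalld:
    port: "{{ ssh_altport }}/tcp"
    permanent: true
    immediate: true
    state: enabled

- name: Label the alternate port ssh_port_t so sshd is allowed to bind it
  community.general.seport:
    ports: "{{ ssh_altport }}"
    proto: tcp
    setype: ssh_port_t
    state: present

# Once any Port directive is present, sshd stops listening on 22 by default,
# so both ports are listed explicitly. validate runs sshd -t on the candidate
# file and refuses to write it if the syntax is broken.
- name: Listen on both the traditional and the alternate port
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config
    marker: "# {mark} ANSIBLE MANAGED: ssh-altport"
    block: |
      Port 22
      Port {{ ssh_altport }}
    validate: /usr/sbin/sshd -t -f %s
  register: sshd_ports

- name: Refuse direct root logins over ssh
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*PermitRootLogin\s'
    line: PermitRootLogin no
    validate: /usr/sbin/sshd -t -f %s
  register: sshd_root

# Restart now, while port 22 is still open, rather than in a handler that
# would fire after the old port has already been closed.
- name: Restart sshd to pick up the new configuration
  ansible.builtin.service:
    name: sshd
    state: restarted
  when: sshd_ports is changed or sshd_root is changed

# Do not close the old door until the new one is confirmed to answer.
- name: Wait for sshd to accept connections on the alternate port
  ansible.builtin.wait_for:
    host: 127.0.0.1
    port: "{{ ssh_altport }}"
    timeout: 30

- name: Close the traditional ssh port in firewalld
  ansible.posix.firewalld:
    service: ssh
    permanent: true
    immediate: true
    state: disabled
```

The wait_for check connects to 127.0.0.1; if sshd_config restricts ListenAddress to a specific interface, point the check at that address instead. The firewalld service named ssh is the stock definition for 22/tcp, which is why the last task disables the service rather than an explicit port.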
Make sure you have an unprivileged account with sudo privileges on the system before using this playbook! Once direct root login is disabled, that account is your only way back in.
See the ansible_onbaord repo for an example of how to set up such an account.
The very first run of the playbook can be done as root, or as any user that has sudo privileges:
ansible-playbook ssh-altport.yml -u svcuser -k -K
After the run the host is only reachable on the alternate port, so update your ~/.ssh/config to use the new port by default:
Host host1.example.com
Port 22869
For subsequent runs, connect with your pre-established unprivileged user that has sudo privileges:
ansible-playbook ssh-altport.yml -u svcuser -k -K
This playbook was tested against CentOS 7.4 and Fedora 26 and 27, and should work with newer releases.
All variables that define the alternate port are set in:
/roles/ssh-altport/vars/main.yml
Change them to something suitable for your environment. Pick a port that no other service on the host uses and that SELinux has not already assigned to a different port type; `semanage port -l | grep <port>` on the target shows any existing label.