February 2, 2018

Ansible: dealing with SSH vulnerabilities

Posted in Ansible at 3:57 pm by alessiodini

Today the customer asked to help him fixing a couple of issues on multiple Linux systems. Those vulnerabilities were:

Medium

The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.

Contact the vendor or consult product documentation to remove the weak ciphers.       N/A       90317

 

Low

“The remote SSH server is configured to allow MD5 and 96-bit MAC

algorithms.”

“Contact the vendor or consult product documentation to disable MD5 and

96-bit MAC algorithms.”               N/A 71049

I was funny to fix both of them with a simple playbook called fixssh.yaml :


– name: MAC SSH Vulnerability FIX
hosts: all
tasks:

– name: Backing up /etc/ssh/sshd_config
shell: cp -prf /etc/ssh/sshd_config /etc/ssh/sshd_config.02-02-18
become: true
become_method: sudo

– name: Updating MACs directive in /etc/ssh/sshd_config file
lineinfile:
path: /etc/ssh/sshd_config
regexp: ‘^MACs’
line: ‘MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com’
become: true
become_method: sudo

– name: Updating ciphers directive in /etc/ssh/sshd_config file
lineinfile:
path: /etc/ssh/sshd_config
regexp: ‘^Ciphers’
line: ‘Ciphers aes128-ctr,aes192-ctr,aes256-ctr’
become: true
become_method: sudo

– name: Restarting sshd service
service: name=sshd state=restarted
become: true
become_method: sudo

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: