X-Git-Url: https://gerrit.akraino.org/r/gitweb?p=ta%2Finfra-ansible.git;a=blobdiff_plain;f=roles%2Fssh_conf_hardening%2Ftasks%2Fmain.yaml;h=256620c6050c3c995100c376c161e02518c503dd;hp=1058a5286ddeabbbb9b7089ef03f9f19c54d7238;hb=407c56bb4dab1eac542f37c5b0b25cb63133b2f0;hpb=76de2b3e9925960e461fd7d26e6cc1d00063078e diff --git a/roles/ssh_conf_hardening/tasks/main.yaml b/roles/ssh_conf_hardening/tasks/main.yaml index 1058a52..256620c 100644 --- a/roles/ssh_conf_hardening/tasks/main.yaml +++ b/roles/ssh_conf_hardening/tasks/main.yaml @@ -62,7 +62,7 @@ - name: User Alive Interval setting ssh_conf: regexp: '[\s]*ClientAliveInterval' - values: "ClientAliveInterval 900\n" + values: "ClientAliveInterval 300\n" - name: Disable the X11forwarding ssh_conf: @@ -107,13 +107,23 @@ - name: MaxAuthTries setting ssh_conf: regexp: '[\s]*MaxAuthTries' - values: "MaxAuthTries 6\n" + values: "MaxAuthTries 3\n" + +- name: "Limit interactive session count to 2" + ssh_conf: + regexp: '[\s]*MaxSessions" + values: "MaxSessions 2\n" - name: Banner creation ssh_conf: regexp: '[\s]*Banner' values: "Banner /etc/banner\n" +- name: "Disable Keepalive" + ssh_conf: + regexp: '[\s]*TCPKeepAlive' + values: "TCPKeepAlive no\n" + - name: "Enable the Ipv6" lineinfile: path: /etc/ssh/sshd_config @@ -140,6 +150,11 @@ regexp: '[\s]*ClientAliveCountMax' values: "ClientAliveCountMax 0\n" +- name: "Limit logins to members of {{ users['admin_user_name'] }} group" + ssh_conf: + regexp: '[\s]*AllowGroups' + values: "AllowGroups {{ users['admin_user_name'] }}\n" + - name: "Disable SSH Support for User Known Hosts" ssh_conf: regexp: '[\s]*IgnoreUserKnownHosts'
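Review bot: Lowering `ClientAliveInterval` to 300 in the first hunk shortens the idle timeout only if sshd still treats `ClientAliveCountMax 0` (context in the third hunk) as "disconnect when the first interval expires". OpenSSH 8.2 and later read a count of 0 as "never terminate the connection", so on those versions this pair enforces no timeout at all. Together with the `TCPKeepAlive no` added in the second hunk, sshd would then have no mechanism left for dropping dead connections. The sshd version this role targets is not visible here, so the assumption should be recorded above the task, for example `# idle timeout relies on ClientAliveCountMax 0 semantics of OpenSSH older than 8.2`.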
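Review bot: The `regexp` value in the new MaxSessions task opens with a single quote and closes with a double quote (`'[\s]*MaxSessions"`), so the scalar is not terminated on that line and the tasks file will not parse as written; it should read `regexp: '[\s]*MaxSessions'`. A parse failure stops the whole role, so none of the other hardening settings in this file would be applied until it is fixed. Separately, MaxSessions caps the sessions multiplexed over one network connection, not the number of logins, so a name such as `Limit sessions per connection to 2` would describe the control more accurately than "Limit interactive session count to 2".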
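Review bot: The new AllowGroups task passes `users['admin_user_name']`, a user name, as the group name, which works only if a group of that name exists and every account that must reach the host over SSH belongs to it. Nothing visible in this hunk checks either condition, and once AllowGroups is set sshd refuses logins from all other accounts, so a missing group or an overlooked automation account would cut off remote access. Consider a dedicated variable for the group, or at least a comment above the task such as `# relies on the per-user group of the admin account; members of all other groups are denied SSH login`. It is also worth confirming that the role validates the resulting file (for example with `sshd -t`) before the daemon is restarted; that step is not visible in this diff.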