Merge pull request dev-sec#34 from hardening-io/separate_ssh_ports
Separate ssh client and server ports. Fix dev-sec#33
chris-rock committed Aug 9, 2015
2 parents 1f36e9a + 11155f7 commit 0eaeb59
Showing 3 changed files with 7 additions and 4 deletions.
7 changes: 5 additions & 2 deletions roles/ansible-ssh-hardening/defaults/main.yml
Expand Up @@ -20,8 +20,11 @@ ssh_server_weak_kex: false # sshd
# If true, password login is allowed. For sshd, it is always set to no password login.
ssh_client_password_login: false # ssh

# ports to which ssh-server should listen to and ssh-client should connect to
ssh_ports: ['22'] # sshd + ssh
# ports to which ssh-server should listen to
ssh_server_ports: ['22'] # sshd

# ports to which ssh-client should connect to
ssh_client_ports: ['22'] # ssh

# one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
ssh_listen_to: ['0.0.0.0'] # sshd
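
Review bot: dropping `ssh_ports` at the top of this hunk is a silent breaking change for anyone who already overrides it in inventory or group_vars. After this commit their value is ignored and both `ssh_server_ports` and `ssh_client_ports` fall back to `['22']`, so a host that was deliberately moved off port 22 would be rendered back onto it on the next run. Consider keeping the old name as a fallback, for example `ssh_server_ports: "{{ ssh_ports | default(['22']) }}"` and the same for `ssh_client_ports`, or at least documenting the rename; the commit touches only this defaults file and the two templates, so no README or changelog entry accompanies it. Minor style point: the new comments would read better as "ports on which ssh-server should listen" and "ports to which ssh-client should connect".
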
2 changes: 1 addition & 1 deletion roles/ansible-ssh-hardening/templates/openssh.conf.j2
Expand Up @@ -16,7 +16,7 @@ Host {{host}}
{% endfor %}

# The port at the destination should be defined
{% for port in ssh_ports -%}
{% for port in ssh_client_ports -%}
Port {{port}}
{% endfor %}

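Review bot: the `{% for port in ssh_client_ports -%}` loop emits one `Port` line per list entry, but ssh_config takes the first value it obtains for each parameter, so inside a `Host` block only the first entry ever takes effect and any further entries are dead configuration. Now that the client setting has its own variable, a list is misleading here: either make it a scalar (a hypothetical `ssh_client_port`), render only `ssh_client_ports[0]`, or state in the defaults comment that only the first port is used by the client.
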
2 changes: 1 addition & 1 deletion roles/ansible-ssh-hardening/templates/opensshd.conf.j2
Expand Up @@ -12,7 +12,7 @@
PermitRootLogin {{ 'without-password' if ssh_allow_root_with_key else 'no' }}

# Define which port sshd should listen to. Default to `22`.
{% for port in ssh_ports -%}
{% for port in ssh_server_ports -%}
Port {{port}}
{% endfor %}

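Review bot: the loop over `ssh_server_ports` renders whatever the list contains without any check, so an empty list produces no `Port` directive at all and sshd silently falls back to its built-in default of 22, which is the opposite of what an operator who cleared or mistyped the list intended. Consider validating that the list is non-empty before the template is rendered, and update the comment above the loop to name `ssh_server_ports` and to say that each entry becomes its own `Port` line, since "Default to `22`" no longer tells the reader which variable controls it.
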