From d064109fd1fcea036661c8d8ebf7ed39466638f1 Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Thu, 16 Mar 2023 00:44:28 +0100 Subject: [PATCH] Added SSH hardening example --- examples/cloud-init/base.yaml | 4 ++++ examples/cloud-init/boinc-client.yum.yaml | 6 +++-- examples/cloud-init/docker.yum.yaml | 3 +++ examples/cloud-init/sshd.hardening.yaml | 28 +++++++++++++++++++++++ 4 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 examples/cloud-init/sshd.hardening.yaml diff --git a/examples/cloud-init/base.yaml b/examples/cloud-init/base.yaml index 6a5e257..2d11bcd 100644 --- a/examples/cloud-init/base.yaml +++ b/examples/cloud-init/base.yaml @@ -1,5 +1,9 @@ #cloud-config +# Tested on: +# - RHEL 8.6 +# - Oracle Linux 8.6 + # Upgrade the instance. # Deactivated, as this could take a long time if the image is old. # diff --git a/examples/cloud-init/boinc-client.yum.yaml b/examples/cloud-init/boinc-client.yum.yaml index 7787713..09dbc52 100644 --- a/examples/cloud-init/boinc-client.yum.yaml +++ b/examples/cloud-init/boinc-client.yum.yaml @@ -1,5 +1,8 @@ #cloud-config +# Tested on: +# - Oracle Linux 8.6 + yum_repos: epel: name: Extra Packages for Enterprise Linux 8 - $basearch @@ -12,8 +15,7 @@ packages: - boinc-tui bootcmd: - # `cloud-init` has issues with `firewall-cmd`. - # Using the offline version. + # `cloud-init` has issues with `firewall-cmd`, using the offline version. - firewall-offline-cmd --add-port='31416/tcp' --zone='public' runcmd: diff --git a/examples/cloud-init/docker.yum.yaml b/examples/cloud-init/docker.yum.yaml index 3a363b2..4ca74e1 100644 --- a/examples/cloud-init/docker.yum.yaml +++ b/examples/cloud-init/docker.yum.yaml @@ -1,5 +1,8 @@ #cloud-config +# Tested on: +# - RHEL 8.6 +# # Sources: # - https://github.com/trajano/terraform-docker-swarm-aws/blob/master/common.cloud-config diff --git a/examples/cloud-init/sshd.hardening.yaml b/examples/cloud-init/sshd.hardening.yaml new file mode 100644 index 0000000..e0c9639 
--- /dev/null
+++ b/examples/cloud-init/sshd.hardening.yaml
@@ -0,0 +1,28 @@
+#cloud-config
+
+# Use port 2222 instead of the default 22. Also, close port 22 behind.
+# Do not allow the 'root' user to login from SSH.
+#
+# Tested on:
+# - Oracle Linux 8.6
+ # On cloud instances, remember to open the port in the NSG.
+ bootcmd:
+ # `cloud-init` has issues with `firewall-cmd`, using the offline version.
+ - firewall-offline-cmd --add-port='2222/tcp' --zone='public'
+ - firewall-offline-cmd --remove-service='ssh' --zone='public'
+ runcmd:
+ # Allow the new port in SELinux.
+ - semanage port -a -t ssh_port_t -p tcp '2222'
+ # Change the port from the default to 2222.
+ - sed -Ei 's|^\#*\s*(Port)\s+[0-9]+\s*$|\1 2222|' '/etc/ssh/sshd_config'
+ # Do not permit 'root' login
+ - sed -Ei 's|^\#*\s*(PermitRootLogin)\s+[Yy][Ee][Ss]\s*$|\1 no|' '/etc/ssh/sshd_config'
+ # Apply the changes.
+ - systemctl reload 'firewalld.service'
+ - systemctl restart 'sshd.service'
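Review bot: The two `sed -Ei` substitutions under `runcmd` only rewrite a line that already matches, so on an image whose `sshd_config` has no `Port` line, or ships `PermitRootLogin prohibit-password`/`without-password` instead of `yes`, they are silent no-ops — and since `bootcmd` has already removed the `ssh` firewall service, sshd stays on 22 behind a closed port and the instance is locked out. sshd takes the first value it reads for a keyword and `Port` is not permitted inside a `Match` block, so deleting any existing `Port`/`PermitRootLogin` lines and prepending the wanted ones is more robust than pattern-matching the image's defaults. cloud-init writes `runcmd` entries into one plain shell script and, as far as I can tell, does not stop at the first failing command, so the restart should be gated within the same entry, `- sshd -t && systemctl restart 'sshd.service'`, rather than restarting unconditionally into a possibly broken config. It is also worth a comment that `semanage port -a` fails when `2222` is already mapped (a re-run) and that `semanage` itself is not present on every RHEL-family cloud image.
```yaml
runcmd:
  # … unchanged: semanage port …

  # Drop any existing Port/PermitRootLogin directive (commented or not) and
  # prepend the wanted values: sshd uses the first value it reads, and Port
  # is not allowed inside a Match block, so prepending is safe on any image.
  - sed -Ei '/^#?\s*(Port|PermitRootLogin)\s/d' '/etc/ssh/sshd_config'
  - sed -i '1i PermitRootLogin no' '/etc/ssh/sshd_config'
  - sed -i '1i Port 2222' '/etc/ssh/sshd_config'

  # Apply the changes, but never restart into a broken config: port 22 is
  # already closed, so a failed sshd start would lock the instance out.
  - systemctl reload 'firewalld.service'
  - sshd -t && systemctl restart 'sshd.service'
```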