diff --git a/test-playbooks/change_ssh_port.yml b/test-playbooks/change_ssh_port.yml
new file mode 100644
index 0000000..29e962b
--- /dev/null
+++ b/test-playbooks/change_ssh_port.yml
@@ -0,0 +1,66 @@
+---
+- name: Change SSH Port
+ hosts: all
+ become: true
+ vars:
+ new_ssh_port: 22233
+ old_ssh_port: 22
+
+ tasks:
+ # 1. Настройка SELinux (для CentOS/RHEL/Fedora)
+ - name: Check if SELinux is enabled
+ command: getenforce
+ register: selinux_status
+ changed_when: false
+ ignore_errors: true
+
+ - name: Allow SSH on new port via SELinux
+ community.general.seport:
+ ports: "{{ new_ssh_port }}"
+ proto: tcp
+ setype: ssh_port_t
+ state: present
+ when:
+ - selinux_status.stdout is defined
+ - selinux_status.stdout == "Enforcing"
+ ignore_errors: true
+ # Игнорируем ошибки, если semanage не установлен,
+ # но лучше установить policycoreutils-python-utils заранее.
+
+ # 2. Настройка Firewall (UFW для Ubuntu/Debian)
+ - name: Open new SSH port in UFW
+ community.general.ufw:
+ rule: allow
+ port: "{{ new_ssh_port }}"
+ proto: tcp
+ when: ansible_os_family == "Debian"
+
+ # 3. Настройка Firewall (Firewalld для CentOS/RHEL)
+ - name: Open new SSH port in Firewalld
+ ansible.posix.firewalld:
+ port: "{{ new_ssh_port }}/tcp"
+ permanent: yes
+ state: enabled
+ immediate: yes
+ when: ansible_os_family == "RedHat"
+
+ # 4. Изменение конфигурации SSHD
+ - name: Update SSH port in sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?Port\s+'
+ line: "Port {{ new_ssh_port }}"
+ state: present
+ validate: '/usr/sbin/sshd -t -f %s'
+ notify: Restart SSH
+
+ handlers:
+ - name: Restart SSH
+ service:
+ name: "{{ item }}"
+ state: restarted
+ loop:
+ - ssh
+ - sshd
+ ignore_errors: true
+ # Используем loop, так как в Ubuntu служба называется 'ssh', а в CentOS 'sshd'
\ No newline at end of file
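Review bot: The `ignore_errors: true` on the `community.general.seport` task, combined with `ignore_errors: true` on the `Restart SSH` handler, can lock the operator out of every host in `hosts: all`: on an Enforcing host where `semanage` is missing, the port label is never added, `sshd -t` still passes (it validates syntax, not SELinux), sshd is restarted, fails to bind the new port, and the play reports success. Drop `ignore_errors` on the seport task (install `policycoreutils-python-utils` beforehand, as the comment already suggests) and confirm the new port is actually listening before the play ends, as sketched below. The vars block defines `old_ssh_port` but nothing uses it, so port 22 stays open in UFW and in firewalld (whose default `ssh` service is never disabled) after the change; the fence closes it only after the new port is verified, and deleting the UFW rule assumes it was originally added as `allow 22/tcp` — otherwise insert a `deny` rule ahead of it. The handler should also choose the unit name from `ansible_os_family` instead of looping over `ssh` and `sshd` with errors ignored, so a genuinely failed restart is reported, and `permanent: yes` / `immediate: yes` in the firewalld task should be `true` per YAML 1.2 and ansible-lint. Separately, on Debian-family releases where `ssh` is socket-activated, the `Port` line in sshd_config is reportedly not honoured and `ssh.socket` must be changed instead — worth a guard or at least a comment on the lineinfile task.

```yaml
# … unchanged: SELinux, firewall-open and sshd_config tasks above …
- name: Apply the sshd restart now so the new port can be verified
  ansible.builtin.meta: flush_handlers

- name: Verify sshd is listening on the new port before the old one is closed
  ansible.builtin.wait_for:
    port: "{{ new_ssh_port }}"
    host: 127.0.0.1
    timeout: 30

- name: Remove the old SSH allow rule from UFW
  community.general.ufw:
    rule: allow
    port: "{{ old_ssh_port }}"
    proto: tcp
    delete: true
  when: ansible_os_family == "Debian"

- name: Disable the default ssh service (port 22) in firewalld
  ansible.posix.firewalld:
    service: ssh
    permanent: true
    immediate: true
    state: disabled
  when: ansible_os_family == "RedHat"

handlers:
  - name: Restart SSH
    ansible.builtin.service:
      name: "{{ 'ssh' if ansible_os_family == 'Debian' else 'sshd' }}"
      state: restarted
```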