66 lines
1.9 KiB
YAML
66 lines
1.9 KiB
YAML
---
|
||
- name: Change SSH Port
|
||
hosts: all
|
||
become: true
|
||
vars:
|
||
new_ssh_port: 22233
|
||
old_ssh_port: 22
|
||
|
||
tasks:
|
||
# 1. Настройка SELinux (для CentOS/RHEL/Fedora)
|
||
- name: Check if SELinux is enabled
|
||
command: getenforce
|
||
register: selinux_status
|
||
changed_when: false
|
||
ignore_errors: true
|
||
|
||
- name: Allow SSH on new port via SELinux
|
||
community.general.seport:
|
||
ports: "{{ new_ssh_port }}"
|
||
proto: tcp
|
||
setype: ssh_port_t
|
||
state: present
|
||
when:
|
||
- selinux_status.stdout is defined
|
||
- selinux_status.stdout == "Enforcing"
|
||
ignore_errors: true
|
||
# Игнорируем ошибки, если semanage не установлен,
|
||
# но лучше установить policycoreutils-python-utils заранее.
|
||
|
||
# 2. Настройка Firewall (UFW для Ubuntu/Debian)
|
||
- name: Open new SSH port in UFW
|
||
community.general.ufw:
|
||
rule: allow
|
||
port: "{{ new_ssh_port }}"
|
||
proto: tcp
|
||
when: ansible_os_family == "Debian"
|
||
|
||
# 3. Настройка Firewall (Firewalld для CentOS/RHEL)
|
||
- name: Open new SSH port in Firewalld
|
||
ansible.posix.firewalld:
|
||
port: "{{ new_ssh_port }}/tcp"
|
||
permanent: yes
|
||
state: enabled
|
||
immediate: yes
|
||
when: ansible_os_family == "RedHat"
|
||
|
||
# 4. Изменение конфигурации SSHD
|
||
- name: Update SSH port in sshd_config
|
||
lineinfile:
|
||
path: /etc/ssh/sshd_config
|
||
regexp: '^#?Port\s+'
|
||
line: "Port {{ new_ssh_port }}"
|
||
state: present
|
||
validate: '/usr/sbin/sshd -t -f %s'
|
||
notify: Restart SSH
|
||
|
||
handlers:
|
||
- name: Restart SSH
|
||
service:
|
||
name: "{{ item }}"
|
||
state: restarted
|
||
loop:
|
||
- ssh
|
||
- sshd
|
||
ignore_errors: true
|
||
# Используем loop, так как в Ubuntu служба называется 'ssh', а в CentOS 'sshd' |