From 3d701748e7758ca75862f7869812b94a04bab0cc Mon Sep 17 00:00:00 2001
From: draxaris1010
Date: Tue, 19 Nov 2024 17:22:51 +0100
Subject: [PATCH 1/2] whitelist DICT scanners

---
 roles/ssh-config/files/sshd_config | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/ssh-config/files/sshd_config b/roles/ssh-config/files/sshd_config
index 23f9b52f..554bc112 100644
--- a/roles/ssh-config/files/sshd_config
+++ b/roles/ssh-config/files/sshd_config
@@ -14,3 +14,6 @@ UsePAM no
 PrintMotd no
 AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server
+
+# whitelist DICT scanners https://helpdesk.ugent.be/security/vulnerability-scanning.php
+PerSourcePenaltyExemptList 172.18.1.0/26

From c24d90748639f1a7f72419eecbab7b2953bfb3bb Mon Sep 17 00:00:00 2001
From: draxaris1010
Date: Thu, 21 Nov 2024 14:07:55 +0100
Subject: [PATCH 2/2] avoid overwriting default config

---
 roles/ssh-config/files/sshd_config | 2 --
 roles/ssh-config/tasks/main.yml    | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/roles/ssh-config/files/sshd_config b/roles/ssh-config/files/sshd_config
index 554bc112..8dc7bff8 100644
--- a/roles/ssh-config/files/sshd_config
+++ b/roles/ssh-config/files/sshd_config
@@ -13,7 +13,5 @@ UsePAM no
 
 PrintMotd no
 AcceptEnv LANG LC_*
-Subsystem sftp /usr/lib/openssh/sftp-server
-
 # whitelist DICT scanners https://helpdesk.ugent.be/security/vulnerability-scanning.php
 PerSourcePenaltyExemptList 172.18.1.0/26
diff --git a/roles/ssh-config/tasks/main.yml b/roles/ssh-config/tasks/main.yml
index 2c1be649..a006140c 100644
--- a/roles/ssh-config/tasks/main.yml
+++ b/roles/ssh-config/tasks/main.yml
@@ -2,6 +2,6 @@
 - name: Copy ssh config
   copy:
     src: sshd_config
-    dest: /etc/ssh/sshd_config
+    dest: /etc/ssh/sshd_config.d/10-custom-defaults.conf
   notify:
     - restart sshd
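Review bot: The added `PerSourcePenaltyExemptList 172.18.1.0/26` line is only understood by OpenSSH 9.8 and later; an older sshd rejects it as a bad configuration option and refuses to start, and since this role restarts sshd on change that would lock out every host running an older release. The comment above it should record that constraint and the mechanism it exempts the range from, e.g. `# whitelist DICT scanners from PerSourcePenalties (requires OpenSSH >= 9.8) https://helpdesk.ugent.be/security/vulnerability-scanning.php`. It is also worth stating in the comment who owns the 172.18.1.0/26 range, because an exempt source is never penalised or throttled and the entry should be revisited if that range is ever reassigned.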
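Review bot: The copy task still has no `validate:`, so a fragment sshd cannot parse (for instance the new PerSourcePenaltyExemptList directive on a pre-9.8 daemon) is written to /etc/ssh/sshd_config.d/10-custom-defaults.conf and the `restart sshd` handler then brings the daemon down; adding `validate: /usr/sbin/sshd -t -f %s` under `copy:` makes the task fail before the handler is notified. The drop-in directory is also only read when the distribution's /etc/ssh/sshd_config carries an `Include /etc/ssh/sshd_config.d/*.conf` line; on a host without it every setting in the fragment (UsePAM no and the exemption list included) is silently ignored, so a preceding task that asserts the Include line exists, or a post-check of `sshd -T` output, would make that failure visible. The surrounding task list continues outside the hunk.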