Configure fail2ban

machine.yml

@@ -145,6 +145,42 @@
         mail_postfix_conf is changed or
         mail_postfix_credentials is changed
 
+    # ----------------------------------------------------------------------------------------------
+    # Fail2Ban configuration.
+    # ----------------------------------------------------------------------------------------------
+
+    - name: Install fail2ban
+      apt:
+        name: fail2ban
+
+    - name: Configure fail2ban
+      template:
+        src: ./root/etc/fail2ban/jail.local.j2
+        dest: /etc/fail2ban/jail.local
+        mode: 0644
+      register: fail2ban_conf
+
+    - name: Configure fail2ban sshd jail
+      template:
+        src: ./root/etc/fail2ban/jail.d/sshd.local.j2
+        dest: /etc/fail2ban/jail.d/sshd.local
+        mode: 0644
+      register: fail2ban_sshd_jail
+
+    - name: Enable/start fail2ban
+      service:
+        name: fail2ban
+        state: started
+        enabled: yes
+
+    - name: Restart fail2ban
+      service:
+        name: fail2ban
+        state: restarted
+      when:
+        fail2ban_conf is changed or
+        fail2ban_sshd_jail is changed
+
     # ----------------------------------------------------------------------------------------------
     # SystemD mails.
     # ----------------------------------------------------------------------------------------------

root/etc/fail2ban/jail.d/sshd.local.j2

@@ -0,0 +1,5 @@
+[sshd]
+enabled = true
+port = {{ ansible_port }}
+findtime  = 1d
+bantime   = 2w

root/etc/fail2ban/jail.local.j2

@@ -0,0 +1,32 @@
+[DEFAULT]
+
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator.
+ignoreip = 127.0.0.1/8 ::1 {{ subnet_address }}/{{ subnet_masklen }}
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 1d
+
+# Destination email address used solely for the interpolations in jail.{conf,local,d/*}
+# configuration files.
+destemail = root
+
+# Sender email address used solely for some actions
+sender = fail2ban
+
+# Specify chain where jumps would need to be added in ban-actions expecting parameter chain. Chain
+# variable needs to be overridden in jail.local, as the uppercase `chain = INPUT` declaration in
+# jail.conf shadows proper lowercase declaration in nftables-common.conf.
+chain = input
+
+# Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) It is
+# used to define action_* variables. Can be overridden globally or per section within jail.local
+# file. Use nftables instead of iptables.
+banaction = nftables[type=multiport]
+banaction_allports = nftables[type=allports]
+
+# Choose default action. To change, just override value of 'action' with the interpolation to the
+# chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local globally (section
+# [DEFAULT]) or per specific section.
+action = %(action_mw)s

secrets.def.yml

@@ -8,6 +8,8 @@ ssh_user:
 # Machine variables
 hostname:
 domain:
+subnet_address:
+subnet_masklen:
 
 # Postfix variables
 postfix_smtp_server: