Configure fail2ban

Wojciech Kozlowski 2022-08-30 16:46:44 +02:00
parent 86170d0393
commit e0c008be2c
4 changed files with 75 additions and 0 deletions


@ -145,6 +145,42 @@
mail_postfix_conf is changed or
mail_postfix_credentials is changed
# ----------------------------------------------------------------------------------------------
# Fail2Ban configuration.
# ----------------------------------------------------------------------------------------------
- name: Install fail2ban
apt:
name: fail2ban
- name: Configure fail2ban
template:
src: ./root/etc/fail2ban/jail.local.j2
dest: /etc/fail2ban/jail.local
mode: 0644
register: fail2ban_conf
- name: Configure fail2ban sshd jail
template:
src: ./root/etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local
mode: 0644
register: fail2ban_sshd_jail
- name: Enable/start fail2ban
service:
name: fail2ban
state: started
enabled: yes
- name: Restart fail2ban
service:
name: fail2ban
state: restarted
when:
fail2ban_conf is changed or
fail2ban_sshd_jail is changed
# ----------------------------------------------------------------------------------------------
# SystemD mails.
# ----------------------------------------------------------------------------------------------
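Review bot: The two template tasks write `mode: 0644` as a bare leading-zero literal; Ansible's own guidance is to quote octal modes, `mode: "0644"`, because the bare form only works by way of YAML 1.1 octal parsing and is documented to misbehave in loops and other contexts, and `enabled: yes` reads better as the canonical `enabled: true`. A practitioner caveat on the new sshd jail: it inherits the packaged `backend`/`logpath` defaults, which on Debian-family builds point at `/var/log/auth.log`, so a host without rsyslog will fail the "Enable/start fail2ban" task with a "Have not found any log file for sshd jail" error; if that applies here, `backend = systemd` in jail.local (with `python3-systemd` installed) avoids it. I cannot tell from this diff which distribution or fail2ban version is targeted, so treat that as something to confirm on the first run.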


@ -0,0 +1,5 @@
[sshd]
enabled = true
port = {{ ansible_port }}
findtime = 1d
bantime = 2w
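Review bot: `port = {{ ansible_port }}` only renders when the inventory sets `ansible_port` explicitly; for hosts that rely on the default connection port the variable is undefined and the template task fails, so write `port = {{ ansible_port | default(22) }}` and keep the jail in step with the sshd config that the rest of the playbook presumably manages. While here, if the packaged fail2ban is 0.10 or newer, `mode = aggressive` in this section makes the filter count pre-auth disconnects and "Connection closed" events toward `maxretry`, which is what most scanners trigger; the default `maxretry` of 5 is otherwise left untouched here.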


@ -0,0 +1,32 @@
[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 {{ subnet_address }}/{{ subnet_masklen }}
# "bantime" is the number of seconds that a host is banned.
bantime = 1d
# Destination email address used solely for the interpolations in jail.{conf,local,d/*}
# configuration files.
destemail = root
# Sender email address used solely for some actions
sender = fail2ban
# Specify chain where jumps would need to be added in ban-actions expecting parameter chain. Chain
# variable needs to be overridden in jail.local, as the uppercase `chain = INPUT` declaration in
# jail.conf shadows proper lowercase declaration in nftables-common.conf.
chain = input
# Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) It is
# used to define action_* variables. Can be overridden globally or per section within jail.local
# file. Use nftables instead of iptables.
banaction = nftables[type=multiport]
banaction_allports = nftables[type=allports]
# Choose default action. To change, just override value of 'action' with the interpolation to the
# chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local globally (section
# [DEFAULT]) or per specific section.
action = %(action_mw)s
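Review bot: `ignoreip` exempts the whole `{{ subnet_address }}/{{ subnet_masklen }}` network from every jail, so a compromised host on that LAN can brute-force sshd without ever being banned — if that is deliberate, say so in the comment above it, and if only the Ansible controller needs the exemption, list its address instead. The same line also renders a bogus entry when the two variables are left blank as the vars file declares them (as far as I can tell it becomes `ignoreip = 127.0.0.1/8 ::1 None/None`), so guard it: `ignoreip = 127.0.0.1/8 ::1{% if subnet_address %} {{ subnet_address }}/{{ subnet_masklen }}{% endif %}`. Separately, `action = %(action_mw)s` runs `whois` on each banned address and mails the report; the install task in this commit adds only the fail2ban package, so unless `whois` is pulled in elsewhere the nftables ban still lands but the mail action logs an error on every ban and no notification arrives.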


@ -8,6 +8,8 @@ ssh_user:
# Machine variables
hostname:
domain:
subnet_address:
subnet_masklen:
# Postfix variables
postfix_smtp_server:
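Review bot: The two new keys carry no hint of their format or purpose; their only consumer in this commit is fail2ban's `ignoreip`, where they are rendered as `{{ subnet_address }}/{{ subnet_masklen }}`, so a wrong shape here silently weakens or breaks the ban list. A comment such as `# Network exempted from fail2ban bans, as address and prefix length, e.g. 192.168.1.0 and 24` above `subnet_address:` would save the next operator a grep. The vars file continues outside the hunk.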