diff --git a/machine.yml b/machine.yml
index 66da015..c3403ec 100644
--- a/machine.yml
+++ b/machine.yml
@@ -145,6 +145,42 @@
 mail_postfix_conf is changed or
 mail_postfix_credentials is changed
 
+ # ----------------------------------------------------------------------------------------------
+ # Fail2Ban configuration.
+ # ----------------------------------------------------------------------------------------------
+
+ - name: Install fail2ban
+ apt:
+ name: fail2ban
+
+ - name: Configure fail2ban
+ template:
+ src: ./root/etc/fail2ban/jail.local.j2
+ dest: /etc/fail2ban/jail.local
+ mode: 0644
+ register: fail2ban_conf
+
+ - name: Configure fail2ban sshd jail
+ template:
+ src: ./root/etc/fail2ban/jail.d/sshd.local.j2
+ dest: /etc/fail2ban/jail.d/sshd.local
+ mode: 0644
+ register: fail2ban_sshd_jail
+
+ - name: Enable/start fail2ban
+ service:
+ name: fail2ban
+ state: started
+ enabled: yes
+
+ - name: Restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
+ when:
+ fail2ban_conf is changed or
+ fail2ban_sshd_jail is changed
+
 # ----------------------------------------------------------------------------------------------
 # SystemD mails.
 # ----------------------------------------------------------------------------------------------
diff --git a/root/etc/fail2ban/jail.d/sshd.local.j2 b/root/etc/fail2ban/jail.d/sshd.local.j2
new file mode 100644
index 0000000..9699bb8
--- /dev/null
+++ b/root/etc/fail2ban/jail.d/sshd.local.j2
@@ -0,0 +1,5 @@
+[sshd]
+enabled = true
+port = {{ ansible_port }}
+findtime = 1d
+bantime = 2w
diff --git a/root/etc/fail2ban/jail.local.j2 b/root/etc/fail2ban/jail.local.j2
new file mode 100644
index 0000000..1d19fa3
--- /dev/null
+++ b/root/etc/fail2ban/jail.local.j2
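Review bot: `mode: 0644` in both "Configure fail2ban" template tasks is an unquoted leading-zero literal, which a YAML 1.1 loader turns into the integer 420 before Ansible sees it; Ansible copes with the leading-zero form, but the robust spelling that ansible-lint's risky-octal rule asks for is the quoted string `mode: "0644"`. Likewise `enabled: yes` in the "Enable/start fail2ban" task is a YAML 1.1 truthy spelling; `enabled: true` is the canonical boolean and is what yamllint's truthy rule expects. The separate "Restart fail2ban" task keyed on the two registered results mirrors the Postfix tasks just above the hunk, so leaving it inline rather than as a handler is consistent with the file's style.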
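Review bot: `port = {{ ansible_port }}` makes the "Configure fail2ban sshd jail" task fail with an undefined-variable error on any host whose inventory does not set `ansible_port`, which is the usual situation when SSH listens on the default port. `port = {{ ansible_port | default(22) }}` keeps the template usable there while still honouring a non-default port when one is declared. Worth a one-line comment above it saying the jail follows the inventory's SSH port rather than the sshd configuration, so the two do not drift apart unnoticed.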
@@ -0,0 +1,32 @@
+[DEFAULT]
+
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator.
+ignoreip = 127.0.0.1/8 ::1 {{ subnet_address }}/{{ subnet_masklen }}
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 1d
+
+# Destination email address used solely for the interpolations in jail.{conf,local,d/*}
+# configuration files.
+destemail = root
+
+# Sender email address used solely for some actions
+sender = fail2ban
+
+# Specify chain where jumps would need to be added in ban-actions expecting parameter chain. Chain
+# variable needs to be overridden in jail.local, as the uppercase `chain = INPUT` declaration in
+# jail.conf shadows proper lowercase declaration in nftables-common.conf.
+chain = input
+
+# Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) It is
+# used to define action_* variables. Can be overridden globally or per section within jail.local
+# file. Use nftables instead of iptables.
+banaction = nftables[type=multiport]
+banaction_allports = nftables[type=allports]
+
+# Choose default action. To change, just override value of 'action' with the interpolation to the
+# chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local globally (section
+# [DEFAULT]) or per specific section.
+action = %(action_mw)s
diff --git a/secrets.def.yml b/secrets.def.yml
index ebf97b2..619b4e8 100644
--- a/secrets.def.yml
+++ b/secrets.def.yml
@@ -8,6 +8,8 @@ ssh_user:
 # Machine variables
 hostname:
 domain:
+subnet_address:
+subnet_masklen:
 
 # Postfix variables
 postfix_smtp_server:
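Review bot: The `ignoreip` line interpolates `subnet_address` and `subnet_masklen` unconditionally, and this same commit adds them to `secrets.def.yml` as bare keys, so a deployment that has not filled them in either fails the template task on an undefined variable or, if they are left null, likely renders an entry fail2ban cannot parse as an address. Guarding the entry, `ignoreip = 127.0.0.1/8 ::1{% if subnet_address | default('') %} {{ subnet_address }}/{{ subnet_masklen }}{% endif %}`, keeps the loopback whitelist valid on its own. A short comment should also state that every host in that range is exempt from all jails, so the prefix length must cover only the hosts the operator trusts, not a provider-wide segment. The comment kept above `bantime` still says "number of seconds" while the value is `1d`; reword it to mention the duration suffix form so the two agree.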
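Review bot: The two new keys carry no hint of the format they expect, yet `jail.local.j2` concatenates them as `{{ subnet_address }}/{{ subnet_masklen }}`, so `subnet_masklen` has to be a CIDR prefix length rather than a dotted-quad mask. A comment above them such as `# Trusted local subnet exempted from fail2ban bans: network address and CIDR prefix length (e.g. 24)` would stop the file being filled in wrongly. Leaving the values bare matches the surrounding keys' convention, so that part needs no change.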