imfreedom/email-ansible

Enable fail2ban
draft
2020-10-09, Richard Laager
50c119032b12
Enable fail2ban
- name: set password hashing rounds
replace:
path: /etc/pam.d/common-password
regexp: (pam_unix.so .*sha512)( rounds=[0-9]+)?
replace: '\1 rounds={{ common_sha512_crypt_rounds }}'
tags:
- pam
- name: set root password
user:
name: root
password: "{{ common_root_password_hash }}"
tags:
- user
- name: set root's .ssh/authorized_keys
authorized_key:
user: root
path: "/root/.ssh/authorized_keys"
key: "{{ common_root_ssh_keys }}"
exclusive: yes
tags:
- ssh
- ssh_key
- name: install ufw.conf
copy:
src: ufw.conf
dest: /etc/fail2ban/action.d/
notify:
- restart fail2ban
tags:
- fail2ban
- name: install fail2ban jail defaults
template:
src: defaults.conf.j2
dest: /etc/fail2ban/jail.d/defaults.conf
mode: 0644
notify:
- restart fail2ban
tags:
- fail2ban
- name: install fail2ban ssh jail
copy:
src: sshd.conf
dest: /etc/fail2ban/jail.d/
notify:
- restart fail2ban
tags:
- fail2ban
- name: enable fail2ban service
systemd:
name: fail2ban
enabled: yes
notify:
- restart fail2ban
tags:
- fail2ban
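Review bot: The `enable fail2ban service` task at the end of this section sets only `enabled: yes`, so the play never asserts that fail2ban is running. The `restart fail2ban` handler fires only when a task reports a change, so a host where the unit is already enabled but stopped would converge with no banning in place; adding `state: started` under `systemd:` closes that gap. The two `copy` tasks (`ufw.conf`, `sshd.conf`) leave ownership and permissions to defaults, and the template task sets `mode: 0644` unquoted. Giving all three `owner: root`, `group: root` and `mode: '0644'` ensures the ban configuration is writable only by root and avoids the octal-literal ambiguity. The page has lost its diff markers and indentation, so which tasks are new is inferred from the commit title.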