
Enable fail2ban
draft
2020-10-09, Richard Laager
50c119032b12
Parents c9e735edc0de
Children aaf3100d3f19
Enable fail2ban
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/common/files/sshd.conf Fri Oct 09 04:32:07 2020 -0500
@@ -0,0 +1,3 @@
+[sshd]
+enabled = true
+action = ufw
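Review bot: `action = ufw` binds this jail to the locally installed action.d/ufw.conf, whose own header says it has no effect until `ufw enable` has been run, but the jail file records neither that dependency nor that the action is a modified copy rather than the stock one. A comment above `[sshd]` such as `# bans are applied as ufw rules via the role's action.d/ufw.conf; requires ufw to be enabled on the host` would let a reader find the prerequisite without opening the action file. If the distribution's fail2ban package ships its own action.d/ufw.conf, the comment could also note that the role's copy replaces it.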
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/common/files/ufw.conf Fri Oct 09 04:32:07 2020 -0500
@@ -0,0 +1,50 @@
+# Fail2Ban action configuration file for ufw
+#
+# You are required to run "ufw enable" before this will have any effect.
+#
+# The insert position should be appropriate to block the required traffic.
+# A number after an allow rule to the application won't be of much use.
+
+[Definition]
+
+actionstart =
+
+actionstop =
+
+actioncheck =
+
+# `ss -K` kills any (TCP) sockets in progress. This makes the ban take
+# effect immediately, rather than only for new connections. See:
+# https://github.com/fail2ban/fail2ban/pull/2578
+#
+# `conntrack -D` kills any connection tracking state. With the TCP sockets
+# already killed, the practical effect of this is to break UDP "connections".
+actionban = [ -n "<application>" ] && app="app <application>"
+ ufw prepend <blocktype> from <ip> to <destination> $app
+ ss -K dst <ip>
+ conntrack -D -s <ip> || true
+
+actionunban = [ -n "<application>" ] && app="app <application>"
+ ufw delete <blocktype> from <ip> to <destination> $app
+
+[Init]
+# Option: insertpos
+# Notes.: The position number in the firewall list to insert the block rule
+insertpos = 1
+
+# Option: blocktype
+# Notes.: reject or deny
+blocktype = reject
+
+# Option: destination
+# Notes.: The destination address to block in the ufw rule
+destination = any
+
+# Option: application
+# Notes.: application from sudo ufw app list
+application =
+
+# DEV NOTES:
+#
+# Author: Guilhem Lettron
+# Enhancements: Daniel Black
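Review bot: `insertpos = 1` in `[Init]` is never referenced — `actionban` uses `ufw prepend` rather than `ufw insert <insertpos>`, so changing the option has no effect; either drop the option together with its comment, or change the rule to `ufw insert <insertpos> <blocktype> from <ip> to <destination> $app`. The two follow-up commands are best-effort in a way the comment does not say: `conntrack -D -s <ip> || true` masks a missing conntrack binary entirely, and `ss -K` prints an error but presumably does not fail the action on kernels without socket-destroy support because the script's exit status comes from the final `|| true`; a line such as `# ss -K and conntrack -D are best-effort: the ufw rule is already in place if they fail` would make that explicit. Since the file is installed as action.d/ufw.conf it likely replaces the packaged action of the same name, so a note in the header that this is a local replacement would help whoever next diffs it against upstream.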
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/common/handlers/main.yaml Fri Oct 09 04:32:07 2020 -0500
@@ -0,0 +1,4 @@
+- name: restart fail2ban
+ systemd:
+ name: fail2ban
+ state: restarted
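Review bot: `state: restarted` stops the daemon and every jail for each configuration change, and on fail2ban builds without a persistent ban database that also drops the active bans for the duration. fail2ban's unit presumably offers `systemctl reload` (fail2ban-client reload), which re-reads jail.d/ and action.d/ without the gap, so `state: reloaded` would apply the new sshd.conf and ufw.conf while keeping existing bans; worth confirming that the installed version reloads changed action definitions before switching.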
--- a/roles/common/tasks/common.yaml Fri Oct 09 01:08:35 2020 -0500
+++ b/roles/common/tasks/common.yaml Fri Oct 09 04:32:07 2020 -0500
@@ -22,3 +22,40 @@
tags:
- ssh
- ssh_key
+
+- name: install ufw.conf
+ copy:
+ src: ufw.conf
+ dest: /etc/fail2ban/action.d/
+ notify:
+ - restart fail2ban
+ tags:
+ - fail2ban
+
+- name: install fail2ban jail defaults
+ template:
+ src: defaults.conf.j2
+ dest: /etc/fail2ban/jail.d/defaults.conf
+ mode: 0644
+ notify:
+ - restart fail2ban
+ tags:
+ - fail2ban
+
+- name: install fail2ban ssh jail
+ copy:
+ src: sshd.conf
+ dest: /etc/fail2ban/jail.d/
+ notify:
+ - restart fail2ban
+ tags:
+ - fail2ban
+
+- name: enable fail2ban service
+ systemd:
+ name: fail2ban
+ enabled: yes
+ notify:
+ - restart fail2ban
+ tags:
+ - fail2ban
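Review bot: the `enable fail2ban service` task only sets `enabled: yes`; it does not start the daemon, so on a host where the unit is already enabled but stopped nothing in this file brings it up, and the restart handler fires only when one of the tasks changed something. Adding `state: started` beside `enabled: yes` makes the task ensure the service is actually running on every run. The two `copy` tasks also omit `mode` while the template task sets `mode: 0644`; giving ufw.conf and sshd.conf the same explicit mode keeps the three installs consistent instead of inheriting the controller's file mode. Note as well that `dest: /etc/fail2ban/action.d/` overwrites the packaged ufw.conf if the distribution ships one, which can trigger a conffile prompt on the next package upgrade.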
--- a/roles/common/tasks/main.yaml Fri Oct 09 01:08:35 2020 -0500
+++ b/roles/common/tasks/main.yaml Fri Oct 09 04:32:07 2020 -0500
@@ -1,3 +1,12 @@
+- include_tasks: software.yaml
+ args:
+ apply:
+ tags:
+ - apt
+ - common
+ tags:
+ - always
+
- include_tasks: common.yaml
args:
apply:
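Review bot: the order of the two includes is load-bearing but undocumented: common.yaml writes into /etc/fail2ban/action.d/ and jail.d/, which presumably exist only once software.yaml has installed the fail2ban package. A comment above the new include, `# software.yaml must run first: later task files write into /etc/fail2ban, which the package creates`, would keep a future reordering from breaking the run. The `always` tag on the include combined with `apply` tags is the right pattern here; the comment is the only addition suggested.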
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/common/tasks/software.yaml Fri Oct 09 04:32:07 2020 -0500
@@ -0,0 +1,9 @@
+- name: install software
+ apt:
+ name: "{{ common_packages }}"
+ state: present
+ cache_valid_time: 3600
+ force_apt_get: yes
+ vars:
+ common_packages:
+ - fail2ban
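Review bot: `common_packages` lists only fail2ban, but the ufw action added in this commit calls `ufw`, `ss -K` and `conntrack`; unless another role installs them, `conntrack` is never pulled in and its absence is masked by the action's `|| true`, so bans silently lose the connection-tracking cleanup. Adding `- conntrack` (and `- ufw` if ufw is not provisioned elsewhere) to the list makes the dependency explicit; `ss` comes from iproute2, which is normally present on a base install.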
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/common/templates/defaults.conf.j2 Fri Oct 09 04:32:07 2020 -0500
@@ -0,0 +1,5 @@
+[DEFAULT]
+ignoreip = 127.0.0.0/8 ::1/128
+{%- for network in firewall_ssh_exempt_networks %}
+ {{ network }}
+{%- endfor %}
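Review bot: this `ignoreip` lives in `[DEFAULT]`, so every network in `firewall_ssh_exempt_networks` is exempt from all jails, not only sshd as the variable name suggests; a comment such as `# [DEFAULT] applies to every jail: these networks are never banned by any jail, not just sshd` would make that scope clear, and if the exemption is meant to be ssh-only it belongs under `[sshd]` in sshd.conf instead. The rendering also relies on Ansible's default `trim_blocks`: with it the `{%-` tags join each network onto the `ignoreip` line space-separated, whereas without it they would render as indented continuation lines, so a comment stating that the loop is meant to produce a single space-separated line would protect the template if those settings are ever changed. As written the file is rendered without a trailing newline after the last network, and templating fails outright if `firewall_ssh_exempt_networks` is undefined; `{%- for network in firewall_ssh_exempt_networks | default([]) %}` would make the variable optional.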