From 09110e73dfe65c4c687435058efeb8c7b7b375b8 Mon Sep 17 00:00:00 2001
From: Kevin Heyer
Date: Sat, 14 Jun 2025 14:43:53 +0200
Subject: [PATCH] add fail2ban role
---
 .../server_install_fail2ban/defaults/main.yml | 5 ++++
 .../server_install_fail2ban/handlers/main.yml | 5 ++++
 roles/server_install_fail2ban/meta/main.yml | 0
 roles/server_install_fail2ban/tasks/main.yml | 23 +++++++++++++++++++
 .../templates/jail.local.j2 | 15 ++++++++++++
 roles/server_install_fail2ban/vars/main.yml | 0
 6 files changed, 48 insertions(+)
 create mode 100644 roles/server_install_fail2ban/defaults/main.yml
 create mode 100644 roles/server_install_fail2ban/handlers/main.yml
 create mode 100644 roles/server_install_fail2ban/meta/main.yml
 create mode 100644 roles/server_install_fail2ban/tasks/main.yml
 create mode 100644 roles/server_install_fail2ban/templates/jail.local.j2
 create mode 100644 roles/server_install_fail2ban/vars/main.yml
diff --git a/roles/server_install_fail2ban/defaults/main.yml b/roles/server_install_fail2ban/defaults/main.yml
new file mode 100644
index 0000000..84f45e2
--- /dev/null
+++ b/roles/server_install_fail2ban/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+fail2ban_ssh_enabled: true
+fail2ban_ssh_maxretry: 5
+fail2ban_ssh_bantime: 1h
+fail2ban_ssh_findtime: 1h
diff --git a/roles/server_install_fail2ban/handlers/main.yml b/roles/server_install_fail2ban/handlers/main.yml
new file mode 100644
index 0000000..c86a3ee
--- /dev/null
+++ b/roles/server_install_fail2ban/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart fail2ban
+ ansible.builtin.service:
+ name: fail2ban
+ state: restarted
diff --git a/roles/server_install_fail2ban/meta/main.yml b/roles/server_install_fail2ban/meta/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/server_install_fail2ban/tasks/main.yml b/roles/server_install_fail2ban/tasks/main.yml
new file mode 100644
index 0000000..77d0ebf
--- /dev/null
+++ b/roles/server_install_fail2ban/tasks/main.yml
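Review bot: The variables are named `fail2ban_ssh_*`, but templates/jail.local.j2 renders `bantime`, `findtime` and `maxretry` under `[DEFAULT]`, so they apply to every jail rather than only to sshd. Either rename them to `fail2ban_bantime` / `fail2ban_findtime` / `fail2ban_maxretry` and treat them as global, or move those three settings into the `[sshd]` section of the template so the names stay truthful. A one-line comment per variable would also help readers, e.g. `# Ban duration and observation window; the 1h form needs fail2ban's time-suffix parsing (0.10+, as far as I recall)`.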
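Review bot: `state: restarted` does a full stop/start of fail2ban on every jail.local change, which tears down the active jails and their firewall chains for a moment; the Debian service unit exposes a reload (its `ExecReload` runs `fail2ban-client reload`, if I remember correctly), so `state: reloaded` would apply the new configuration with less disruption — worth confirming on the target distribution before switching. If the handler is changed, keep its name in sync with `notify: Restart fail2ban` in tasks/main.yml or rename both together.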
@@ -0,0 +1,23 @@
+---
+- name: Update apt package index
+ ansible.builtin.apt:
+ update_cache: true
+ cache_valid_time: 3600
+
+- name: Install Fail2Ban
+ ansible.builtin.apt:
+ name: fail2ban
+ state: present
+
+- name: Ensure Fail2Ban service is enabled and running
+ ansible.builtin.service:
+ name: fail2ban
+ enabled: true
+ state: started
+
+- name: Configure Fail2Ban for SSH
+ ansible.builtin.template:
+ src: jail.local.j2
+ dest: /etc/fail2ban/jail.local
+ mode: '0644'
+ notify: Restart fail2ban
diff --git a/roles/server_install_fail2ban/templates/jail.local.j2 b/roles/server_install_fail2ban/templates/jail.local.j2
new file mode 100644
index 0000000..866c49e
--- /dev/null
+++ b/roles/server_install_fail2ban/templates/jail.local.j2
@@ -0,0 +1,15 @@
+[DEFAULT]
+# Ignore local IP addresses
+ignoreip = 127.0.0.1/8 ::1
+
+# Ban settings
+bantime = {{ fail2ban_ssh_bantime }}
+findtime = {{ fail2ban_ssh_findtime }}
+maxretry = {{ fail2ban_ssh_maxretry }}
+
+[sshd]
+enabled = {{ fail2ban_ssh_enabled | lower }}
+port = ssh
+filter = sshd
+logpath = %(sshd_log)s
+maxretry = {{ fail2ban_ssh_maxretry }}
\ No newline at end of file
diff --git a/roles/server_install_fail2ban/vars/main.yml b/roles/server_install_fail2ban/vars/main.yml
new file mode 100644
index 0000000..e69de29
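Review bot: The "Configure Fail2Ban for SSH" task runs after "Ensure Fail2Ban service is enabled and running", so on a first run fail2ban is started with the distribution's stock jail configuration and only picks up jail.local when the handler fires at the end of the play; if the stock config cannot start on the host (a missing file-based auth log on minimal images is the usual cause, though I have not verified that for this target), the play fails before the managed file is ever written. Placing the template task before the service task avoids that window and makes the first start use the managed configuration. The separate "Update apt package index" task can also be folded into the install task, since `ansible.builtin.apt` accepts `update_cache` and `cache_valid_time` alongside `name`/`state`. The template task should also pin `owner: root` and `group: root` next to `mode: '0644'` so a file created under a non-root connection user is not left with that user's ownership.
```yaml
- name: Install Fail2Ban
  ansible.builtin.apt:
    name: fail2ban
    state: present
    update_cache: true
    cache_valid_time: 3600

- name: Configure Fail2Ban for SSH
  ansible.builtin.template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: '0644'
  notify: Restart fail2ban

# … unchanged: "Ensure Fail2Ban service is enabled and running" task, now placed last …
```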
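Review bot: `ignoreip = 127.0.0.1/8 ::1` is hardcoded in the template, so an operator cannot exempt a bastion or management address per inventory and can lock themselves out while testing thresholds; make it a list variable with a default in defaults/main.yml, e.g. `ignoreip = {{ fail2ban_ignoreip | join(' ') }}` backed by `fail2ban_ignoreip: ['127.0.0.1/8', '::1']`. `maxretry` is set in `[DEFAULT]` and then repeated with the same value in `[sshd]`; one of the two should go. `logpath = %(sshd_log)s` assumes a file-based auth log; on hosts that only log to the journal the sshd jail will not start, so consider a variable-driven `backend = systemd` line in `[sshd]` (I believe fail2ban ignores `logpath` for that backend, but confirm on the target release). The file also ends without a trailing newline, as the hunk marker shows.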