add fail2ban role

Kevin Heyer 2025-06-14 14:43:53 +02:00
parent 04ce3e33a0
commit 09110e73df
6 changed files with 48 additions and 0 deletions


@ -0,0 +1,5 @@
---
fail2ban_ssh_enabled: true
fail2ban_ssh_maxretry: 5
fail2ban_ssh_bantime: 1h
fail2ban_ssh_findtime: 1h
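Review bot: The role variables carry no documentation, and the `1h` values for `fail2ban_ssh_bantime` and `fail2ban_ssh_findtime` rely on fail2ban's time-abbreviation syntax, which releases before 0.10 only accept as plain seconds — a comment above `fail2ban_ssh_bantime` such as `# fail2ban time syntax (600 or 1h); abbreviations need fail2ban >= 0.10` would explain a failed service start on an older target. The template hard-codes `ignoreip` to the loopback ranges, so a `fail2ban_ignoreip: '127.0.0.1/8 ::1'` default here, consumed by jail.local.j2, would let operators exempt a management network without forking the template. Each variable would benefit from a one-line comment stating its unit and which jail.local setting it feeds.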


@ -0,0 +1,5 @@
---
- name: Restart fail2ban
ansible.builtin.service:
name: fail2ban
state: restarted


@ -0,0 +1,23 @@
---
- name: Update apt package index
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600
- name: Install Fail2Ban
ansible.builtin.apt:
name: fail2ban
state: present
- name: Ensure Fail2Ban service is enabled and running
ansible.builtin.service:
name: fail2ban
enabled: true
state: started
- name: Configure Fail2Ban for SSH
ansible.builtin.template:
src: jail.local.j2
dest: /etc/fail2ban/jail.local
mode: '0644'
notify: Restart fail2ban
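Review bot: The `Ensure Fail2Ban service is enabled and running` task starts the daemon before `Configure Fail2Ban for SSH` writes `/etc/fail2ban/jail.local`, so a first run starts fail2ban on the package defaults and then restarts it through the handler once the template lands. Moving the template task ahead of the service task removes the extra restart and the window in which the daemon runs with a configuration the role has not set; the `notify: Restart fail2ban` still covers later template changes. A rendering error in jail.local would otherwise only surface as a failed restart at the end of the play; if the installed fail2ban supports `fail2ban-client -t`, a check task after the template (it tests the whole configuration directory, so it does not fit `validate:` on the template module) would fail fast with the parse error instead.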


@ -0,0 +1,15 @@
[DEFAULT]
# Ignore local IP addresses
ignoreip = 127.0.0.1/8 ::1
# Ban settings
bantime = {{ fail2ban_ssh_bantime }}
findtime = {{ fail2ban_ssh_findtime }}
maxretry = {{ fail2ban_ssh_maxretry }}
[sshd]
enabled = {{ fail2ban_ssh_enabled | lower }}
port = ssh
filter = sshd
logpath = %(sshd_log)s
maxretry = {{ fail2ban_ssh_maxretry }}
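Review bot: `maxretry` is set twice from the same variable — once under `[DEFAULT]` and again under `[sshd]` — so the second line adds nothing today and will silently diverge if someone later points one of them at a different variable; drop `maxretry = {{ fail2ban_ssh_maxretry }}` from `[sshd]` and let the default apply. `ignoreip = 127.0.0.1/8 ::1` is hard-coded, so a bastion or monitoring host that probes SSH cannot be exempted without editing the template; rendering it from a role variable would keep the whitelist in inventory. `logpath = %(sshd_log)s` resolves to the syslog auth file on Debian-family hosts, and on minimal images that ship without rsyslog that file may not exist, leaving the jail unable to start — worth verifying on the target images and, where that is the case, adding `backend = systemd` under `[DEFAULT]`.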