-rw-r--r--files/fail2ban/jail.d/sshd.local9
-rw-r--r--tasks/harden.yaml22
-rw-r--r--vars/main.yaml3
3 files changed, 34 insertions, 0 deletions
diff --git a/files/fail2ban/jail.d/sshd.local b/files/fail2ban/jail.d/sshd.local
new file mode 100644
index 0000000..534b62e
--- /dev/null
+++ b/files/fail2ban/jail.d/sshd.local
@@ -0,0 +1,9 @@
+[sshd]
+enabled = true
+mode = aggressive
+port = ssh
+backend = systemd
+action = iptables-allports[name=sshd, protocol=all]
+bantime = 24h
+maxretry = 3
+findtime = 600
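Review bot: The jail sets no `ignoreip`, so with `iptables-allports` three failed attempts from the host that runs this playbook (or any shared NAT address in front of it) ban that source on every port for 24h, which can lock the automation path out of the node; add `ignoreip = 127.0.0.1/8 ::1 <MGMT-NETWORK-CIDR>` (placeholder to fill in) next to `maxretry`. `bantime = 24h` and `mode = aggressive` depend on the time-unit and filter-mode parsing introduced in fail2ban 0.10, so on an older packaged fail2ban the jail fails to load rather than degrading; the minimum version is worth stating in a comment in this file. `port = ssh` is ignored by the allports action, which is fine, but a one-line comment such as `# port is informational here: iptables-allports bans the source on all ports` would stop a later edit from assuming it narrows the ban.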
diff --git a/tasks/harden.yaml b/tasks/harden.yaml
index dfccce7..125b8d3 100644
--- a/tasks/harden.yaml
+++ b/tasks/harden.yaml
@@ -120,12 +120,34 @@
- name: update grub
command: update-grub
+- name: create sshd fail2ban jail
+ copy:
+ src: fail2ban/jail.d/sshd.local
+ dest: "{{ fail2ban_jail_dir }}/sshd.local"
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: copy fail2ban jail configuration
+ copy:
+ src: /etc/fail2ban/jail.conf
+ dest: /etc/fail2ban/jail.local
+ remote_src: true
+ mode: '0644'
+
- name: allow ssh port and enable ufw
ufw:
rule: allow
port: 22
proto: tcp
+- name: restart fail2ban
+ systemd:
+ name: fail2ban
+ state: restarted
+ enabled: true
+ when: ansible_service_mgr == 'systemd'
+
- name: enable ufw
ufw:
state: enabled
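Review bot: The `restart fail2ban` task runs unconditionally, so the service is bounced on every play even when neither copy task changed a file; the idiomatic form is `notify: restart fail2ban` on both copy tasks with the restart moved to a handler, leaving a `systemd: name: fail2ban, state: started, enabled: true` task here. The `copy fail2ban jail configuration` task clones the whole distro `jail.conf` into `jail.local` with `remote_src: true`, which overwrites any operator overrides in `jail.local` on each run and duplicates the entire default set rather than holding only overrides; since the sshd settings already live in `jail.d/sshd.local`, this task looks redundant and could be dropped. Both copy tasks assume `{{ fail2ban_jail_dir }}` exists, i.e. that the package install for `fail2ban` runs earlier in this file — that ordering is outside the hunk, so confirm it or add a `file: path: "{{ fail2ban_jail_dir }}", state: directory` step before them. The restart is guarded by `when: ansible_service_mgr == 'systemd'` but the copy tasks are not, so on a non-systemd host the files are written and the service is never reloaded; it is probably simpler to apply the same guard, or none, consistently.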
diff --git a/vars/main.yaml b/vars/main.yaml
index afd0dc8..568e185 100644
--- a/vars/main.yaml
+++ b/vars/main.yaml
@@ -1,6 +1,9 @@
+fail2ban_jail_dir: /etc/fail2ban/jail.d
+
apt_packages:
- curl
- ca-certificates
+ - fail2ban
- iptables
- proxmox-default-kernel
- ufw
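Review bot: `fail2ban_jail_dir` is added to `vars/main.yaml`, which is role-var precedence in Ansible and cannot be overridden from inventory or host/group vars, so a consumer on a distribution with a different jail directory has no way to change it short of `-e`; a path like this belongs in `defaults/main.yaml`. If it stays here, a comment such as `# jail.d directory used by tasks/harden.yaml; matches the Debian fail2ban package layout` would record why it is fixed.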