From 5832dc592761147a607a3ba35af8715c9adb0527 Mon Sep 17 00:00:00 2001
From: heqnx
Date: Mon, 23 Jun 2025 10:24:15 +0300
Subject: added sshd fail2ban

---
 files/fail2ban/jail.d/sshd.local | 9 +++++++++
 tasks/harden.yaml | 22 ++++++++++++++++++++++
 vars/main.yaml | 3 +++
 3 files changed, 34 insertions(+)
 create mode 100644 files/fail2ban/jail.d/sshd.local

diff --git a/files/fail2ban/jail.d/sshd.local b/files/fail2ban/jail.d/sshd.local
new file mode 100644
index 0000000..534b62e
--- /dev/null
+++ b/files/fail2ban/jail.d/sshd.local
@@ -0,0 +1,9 @@
+[sshd]
+enabled = true
+mode = aggressive
+port = ssh
+backend = systemd
+action = iptables-allports[name=sshd, protocol=all]
+bantime = 24h
+maxretry = 3
+findtime = 600
diff --git a/tasks/harden.yaml b/tasks/harden.yaml
index dfccce7..125b8d3 100644
--- a/tasks/harden.yaml
+++ b/tasks/harden.yaml
@@ -120,12 +120,34 @@
 - name: update grub
   command: update-grub
 
+- name: create sshd fail2ban jail
+  copy:
+    src: fail2ban/jail.d/sshd.local
+    dest: "{{ fail2ban_jail_dir }}/sshd.local"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: copy fail2ban jail configuration
+  copy:
+    src: /etc/fail2ban/jail.conf
+    dest: /etc/fail2ban/jail.local
+    remote_src: true
+    mode: '0644'
+
 - name: allow ssh port and enable ufw
   ufw:
     rule: allow
     port: 22
     proto: tcp
 
+- name: restart fail2ban
+  systemd:
+    name: fail2ban
+    state: restarted
+    enabled: true
+  when: ansible_service_mgr == 'systemd'
+
 - name: enable ufw
   ufw:
     state: enabled
diff --git a/vars/main.yaml b/vars/main.yaml
index afd0dc8..568e185 100644
--- a/vars/main.yaml
+++ b/vars/main.yaml
@@ -1,6 +1,9 @@
+fail2ban_jail_dir: /etc/fail2ban/jail.d
+
 apt_packages:
   - curl
   - ca-certificates
+  - fail2ban
   - iptables
   - proxmox-default-kernel
   - ufw
-- 
cgit v1.2.3
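Review bot: The new `[sshd]` jail combines `maxretry = 3`, `mode = aggressive` and `action = iptables-allports[...]` with no `ignoreip`, so three failures from the administrator's own address (aggressive mode also matches pre-auth disconnects, e.g. from a misbehaving key agent) would ban that address on every port for 24h; add `ignoreip = 127.0.0.1/8 ::1 <management-cidr-placeholder>` to this section or to `[DEFAULT]` in jail.local. `port = ssh` is only consumed by port-specific actions, so with `iptables-allports` it is informational; matching is done on the journal (`backend = systemd`), not the port, so a non-default sshd port still works. Since the same commit enables ufw, confirm on a test host that the `f2b-sshd` chain is hit before ufw's chains — fail2ban's iptables actions insert at the top of INPUT by default, so this is expected to hold, but it is worth verifying with `iptables -L INPUT` after a test ban.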
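Review bot: The `restart fail2ban` task restarts the service on every playbook run, because `state: restarted` is unconditional rather than tied to a change in the two `copy` tasks above it; add `notify: restart fail2ban` to both copy tasks and move the restart into a handler, keeping `enabled: true` in a separate idempotent `systemd` task. The `copy fail2ban jail configuration` task also overwrites `/etc/fail2ban/jail.local` with the packaged `jail.conf` on each run, discarding any local overrides and freezing a full copy of upstream defaults; fail2ban reads `jail.d/*.local` without it, so the task can likely be dropped, or at minimum given `force: false` plus `owner: root` and `group: root` to match the first task. Note that `copy` does not create the parent of `dest`, so `{{ fail2ban_jail_dir }}` must already exist, i.e. the package install (outside this hunk) has to run before `create sshd fail2ban jail`. The enclosing task list continues outside the hunk.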
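Review bot: `fail2ban_jail_dir` is placed in `vars/main.yaml`, which in a role takes precedence over inventory and playbook variables and so cannot be overridden per host; if it is meant as a tunable it belongs in `defaults/main.yaml`, and if it is a fixed path it can be inlined in the task that uses it. The value itself is a plain path and needs no quoting. The task that installs `apt_packages` is not in this diff, so confirm it runs before the tasks in `tasks/harden.yaml` that write into `/etc/fail2ban/jail.d`, which only exists once the `fail2ban` package is installed.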