From 58879d2e1d9567dda31dc363738453b51755b2cd Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sun, 27 Dec 2020 22:39:33 +0000
Subject: [PATCH] Ensure fail2ban and logrotate are available on all machines
---
 ansible/roles/base/files/fail2ban-logrotate | 11 +++++++++
 ansible/roles/base/files/ssh-jail.conf | 7 ++++++
 ansible/roles/base/files/sshd_config | 2 +-
 ansible/roles/base/tasks/fail2ban.yml | 25 +++++++++++++++++++++
 ansible/roles/base/tasks/logrotate.yml | 18 +++++++++++++++
 ansible/roles/base/tasks/main.yml | 6 +++++
 ansible/roles/base/vars/main.yml | 1 +
 ansible/roles/gateway/tasks/fail2ban.yml | 5 -----
 8 files changed, 69 insertions(+), 6 deletions(-)
 create mode 100644 ansible/roles/base/files/fail2ban-logrotate
 create mode 100644 ansible/roles/base/files/ssh-jail.conf
 create mode 100644 ansible/roles/base/tasks/fail2ban.yml
 create mode 100644 ansible/roles/base/tasks/logrotate.yml
 create mode 100644 ansible/roles/base/vars/main.yml
diff --git a/ansible/roles/base/files/fail2ban-logrotate b/ansible/roles/base/files/fail2ban-logrotate
new file mode 100644
index 0000000..ad9bfcc
--- /dev/null
+++ b/ansible/roles/base/files/fail2ban-logrotate
@@ -0,0 +1,11 @@
+/var/log/fail2ban.log {
+ weekly
+ rotate 7
+ missingok
+ compress
+ nodateext
+ notifempty
+ postrotate
+ /usr/bin/fail2ban-client flushlogs 1>/dev/null || true
+ endscript
+}
diff --git a/ansible/roles/base/files/ssh-jail.conf b/ansible/roles/base/files/ssh-jail.conf
new file mode 100644
index 0000000..f64b9a2
--- /dev/null
+++ b/ansible/roles/base/files/ssh-jail.conf
@@ -0,0 +1,7 @@
+[sshd]
+enabled = true
+bantime = 600
+findtime = 30
+maxretry = 5
+port = {{ ssh_port }},ssh
+ignoreip = {{ wireguard.cidr }}
diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config
index 1f79539..9b33b71 100644
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
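Review bot: The postrotate command `/usr/bin/fail2ban-client flushlogs 1>/dev/null || true` masks its exit status, so when flushlogs fails (daemon stopped, socket absent) logrotate reports success while fail2ban keeps writing to the already-rotated inode, which `compress` then removes from view — the log is lost silently until the next restart. The `|| true` is understandable for a stopped daemon, but consider leaving stderr visible and having the failure surface, or gating on `fail2ban-client ping` first, so a broken rotation is noticed. Distribution fail2ban packages commonly ship their own `/etc/logrotate.d/fail2ban`; if that holds on these hosts this template overwrites it and may produce conffile prompts on upgrades — worth confirming before the role reaches every machine.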
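Review bot: `ignoreip = {{ wireguard.cidr }}` replaces rather than extends the `ignoreip` inherited from `[DEFAULT]` (normally `127.0.0.1/8 ::1`), so for this jail loopback is no longer exempt on fail2ban versions without `ignoreself`; write it out as `ignoreip = 127.0.0.1/8 ::1 {{ wireguard.cidr }}`. The template also assumes `wireguard.cidr` is defined on every host the base role now reaches; on a machine without WireGuard vars the template task fails, so either apply the `default` filter or document the requirement on the role. On hosts where sshd logs only to the journal (no `/var/log/auth.log`) the `[sshd]` jail additionally needs `backend = systemd` unless the distribution's `jail.conf` already sets it — worth checking on the Arch machines this commit brings under the jail.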
@@ -1,6 +1,6 @@
 # TCP port to bind to # Change to a high/odd port if this server is exposed to the internet directly
-Port 7743
+Port {{ ssh_port }}
 {% if expose_ssh %} AllowUsers {{ user }}
diff --git a/ansible/roles/base/tasks/fail2ban.yml b/ansible/roles/base/tasks/fail2ban.yml
new file mode 100644
index 0000000..0d89ee3
--- /dev/null
+++ b/ansible/roles/base/tasks/fail2ban.yml
@@ -0,0 +1,25 @@
+- name: Install fail2ban
+ package:
+ name: fail2ban
+ become: true
+
+- name: Enable fail2ban
+ service:
+ name: fail2ban
+ enabled: true
+ become: true
+
+- name: fail2ban SSH jail
+ template:
+ src: files/ssh-jail.conf
+ dest: /etc/fail2ban/jail.d/ssh.conf
+ mode: "0600"
+ become: true
+ register: fail2ban_jail
+
+- name: Restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
+ become: true
+ when: fail2ban_jail.changed
diff --git a/ansible/roles/base/tasks/logrotate.yml b/ansible/roles/base/tasks/logrotate.yml
new file mode 100644
index 0000000..66f4e55
--- /dev/null
+++ b/ansible/roles/base/tasks/logrotate.yml
@@ -0,0 +1,18 @@
+- name: Install logrotate
+ package:
+ name: logrotate
+ become: true
+
+- name: Enable logrotate timer
+ service:
+ name: logrotate.timer
+ become: true
+ when: ansible_os_family == 'Archlinux'
+
+- name: logrotate fail2ban config
+ template:
+ src: files/fail2ban-logrotate
+ dest: /etc/logrotate.d/fail2ban
+ mode: "0600"
+ become: true
+ register: fail2ban_jail
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml
index 1aceee3..5eae83b 100644
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@@ -6,3 +6,9 @@
 - name: SSH include: ssh.yml
+
+- name: fail2ban
+ include: fail2ban.yml
+
+- name: logrotate
+ include: logrotate.yml
diff --git a/ansible/roles/base/vars/main.yml b/ansible/roles/base/vars/main.yml
new file mode 100644
index 0000000..df90549
--- /dev/null
+++ b/ansible/roles/base/vars/main.yml
@@ -0,0 +1 @@
+ssh_port: 7743
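Review bot: The comment directly above the changed line, `# Change to a high/odd port if this server is exposed to the internet directly`, now tells the reader to edit a value that no longer lives in this file, so anyone following it would hand-edit the template instead of setting the variable. Suggest `# TCP port to bind to; set via the ssh_port role variable rather than editing this template`. The `{% if expose_ssh %}` block that begins in the trailing context is closed outside this hunk.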
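Review bot: `Enable fail2ban` sets `enabled: true` but no `state`, so on a host where the jail file is already in place and the daemon is stopped nothing starts it — the only start path is the conditional restart; add `state: started` to that task. `state: restarted` on a jail change also drops every active ban, whereas the fail2ban unit's reload (`fail2ban-client reload`) re-reads `jail.d` and, on 0.10 and later, keeps bans, so `state: reloaded` is the safer choice for a config change. The `register` plus `when: fail2ban_jail.changed` pairing works, but a `notify:` handler is the idiomatic Ansible form and is immune to another task reusing the registered name, which logrotate.yml in this same commit does.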
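Review bot: `Enable logrotate timer` passes neither `enabled` nor `state` to the `service` module, which requires at least one of them, so on the Arch hosts this task errors out rather than enabling the timer; add `enabled: true` and `state: started` under `name: logrotate.timer`. The trailing `register: fail2ban_jail` on the logrotate config task reads like a leftover from fail2ban.yml — nothing here consumes it and it reuses the variable the fail2ban restart condition keys on — so remove it.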
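Review bot: `ssh_port: 7743` is placed in the role's `vars/main.yml`, which has higher precedence than inventory `group_vars`/`host_vars`, so a per-host override — the very thing the sshd_config comment recommends for internet-exposed hosts — is silently ignored unless passed with `-e`. Move the key to `roles/base/defaults/main.yml` so inventories can override it. The same variable drives the fail2ban jail's `port =` line, so a single overridable source keeps sshd and the jail in agreement.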
diff --git a/ansible/roles/gateway/tasks/fail2ban.yml b/ansible/roles/gateway/tasks/fail2ban.yml
index 3608810..e9b1246 100644
--- a/ansible/roles/gateway/tasks/fail2ban.yml
+++ b/ansible/roles/gateway/tasks/fail2ban.yml
@@ -1,8 +1,3 @@
-- name: Install fail2ban
- package:
- name: fail2ban
- become: true
-
 - name: fail2ban filter template: src: files/haproxy-fail2ban-filter.conf