Ensure fail2ban and logrotate are available on all machines

This commit is contained in:
Jake Howard 2020-12-27 22:39:33 +00:00
parent b11dbfc829
commit 58879d2e1d
Signed by: jake
GPG key ID: 57AFB45680EDD477
8 changed files with 69 additions and 6 deletions

View file

@ -0,0 +1,11 @@
/var/log/fail2ban.log {
weekly
rotate 7
missingok
compress
nodateext
notifempty
postrotate
/usr/bin/fail2ban-client flushlogs 1>/dev/null || true
endscript
}

View file

@ -0,0 +1,7 @@
[sshd]
enabled = true
bantime = 600
findtime = 30
maxretry = 5
port = {{ ssh_port }},ssh
ignoreip = {{ wireguard.cidr }}

View file

@ -1,6 +1,6 @@
# TCP port to bind to # TCP port to bind to
# Change to a high/odd port if this server is exposed to the internet directly # Change to a high/odd port if this server is exposed to the internet directly
Port 7743 Port {{ ssh_port }}
{% if expose_ssh %} {% if expose_ssh %}
AllowUsers {{ user }} AllowUsers {{ user }}

View file

@ -0,0 +1,25 @@
- name: Install fail2ban
package:
name: fail2ban
become: true
- name: Enable fail2ban
service:
name: fail2ban
enabled: true
become: true
- name: fail2ban SSH jail
template:
src: files/ssh-jail.conf
dest: /etc/fail2ban/jail.d/ssh.conf
mode: "0600"
become: true
register: fail2ban_jail
- name: Restart fail2ban
service:
name: fail2ban
state: restarted
become: true
when: fail2ban_jail.changed

View file

@ -0,0 +1,18 @@
- name: Install logrotate
package:
name: logrotate
become: true
- name: Enable logrotate timer
service:
name: logrotate.timer
become: true
when: ansible_os_family == 'Archlinux'
- name: logrotate fail2ban config
template:
src: files/fail2ban-logrotate
dest: /etc/logrotate.d/fail2ban
mode: "0600"
become: true
register: fail2ban_jail

View file

@ -6,3 +6,9 @@
- name: SSH - name: SSH
include: ssh.yml include: ssh.yml
- name: fail2ban
include: fail2ban.yml
- name: logrotate
include: logrotate.yml

View file

@ -0,0 +1 @@
ssh_port: 7743

View file

@ -1,8 +1,3 @@
- name: Install fail2ban
package:
name: fail2ban
become: true
- name: fail2ban filter - name: fail2ban filter
template: template:
src: files/haproxy-fail2ban-filter.conf src: files/haproxy-fail2ban-filter.conf