Ensure fail2ban and logrotate are available on all machines
This commit is contained in:
parent
b11dbfc829
commit
58879d2e1d
8 changed files with 69 additions and 6 deletions
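--- a/ansible/roles/base/files/fail2ban-logrotate
+++ b/ansible/roles/base/files/fail2ban-logrotate
@@ -0,0 +1,11 @@
+/var/log/fail2ban.log {
+weekly
+rotate 7
+missingok
+compress
+nodateext
+notifempty
+postrotate
+/usr/bin/fail2ban-client flushlogs 1>/dev/null || true
+endscript
+}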
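Review bot: The stanza carries no comment saying it is deployed by the base role, and on distributions whose fail2ban package already ships its own /etc/logrotate.d/fail2ban this file silently replaces the packaged one, so later package upgrades will report that conffile as locally modified. A one-line header such as `# Managed by Ansible (roles/base/tasks/logrotate.yml); replaces the package-provided stanza` makes that deliberate. Separately, the postrotate line discards only stdout, so any error text fail2ban-client prints (e.g. when fail2ban is not running) still reaches logrotate's cron mail while `|| true` hides the non-zero exit; if that noise matters, redirect both streams with `2>&1`.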
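--- a/ansible/roles/base/files/ssh-jail.conf
+++ b/ansible/roles/base/files/ssh-jail.conf
@@ -0,0 +1,7 @@
+[sshd]
+enabled = true
+bantime = 600
+findtime = 30
+maxretry = 5
+port = {{ ssh_port }},ssh
+ignoreip = {{ wireguard.cidr }}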
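Review bot: `ignoreip = {{ wireguard.cidr }}` replaces, rather than extends, the `ignoreip` that fail2ban's stock jail.conf sets in `[DEFAULT]`, so loopback is no longer exempt for this jail; unless the installed version's `ignoreself` covers it, write `ignoreip = 127.0.0.1/8 ::1 {{ wireguard.cidr }}`. The detection window is also very narrow: with `findtime = 30` five failures must land within thirty seconds, so slower-paced failed logins never accumulate to a ban, and `findtime = 600` with the same `maxretry` is the usual starting point. Whichever values are kept, a short comment above the jail stating the intended policy (ban after N failures in M seconds, WireGuard peers exempt) would save the next reader from re-deriving it.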
@ -1,6 +1,6 @@
# TCP port to bind to
# TCP port to bind to
# Change to a high/odd port if this server is exposed to the internet directly
# Change to a high/odd port if this server is exposed to the internet directly
Port 7743
Port {{ ssh_port }}
{% if expose_ssh %}
{% if expose_ssh %}
AllowUsers {{ user }}
AllowUsers {{ user }}
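Review bot: The comment above `Port {{ ssh_port }}` still tells the reader to change the port in this file, but the value now comes from the `ssh_port` variable, so the advice points at the wrong place; rewrite it as `# Change ssh_port (ansible/roles/base/vars/main.yml) to a high/odd port if this server is exposed to the internet directly`. The file header for this section is not visible on the page, so I am assuming this is the templated sshd_config that the base role's SSH tasks deploy.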
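--- a/ansible/roles/base/tasks/fail2ban.yml
+++ b/ansible/roles/base/tasks/fail2ban.yml
@@ -0,0 +1,25 @@
+- name: Install fail2ban
+  package:
+    name: fail2ban
+  become: true
+
+- name: Enable fail2ban
+  service:
+    name: fail2ban
+    enabled: true
+  become: true
+
+- name: fail2ban SSH jail
+  template:
+    src: files/ssh-jail.conf
+    dest: /etc/fail2ban/jail.d/ssh.conf
+    mode: "0600"
+  become: true
+  register: fail2ban_jail
+
+- name: Restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+  become: true
+  when: fail2ban_jail.changed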
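Review bot: The `Enable fail2ban` task sets only `enabled: true`, so it never starts the service; fail2ban only comes up through the `Restart fail2ban` task, which runs solely when the jail template changes, so a run on a host where the unit is stopped but the jail file is unchanged leaves fail2ban down. Adding `state: started` beneath `enabled: true` closes that gap. The conditional restart task is doing what a handler would do more idiomatically (`notify: restart fail2ban` on the template task), which also collapses several changed jail files into one restart, but that is a style preference rather than a defect.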
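--- a/ansible/roles/base/tasks/logrotate.yml
+++ b/ansible/roles/base/tasks/logrotate.yml
@@ -0,0 +1,18 @@
+- name: Install logrotate
+  package:
+    name: logrotate
+  become: true
+
+- name: Enable logrotate timer
+  service:
+    name: logrotate.timer
+  become: true
+  when: ansible_os_family == 'Archlinux'
+
+- name: logrotate fail2ban config
+  template:
+    src: files/fail2ban-logrotate
+    dest: /etc/logrotate.d/fail2ban
+    mode: "0600"
+  become: true
+  register: fail2ban_jail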
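Review bot: The `Enable logrotate timer` task passes neither `enabled` nor `state` to `service`, and as far as I recall the module requires at least one of them, so on Arch hosts this task fails rather than enabling anything; it needs `enabled: true` and `state: started` under `name: logrotate.timer`. The `register: fail2ban_jail` on the last task looks copied from fail2ban.yml: nothing here reads it and it overwrites the variable of the same name, so drop it or rename it to `fail2ban_logrotate`. The logrotate stanza contains no Jinja, so `copy:` would deliver it without the template pass and without the risk of a future `{{` in that file being interpreted.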
@ -6,3 +6,9 @@
- name: SSH
- name: SSH
include: ssh.yml
include: ssh.yml
- name: fail2ban
include: fail2ban.yml
- name: logrotate
include: logrotate.yml
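--- a/ansible/roles/base/vars/main.yml
+++ b/ansible/roles/base/vars/main.yml
@@ -0,0 +1 @@
+ssh_port: 7743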
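Review bot: Placing `ssh_port` in the role's `vars/main.yml` gives it precedence over inventory host and group vars, so a host that needs a different port cannot override it short of `-e` on the command line; since the sshd_config comment explicitly invites per-host tuning, `defaults/main.yml` is the right home for this line. Both the sshd_config template and the fail2ban sshd jail now read the variable, so wherever it ends up, a comment such as `# Read by the sshd_config template and the fail2ban sshd jail; keep the two in step` records that coupling.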
@ -1,8 +1,3 @@
- name: Install fail2ban
package:
name: fail2ban
become: true
- name: fail2ban filter
- name: fail2ban filter
template:
template:
src: files/haproxy-fail2ban-filter.conf
src: files/haproxy-fail2ban-filter.conf