From 6db0500e1b92b7674dbd1709e75484c13db14f6b Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Fri, 21 Jan 2022 22:11:49 +0000 Subject: [PATCH] Provision remote f2b key with ansible --- ansible/roles/fail2ban_ssh/files/f2b_key.pub | 10 ++++++++ ansible/roles/fail2ban_ssh/tasks/main.yml | 7 ++++++ .../roles/traefik/files/fail2ban/f2b_key.key | 25 +++++++++++++++++++ .../traefik/files/fail2ban/remote-action.conf | 4 +-- ansible/roles/traefik/tasks/fail2ban.yml | 9 +++++++ 5 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 ansible/roles/fail2ban_ssh/files/f2b_key.pub create mode 100644 ansible/roles/traefik/files/fail2ban/f2b_key.key diff --git a/ansible/roles/fail2ban_ssh/files/f2b_key.pub b/ansible/roles/fail2ban_ssh/files/f2b_key.pub new file mode 100644 index 0000000..faf3950 --- /dev/null +++ b/ansible/roles/fail2ban_ssh/files/f2b_key.pub @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +65656562376262323162613131353164623832616263313530383838623161333739393037363362 +3332616430663862363566613532396230643636376537620a356261383430643566323264343437 +39333034643632316130303136326433613333383738386531353530633539616661626664626430 +3230666237616165650a326536313835643135626135316437356363623562343538383132306539 +38366339356565393336396133616261363232356139623164623738633138363963353637353734 +33333334313864376131653535653132626366306630393764353464636331316564616230396663 +31363463643765386538643761666265383166353765633233323934663235316331346465653234 +31396139633936363738383766356135656434343338623137663436626436663866366663363534 +3364 diff --git a/ansible/roles/fail2ban_ssh/tasks/main.yml b/ansible/roles/fail2ban_ssh/tasks/main.yml index 5da9cc7..e8e9226 100644 --- a/ansible/roles/fail2ban_ssh/tasks/main.yml +++ b/ansible/roles/fail2ban_ssh/tasks/main.yml 
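Review bot: The new f2b_key.pub is committed as an Ansible Vault blob even though it holds the public half of the key pair, so nobody reviewing this patch can see which key is being granted SSH access to the f2b account, and a later rotation or a second appended key would be invisible in the diff. Unless there is a reason to treat the public key as secret, keep this file as the plain one-line public key (type, base64 blob, comment); `lookup('file', ...)` in the role reads it the same either way. If it must stay vaulted, add a comment in the role recording the key's fingerprint so the grant is at least reviewable.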
@@ -25,3 +25,10 @@ mode: 0755 become: true register: sshd_config + +- name: Set up authorized keys + ansible.posix.authorized_key: + user: "{{ f2b_user }}" + state: present + key: "{{ lookup('file', 'files/f2b_key.pub') }}" + become: true diff --git a/ansible/roles/traefik/files/fail2ban/f2b_key.key b/ansible/roles/traefik/files/fail2ban/f2b_key.key new file mode 100644 index 0000000..bb4a5d4 --- /dev/null +++ b/ansible/roles/traefik/files/fail2ban/f2b_key.key @@ -0,0 +1,25 @@ +$ANSIBLE_VAULT;1.1;AES256 +62333161626439326166306363343866616336646134376134326265386134343338313164653334 +3131633561363730376161323034643836333738303361320a613764383135373933636537333331 +32633335663462653361643538656533313633666666303830363533616263663135323635613235 +3738396530363130370a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diff --git a/ansible/roles/traefik/files/fail2ban/remote-action.conf b/ansible/roles/traefik/files/fail2ban/remote-action.conf index 4a8ffe0..58a99fc 100644 --- a/ansible/roles/traefik/files/fail2ban/remote-action.conf +++ b/ansible/roles/traefik/files/fail2ban/remote-action.conf @@ -1,6 +1,6 @@ [Definition] -actionban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /root/.ssh/f2b/id_ed25519 set traefik banip -actionunban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /root/.ssh/f2b/id_ed25519 set traefik unbanip +actionban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /etc/fail2ban/f2b_key.key set traefik banip +actionunban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /etc/fail2ban/f2b_key.key set traefik unbanip actioncheck = actionstart = actionstop = diff --git a/ansible/roles/traefik/tasks/fail2ban.yml b/ansible/roles/traefik/tasks/fail2ban.yml index a576346..3a6b375 100644 --- a/ansible/roles/traefik/tasks/fail2ban.yml +++ b/ansible/roles/traefik/tasks/fail2ban.yml 
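Review bot: The key installed by the new `Set up authorized keys` task carries no `key_options`, so a holder of the private key gets whatever the f2b account allows by default, while the only use this patch shows for it (remote-action.conf) is `set traefik banip`/`unbanip`. Restrict it at the authorized_keys level, e.g. `key_options: "restrict"` or `key_options: 'restrict,from="<fail2ban host address>"'`, so a leaked key cannot be turned into port forwarding, agent forwarding or an interactive shell. The `sshd_config` task registered just above may already constrain the account, but that task starts outside this hunk so I cannot confirm it.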
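Review bot: The ssh invocations in `actionban`/`actionunban` pass neither `-o BatchMode=yes` nor `-o ConnectTimeout=...`, so a peer whose host key is not yet in root's known_hosts fails with "Host key verification failed" (or blocks on the prompt if stdin happens to be a tty), and an unreachable overlay peer holds the action until the OS-level TCP timeout, stalling the jail's action queue. Add the options to both lines, e.g. `actionban = ssh -p 7743 -o BatchMode=yes -o ConnectTimeout=10 f2b@{{ nebula.clients.casey.ip }} -i /etc/fail2ban/f2b_key.key set traefik banip`, and have the role provision the remote host key as well. `actioncheck` is left empty, so nothing detects a broken link before a ban is attempted; a cheap check such as an `ssh ... true` with the same options would surface key or reachability problems in the fail2ban log early.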
@@ -21,3 +21,12 @@ mode: 0644 become: true notify: restart fail2ban + +- name: Create SSH key + copy: + src: files/fail2ban/f2b_key.key + dest: /etc/fail2ban/f2b_key.key + owner: root + group: root + mode: "0600" + become: true
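Review bot: The `Create SSH key` task copies a vault-encrypted private key, which `copy` decrypts on the fly, but it has no `no_log: true`, so a run with `--diff` or high verbosity may print the decrypted key material into the console or CI log; add `no_log: true` to the task and confirm on your Ansible version that it also suppresses the diff output. Ownership root/0600 is appropriate and consistent with the previous `/root/.ssh/f2b/id_ed25519` location this patch replaces. Minor: `mode: "0600"` is quoted while the task just above uses `mode: 0644` unquoted; the quoted form is the safer one, so the older task is the one to align.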