Install fail2ban

2020-03-13 23:08:26 +00:00 · 2020-03-13 23:08:26 +00:00 · 708250005a
commit 708250005a
parent 92af315e69
4 changed files with 44 additions and 0 deletions
--- a/ansible/roles/gateway/files/haproxy-fail2ban-filter.conf
+++ b/ansible/roles/gateway/files/haproxy-fail2ban-filter.conf
@ -0,0 +1,4 @@
+[Definition]
+
+failregex = ^.*haproxy\[[0-9]+\]: <HOST>:.*$
+ignoreregex =
--- a/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
+++ b/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
@ -0,0 +1,8 @@
+[haproxy]
+enabled  = true
+bantime  = 600
+findtime = 120
+maxretry = 10
+filter   = haproxy-basic
+logpath  = /var/log/haproxy.log
+port     = http,https
--- a/ansible/roles/gateway/tasks/fail2ban.yml
+++ b/ansible/roles/gateway/tasks/fail2ban.yml
@ -0,0 +1,29 @@
+- name: Install fail2ban
+  apt:
+    name: fail2ban
+  become: true
+  become_user: root
+
+- name: fail2ban filter
+  template:
+    src: files/haproxy-fail2ban-filter.conf
+    dest: /etc/fail2ban/filter.d/haproxy-basic.conf
+  become: true
+  become_user: root
+  register: fail2ban_filter
+
+- name: fail2ban jail
+  template:
+    src: files/haproxy-fail2ban-jail.conf
+    dest: /etc/fail2ban/jail.d/haproxy.conf
+  become: true
+  become_user: root
+  register: fail2ban_jail
+
+- name: Restart fail2ban
+  service:
+    name: haproxy
+    state: restarted
+  become: true
+  become_user: root
+  when: fail2ban_filter.changed or fail2ban_jail.changed
--- a/ansible/roles/gateway/tasks/main.yml
+++ b/ansible/roles/gateway/tasks/main.yml
@ -3,3 +3,6 @@

 - name: Configure wireguard
  include: wireguard.yml
+
+- name: Configure fail2ban
+  include: fail2ban.yml