ansible-personal/roles/common/tasks/fail2ban.yml

---
- name: Install fail2ban
  when:
    - ansible_distribution_major_version is version('11', '>=')
  ansible.builtin.package:
    name:
      - fail2ban
      - python3-systemd
    state: present
    cache_valid_time: 3600

- name: Configure fail2ban sshd filter
  ansible.builtin.template:
    src: etc/fail2ban/jail.d/sshd.local.j2
    dest: /etc/fail2ban/jail.d/sshd.local
    owner: root
    mode: "0644"
  notify: restart fail2ban

- name: Configure fail2ban nginx filter
  when:
    - webserver is defined and webserver == 'nginx'
    - extra_fail2ban_filters is defined
    - "'nginx' in extra_fail2ban_filters"
  ansible.builtin.template:
    src: etc/fail2ban/jail.d/nginx.local.j2
    dest: /etc/fail2ban/jail.d/nginx.local
    owner: root
    mode: "0644"
  notify: restart fail2ban

- name: Create fail2ban service override directory
  ansible.builtin.file:
    path: /etc/systemd/system/fail2ban.service.d
    state: directory
    owner: root
    mode: "0755"

# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override
  ansible.builtin.template:
    src: etc/systemd/system/fail2ban.service.d/override.conf.j2
    dest: /etc/systemd/system/fail2ban.service.d/override.conf
    owner: root
    mode: "0644"
  notify:
    - reload systemd
    - restart fail2ban

- name: Start and enable fail2ban service
  ansible.builtin.systemd:
    name: fail2ban
    state: started
    enabled: true

# vim: set sw=2 ts=2:
roles/common: Add support for fail2ban This is active banning of IPs that are brute forcing login attempts to SSH, versus the passive banning of 10,000 abusive IPs from the abuseipdb.com blacklist. For now I am banning IPs that fail to log in successfully more than twelve times in a one-hour period, but these settings might change, and I can override them at the group and host level if needed. Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04, with minor differences in the systemd configuration due to older versions on some distributions. You can see the status of the jail like this: # fail2ban-client status sshd Status for the jail: sshd \|- Filter \| \|- Currently failed: 0 \| \|- Total failed: 0 \| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions \|- Currently banned: 1 \|- Total banned: 1 `- Banned IP list: 106.13.112.20 You can unban IPs like this: # fail2ban-client set sshd unbanip 106.13.112.20 2019-10-26 16:36:07 +02:00			`---`
roles/common: rework fail2ban tasks We can only run fail2ban when we have logs to monitor. When a host is running Caddy we don't have logs, so fail2ban doesn't have any- thing to monitor out of the box. For now I will restrict the task to hosts running nginx. 2023-08-23 20:59:28 +02:00			`- name: Install fail2ban`
			`when:`
			`- ansible_distribution_major_version is version('11', '>=')`
			`ansible.builtin.package:`
			`name:`
			`- fail2ban`
			`- python3-systemd`
			`state: present`
			`cache_valid_time: 3600`

roles/common: Add support for fail2ban This is active banning of IPs that are brute forcing login attempts to SSH, versus the passive banning of 10,000 abusive IPs from the abuseipdb.com blacklist. For now I am banning IPs that fail to log in successfully more than twelve times in a one-hour period, but these settings might change, and I can override them at the group and host level if needed. Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04, with minor differences in the systemd configuration due to older versions on some distributions. You can see the status of the jail like this: # fail2ban-client status sshd Status for the jail: sshd \|- Filter \| \|- Currently failed: 0 \| \|- Total failed: 0 \| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions \|- Currently banned: 1 \|- Total banned: 1 `- Banned IP list: 106.13.112.20 You can unban IPs like this: # fail2ban-client set sshd unbanip 106.13.112.20 2019-10-26 16:36:07 +02:00			`- name: Configure fail2ban sshd filter`
Remove Debian 10 support 2022-09-11 08:21:08 +02:00			`ansible.builtin.template:`
			`src: etc/fail2ban/jail.d/sshd.local.j2`
			`dest: /etc/fail2ban/jail.d/sshd.local`
			`owner: root`
roles/common: run ansible-lint --write 2023-08-23 20:33:22 +02:00			`mode: "0644"`
roles/common: Add support for fail2ban This is active banning of IPs that are brute forcing login attempts to SSH, versus the passive banning of 10,000 abusive IPs from the abuseipdb.com blacklist. For now I am banning IPs that fail to log in successfully more than twelve times in a one-hour period, but these settings might change, and I can override them at the group and host level if needed. Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04, with minor differences in the systemd configuration due to older versions on some distributions. You can see the status of the jail like this: # fail2ban-client status sshd Status for the jail: sshd \|- Filter \| \|- Currently failed: 0 \| \|- Total failed: 0 \| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions \|- Currently banned: 1 \|- Total banned: 1 `- Banned IP list: 106.13.112.20 You can unban IPs like this: # fail2ban-client set sshd unbanip 106.13.112.20 2019-10-26 16:36:07 +02:00			`notify: restart fail2ban`

Add nginx filter for fail2ban Some hosts can use fail2ban's nginx-botsearch filter to ban anyone making requests to non-existent files like wp-login.php. There is no reason to request such files naively and anyone found doing so can be banned immediately. In theory I should report them to AbuseIPDB.com, but that will take a little more wiring up. 2021-08-01 08:56:43 +02:00			`- name: Configure fail2ban nginx filter`
roles: use longer format for when conditionals When the condition is an AND we can use this more succinct format. 2022-09-10 22:12:49 +02:00			`when:`
roles/common: rework fail2ban again Actually, we do want to run fail2ban on all hosts because the sshd monitoring via systemd is nice. At the very least it reduces spam from failed logins in our systemd journal. 2023-08-23 21:14:16 +02:00			`- webserver is defined and webserver == 'nginx'`
roles: use longer format for when conditionals When the condition is an AND we can use this more succinct format. 2022-09-10 22:12:49 +02:00			`- extra_fail2ban_filters is defined`
			`- "'nginx' in extra_fail2ban_filters"`
Remove Debian 10 support 2022-09-11 08:21:08 +02:00			`ansible.builtin.template:`
			`src: etc/fail2ban/jail.d/nginx.local.j2`
			`dest: /etc/fail2ban/jail.d/nginx.local`
			`owner: root`
roles/common: run ansible-lint --write 2023-08-23 20:33:22 +02:00			`mode: "0644"`
Add nginx filter for fail2ban Some hosts can use fail2ban's nginx-botsearch filter to ban anyone making requests to non-existent files like wp-login.php. There is no reason to request such files naively and anyone found doing so can be banned immediately. In theory I should report them to AbuseIPDB.com, but that will take a little more wiring up. 2021-08-01 08:56:43 +02:00			`notify: restart fail2ban`

roles/common: Add support for fail2ban This is active banning of IPs that are brute forcing login attempts to SSH, versus the passive banning of 10,000 abusive IPs from the abuseipdb.com blacklist. For now I am banning IPs that fail to log in successfully more than twelve times in a one-hour period, but these settings might change, and I can override them at the group and host level if needed. Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04, with minor differences in the systemd configuration due to older versions on some distributions. You can see the status of the jail like this: # fail2ban-client status sshd Status for the jail: sshd \|- Filter \| \|- Currently failed: 0 \| \|- Total failed: 0 \| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions \|- Currently banned: 1 \|- Total banned: 1 `- Banned IP list: 106.13.112.20 You can unban IPs like this: # fail2ban-client set sshd unbanip 106.13.112.20 2019-10-26 16:36:07 +02:00			`- name: Create fail2ban service override directory`
Remove Debian 10 support 2022-09-11 08:21:08 +02:00			`ansible.builtin.file:`
			`path: /etc/systemd/system/fail2ban.service.d`
			`state: directory`
			`owner: root`
roles/common: run ansible-lint --write 2023-08-23 20:33:22 +02:00			`mode: "0755"`
roles/common: Add support for fail2ban This is active banning of IPs that are brute forcing login attempts to SSH, versus the passive banning of 10,000 abusive IPs from the abuseipdb.com blacklist. For now I am banning IPs that fail to log in successfully more than twelve times in a one-hour period, but these settings might change, and I can override them at the group and host level if needed. Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04, with minor differences in the systemd configuration due to older versions on some distributions. You can see the status of the jail like this: # fail2ban-client status sshd Status for the jail: sshd \|- Filter \| \|- Currently failed: 0 \| \|- Total failed: 0 \| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions \|- Currently banned: 1 \|- Total banned: 1 `- Banned IP list: 106.13.112.20 You can unban IPs like this: # fail2ban-client set sshd unbanip 106.13.112.20 2019-10-26 16:36:07 +02:00
			`# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban`
			`- name: Configure fail2ban service override`
Remove Debian 10 support 2022-09-11 08:21:08 +02:00			`ansible.builtin.template:`
			`src: etc/systemd/system/fail2ban.service.d/override.conf.j2`
			`dest: /etc/systemd/system/fail2ban.service.d/override.conf`
			`owner: root`
roles/common: run ansible-lint --write 2023-08-23 20:33:22 +02:00			`mode: "0644"`
roles/common: Add support for fail2ban This is active banning of IPs that are brute forcing login attempts to SSH, versus the passive banning of 10,000 abusive IPs from the abuseipdb.com blacklist. For now I am banning IPs that fail to log in successfully more than twelve times in a one-hour period, but these settings might change, and I can override them at the group and host level if needed. Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04, with minor differences in the systemd configuration due to older versions on some distributions. You can see the status of the jail like this: # fail2ban-client status sshd Status for the jail: sshd \|- Filter \| \|- Currently failed: 0 \| \|- Total failed: 0 \| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions \|- Currently banned: 1 \|- Total banned: 1 `- Banned IP list: 106.13.112.20 You can unban IPs like this: # fail2ban-client set sshd unbanip 106.13.112.20 2019-10-26 16:36:07 +02:00			`notify:`
			`- reload systemd`
			`- restart fail2ban`

roles/common: Make sure fail2ban is started 2019-10-26 17:14:28 +02:00			`- name: Start and enable fail2ban service`
Remove Debian 10 support 2022-09-11 08:21:08 +02:00			`ansible.builtin.systemd:`
			`name: fail2ban`
			`state: started`
			`enabled: true`
roles/common: Add support for fail2ban This is active banning of IPs that are brute forcing login attempts to SSH, versus the passive banning of 10,000 abusive IPs from the abuseipdb.com blacklist. For now I am banning IPs that fail to log in successfully more than twelve times in a one-hour period, but these settings might change, and I can override them at the group and host level if needed. Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04, with minor differences in the systemd configuration due to older versions on some distributions. You can see the status of the jail like this: # fail2ban-client status sshd Status for the jail: sshd \|- Filter \| \|- Currently failed: 0 \| \|- Total failed: 0 \| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions \|- Currently banned: 1 \|- Total banned: 1 `- Banned IP list: 106.13.112.20 You can unban IPs like this: # fail2ban-client set sshd unbanip 106.13.112.20 2019-10-26 16:36:07 +02:00
			`# vim: set sw=2 ts=2:`