diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
new file mode 100644
index 0000000..59ba41b
--- /dev/null
+++ b/roles/common/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+#file - roles/common/defaults/main.yml
+
+fail2ban_maxretry: 6
+# 1 hour in seconds
+fail2ban_findtime: 3600
+# 2 weeks in seconds
+fail2ban_bantime: 1209600
+fail2ban_ignoreip: 127.0.0.1/8,172.26.0.0/16,192.168.5.0/24
+
+# vim: set ts=2 sw=2:
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index c9b14fa..4519ed9 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -15,3 +15,9 @@
 - name: restart firewalld
 systemd: name=firewalld state=restarted
+
+- name: restart fail2ban
+ systemd: name=fail2ban state=restarted
+
+- name: reload systemd
+ systemd: daemon_reload=yes
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
new file mode 100644
index 0000000..3bd8857
--- /dev/null
+++ b/roles/common/tasks/fail2ban.yml
@@ -0,0 +1,20 @@
+---
+
+- name: Configure fail2ban sshd filter
+ template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644
+ notify: restart fail2ban
+
+- name: Create fail2ban service override directory
+ file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755
+
+# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
+- name: Configure fail2ban service override
+ template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644
+ notify:
+ - reload systemd
+ - restart fail2ban
+
+- name: Enable fail2ban service
+ systemd: name=fail2ban enabled=yes
+
+# vim: set sw=2 ts=2:
diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index b9473d7..b0c85ec 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
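Review bot: `fail2ban_ignoreip` bakes site-specific networks (172.26.0.0/16, 192.168.5.0/24) into the role defaults with no comment, and every host in those ranges is permanently exempt from banning, so a reader cannot tell whether they are an example or a deliberate policy; I'd document it as an override point, e.g. `# Sources never banned; site LAN ranges, override per inventory`. The value is comma-separated while fail2ban's jail.conf documents `ignoreip` as space-separated; newer releases split on commas as well, but older 0.8.x builds split on whitespace only, so this is worth confirming against the fail2ban package on the oldest targeted release. Minor style: `#file - ...` should be `# file - ...` with a space after the hash, matching the other comments in the file.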
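Review bot: `restart fail2ban` is defined above `reload systemd`, and Ansible flushes notified handlers in the order they are defined in the handlers file rather than in notify order, so when the override task in fail2ban.yml notifies both, fail2ban is restarted before the daemon-reload has picked up the new drop-in and the sandboxing settings only take effect on the following restart. Either move `reload systemd` above `restart fail2ban`, or make the restart self-sufficient with `systemd: name=fail2ban state=restarted daemon_reload=yes`. If the file is ever converted from key=value strings to block YAML, `daemon_reload: true` is the canonical form rather than `yes`.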
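Review bot: `Enable fail2ban service` only sets `enabled=yes` and never ensures the unit is running, so on a host where the template handlers do not fire (a re-run after an earlier partial failure, or a `--check` run) fail2ban stays stopped until the next reboot. `systemd: name=fail2ban enabled=yes state=started` closes that gap and stays idempotent. The template and file tasks set `owner=root` without `group`; adding `group=root` makes the intended ownership of the jail and unit drop-ins explicit instead of relying on the creating user's default group.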
@@ -1,12 +1,17 @@
 ---
 - block:
+ - name: Set Debian firewall packages
+ set_fact:
+ debian_firewall_packages:
+ - firewalld
+ - tidy
+ - fail2ban
+ - python3-systemd # for fail2ban systemd backend
+
 - name: Install firewalld and deps
 when: ansible_distribution_major_version is version_compare('8', '>=')
- apt: pkg={{ item }} state=present
- loop:
- - firewalld
- - tidy
+ apt: pkg={{ debian_firewall_packages }} state=present
 - name: Use nftables backend in firewalld
 when: ansible_distribution_major_version is version_compare('10', '>=')
@@ -47,6 +52,9 @@
 - abusers-ipv6.xml
 notify:
 - restart firewalld
+
+ - include_tasks: fail2ban.yml
+ when: ansible_distribution_major_version is version_compare('9', '>=')
 tags: firewall
 # vim: set sw=2 ts=2:
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 0fecb46..34d5da2 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@@ -1,12 +1,17 @@
 ---
 - block:
+ - name: Set Ubuntu firewall packages
+ set_fact:
+ ubuntu_firewall_packages:
+ - firewalld
+ - tidy
+ - fail2ban
+ - python3-systemd # for fail2ban systemd backend
+
 - name: Install firewalld and deps
 when: ansible_distribution_version is version_compare('15.04', '>=')
- apt: pkg={{ item }} state=present
- loop:
- - firewalld
- - tidy
+ apt: pkg={{ ubuntu_firewall_packages }} state=present
 - name: Copy firewalld public zone file
 when: ansible_distribution_version is version_compare('15.04', '>=')
@@ -26,6 +31,9 @@
 - abusers-ipv6.xml
 notify:
 - restart firewalld
+
+ - include_tasks: fail2ban.yml
+ when: ansible_distribution_version is version_compare('15.04', '>=')
 tags: firewall
 # vim: set sw=2 ts=2:
diff --git a/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2 b/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
new file mode 100644
index 0000000..14e1e26
--- /dev/null
+++ b/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
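Review bot: `set_fact` is used to hold a static package list, which turns `debian_firewall_packages` into a host fact that persists for the rest of the play and sits above normal variable precedence; since the list never varies per host it reads better as role `vars` or an inline `vars:` on the install task, consumed as `apt: pkg="{{ debian_firewall_packages }}" state=present`. The same applies to `ubuntu_firewall_packages` in the firewall_Ubuntu.yml hunk. Separately, the list now installs `fail2ban` on Debian 8 (the install task's `>= '8'` guard) while the later hunk includes fail2ban.yml only for `>= '9'`, so Debian 8 hosts presumably end up with fail2ban running the distribution's default jails rather than this role's configuration; aligning the two guards or making the extra packages conditional would make that intent explicit. The enclosing block starts in this hunk but continues outside it.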
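Review bot: `include_tasks` is dynamic, so the `tags: firewall` on the enclosing block applies to the include statement only and is not inherited by the tasks inside fail2ban.yml; a run limited with `--tags firewall` would include the file and then skip every task in it. Use `import_tasks: fail2ban.yml` (static, so the block tags propagate and the `when` is applied to each imported task), or keep `include_tasks` and add `apply: { tags: [firewall] }` (Ansible 2.7+) so the included tasks carry the tag. The include added in the firewall_Ubuntu.yml hunk has the same issue. The block this include belongs to starts outside the hunk.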
@@ -0,0 +1,11 @@
+[sshd]
+enabled = true
+# See: /etc/fail2ban/filter.d/sshd.conf
+filter = sshd
+# Integrate with firewalld and ipsets
+banaction = firewallcmd-ipset
+backend = systemd
+maxretry = {{ fail2ban_maxretry }}
+findtime = {{ fail2ban_findtime }}
+bantime = {{ fail2ban_bantime }}
+ignoreip = {{ fail2ban_ignoreip }}
diff --git a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2 b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
new file mode 100644
index 0000000..ff5e5ef
--- /dev/null
+++ b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
@@ -0,0 +1,22 @@
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare('18','==') %}
+ProtectSystem=strict
+{% else %}
+{# Older systemd versions don't have ProtectSystem=strict #}
+ProtectSystem=full
+{% endif %}
+NoNewPrivileges=yes
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare('18','==') %}
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban.log
+{% else %}
+{# Older systemd versions don't have ReadWritePaths #}
+ReadWriteDirectories=-/var/run/fail2ban
+ReadWriteDirectories=-/var/lib/fail2ban
+ReadWriteDirectories=-/var/log
+{% endif %}
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
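Review bot: The jail sets no `port`, so it inherits fail2ban's default of `ssh` (22), and `banaction = firewallcmd-ipset` installs a port-scoped rule; if sshd listens on a non-default port on any host, bans from this jail would not cover the actual service. Exposing it as a role variable, `port = {{ fail2ban_sshd_port | default('ssh') }}` (a proposed name), keeps the default while making the coupling visible and overridable. `backend = systemd` relies on the `python3-systemd` package that the firewall_*.yml hunks add and on the journalmatch in the stock sshd filter; a comment such as `# Requires python3-systemd (installed by firewall_*.yml)` would keep that dependency discoverable from the jail file.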
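Review bot: Both `{% if %}` guards test `ansible_distribution_major_version is version_compare('18','==')`, so only Ubuntu 18 gets `ProtectSystem=strict` and the narrow `ReadWritePaths=` list, while every newer Ubuntu release and every Debian release fall into the weaker `ProtectSystem=full` / `ReadWriteDirectories=-/var/log` branch even though those directives exist there (as far as I recall, `ReadWritePaths=` and `ProtectSystem=strict` arrived in systemd 231 and 232, which Debian 9 already ships). Changing `'=='` to `'>='` in both guards fixes the forward-compatibility regression; gating on a gathered systemd version rather than the distribution name would also cover Debian, and the duplicated condition could be computed once with a `{% set %}` at the top of the template. The fallback branch also grants write access to all of `/var/log` instead of just `fail2ban.log`, which is a wider surface than the strict branch and worth a comment explaining why.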