From 0605f70f2e5d3a84add07c153c0d666c883163e1 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sat, 26 Oct 2019 16:36:07 +0200
Subject: [PATCH] roles/common: Add support for fail2ban
This is active banning of IPs that are brute forcing login attempts to SSH, versus the passive banning of 10,000 abusive IPs from the abuseipdb.com blacklist. For now I am banning IPs that fail to log in successfully more than twelve times in a one-hour period, but these settings might change, and I can override them at the group and host level if needed. Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04, with minor differences in the systemd configuration due to older versions on some distributions. You can see the status of the jail like this: # fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 1 |- Total banned: 1 `- Banned IP list: 106.13.112.20 You can unban IPs like this: # fail2ban-client set sshd unbanip 106.13.112.20
---
 roles/common/defaults/main.yml | 11 ++++++++++
 roles/common/handlers/main.yml | 6 +++++
 roles/common/tasks/fail2ban.yml | 20 +++++++++++++++++
 roles/common/tasks/firewall_Debian.yml | 16 ++++++++++----
 roles/common/tasks/firewall_Ubuntu.yml | 16 ++++++++++----
 .../etc/fail2ban/jail.d/sshd.local.j2 | 11 ++++++++++
 .../fail2ban.service.d/override.conf.j2 | 22 +++++++++++++++++++
 7 files changed, 94 insertions(+), 8 deletions(-)
 create mode 100644 roles/common/defaults/main.yml
 create mode 100644 roles/common/tasks/fail2ban.yml
 create mode 100644 roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
 create mode 100644 roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
new file mode 100644
index 0000000..59ba41b
--- /dev/null
+++ b/roles/common/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+#file - roles/common/defaults/main.yml
+
+fail2ban_maxretry: 6
+# 1 hour in seconds
+fail2ban_findtime: 3600
+# 2 weeks in seconds
+fail2ban_bantime: 1209600
+fail2ban_ignoreip: 127.0.0.1/8,172.26.0.0/16,192.168.5.0/24
+
+# vim: set ts=2 sw=2:
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index c9b14fa..4519ed9 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -15,3 +15,9 @@
 - name: restart firewalld
 systemd: name=firewalld state=restarted
+
+ - name: restart fail2ban
+ systemd: name=fail2ban state=restarted
+
+ - name: reload systemd
+ systemd: daemon_reload=yes
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
new file mode 100644
index 0000000..3bd8857
--- /dev/null
+++ b/roles/common/tasks/fail2ban.yml
@@ -0,0 +1,20 @@
+---
+
+- name: Configure fail2ban sshd filter
+ template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644
+ notify: restart fail2ban
+
+- name: Create fail2ban service override directory
+ file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755
+
+# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
+- name: Configure fail2ban service override
+ template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644
+ notify:
+ - reload systemd
+ - restart fail2ban
+
+- name: Enable fail2ban service
+ systemd: name=fail2ban enabled=yes
+
+# vim: set sw=2 ts=2:
diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index b9473d7..b0c85ec 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
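Review bot: `fail2ban_maxretry: 6` in the new defaults does not match the commit message, which says an IP is banned after more than twelve failed logins in a one-hour window; either the default or the description should change so that the documented threshold is the one actually deployed. The value also deserves the same kind of comment its neighbours have, e.g. `# failed logins within findtime before a ban` above it. Minor: `#file - roles/common/defaults/main.yml` is missing the space after `#` that every other comment in the file uses.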
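Review bot: `reload systemd` is defined after `restart fail2ban`, and Ansible runs notified handlers in the order they are defined in the handlers file, not the order they are listed under `notify`, so on the run that first installs the unit override the restart happens before the daemon-reload and the hardened service settings only take effect at the next restart. Either move the `reload systemd` handler above `restart fail2ban`, or make the restart self-sufficient with `systemd: name=fail2ban state=restarted daemon_reload=yes`. The earlier handlers in this file are outside the hunk, so I can't tell whether the same ordering issue exists for firewalld.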
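Review bot: `systemd: name=fail2ban enabled=yes` in the last task enables the unit but does not ensure it is running; on a later run where both templates are unchanged no handler fires, so a host whose fail2ban has died, or where the package did not start it on install, stays without active banning until a reboot. `systemd: name=fail2ban state=started enabled=yes` converges on the intended state. Separately, the commit message lists CentOS 7 as supported, but the diffstat only shows the Debian and Ubuntu firewall task files gaining an `include_tasks: fail2ban.yml`; unless a CentOS include already exists elsewhere, this file is never reached there.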
@@ -1,12 +1,17 @@
 ---
 - block:
+ - name: Set Debian firewall packages
+ set_fact:
+ debian_firewall_packages:
+ - firewalld
+ - tidy
+ - fail2ban
+ - python3-systemd # for fail2ban systemd backend
+
 - name: Install firewalld and deps
 when: ansible_distribution_major_version is version_compare('8', '>=')
- apt: pkg={{ item }} state=present
- loop:
- - firewalld
- - tidy
+ apt: pkg={{ debian_firewall_packages }} state=present
 - name: Use nftables backend in firewalld
 when: ansible_distribution_major_version is version_compare('10', '>=')
@@ -47,6 +52,9 @@
 - abusers-ipv6.xml
 notify:
 - restart firewalld
+
+ - include_tasks: fail2ban.yml
+ when: ansible_distribution_major_version is version_compare('9', '>=')
 tags: firewall
 # vim: set sw=2 ts=2:
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 0fecb46..34d5da2 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@@ -1,12 +1,17 @@
 ---
 - block:
+ - name: Set Ubuntu firewall packages
+ set_fact:
+ ubuntu_firewall_packages:
+ - firewalld
+ - tidy
+ - fail2ban
+ - python3-systemd # for fail2ban systemd backend
+
 - name: Install firewalld and deps
 when: ansible_distribution_version is version_compare('15.04', '>=')
- apt: pkg={{ item }} state=present
- loop:
- - firewalld
- - tidy
+ apt: pkg={{ ubuntu_firewall_packages }} state=present
 - name: Copy firewalld public zone file
 when: ansible_distribution_version is version_compare('15.04', '>=')
@@ -26,6 +31,9 @@
 - abusers-ipv6.xml
 notify:
 - restart firewalld
+
+ - include_tasks: fail2ban.yml
+ when: ansible_distribution_version is version_compare('15.04', '>=')
 tags: firewall
 # vim: set sw=2 ts=2:
diff --git a/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2 b/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
new file mode 100644
index 0000000..14e1e26
--- /dev/null
+++ b/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
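Review bot: `include_tasks: fail2ban.yml` inside the `tags: firewall` block inherits the tag only for the include statement itself; the tasks in fail2ban.yml are untagged, so a run with `--tags firewall` executes the include and then skips every fail2ban task, leaving a host that was supposedly re-firewalled without its jail. The simplest fix is `import_tasks: fail2ban.yml`, which is static and inherits the block's tags and `when`; if the dynamic include is wanted, keep `include_tasks` in its `file:` form and add `apply: { tags: firewall }` alongside the outer `tags`. The identical `include_tasks` in the firewall_Ubuntu.yml hunk at `@@ -26,6 +31,9 @@` has the same problem. Also note that the first Debian hunk installs fail2ban for Debian 8 and newer while this hunk configures it only for 9 and newer, so a Debian 8 host gets the package with the distribution's stock jail configuration rather than this role's. The enclosing block starts in the first hunk and its `tags: firewall` line is the last line of this one.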
@@ -0,0 +1,11 @@
+[sshd]
+enabled = true
+# See: /etc/fail2ban/filter.d/sshd.conf
+filter = sshd
+# Integrate with firewalld and ipsets
+banaction = firewallcmd-ipset
+backend = systemd
+maxretry = {{ fail2ban_maxretry }}
+findtime = {{ fail2ban_findtime }}
+bantime = {{ fail2ban_bantime }}
+ignoreip = {{ fail2ban_ignoreip }}
diff --git a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2 b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
new file mode 100644
index 0000000..ff5e5ef
--- /dev/null
+++ b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
@@ -0,0 +1,22 @@
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare('18','==') %}
+ProtectSystem=strict
+{% else %}
+{# Older systemd versions don't have ProtectSystem=strict #}
+ProtectSystem=full
+{% endif %}
+NoNewPrivileges=yes
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare('18','==') %}
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban.log
+{% else %}
+{# Older systemd versions don't have ReadWritePaths #}
+ReadWriteDirectories=-/var/run/fail2ban
+ReadWriteDirectories=-/var/lib/fail2ban
+ReadWriteDirectories=-/var/log
+{% endif %}
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
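Review bot: `ignoreip = {{ fail2ban_ignoreip }}` renders the comma-joined default `127.0.0.1/8,172.26.0.0/16,192.168.5.0/24`, but the ignoreip list in fail2ban's own jail.conf is space-separated and, as far as I recall, comma handling differs between the 0.9 and 0.10 releases shipped by the three distributions the commit message names; if the value is taken as a single token, none of the management networks are exempt and the role can ban the very hosts it is run from. Writing the default with spaces, `fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24`, works on every version. I'd also record that expectation in the template, e.g. `# ignoreip is a space-separated list of addresses/CIDRs never banned` above the line.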
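Review bot: Both `{% if %}` conditions test `ansible_distribution == 'Ubuntu'` and `version_compare('18','==')`, so only Ubuntu 18 gets `ProtectSystem=strict` and `ReadWritePaths`; Debian 9/10 and any Ubuntu newer than 18 silently fall into the "older systemd" branch and keep the weaker `ProtectSystem=full`, even though as I recall their systemd supports the strict form. Keying the choice on what it really depends on (a systemd version threshold, or at least `>=` rather than `==`) stops the hardening from degrading on the next release, and the two identical conditions can be merged into one block. With `ProtectSystem=strict` the leading `-` in `ReadWritePaths=-/var/log/fail2ban.log` makes systemd skip the path when it is missing, so on a fresh host where the log file does not exist yet `/var/log` stays read-only and fail2ban may fail to open its log; pre-creating the file in fail2ban.yml or whitelisting the directory avoids that. A comment above `CapabilityBoundingSet` stating why each of the four capabilities is retained would help the next person who tightens this further.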