04.08.25

roles/fail2ban/defaults/main.yml

@@ -0,0 +1,9 @@
+fail2ban_sshd_enabled: true
+fail2ban_nginx_enabled: true
+
+fail2ban_sshd_maxretry: 5
+fail2ban_sshd_bantime: 3600
+
+fail2ban_nginx_maxretry: 5
+fail2ban_nginx_bantime: 3600
+

roles/fail2ban/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: Restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+

roles/fail2ban/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: Install fail2ban
+  apt:
+    name: fail2ban
+    state: present
+    update_cache: true
+
+- name: Configure jail.local
+  template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    mode: 0644
+  notify: Restart fail2ban
+
+- name: Configure nginx filter
+  template:
+    src: nginx.conf.j2
+    dest: /etc/fail2ban/filter.d/nginx-http-auth.conf
+    mode: 0644
+  when: fail2ban_nginx_enabled
+
+- name: Ensure fail2ban is running
+  service:
+    name: fail2ban
+    state: started
+    enabled: true
+

roles/fail2ban/templates/jail.local.j2

@@ -0,0 +1,14 @@
+[sshd]
+enabled = {{ 'true' if fail2ban_sshd_enabled else 'false' }}
+port = ssh
+logpath = %(sshd_log)s
+maxretry = {{ fail2ban_sshd_maxretry }}
+bantime = {{ fail2ban_sshd_bantime }}
+
+[nginx-http-auth]
+enabled = {{ 'true' if fail2ban_nginx_enabled else 'false' }}
+port = http,https
+logpath = /var/log/nginx/error.log
+maxretry = {{ fail2ban_nginx_maxretry }}
+bantime = {{ fail2ban_nginx_bantime }}
+

roles/fail2ban/templates/nginx.conf.j2

@@ -0,0 +1,4 @@
+[Definition]
+failregex = no user/password was provided for basic authentication.*client: <HOST>
+ignoreregex =
+