init

ansible/roles/harden/fail2ban/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+- name: validate fail2ban config
+  listen: "validate and restart fail2ban"
+  become: true
+  ansible.builtin.command: fail2ban-client -t
+  register: f2b_validate
+  changed_when: false
+
+- name: restart fail2ban
+  listen: "validate and restart fail2ban"
+  become: true
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: restarted

ansible/roles/harden/fail2ban/tasks/main.yml

@@ -0,0 +1,58 @@
+---
+- name: install fail2ban + deps
+  ansible.builtin.apt:
+    name:
+      - fail2ban
+      - python3
+      - python3-systemd
+      - nftables
+    state: present
+    update_cache: true
+  become: true
+
+- name: enable & start nftables
+  ansible.builtin.systemd:
+    name: nftables
+    enabled: true
+    state: started
+  become: true
+
+- name: ensure fail2ban directories exist
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  loop:
+    - /etc/fail2ban
+    - /etc/fail2ban/jail.d
+    - /etc/fail2ban/filter.d
+  become: true
+
+- name: deploy /etc/fail2ban/fail2ban.local
+  ansible.builtin.template:
+    src: fail2ban.local.j2
+    dest: /etc/fail2ban/fail2ban.local
+    owner: root
+    group: root
+    mode: "0644"
+  notify: validate and restart fail2ban
+  become: true
+
+- name: deploy /etc/fail2ban/jail.local
+  ansible.builtin.template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    owner: root
+    group: root
+    mode: "0644"
+  notify: validate and restart fail2ban
+  become: true
+
+- name: ensure fail2ban enabled and started
+  ansible.builtin.systemd:
+    name: fail2ban
+    enabled: true
+    state: started
+  become: true

ansible/roles/harden/fail2ban/templates/fail2ban.local.j2

@@ -0,0 +1,6 @@
+[Definition]
+loglevel   = INFO
+logtarget  = /var/log/fail2ban.log
+socket     = /run/fail2ban/fail2ban.sock
+pidfile    = /run/fail2ban/fail2ban.pid
+dbpurgeage = 86400

ansible/roles/harden/fail2ban/templates/jail.local.j2

@@ -0,0 +1,18 @@
+[DEFAULT]
+ignoreip = 127.0.0.1/8 ::1
+
+findtime = 600
+maxretry = 5
+bantime  = 1h
+
+backend   = systemd
+banaction = nftables[type=multiport]
+
+[sshd]
+enabled  = true
+port     = 25105
+filter   = sshd
+maxretry = 5
+findtime = 600
+bantime  = 1h
+mode     = aggressive