diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 2e8fa6cc7a46824fefb6df6e46bd2d01767512e8..452daa732ef7a77b7544c664fb9f444cea19b68f 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -46,3 +46,4 @@
 # ssh proxy
 enable_ssh_proxy_config: false
 sshpiper_dest_dir: "/opt/sshpiper"
+fail2ban_cidr_list: "127.0.0.1/8"
diff --git a/ansible/roles/ssh_proxy_config/tasks/main.yml b/ansible/roles/ssh_proxy_config/tasks/main.yml
index d3ec3bd59c405a5d1e4c0c85cab45ec9d8c6b9ca..fb51f9fe65cedd2993af4199eff9e04f8c1c1b2a 100644
--- a/ansible/roles/ssh_proxy_config/tasks/main.yml
+++ b/ansible/roles/ssh_proxy_config/tasks/main.yml
@@ -11,3 +11,44 @@
     enabled: true
     state: restarted
 
+- name: Install firewalld
+  ansible.builtin.package:
+    name: firewalld
+    state: present
+
+- name: Configure firewalld
+  ansible.posix.firewalld:
+    port: 2222/tcp
+    zone: public
+    state: enabled
+    permanent: true
+
+- name: Enable and start firewalld
+  ansible.builtin.service:
+    name: firewalld
+    enabled: true
+    state: restarted
+
+- name: Install fail2ban
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - fail2ban
+    - fail2ban-firewalld
+
+- name: Configure fail2ban
+  ansible.builtin.template:
+    src: jail.local.j2
+    dest: "/etc/fail2ban/jail.local"
+    backup: true
+
+- name: Activate the firewall support
+  ansible.builtin.command:
+    cmd: mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
+
+- name: Enable and start fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    enabled: true
+    state: restarted
diff --git a/ansible/roles/ssh_proxy_config/templates/jail.local.j2 b/ansible/roles/ssh_proxy_config/templates/jail.local.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d5898e63b7cbb1046ac28d59062b1ede7d148809
--- /dev/null
+++ b/ansible/roles/ssh_proxy_config/templates/jail.local.j2
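Review bot: The `Activate the firewall support` task is not idempotent: `ansible.builtin.command` runs `mv` on every play, and on the second run `/etc/fail2ban/jail.d/00-firewalld.conf` no longer exists, so the task errors and aborts the role. Add `creates: /etc/fail2ban/jail.d/00-firewalld.local` next to `cmd:` so the step is skipped once the rename has happened; since `jail.local` already sets `banaction = firewalld`, the rename presumably only keeps the packaged `.conf` from being re-read — confirm that it is still needed. Separately, `Enable and start firewalld` and `Enable and start fail2ban` use `state: restarted` unconditionally, which bounces both daemons on every run and may drop bans that are active at that moment; prefer `state: started` here and a handler notified by `Configure fail2ban` (and by `Configure firewalld`, whose `permanent: true` change otherwise only takes effect through that restart). The task list continues above the hunk.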
@@ -0,0 +1,7 @@
+[DEFAULT]
+banaction = firewalld
+bantime = 1200
+ignoreip = {{ fail2ban_cidr_list }}
+
+[sshd]
+enabled = true
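Review bot: `ignoreip = {{ fail2ban_cidr_list }}` replaces the whole ignore list with the group_vars default `127.0.0.1/8`, which omits the IPv6 loopback `::1` that the stock jail.conf lists alongside it; unless `ignoreself` is relied on to cover the host's own addresses, set the variable to `"127.0.0.1/8 ::1"` (a constructed example) or append `::1` in the template. The `[sshd]` jail is enabled with its defaults, so it bans on the jail's default `port = ssh` and reads the system sshd log; if the proxied service is sshpiper on 2222 (the port the firewalld task opens), bans would not cover that port and sshpiper's authentication failures may not appear in the log the filter reads — confirm and set `port` and `logpath` in the jail accordingly.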