From d67bd0fd585b1fe2401f3d616d895c2da5b099d1 Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Wed, 4 Dec 2024 15:52:11 -0500
Subject: [PATCH] feat: Add tasks to install and config fail2ban

---
 ansible/group_vars/all                        |  1 +
 ansible/roles/ssh_proxy_config/tasks/main.yml | 41 +++++++++++++++++++
 .../ssh_proxy_config/templates/jail.local.j2  |  7 ++++
 3 files changed, 49 insertions(+)
 create mode 100644 ansible/roles/ssh_proxy_config/templates/jail.local.j2

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 2e8fa6c..452daa7 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -46,3 +46,4 @@
 # ssh proxy
   enable_ssh_proxy_config: false
   sshpiper_dest_dir: "/opt/sshpiper"
+  fail2ban_cidr_list: "127.0.0.1/8"
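Review bot: `fail2ban_cidr_list` replaces fail2ban's default `ignoreip` (`127.0.0.1/8 ::1`) wholesale, so the IPv6 loopback is silently dropped and the variable's expected format is not documented anywhere. I'd default it to `"127.0.0.1/8 ::1"` and add above it `# space-separated CIDRs/hosts fail2ban never bans; add trusted admin ranges here`, so operators know how to extend it without locking themselves out of the proxy host.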
diff --git a/ansible/roles/ssh_proxy_config/tasks/main.yml b/ansible/roles/ssh_proxy_config/tasks/main.yml
index d3ec3bd..fb51f9f 100644
--- a/ansible/roles/ssh_proxy_config/tasks/main.yml
+++ b/ansible/roles/ssh_proxy_config/tasks/main.yml
@@ -11,3 +11,44 @@
     enabled: true
     state: restarted
 
+- name: Install firewalld
+  ansible.builtin.package:
+    name: firewalld
+    state: present
+
+- name: Configure firewalld
+  ansible.posix.firewalld:
+    port: 2222/tcp
+    zone: public
+    state: enabled
+    permanent: true
+
+- name: Enable and start firewalld
+  ansible.builtin.service:
+    name: firewalld
+    enabled: true
+    state: restarted
+
+- name: Install fail2ban
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - fail2ban
+    - fail2ban-firewalld
+
+- name: Configure fail2ban
+  ansible.builtin.template:
+    src: jail.local.j2
+    dest: "/etc/fail2ban/jail.local"
+    backup: true
+
+- name: Activate the firewall support
+  ansible.builtin.command:
+    cmd: mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
+
+- name: Enable and start fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    enabled: true
+    state: restarted
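Review bot: `Activate the firewall support` is not idempotent: the `mv` fails on the second run once `/etc/fail2ban/jail.d/00-firewalld.conf` no longer exists, which aborts the play before `Enable and start fail2ban` runs. Adding `removes: /etc/fail2ban/jail.d/00-firewalld.conf` to the `ansible.builtin.command` task skips it when the source is already gone (`creates: /etc/fail2ban/jail.d/00-firewalld.local` achieves the same). Relatedly, `state: restarted` on both `Enable and start firewalld` and `Enable and start fail2ban` restarts the services on every run even when nothing changed; `state: started` plus a restart handler notified by the `Configure firewalld` and `Configure fail2ban` tasks is the usual pattern. The firewalld task also sets `permanent: true` without `immediate: true`, which only takes effect here because the service happens to be restarted right after.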
diff --git a/ansible/roles/ssh_proxy_config/templates/jail.local.j2 b/ansible/roles/ssh_proxy_config/templates/jail.local.j2
new file mode 100644
index 0000000..d5898e6
--- /dev/null
+++ b/ansible/roles/ssh_proxy_config/templates/jail.local.j2
@@ -0,0 +1,7 @@
+[DEFAULT]
+banaction = firewalld
+bantime  = 1200
+ignoreip = {{ fail2ban_cidr_list }}
+
+[sshd]
+enabled = true
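Review bot: The `[sshd]` jail is enabled with fail2ban's defaults for `port` and `logpath`, while the role opens `2222/tcp` in firewalld and deploys sshpiper; if the proxied ssh traffic arrives on 2222, a port-scoped firewalld ban action would presumably only block the default `ssh` port, and the stock sshd filter may not match sshpiper's log lines — confirm both against the installed action definition and the actual log format before relying on this jail. Setting `port = ssh,2222` in the `[sshd]` section covers the first concern (drop `ssh` if the proxy host does not accept admin logins on 22). An explicit `maxretry`/`findtime` line would also document the chosen threshold, since only `bantime` is set. The double space in `bantime  = 1200` is harmless but inconsistent with the other keys.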
-- 
GitLab