ansible/cluster.yml

@@ -12,3 +12,4 @@
     - { name: 'ssl_cert', tags: 'ssl_cert', when: enable_ssl_certs }
     - { name: 'rsyslog_config', tags: 'rsyslog_config', when: enable_rsyslog_config }
     - { name: 'rewrite_map', tags: 'rewrite_map', when: enable_rewrite_map }
+    - { name: 'fail2ban', tags: 'fail2ban', when: enable_fail2ban }

ansible/group_vars/all

@@ -50,7 +50,6 @@
 # ssh proxy
   enable_ssh_proxy_config: false
   sshpiper_dest_dir: "/opt/sshpiper"
-  fail2ban_cidr_list: "127.0.0.1/8"
 
 # rsyslog
   enable_rsyslog_config: false
@@ -75,3 +74,10 @@
 
 # account app
   account_app_port: 8000
+
+# fail2ban
+  enable_fail2ban: true
+  maxretry: 1
+  findtime: 600
+  bantime: 1200
+  fail2ban_white_list: "127.0.0.1/8"

ansible/roles/fail2ban/tasks/main.yml

+---
+
+- name: Install fail2ban
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - fail2ban
+    - fail2ban-firewalld
+
+- name: Configure fail2ban
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    backup: true
+  loop:
+    - { src: 'jail.local.j2', dest: '/etc/fail2ban/jail.local' }
+    - { src: 'sshpiperd_filter.local.j2', dest: '/etc/fail2ban/filter.d/sshpiperd.local' }
+    - { src: 'sshpiperd_jail.local.j2', dest: '/etc/fail2ban/jail.d/sshpiperd.local' }
+
+- name: Activate the firewalld support for fail2ban
+  ansible.builtin.command:
+    cmd: mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
+
+- name: Configure firewalld to allow ssh and sshpiper traffic
+  ansible.posix.firewalld:
+    port: "{{ item }}"
+    zone: public
+    state: enabled
+    permanent: true
+  loop:
+    - 2222/tcp
+    - 22/tcp
+
+- name: Enable and start firewalld
+  ansible.builtin.service:
+    name: firewalld
+    enabled: true
+    state: restarted
+
+- name: Enable and start fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    enabled: true
+    state: restarted
+

ansible/roles/ssh_proxy_config/templates/jail.local.j2 → ansible/roles/fail2ban/templates/jail.local.j2

 [DEFAULT]
 banaction = firewalld
-bantime  = 1200
-ignoreip = {{ fail2ban_cidr_list }}
+bantime  = {{ bantime }}
+ignoreip = {{ fail2ban_white_list }}
 
 [sshd]
 enabled = true

ansible/roles/fail2ban/templates/sshpiperd_filter.local.j2

+# Refer to https://github.com/fail2ban/fail2ban/wiki/Developing-Regex-in-Fail2ban for developing regex using fail2ban
+#
+[INCLUDES]
+before = common.conf
+
+[DEFAULT]
+_daemon = sshpiperd
+__iso_datetime = "\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)"
+__pref = time=%(__iso_datetime)s level=(?:debug|error)
+
+[Definition]
+# Define the prefix regex for the log lines
+prefregex = ^<F-MLFID>%(__prefix_line)s%(__pref)s</F-MLFID>\s+<F-CONTENT>.+</F-CONTENT>$
+
+# Failregex to match the specific failure log lines (prefregex is automatically included)
+failregex = ^msg="connection from .*failtoban: ip <HOST> too auth many failures"$
+
+ignoreregex =
+
+mode = normal
+
+maxlines = 1

ansible/roles/fail2ban/templates/sshpiperd_jail.local.j2

+# This configuration will block the remote host after {{maxretry}} failed SSH login attempts.
+[sshpiperd]
+enabled  = true
+filter   = sshpiperd
+logpath  = /var/log/messages
+port     = 22
+maxretry = {{ maxretry }}
+backend  = auto
+findtime = {{ findtime }}

ansible/roles/ssh_proxy_config/tasks/main.yml

@@ -10,45 +10,3 @@
     name: sshpiperd
     enabled: true
     state: restarted
-
-- name: Install firewalld
-  ansible.builtin.package:
-    name: firewalld
-    state: present
-
-- name: Configure firewalld
-  ansible.posix.firewalld:
-    port: 2222/tcp
-    zone: public
-    state: enabled
-    permanent: true
-
-- name: Enable and start firewalld
-  ansible.builtin.service:
-    name: firewalld
-    enabled: true
-    state: restarted
-
-- name: Install fail2ban
-  ansible.builtin.package:
-    name: "{{ item }}"
-    state: present
-  loop:
-    - fail2ban
-    - fail2ban-firewalld
-
-- name: Configure fail2ban
-  ansible.builtin.template:
-    src: jail.local.j2
-    dest: "/etc/fail2ban/jail.local"
-    backup: true
-
-- name: Activate the firewall support
-  ansible.builtin.command:
-    cmd: mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
-
-- name: Enable and start fail2ban
-  ansible.builtin.service:
-    name: fail2ban
-    enabled: true
-    state: restarted