Nicolas Baudoin · Nicolas Baudoin · bb4865be · 9f086668 · bb4865be
--- a/tasks/config_fail2ban.yml 0 → 100644

+ 44

− 0
+++ b/tasks/config_fail2ban.yml 0 → 100644

+ 44

− 0
+---
+# The unban script will allow fail2ban to delete rules from nftables by finding their handles
+- name: Create an unban script for Fail2Ban to work with nftables
+  template:
+    src: nftables_unban.j2
+    dest: /usr/local/bin/nftables_unban
+    mode: '0755'
+
+# The date script will generate the correct path for the log
+- name: Create date script for Fail2Ban logpath
+  template:
+    src: current_date_logpath.j2
+    dest: /usr/local/bin/current_date_logpath
+    mode: '0755'
+
+- name: Ensure the custom sshd line is present in fail2ban filter configuration for sshd
+  ansible.builtin.lineinfile:
+    path: /etc/fail2ban/filter.d/sshd.conf
+    insertafter: '^\[iI\]\(?:llegal|nvalid\) user <F-USER>.*?</F-USER> from <HOST>%\(__suff\)s$'
+    line: '[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__suff)s$'
+    state: present
+
+# Updating fail2ban to be able to work with the way our nftables work
+- name: Deploy custom nftables action for Fail2Ban
+  template:
+    src: nftables-allports.conf.j2
+    dest: /etc/fail2ban/action.d/nftables-allports.conf
+
+- name: Ensure fail2ban jail configuration is correct
+  template:
+    src: fail2ban_jail.j2
+    dest: /etc/fail2ban/jail.d/jail.local
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Reload fail2ban
+
+# Necessary for changing the log file to be analyzed everytime at midnight
+- name: Add cron job to update the logpath at midnight and reload Fail2Ban
+  cron:
+    name: "Update logpath and reload fail2ban at midnight"
+    minute: "0"
+    hour: "0"
+    job: "/usr/local/bin/current_date_logpath && systemctl reload fail2ban"