Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# Configure Fail2Ban
# Configure SSH with same port as fail2ban
- name: Save ssh port
set_fact:
ansible_host_port: "{{ ansible_port }}"
- name: Change ssh port to 22
set_fact:
ansible_port: 22
- name: Install System Tools
apt:
pkg:
- fail2ban
state: latest
update_cache: yes
install_recommends: no
- name: sshd configuration file update
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^{{ item.key }}"
line: "{{ item.key }} {{ item.value }}"
validate: /usr/sbin/sshd -T -f %s
with_items:
- {key: "PermitRootLogin", value: "no"}
- {key: "PasswordAuthentication", value: "no"}
- {key: "ClientAliveInterval", value: "300"}
- {key: "ClientAliveCountMax", value: "1"}
- {key: "AllowUsers", value: "{{ ansible_user }}"}
- {key: "Port", value: "{{ ansible_host_port }}"}
- {key: "MaxAuthTries", value: "2"}
- {key: "AllowTcpForwarding", value: "no"}
- {key: "X11Forwarding", value: "no"}
- {key: "AllowAgentForwarding", value: "no"}
- {key: "AuthorizedKeysFile", value: ".ssh/authorized_keys"}
- name: Enable service fail2ban
ansible.builtin.systemd:
name: fail2ban
enabled: yes
state: started
- name: copy fail2ban config
copy:
src: /etc/fail2ban/jail.conf
dest: /etc/fail2ban/jail.local
remote_src: true
- name: fail2ban configuration file update
lineinfile:
path: "/etc/fail2ban/jail.local"
firstmatch: true
regexp: "^port.*=.*ssh$"
line: "port = {{ ansible_host_port }}"
- name: fail2ban configuration file update
lineinfile:
path: "/etc/fail2ban/jail.local"
insertafter: |
^\[sshd\]
line: "enabled = true"
- name: Enable service fail2ban
ansible.builtin.systemd:
name: fail2ban
enabled: yes
state: restarted
- name: Restart SSHD
service:
name: sshd
state: restarted