- name: Install the Uncomplicated Firewall
  # ufw is the front end for the host packet filter. Rules added by the
  # community.general.ufw tasks below are stored but not enforced until the
  # final "Enable firewall" task sets state: enabled.
  ansible.builtin.apt:
    state: present
    name: ufw
- name: Install Fail2ban
  # Log-driven ban daemon; its jail configuration is laid down by the
  # "Remove Fail2ban defaults-debian.conf" and template tasks further down.
  ansible.builtin.apt:
    state: present
    name: fail2ban
- name: Deny incoming traffic by default
  # Default-deny policy for inbound connections. Anything that must remain
  # reachable (SSH, below) needs an explicit allow rule before the firewall
  # is enabled, otherwise the host becomes unreachable.
  community.general.ufw:
    direction: incoming
    default: deny
- name: Allow outgoing traffic by default
  # Outbound connections are unrestricted; only the inbound policy is
  # default-deny. Tighten here if egress filtering is required.
  community.general.ufw:
    direction: outgoing
    default: allow
- name: Allow OpenSSH with rate limiting
  # "limit" instead of "allow": ufw admits SSH but drops new connections
  # from a source that exceeds ufw's built-in connection-rate threshold,
  # which blunts brute-force attempts before Fail2ban even sees them.
  # NOTE(review): "ssh" is resolved by ufw as a service/app name — confirm it
  # matches the port sshd actually listens on if that port is non-default.
  community.general.ufw:
    rule: limit
    name: ssh
- name: Remove Fail2ban defaults-debian.conf
  # Drop the distribution-shipped jail drop-in so that the sshd jail is
  # governed solely by the templated sshd.conf installed by the next task.
  ansible.builtin.file:
    state: absent
    path: /etc/fail2ban/jail.d/defaults-debian.conf
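- name: Install OpenSSH's Fail2ban jail
  # Renders the sshd jail definition. The mode is quoted so every YAML
  # parser (and ansible-lint's risky-octal check) reads it as the octal
  # string "0640" rather than an integer whose base depends on the parser.
  # Handler restart_fail2ban is expected to be defined elsewhere in the role.
  ansible.builtin.template:
    src: fail2ban-ssh.conf.j2
    dest: /etc/fail2ban/jail.d/sshd.conf
    mode: "0640"
  notify: restart_fail2ban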
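- name: Install Fail2ban IP allow list
  # Renders the allow-list drop-in only when fail2ban_ignoreip is set, so
  # hosts without an allow list get no file at all. Mode is quoted for the
  # same octal-ambiguity reason as the sshd jail task.
  # NOTE(review): presumably the template reads fail2ban_ignoreip — confirm
  # that an existing allowlist.conf is not left stale when the variable is
  # later unset (this task then simply skips).
  ansible.builtin.template:
    src: fail2ban-allowlist.conf.j2
    dest: /etc/fail2ban/jail.d/allowlist.conf
    mode: "0640"
  when: fail2ban_ignoreip is defined
  notify: restart_fail2ban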
- name: Enable firewall
  # Must stay last: the default-deny inbound policy and the SSH limit rule
  # above are applied together with this enable, which is what keeps the
  # management session reachable.
  community.general.ufw:
    state: enabled