From 82df91305a5e586292a066ff2a3813d71bc2ce73 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Sat, 18 Jun 2022 19:47:02 -0400
Subject: [PATCH] Install aggressive Fail2ban jail for SSH
---
 roles/base/tasks/firewall.yml | 11 +++++++++++
 roles/base/templates/fail2ban-ssh.conf.j2 | 3 +++
 2 files changed, 14 insertions(+)
 create mode 100644 roles/base/templates/fail2ban-ssh.conf.j2
diff --git a/roles/base/tasks/firewall.yml b/roles/base/tasks/firewall.yml
index e21fb51..1d51846 100644
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@@ -23,6 +23,17 @@
 name: ssh
 rule: limit
+- name: Remove Fail2ban defaults-debian.conf
+ file:
+ path: /etc/fail2ban/jail.d/defaults-debian.conf
+ state: absent
+
+- name: Install OpenSSH's Fail2ban jail
+ template:
+ src: fail2ban-ssh.conf.j2
+ dest: /etc/fail2ban/jail.d/sshd.conf
+ notify: restart_fail2ban
+
 - name: Enable firewall
 ufw:
 state: enabled
diff --git a/roles/base/templates/fail2ban-ssh.conf.j2 b/roles/base/templates/fail2ban-ssh.conf.j2
new file mode 100644
index 0000000..8b7a8c1
--- /dev/null
+++ b/roles/base/templates/fail2ban-ssh.conf.j2
@@ -0,0 +1,3 @@
+[sshd]
+mode = aggressive
+enabled = true
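Review bot: The `Install OpenSSH's Fail2ban jail` template task in roles/base/tasks/firewall.yml writes /etc/fail2ban/jail.d/sshd.conf without explicit ownership or permissions, so the result depends on the umask of the run; add `owner: root`, `group: root` and `mode: "0644"` under `template:`. The `Remove Fail2ban defaults-debian.conf` task also has no `notify: restart_fail2ban`, so a run that only deletes that file (for example after a package upgrade restores it) leaves the running daemon on the old configuration. The `restart_fail2ban` handler and the task that installs the fail2ban package are outside this hunk, so confirm both exist and that the package is installed before these tasks run.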
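Review bot: The new `[sshd]` jail in roles/base/templates/fail2ban-ssh.conf.j2 sets `mode = aggressive` but no `ignoreip`, `maxretry`, `findtime` or `bantime`, so the ban thresholds are whatever the host's jail.conf defaults happen to be and no management address is exempt. Aggressive mode matches more pre-authentication failure patterns than the normal filter, which raises the chance of banning an administrator or the Ansible controller itself. Since the file is already a template, consider a line such as `ignoreip = {{ fail2ban_ignoreip | default('127.0.0.1/8 ::1') }}` (the variable name is a suggestion, not something in this repository) and pinning the thresholds explicitly. A `# {{ ansible_managed }}` first line would also tell anyone on the host that local edits will be overwritten.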