Install aggressive Fail2ban jail for SSH

Create initial log files for fail2ban
Add Fail2ban to Gitea and Bitwarden
2022-06-18 19:47:02 -04:00 · 2022-06-07 00:25:47 -04:00 · 2022-05-28 02:31:41 -04:00
10 changed files with 102 additions and 1 deletions
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@ -10,3 +10,9 @@
    name: wg-quick@wg0
    state: restarted
  listen: restart_wireguard
 - name: Restart Fail2ban
  service:
    name: fail2ban
    state: restarted
  listen: restart_fail2ban
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@ -3,6 +3,11 @@
    name: ufw
    state: present
 - name: Install Fail2ban
  apt:
    name: fail2ban
    state: present
 - name: Deny incoming traffic by default
  ufw:
    default: deny
@ -18,6 +23,17 @@
    name: ssh
    rule: limit
 - name: Remove Fail2ban defaults-debian.conf
  file:
    path: /etc/fail2ban/jail.d/defaults-debian.conf
    state: absent
 - name: Install OpenSSH's Fail2ban jail
  template:
    src: fail2ban-ssh.conf.j2
    dest: /etc/fail2ban/jail.d/sshd.conf
  notify: restart_fail2ban
 - name: Enable firewall
  ufw:
    state: enabled
--- a/roles/base/templates/fail2ban-ssh.conf.j2
+++ b/roles/base/templates/fail2ban-ssh.conf.j2
@ -0,0 +1,3 @@
 [sshd]
 mode = aggressive
 enabled = true
--- a/roles/bitwarden/defaults/main.yml
+++ b/roles/bitwarden/defaults/main.yml
@ -1,5 +1,7 @@
 bitwarden_name: bitwarden
 bitwarden_root: "/var/lib/{{ bitwarden_name }}"
 bitwarden_logs_identity: "{{ bitwarden_root }}/bwdata/logs/identity/Identity"
 bitwarden_logs_identity_date: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"
 bitwarden_database: "{{ bitwarden_name }}"
 bitwarden_realips: "172.16.0.0/12"
 bitwarden_standalone: false
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@ -78,6 +78,24 @@
  register: bitwarden_systemd
  notify: rebuild_bitwarden
 - name: Create Bitwarden's initial logging directory
  file:
    path: "{{ bitwarden_logs_identity }}"
    state: directory
  register: bitwarden_logs
 - name: Create Bitwarden's initial log file
  file:
    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
    state: touch
  when: bitwarden_logs.changed
 - name: Install Bitwarden's Fail2ban jail
  template:
    src: fail2ban-jail.conf.j2
    dest: /etc/fail2ban/jail.d/bitwarden.conf
  notify: restart_fail2ban
 - name: Reload systemd manager configuration
  systemd:
    daemon_reload: true
--- a/roles/bitwarden/templates/fail2ban-jail.conf.j2
+++ b/roles/bitwarden/templates/fail2ban-jail.conf.j2
@ -0,0 +1,9 @@
 # {{ ansible_managed }}
 [bitwarden]
 enabled = true
 filter = bitwarden
 logpath = {{ bitwarden_root }}/bwdata/logs/identity/Identity/*
 maxretry = 10
 findtime = 3600
 bantime = 900
 action = iptables-allports
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@ -81,6 +81,28 @@
    dest: "{{ gitea_root }}/.env"
  notify: restart_gitea
 - name: Create Gitea's logging directory
  file:
    name: /var/log/gitea
    state: directory
 - name: Create Gitea's initial log file
  file:
    name: /var/log/gitea/gitea.log
    state: touch
 - name: Install Gitea's Fail2ban filter
  template:
    src: fail2ban-filter.conf.j2
    dest: /etc/fail2ban/filter.d/gitea.conf
  notify: restart_fail2ban
 - name: Install Gitea's Fail2ban jail
  template:
    src: fail2ban-jail.conf.j2
    dest: /etc/fail2ban/jail.d/gitea.conf
  notify: restart_fail2ban
 - name: Start and enable Gitea service
  service:
    name: "{{ docker_compose_service }}@{{ gitea_name }}"
--- a/roles/gitea/templates/docker-compose.yml.j2
+++ b/roles/gitea/templates/docker-compose.yml.j2
@ -12,6 +12,7 @@ services:
    environment:
      - USER_UID={{ getent_passwd.git[1] }}
      - USER_GID={{ getent_group.git[1] }}
      - GITEA__log__MODE=file
      - GITEA__server__ROOT_URL=${gitea_rooturl}
      - GITEA__server__DOMAIN=${gitea_domain}
      - GITEA__server__SSH_DOMAIN=${gitea_domain}
@ -20,12 +21,14 @@ services:
      - GITEA__database__NAME=${gitea_dbname}
      - GITEA__database__USER=${gitea_dbuser}
      - GITEA__database__PASSWD=${gitea_dbpass}
      - GITEA__security__INSTALL_LOCK=true
      - GITEA__security__REVERSE_PROXY_LIMIT=${gitea_proxy_limit}
      - GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES=${gitea_trusted_proxies}
      - GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration}
    volumes:
      - {{ gitea_volume }}:/data
-      - /home/git/.ssh/:/data/git/.ssh
+      - /home/git/.ssh:/data/git/.ssh
      - /var/log/gitea:/data/gitea/log
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
--- a/roles/gitea/templates/fail2ban-filter.conf.j2
+++ b/roles/gitea/templates/fail2ban-filter.conf.j2
@ -0,0 +1,4 @@
 # {{ ansible_managed }}
 [Definition]
 failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
 ignoreregex =
--- a/roles/gitea/templates/fail2ban-jail.conf.j2
+++ b/roles/gitea/templates/fail2ban-jail.conf.j2
@ -0,0 +1,18 @@
 # {{ ansible_managed }}
 [gitea]
 enabled = true
 filter = gitea
 logpath = /var/log/gitea/gitea.log
 maxretry = 10
 findtime = 3600
 bantime = 900
 action = iptables-allports
 [gitea-docker]
 enabled = true
 filter = gitea
 logpath = /var/log/gitea/gitea.log
 maxretry = 10
 findtime = 3600
 bantime = 900
 action = iptables-allports[chain="FORWARD"]
Author	SHA1	Message	Date
Kris Lamoureux	82df91305a	Install aggressive Fail2ban jail for SSH	2022-06-18 19:47:02 -04:00
Kris Lamoureux	dd9f84d498	Create initial log files for fail2ban	2022-06-07 00:25:47 -04:00
Kris Lamoureux	b52ccabd22	Add Fail2ban to Gitea and Bitwarden	2022-05-28 02:31:41 -04:00