add fail2ban

roles/securing/files/fail2ban/filter.d/http.conf

@@ -0,0 +1,9 @@
+[Definition]
+# match these lines to find a login fail
+failregex = ^<HOST> .*\"(?!POST|GET|PUT).* [^\"]+\"
+# matches this example line:
+# 202.120.209.38 - - [16/Dec/2015:11:27:32 +1000] "POST /index.php HTTP/1.0" 302 270 "-" "-"
+#
+# don't ignore anything
+ignoreregex =
+

roles/securing/files/fail2ban/filter.d/scan-port.conf

@@ -0,0 +1,5 @@
+[Definition]
+failregex = Dropped ipv4: .* SRC=<HOST>
+# don't ignore anything
+ignoreregex =
+

roles/securing/files/fail2ban/jail.local

@@ -0,0 +1,41 @@
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = 300
+
+
+#
+# JAILS
+#
+
+#
+# Deny port scan
+#
+
+[scan-port]
+enabled = true
+filter = scan-port
+logpath = /var/log/scan.log # or path to your Apache log files
+bantime = 300
+maxretry = 1
+
+#
+# Deny non conventionnal requests
+#
+
+[apache-postflood]
+enabled = true
+# block these ports
+port=http,https
+# filter in /etc/fail2ban/filter.d/http.conf
+filter = http
+logpath = /var/log/apache/*_access_log # or path to your Apache log files
+findtime = 3600
+bantime = 300
+maxretry = 3
+
+
+

roles/securing/tasks/fail2ban.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Install fail2ban
+  package:
+    name: fail2ban
+    state: present
+
+- name: Add fail2ban configuration
+  copy:
+    src: files/fail2ban/
+    dest: /etc/fail2ban/
+    directory_mode: yes
+
+- name: Enable fail2ban
+  service:
+    name: fail2ban
+    enabled: yes
+    state: started
+

roles/securing/tasks/firewall.yml

@@ -17,3 +17,9 @@
     mode: "0644"
   notify:
     nftables_reload
+
+- name: Enable nftables service
+  ansible.builtin.service:
+    name: nftables
+    enabled: true
+    state: started