From 85e03238449f6f3aef3dd070d7f3e2586917ea80 Mon Sep 17 00:00:00 2001
From: Aurelien Rebourg
Date: Wed, 24 May 2023 05:06:07 +0200
Subject: [PATCH] add fail2ban

---
 .../files/fail2ban/filter.d/http.conf | 9 ++++
 .../files/fail2ban/filter.d/scan-port.conf | 5 +++
 roles/securing/files/fail2ban/jail.local | 41 +++++++++++++++++++
 roles/securing/tasks/fail2ban.yml | 19 +++++++++
 roles/securing/tasks/firewall.yml | 6 +++
 5 files changed, 80 insertions(+)
 create mode 100644 roles/securing/files/fail2ban/filter.d/http.conf
 create mode 100644 roles/securing/files/fail2ban/filter.d/scan-port.conf
 create mode 100644 roles/securing/files/fail2ban/jail.local

diff --git a/roles/securing/files/fail2ban/filter.d/http.conf b/roles/securing/files/fail2ban/filter.d/http.conf
new file mode 100644
index 0000000..5e4a1a4
--- /dev/null
+++ b/roles/securing/files/fail2ban/filter.d/http.conf
@@ -0,0 +1,9 @@
+[Definition]
+# match these lines to find a login fail
+failregex = ^ .*\"(?!POST|GET|PUT).* [^\"]+\"
+# matches this example line:
+# 202.120.209.38 - - [16/Dec/2015:11:27:32 +1000] "POST /index.php HTTP/1.0" 302 270 "-" "-"
+#
+# don't ignore anything
+ignoreregex =
+
diff --git a/roles/securing/files/fail2ban/filter.d/scan-port.conf b/roles/securing/files/fail2ban/filter.d/scan-port.conf
new file mode 100644
index 0000000..6d557c2
--- /dev/null
+++ b/roles/securing/files/fail2ban/filter.d/scan-port.conf
@@ -0,0 +1,5 @@
+[Definition]
+failregex = Dropped ipv4: .* SRC=
+# don't ignore anything
+ignoreregex =
+
diff --git a/roles/securing/files/fail2ban/jail.local b/roles/securing/files/fail2ban/jail.local
new file mode 100644
index 0000000..608f02e
--- /dev/null
+++ b/roles/securing/files/fail2ban/jail.local
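Review bot: The `+failregex` line in http.conf has no `<HOST>` tag, so fail2ban has no address to ban and rejects the filter when it loads (the apache-postflood jail never starts). The negative lookahead is also ineffective as written: `.*\"` can bind to the quote that closes the request string, after which ` 302 270 "-" "-"` satisfies `(?!POST|GET|PUT).* [^\"]+\"`, so the pattern matches ordinary GET/POST lines too and, once a host tag is added, would ban any client that makes three requests in an hour; meanwhile the leading `^ ` expects the line to start with a space, which the example line quoted in the comment does not. Anchoring both the host and the method to the request quote fixes all three: `failregex = ^<HOST> -[^"]*"(?!GET |POST |PUT )[^"]*"`. That still bans clients sending HEAD or OPTIONS (uptime monitors, CORS preflight), which is worth confirming is intended, and the header comment should read `# match requests whose method is not GET, POST or PUT` rather than "a login fail".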
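Review bot: `failregex = Dropped ipv4: .* SRC=` in scan-port.conf has no `<HOST>` tag, so fail2ban cannot extract an address and refuses the filter when the scan-port jail loads; the address in a kernel/nftables log line follows `SRC=` directly, so it should be `failregex = Dropped ipv4: .* SRC=<HOST>`. The `Dropped ipv4: ` prefix has to match the log prefix set in the nftables ruleset and the rsyslog rule that routes those lines to `/var/log/scan.log`, neither of which is in this patch, so a comment naming where that prefix is configured would save the next reader a search, e.g. `# matches nftables log lines tagged "Dropped ipv4:" by this role's ruleset (routed to /var/log/scan.log)`.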
@@ -0,0 +1,41 @@
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = 300
+
+
+#
+# JAILS
+#
+
+#
+# Deny port scan
+#
+
+[scan-port]
+enabled = true
+filter = scan-port
+logpath = /var/log/scan.log # or path to your Apache log files
+bantime = 300
+maxretry = 1
+
+#
+# Deny non conventionnal requests
+#
+
+[apache-postflood]
+enabled = true
+# block these ports
+port=http,https
+# filter in /etc/fail2ban/filter.d/http.conf
+filter = http
+logpath = /var/log/apache/*_access_log # or path to your Apache log files
+findtime = 3600
+bantime = 300
+maxretry = 3
+
+
+
diff --git a/roles/securing/tasks/fail2ban.yml b/roles/securing/tasks/fail2ban.yml
index e69de29..bd09e4a 100644
--- a/roles/securing/tasks/fail2ban.yml
+++ b/roles/securing/tasks/fail2ban.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Install fail2ban
+  package:
+    name: fail2ban
+    state: present
+
+- name: Add fail2ban configuration
+  copy:
+    src: files/fail2ban/
+    dest: /etc/fail2ban/
+    directory_mode: yes
+
+- name: Enable fail2ban
+  service:
+    name: fail2ban
+    enabled: yes
+    state: started
+
diff --git a/roles/securing/tasks/firewall.yml b/roles/securing/tasks/firewall.yml
index 33443c8..01eef12 100644
--- a/roles/securing/tasks/firewall.yml
+++ b/roles/securing/tasks/firewall.yml
@@ -17,3 +17,9 @@
     mode: "0644"
   notify: nftables_reload
 
+
+- name: Enable nftables service
+  ansible.builtin.service:
+    name: nftables
+    enabled: true
+    state: started
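Review bot: Both `logpath` lines carry a trailing `# or path to your Apache log files` on the value line, and fail2ban's configparser-based reader, as far as I recall, only strips inline comments introduced by `;`, so the comment text becomes part of the logpath glob and neither the scan-port nor the apache-postflood jail finds its log file — move those comments onto their own line. With the host firewall being nftables (this patch also enables `nftables.service`), the stock `banaction = iptables-multiport` inherited from jail.conf would install bans through iptables, which may be absent or a separate ruleset; a `[DEFAULT]` section with `banaction = nftables-multiport` and `banaction_allports = nftables-allports` keeps bans in the active firewall. `maxretry = 1` with `bantime = 300` on scan-port bans an address on a single dropped packet, which includes backscatter and stray packets; if that is deliberate, say so in the `# Deny port scan` comment. Also `port=http,https` is the one assignment without spaces around `=`; `port = http,https` keeps the file consistent.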
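Review bot: The `Add fail2ban configuration` copy task has no `notify`, so on a later run an edited jail.local or filter is copied into `/etc/fail2ban/` but the running daemon keeps its old configuration, since `Enable fail2ban` only ensures `state: started`; add `notify: restart fail2ban` to the copy task plus a matching handler (the handlers file is not in this patch), as firewall.yml in this role already does with `notify: nftables_reload`. `directory_mode: yes` is also wrong for this module: `directory_mode` takes a permission mode such as `"0755"`, not a boolean, and because a YAML `yes` arrives as an int-compatible `True` it could even be applied as mode `0001` to any directory the copy creates — drop it or give a real mode, and set `mode: "0644"` on the copied files as firewall.yml does. Finally, role files are already resolved relative to the role's `files/` directory, so `src: fail2ban/` is the conventional spelling of that path.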
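Review bot: Starting `nftables.service` here interacts with the fail2ban jails added in the same patch: a restart or the `nftables_reload` handler notified by the task above re-runs the ruleset file, and if that file begins with `flush ruleset` (the file is not in this hunk) every reload also deletes the table and sets fail2ban installs its bans in, silently clearing active bans unless fail2ban's nftables action notices and repairs its chains. Either scope the flush to the role's own table (`flush table inet filter` rather than a global flush) or restart fail2ban after the nftables handler so it re-creates its chains. The scan-port filter also depends on this ruleset producing `Dropped ipv4:` log lines that reach `/var/log/scan.log`; a one-line comment on this task pointing at where that logging is configured would help. Stylistically, this task uses the FQCN `ansible.builtin.service` while the fail2ban tasks in this patch use bare `service` and `package`; picking one form for the role keeps it consistent. The task that owns the `mode: "0644"` / `notify:` context lines starts outside the hunk.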