Configure fail2ban

README.md

@@ -76,6 +76,9 @@ necessary nonetheless.
     to export Docker container performance metrics.
   - [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/),
     to export system & Docker container logs to Loki.
+- [Fail2ban](https://github.com/fail2ban/fail2ban), a log-based intrusion
+  prevention system. Monitors logs for authentication failures and blocks
+  IPs that have too many failures.
 
 ### Planned
 

main.yml

@@ -26,9 +26,15 @@
     - role: setup_ssh
       tags:
         - setup
+        - ssh
+
+    - role: fail2ban
+      tags:
+        - fail2ban
 
     - role: setup_docker
       tags:
+        - setup
         - docker
 
     - role: dnsmasq

roles/fail2ban/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart fail2ban.service
+  ansible.builtin.service:
+    name: fail2ban
+    state: restarted

roles/fail2ban/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: Install fail2ban
+  ansible.builtin.package:
+    name: fail2ban
+    state: present
+
+- name: Render fail2ban configuration files
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: /etc/fail2ban/{{ item }}
+    owner: root
+    group: root
+    mode: 0644
+  loop:
+    - fail2ban.local
+    - jail.local
+  register: config_changed
+  notify: Restart fail2ban.service
+
+- name: Render fail2ban jail drop-ins
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: /etc/fail2ban/jail.d/{{ item | basename }}
+    owner: root
+    group: root
+    mode: 0644
+  with_fileglob:
+    - templates/jail.d/*
+  notify: Restart fail2ban.service
+
+- name: Enable and start fail2ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    enabled: yes
+    state: started

roles/fail2ban/templates/fail2ban.local

@@ -0,0 +1,5 @@
+[Definition]
+
+# Setting this here to prevent fail2ban from warning that this is unset every
+# time it starts up.
+allowipv6 = auto

roles/fail2ban/templates/jail.d/sshd.local

@@ -0,0 +1,10 @@
+[sshd]
+enabled = true
+
+# Flag public key mismatches. This can cause false positives: A legitimate user
+# could have >5 private keys, in which case SSH will try each sequentially until
+# one works, triggering a ban.
+filter = sshd[publickey='any']
+
+# Also ban access to our custom port
+port = 22,50519

roles/fail2ban/templates/jail.local

@@ -0,0 +1,21 @@
+[DEFAULT]
+
+# Use systemd-journal to find logs.
+backend = systemd
+
+# Ban hosts for 5 minutes on first fail.
+bantime = 5m
+
+# Randomly add up to 2 minutes to the ban time to prevent bots from timing
+# their attacks.
+bantime.rndtime = 120
+
+# Increase ban time for each subsequent fail.
+bantime.increment = true
+
+# Formula for calculating ban time.
+# This one doubles the ban time for each subsequent fail.
+bantime.formula = ban.Time * (1 << ban.Count)
+
+# Don't use hostnames for banning, but log as info.
+usedns = no