Add fail2ban config

Author: QuLogic

files/fail2ban/jail.local

@@ -0,0 +1,10 @@
+[DEFAULT]
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 1d
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+findtime  = 1h
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5

matplotlib.org.yml

@@ -91,6 +91,31 @@
             offline: true
             state: enabled
 
+    # fail2ban setup
+    # ##############
+    - name: Setup fail2ban
+      tags: fail2ban
+      block:
+        - name: Configure fail2ban
+          ansible.builtin.copy:
+            src: fail2ban/jail.local
+            dest: /etc/fail2ban/jail.local
+          notify:
+            - Restart fail2ban
+
+        - name: Configure SSH fail2ban
+          ansible.builtin.template:
+            src: fail2ban/sshd.local.j2
+            dest: /etc/fail2ban/jail.d/sshd.local
+          notify:
+            - Restart fail2ban
+
+        - name: Enable fail2ban service
+          ansible.builtin.systemd:
+            name: fail2ban.service
+            enabled: true
+            state: started
+
     # Prepare and clone Git repositories
     # ##################################
     - name: Setup Git repositories
@@ -277,6 +302,11 @@
       ansible.builtin.systemd:
         daemon_reload: true
 
+    - name: Restart fail2ban
+      ansible.builtin.systemd:
+        name: fail2ban
+        state: restarted
+
     - name: Restart Caddy
       ansible.builtin.systemd:
         name: caddy

templates/fail2ban/sshd.local.j2

@@ -0,0 +1,3 @@
+[sshd]
+enabled = true
+ignoreip = 127.0.0.1/8 10.0.0.1/8 {{ ansible_eth0.ipv4.address }} {{ ansible_eth1.ipv4.address }}