play_03_fail2ban.yml

---
# Dieses Playbook installiert fail2ban auf einem host.
# Ähnlich wie in Apache müssen die einzelnen Services im Anschluss nochmal abgesichert werden.


- name: Fail2Ban installieren
  vars_files:  # Verweis auf verschlüsselte Pws
    - vars
    - vault
  hosts:
    - ehprod
    - ehtest
    - twprod
    - twtest
    - chrono123
    - runbot
    - testchrono
  vars:
    fail2ban_banaction: iptables-multiport           # Ban Definition: add a rule to iptables
    fail2ban_action: '%(action_mwl)s'                # Ban + lookup WhoIs + send Logs and GeoIP Info via mail
    fail2ban_dbpurgeage: 86400                       # remove record of modified rules after 24 hours
    fail2ban_bantime: "{{ host_fail2ban_bantime }}"  # TODO Block for one hour
    fail2ban_maxretry: "{{ host_fail2ban_maxretry }}"# TODO Block after 12 retries
    fail2ban_findtime: "{{ host_fail2ban_findtime }}"# take into account if the monitored service logs in UTC time!
    fail2ban_ignoreips:                              # ignore logins from local ip
     - 127.0.0.1/8
    # Alert the admins configuration:
    fail2ban_mta: sendmail
    fail2ban_sendername: "Fail2ban_{{ domains[0].vhost }}"
    fail2ban_sender: "Fail2ban_{{ domains[0].vhost }}"
    fail2ban_destemail: info@ehanse.de
    #Copy custom fail2ban definitions:
    #fail2ban_filterd_path: [optional]: Path to directory containing filters to copy (note the trailing slash)
    #fail2ban_actiond_path: [optional]: Path to directory containing actions to copy (note the trailing slash)
    #fail2ban_jaild_path: [optional]: Path to directory containing jails to copy (note the trailing slash)
  roles:
   - ansible-fail2ban