bodsch.fail2ban
Ansible Role: fail2ban
This Ansible Role installs and sets up fail2ban 2.x on Debian/Ubuntu, ArchLinux, and ArtixLinux. It may also work on other systems that use openrc.
Further updates for this Ansible role have moved to the collection bodsch.core. This repository will not be maintained anymore.
Requirements & Dependencies
None
Supported Operating Systems
Tested on:
- ArchLinux
- Debian-based systems:
  - Debian 10 / 11 / 12
  - Ubuntu 20.04 / 22.04
RedHat-based systems are not officially supported! They might work but are not guaranteed.
Role Variables
The available variables are listed below; their default values are in defaults/main.yaml:
- fail2ban_ignoreips: Can be an IP address, CIDR mask, or DNS host.
- fail2ban_conf
- fail2ban_jail
- fail2ban_path_definitions
- fail2ban_jails
Example Playbook
See the molecule test and configuration.
fail2ban_ignoreips:
  - 127.0.0.1/8
  - 192.168.0.0/24

fail2ban_conf:
  default:
    loglevel: INFO
    logtarget: "/var/log/fail2ban.log"
    syslogsocket: auto
    socket: /run/fail2ban/fail2ban.sock
    pidfile: /run/fail2ban/fail2ban.pid
    dbfile: /var/lib/fail2ban/fail2ban.sqlite3
    dbpurgeage: 1d
    dbmaxmatches: 10
  definition: {}
  thread:
    stacksize: 0

fail2ban_jail:
  default:
    ignoreips: "{{ fail2ban_ignoreips }}"
    bantime: 600
    maxretry: 3
    findtime: 3200
    backend: auto
    usedns: warn
    logencoding: auto
    jails_enabled: false
  actions:
    destemail: root@localhost
    sender: root@localhost
    mta: sendmail
    protocol: tcp
    chain: INPUT
    banaction: iptables-multiport

fail2ban_jails:
  - name: ssh
    enabled: true
    port: ssh
    filter: sshd
    logpath: /var/log/authlog.log
    findtime: 3200
    bantime: 86400
    maxretry: 2
  - name: ssh-breakin
    enabled: true
    port: ssh
    filter: sshd-break-in
    logpath: /var/log/authlog.log
    maxretry: 2
  - name: ssh-ddos
    enabled: true
    port: ssh
    filter: sshd-ddos
    logpath: /var/log/authlog.log
    maxretry: 2
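To see what the ssh jail values above mean in practice, the following added example (not part of the role or its README) merges the ssh jail over the fail2ban_jail defaults and replays constructed failure events. It assumes the role renders these variables as a fail2ban [DEFAULT] section plus per-jail sections, handles only IP and CIDR entries in fail2ban_ignoreips (not DNS hosts), and uses hypothetical function names.

```python
import ipaddress

# Values copied from the variables on this page.
IGNOREIPS = ["127.0.0.1/8", "192.168.0.0/24"]
JAIL_DEFAULT = {"bantime": 600, "maxretry": 3, "findtime": 3200}
SSH_JAIL = {"findtime": 3200, "bantime": 86400, "maxretry": 2}

# Constructed sample input: (seconds since start, source IP) of failed logins.
EVENTS = [
    (0, "203.0.113.7"),
    (100, "192.168.0.50"), (200, "192.168.0.50"), (300, "192.168.0.50"),
    (1000, "198.51.100.9"),
    (3000, "203.0.113.7"),   # 2nd failure inside findtime
    (5000, "198.51.100.9"),  # 4000 s after its 1st failure, outside findtime
]

def effective(jail, default=JAIL_DEFAULT):
    """Per-jail keys win over the defaults (assumed [DEFAULT] semantics)."""
    return {**default, **jail}

def is_ignored(ip, ignore=IGNOREIPS):
    """True if ip falls in any ignore entry (IP or CIDR only)."""
    addr = ipaddress.ip_address(ip)
    # strict=False: "127.0.0.1/8" has host bits set and would raise otherwise.
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignore)

def simulate(events, jail):
    """Replay time-sorted failures; return {ip: (ban_start, ban_end)}."""
    cfg = effective(jail)
    recent, bans = {}, {}
    for ts, ip in events:
        if is_ignored(ip):
            continue  # never counted, never banned
        if ip in bans and ts < bans[ip][1]:
            continue  # already banned at this time
        # Keep only failures that are still inside the findtime window.
        window = [t for t in recent.get(ip, []) if ts - t <= cfg["findtime"]]
        window.append(ts)
        if len(window) >= cfg["maxretry"]:
            bans[ip] = (ts, ts + cfg["bantime"])
            window = []
        recent[ip] = window
    return bans

if __name__ == "__main__":
    print("ssh jail:", simulate(EVENTS, SSH_JAIL))
    print("defaults only:", simulate(EVENTS, {}))
```

With the ssh jail, 203.0.113.7 is banned for a day after its second failure, while the three failures from 192.168.0.50 are skipped because of fail2ban_ignoreips; with the defaults alone (maxretry 3) nothing in this sample is banned.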
Contribution
Please check the Contribution guidelines.
Development and Branches (Git Tags)
The master branch is my primary working branch and contains the latest updates, which may be unstable.
For stable versions, please use a Tagged Version!
Author
- Bodo Schulz
License
FREE SOFTWARE, HELL YEAH!
About the project
install and configure fail2ban on various systems
Install
ansible-galaxy install bodsch.fail2ban
License
apache-2.0
Downloads
36.9k
Owner
ex-developer (c, c++, php),
ex-system administrator / engineer,
keep-it-simple,
monitoring,
automation,
system architect