97be5c8a54
- Added Ansible playbooks for security hardening (UFW, Fail2Ban) - Implemented SSH key management and host synchronization tools - Created UFW hardening scripts and network security configurations - Added Cockpit-Traefik reverse proxy setup documentation 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
51 lines
1.3 KiB
YAML
51 lines
1.3 KiB
YAML
---
|
|
- name: Harden Pop!_OS with Fail2Ban
|
|
hosts: all
|
|
become: true
|
|
vars:
|
|
fail2ban_default_jail:
|
|
name: sshd
|
|
enabled: true
|
|
port: ssh
|
|
filter: sshd
|
|
logpath: /var/log/auth.log
|
|
maxretry: 5
|
|
bantime: 600
|
|
findtime: 600
|
|
|
|
tasks:
|
|
- name: Ensure Fail2Ban is installed
|
|
apt:
|
|
name: fail2ban
|
|
state: present
|
|
update_cache: yes
|
|
|
|
- name: Create jail.local with default sshd jail
|
|
copy:
|
|
dest: /etc/fail2ban/jail.local
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
content: |
|
|
[DEFAULT]
|
|
banaction = iptables-multiport
|
|
backend = systemd
|
|
destemail = root@localhost
|
|
sender = root@<hostname>
|
|
action = %(action_mwl)s
|
|
|
|
[{{ fail2ban_default_jail.name }}]
|
|
enabled = {{ fail2ban_default_jail.enabled | lower }}
|
|
port = {{ fail2ban_default_jail.port }}
|
|
filter = {{ fail2ban_default_jail.filter }}
|
|
logpath = {{ fail2ban_default_jail.logpath }}
|
|
maxretry = {{ fail2ban_default_jail.maxretry }}
|
|
bantime = {{ fail2ban_default_jail.bantime }}
|
|
findtime = {{ fail2ban_default_jail.findtime }}
|
|
|
|
- name: Ensure fail2ban is enabled and running
|
|
systemd:
|
|
name: fail2ban
|
|
enabled: yes
|
|
state: started
|