From 324f4814c0781cc89f8664fd705b6bcfcec80807 Mon Sep 17 00:00:00 2001
From: fred <2160318-free_zed@users.noreply.gitlab.com>
Date: Tue, 12 Apr 2022 01:54:19 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Start=20firewalling=20rules?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 inventory.sample              |  1 +
 tasks/firewall.yml            | 65 +++++++++++++++++++++++++++++++++++
 tasks/templates/jail.local.j2 | 12 +++++++
 3 files changed, 78 insertions(+)
 create mode 100644 tasks/firewall.yml
 create mode 100644 tasks/templates/jail.local.j2

diff --git a/inventory.sample b/inventory.sample
index 1190cb6..5d6803e 100644
--- a/inventory.sample
+++ b/inventory.sample
@@ -17,6 +17,7 @@ localhost
 
 [server:vars]
 timezone="UTC"
+gateway="<GATEWAY_IP>"
 
 [workstation:vars]
 timezone="Europe/Paris"
diff --git a/tasks/firewall.yml b/tasks/firewall.yml
new file mode 100644
index 0000000..3493d37
--- /dev/null
+++ b/tasks/firewall.yml
@@ -0,0 +1,65 @@
+---
+- hosts: "{{ host_list }}"
+  remote_user: root
+
+  tasks:
+    - name: FIREWALL | install packages
+      ansible.builtin.apt:
+        cache_valid_time: 3600
+        force_apt_get: yes
+        pkg:
+            - fail2ban
+            - ufw
+        state: present
+        update_cache: true
+
+    - name: UFW | reset before setting
+      community.general.ufw:
+        state: reset
+
+    - name: UFW | deny everything IN
+      community.general.ufw:
+        direction: incoming
+        policy: deny
+
+    - name: UFW | allow everything OUT
+      community.general.ufw:
+        direction: outgoing
+        policy: allow
+
+    - name: UFW | limit tcp port 22 IN
+      community.general.ufw:
+        direction: in
+        log: yes
+        port: '22'
+        proto: tcp
+        rule: limit
+
+    - name: UFW | allow tcp port 80 IN
+      when: inventory_hostname in groups.web
+      community.general.ufw:
+        direction: in
+        rule: allow
+        port: '80'
+        proto: tcp
+
+    - name: UFW | enable & set logging
+      community.general.ufw:
+        logging: full
+        state: enabled
+
+    - name: FAIL2BAN | ensure deamon is running
+      service:
+        name: fail2ban
+        state: started
+        enabled: true
+
+    - name: FAIL2BAN | set local config
+      template:
+        src: templates/jail.local.j2
+        dest: /etc/fail2ban/jail.local
+
+    - name: FAIL2BAN | restart service
+      service:
+        name: fail2ban
+        state: restarted
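Review bot: The fail2ban tasks at the end of the hunk start the daemon before `jail.local` is deployed and then restart it unconditionally on every run, so a play that changes nothing still bounces the service and drops its ban state; the restart belongs in a handler triggered by the template task, with the config deployed before the "ensure running" task. The `when: inventory_hostname in groups.web` guard on the port-80 task raises an undefined-attribute error on any inventory without a `web` group — `when: inventory_hostname in groups['web'] | default([])` keeps the play usable there. Smaller points: `force_apt_get: yes` and `log: yes` should be `true` to match `update_cache: true` and `enabled: true` in the same file, the `pkg:` list is indented four spaces where every other sequence uses two, and the `service`/`template` tasks could use `ansible.builtin.` like the apt task; the task name `ensure deamon is running` has a typo. The rule order (reset, policies, limit 22, then `state: enabled`) correctly avoids locking out the SSH session.
```yaml
    - name: FAIL2BAN | set local config
      ansible.builtin.template:
        src: templates/jail.local.j2
        dest: /etc/fail2ban/jail.local
        mode: "0644"
      notify: restart fail2ban

    - name: FAIL2BAN | ensure daemon is running
      ansible.builtin.service:
        name: fail2ban
        state: started
        enabled: true

  handlers:
    - name: restart fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: restarted
```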
diff --git a/tasks/templates/jail.local.j2 b/tasks/templates/jail.local.j2
new file mode 100644
index 0000000..fde1f94
--- /dev/null
+++ b/tasks/templates/jail.local.j2
@@ -0,0 +1,12 @@
+[DEFAULT]
+banaction = ufw
+bantime   = 3600
+maxretry  = 3
+ignoreip  = 127.0.0.1 {{gateway}} {% for host in groups['all'] %}{{hostvars[host]['ansible_host']|ansible.netcommon.ipaddr('public')}} {% endfor %}
+
+
+[ssh]
+enabled  = true
+filter = sshd
+logpath = /var/log/auth.log
+findtime = 300
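Review bot: The `ignoreip` loop renders `hostvars[host]['ansible_host'] | ansible.netcommon.ipaddr('public')` for every host in `groups['all']` without checking the result, so any host whose `ansible_host` is unset, a hostname, or a private address (the `localhost` entry visible in the inventory hunk is one example) contributes a literal `False` token to the line, which fail2ban will reject as an invalid address. Wrapping the body in a test, `{% set ip = hostvars[host]['ansible_host'] | default('') | ansible.netcommon.ipaddr('public') %}{% if ip %}{{ ip }} {% endif %}`, emits only real public addresses. Note also that this whitelists every managed host's public IP from fail2ban, so a compromised peer in the inventory can never be banned on the others; if that is intentional it deserves a comment line in the template. `{{gateway}}` should be spaced `{{ gateway }}` like the other expressions.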
-- 
GitLab