Add firewall and fail2ban

akafred · Mar 1, 2016 · 427ffe0 · 427ffe0
1 parent c2ea611
commit 427ffe0
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 9 deletions.
diff --git a/README.asciidoc b/README.asciidoc
@@ -68,6 +68,12 @@ My VPS did not have all the required packages to run Ansible most of the ansible
 
 To fix this I started with link:provision/roles/ansible-prereqs[a role for getting the prereq's in place].
 
+==== Firewall using Uncomplicated Firewall (ufw) and fail2ban
+
+I use https://wiki.debian.org/Uncomplicated%20Firewall%20(ufw)[ufw] for my firewall as it is a bit easier to use than iptables directly; ansible also has https://docs.ansible.com/ansible/ufw_module.html[a module for it]. The role has link:provision/roles/firewalled/tasks/main.yml[a simple set of tasks].
+
+Also, to limit the chance of brute-forcing password-based SSH-users I added fail2ban. Thankfully someone has already created https://galaxy.ansible.com/nickjj/fail2ban/[a role for fail2ban] (pulled from https://galaxy.ansible.com/[Ansible Galaxy]), all I did was put it in my link:provision/base-setup.yml[base-setup], add some host-specific variables and press play.
+
 === Ansible command helpers
 
 To repeatedly use some arguments when invoking ansible is a bit tedious so I have made a couple of helper scripts: 
@@ -84,3 +90,4 @@ A first step in making my server a bit more secure is to upgrade packages. To ch
 To upgrade I use link:provision/upgrade.yml[a very short Ansible playbook], to run the playbook I can do:
 
 `./play -i dev upgrade.yml`
+
diff --git a/provision/base-setup.yml b/provision/base-setup.yml
@@ -4,3 +4,5 @@
   gather_facts: no
   roles:
     - ansible-prereqs
+    - firewalled
+    - { role: nickjj.fail2ban, become: true, tags: fail2ban }
diff --git a/provision/dev b/provision/dev
@@ -1,2 +1,2 @@
 [core]
-devmain ansible_host=localhost ansible_user=vagrant ansible_ssh_port=2262 ansible_become=true
+devmain ansible_host=localhost ansible_user=vagrant ansible_ssh_port=2262 ansible_become=true fail2ban_ignoreip="127.0.0.0/8 10.0.0.0/24 192.168.0.0/16" fail2ban_bantime=300
diff --git a/provision/prod b/provision/prod
@@ -1,8 +1,12 @@
 $ANSIBLE_VAULT;1.1;AES256
-37313162373737313130393038333833653462383262616266656362326232373837613864653538
-6563376235656563353864343166633538643062326439610a333733303362636631333336343032
-64383838353366643037653563643435663065613532363634653136343933373165333963386432
-3562616332323661350a656435353339366639616130613964643739626565653331656361636238
-39343065656362613931663831366466656430316234653665353130646363616131323332363965
-30333162663561386562393533396361363034626537623136653664646131383938313764363962
-363933393339663733653466316337336562
+32653934363336366166333630376366316530643735636664646537346639303931623031343932
+3532663536316530613962313565323236316161623334640a656232373533653364366363303831
+34343564373539353964333430666535326262373635306536643361316362383566666539623434
+3262623533613136370a373033363139373864343063646133336131613439343965636464333333
+36393031623061393232343261373830353963303762303262616264353539626662343932613864
+32353834396432356336353735376261313461333964363562303266666661326532653033303562
+65646265306332333234323863653663353637653961333061316337343662363030313831303266
+32653163643565363364636133306536373833316234396263353763336264343435636566333739
+63393962653030653530356635323166373839623533653563313036643462363465366662383030
+37633435393064616137633264393464623365393838623166633563363236373534343733343534
+336166623462343161613236316635633532
diff --git a/provision/roles/firewalled/tasks/main.yml b/provision/roles/firewalled/tasks/main.yml
@@ -0,0 +1,21 @@
+
+- name: ufw - install uncomplicated firewall
+  apt: name=ufw state=present
+
+- name: ufw - enable firewall with logging
+  ufw: state=enabled logging=on
+
+- name: ufw - default allow outgoing
+  ufw: policy=allow direction=outgoing
+
+- name: ufw - default deny incoming
+  ufw: policy=deny direction=incoming logging=on
+
+- name: ufw - allow ssh
+  ufw: rule=limit port=ssh proto=tcp
+
+- name: ufw - allow ssh 2
+  ufw: rule=limit port=2252 proto=tcp
+
+- name: ufw - allow ssh 3
+  ufw: rule=limit port=2262 proto=tcp
diff --git a/provision/staging b/provision/staging
@@ -1,2 +1,2 @@
 [core]
-localmain ansible_host=localhost ansible_user=vagrant ansible_ssh_port=2252 ansible_become=true
+localmain ansible_host=localhost ansible_user=vagrant ansible_ssh_port=2252 ansible_become=true fail2ban_ignoreip="127.0.0.0/8 10.0.0.0/24 192.168.0.0/16" fail2ban_bantime=864000