From a87bf9e6a37461350871740f5defc434f5dcaf21 Mon Sep 17 00:00:00 2001
From: Tom Lin
Date: Thu, 7 Nov 2024 16:53:55 +0000
Subject: [PATCH] Add fail2ban for login nodes
---
 playbook-svc-login.yml | 15 +++++++++++++++
 ...date_motd.yml => playbook-task-update-motd.yml | 0
 templates/ssh.conf.fail2ban.j2 | 5 +++++
 3 files changed, 20 insertions(+)
 rename playbook-task-update_motd.yml => playbook-task-update-motd.yml (100%)
 create mode 100644 templates/ssh.conf.fail2ban.j2
diff --git a/playbook-svc-login.yml b/playbook-svc-login.yml
index ae0db86..8dcf6e0 100644
--- a/playbook-svc-login.yml
+++ b/playbook-svc-login.yml
@@ -7,6 +7,21 @@
 - include_tasks: tasks/backup_or_restore_host_keys.yml
 - include_tasks: tasks/setup_unattended_security_updates.yml
+ - name: Setup fail2ban
+ ansible.builtin.dnf:
+ name: ["fail2ban"]
+
+ - name: Configure fail2ban_config
+ ansible.builtin.template:
+ src: "ssh.conf.fail2ban.j2"
+ dest: /etc/fail2ban/jail.d/ssh.conf
+
+ - name: Enable fail2ban service
+ ansible.builtin.systemd_service:
+ name: fail2ban
+ state: restarted
+ enabled: true
+
 - name: Setup missing Slurm dependencies
 ansible.builtin.dnf:
 name: ["/bin/mailx", "Lmod"]
diff --git a/playbook-task-update_motd.yml b/playbook-task-update-motd.yml
similarity index 100%
rename from playbook-task-update_motd.yml
rename to playbook-task-update-motd.yml
diff --git a/templates/ssh.conf.fail2ban.j2 b/templates/ssh.conf.fail2ban.j2
new file mode 100644
index 0000000..2c98645
--- /dev/null
+++ b/templates/ssh.conf.fail2ban.j2
@@ -0,0 +1,5 @@
+[sshd]
+enabled = true
+maxretry = 6
+bantime = 90m
+ignoreip = 127.0.0.1
\ No newline at end of file
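Review bot: The `Enable fail2ban service` task in playbook-svc-login.yml uses `state: restarted`, so every playbook run restarts fail2ban on the login nodes and the task always reports changed, even when the jail file is untouched. Prefer `state: started` there, plus a `notify:` on `Configure fail2ban_config` that fires a restart handler only when the rendered template changes. The template task also sets no `owner`, `group` or `mode`, so the permissions of `/etc/fail2ban/jail.d/ssh.conf` are left to the defaults of the run; adding `owner: root`, `group: root`, `mode: "0644"` pins them. The task list starts before and continues after this hunk, so whether the play already has a handlers section cannot be seen from here.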
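Review bot: `ignoreip = 127.0.0.1` in the new `[sshd]` jail exempts only the IPv4 loopback address, so a management host, bastion or shared NAT/VPN egress address used to reach the login nodes can be banned for the full `bantime = 90m` after six failures by a single user. Since the file is already a Jinja2 template, consider reading a short, reviewed allow-list from a variable, e.g. `ignoreip = 127.0.0.1/8 ::1 {{ fail2ban_ignoreip | default([]) | join(' ') }}` (the variable name is a suggestion, not something defined in this repository), and keep that list narrow so the jail still covers ordinary client addresses. `findtime` is not set, so the window in which the six attempts are counted falls back to the fail2ban default; stating it next to `maxretry` would make the lockout policy readable from this file alone. The file also ends without a trailing newline.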