Install and configure Fail2Ban

README.md

+- GitHub: https://github.com/fail2ban/fail2ban
+- Homepage: http://www.fail2ban.org/wiki/index.php/Main_Page

defaults/main.yml

+fail2ban_version: '0.9.6'

handlers/main.yml

+---
+# file: roles/fail2ban/handlers/main.yml
+
+- name: "Include Fail2Ban to Boot-List"
+  command: update-rc.d fail2ban defaults
+
+- name: "Restart Fail2Ban"
+  service:
+    name: 'fail2ban'
+    state: 'restarted'

tasks/configure.yml

+---
+# file: roles/fail2ban/tasks/configure.yml
+
+- name: "Configure Fail2Ban"
+  template:
+    src: 'fail2ban_{{ item }}'
+    dest: '/etc/fail2ban/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '644'
+  with_items:
+    - 'jail.local'
+    - 'paths-overrides.local'
+  notify:
+    - "Restart Fail2Ban"

tasks/install.yml

+---
+# file: roles/fail2ban/tasks/install.yml
+
+- name: "Download Archive"
+  shell: wget 'https://github.com/fail2ban/fail2ban/archive/{{ fail2ban_version }}.tar.gz' -O '/tmp/fail2ban.tar.gz'
+# TODO: Enable when all hosts are on 16.04
+#  get_url:
+#    url: 'https://github.com/fail2ban/fail2ban/archive/{{ fail2ban_version }}.tar.gz'
+#    dest: '/tmp/fail2ban.tar.gz'
+#    force: yes
+#    owner: 'root'
+#    group: 'root'
+#    mode: '0664'
+#    validate_certs: yes
+
+- name: "Extract archive"
+  unarchive:
+    src: '/tmp/fail2ban.tar.gz'
+    dest: '/tmp'
+    remote_src: yes
+
+- name: "Install"
+  shell: 'python setup.py install'
+  args:
+    chdir: '/tmp/fail2ban-{{ fail2ban_version }}'
+
+- name: "Copy Startup Script"
+  copy:
+    src: '/tmp/fail2ban-{{ fail2ban_version }}/files/debian-initd'
+    dest: '/etc/init.d/fail2ban'
+    remote_src: yes
+  notify:
+    - "Include Fail2Ban to Boot-List"
+    - "Restart Fail2Ban"

tasks/main.yml

+---
+# file: roles/fail2ban/tasks/main.yml
+
+- name: "Common Fail2Ban"
+  set_fact: role_fail2ban_started=true
+  tags: always
+
+- block:
+
+  - include: install.yml
+
+  - include: configure.yml
+
+  - name: 'Remember that this role had been run'
+    set_fact: role_fail2ban_completed=true
+    tags: always
+
+  when: '"fail2ban" not in excluded_roles and role_fail2ban_completed is not defined'

templates/fail2ban_jail.local

+{% if inventory_hostname in groups['webserver'] %}
+[apache-auth]
+enabled = true
+logpath = %(apache_error_log)s
+          %(apache_jail_error_log)s
+
+[apache-badbots]
+enabled = true
+logpath = %(apache_access_log)s
+          %(apache_jail_access_log)s
+
+[apache-noscript]
+enabled = true
+logpath = %(apache_error_log)s
+          %(apache_jail_error_log)s
+
+[apache-overflows]
+enabled = true
+logpath = %(apache_error_log)s
+          %(apache_jail_error_log)s
+
+[apache-nohome]
+enabled = true
+logpath = %(apache_error_log)s
+          %(apache_jail_error_log)s
+
+[apache-botsearch]
+enabled = true
+logpath = %(apache_error_log)s
+          %(apache_jail_error_log)s
+
+[apache-fakegooglebot]
+enabled = true
+logpath = %(apache_access_log)s
+          %(apache_jail_access_log)s
+
+[apache-modsecurity]
+enabled = true
+logpath = %(apache_error_log)s
+          %(apache_jail_error_log)s
+
+[apache-shellshock]
+enabled = true
+logpath = %(apache_error_log)s
+          %(apache_jail_error_log)s
+
+[php-url-fopen]
+enabled = true
+logpath = %(apache_access_log)s
+          %(apache_jail_access_log)s
+{% endif %}
+{% if inventory_hostname in groups['webserver-drupal'] %}
+
+[drupal-auth]
+enabled = true
+{% endif %}

templates/fail2ban_paths-overrides.local

+[DEFAULT]
+
+apache_error_log = /var/log/apache2/*error.log
+
+apache_jail_error_log = /jails/*/var/log/apache2/*error.log
+
+apache_access_log = /var/log/apache2/*access.log
+
+apache_jail_access_log = /jails/*/var/log/apache2/*access.log