How to automate fail2ban with Ansible Part 2

In Part 1, we showed how to use Ansible to automate the configuration of the fail2ban service on a Linux system. We started by writing a custom Ansible module that allows users to easily configure the fail2ban service. We then wrote a set of playbooks that use this module to install, start, and enable the fail2ban service, as well as configure it with a set of default values. In Part 2 we are going to focus on the concept of Ansible Roles.

Creating an Ansible Role for fail2ban

Here is an example of how the playbooks we have created so far could be organized as an Ansible role. To create the role skeleton with the ansible-galaxy CLI, run the following command:

ansible-galaxy init fail2ban

This creates a directory called fail2ban with the standard role skeleton. The install.yml and configure.yml task files are added by us, as is the library directory holding the custom fail2ban module from Part 1: Ansible searches a role's library directory for modules automatically, and a module called with `fail2ban:` must live in a file named fail2ban.py there. The resulting structure is:

fail2ban
├── defaults
│   └── main.yml
├── files
├── handlers
│   └── main.yml
├── library
│   └── fail2ban.py
├── meta
│   └── main.yml
├── README.md
├── tasks
│   ├── main.yml
│   ├── install.yml
│   └── configure.yml
├── templates
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    └── main.yml

The tasks/install.yml file would contain the tasks for installing, starting and enabling the fail2ban service. Note that a role task file is a plain list of tasks: it must not carry play keywords such as hosts: or tasks:, because the play that applies the role supplies those. The generic package module works on both Debian and RedHat families, so the two OS-specific install tasks collapse into one; on RedHat-family systems the fail2ban package comes from EPEL, which must be enabled before this task runs.

---
# tasks/install.yml: a plain task list, imported from tasks/main.yml.
# No hosts: or tasks: keys here; the calling play provides them.
- name: Install fail2ban
  package:
    name: fail2ban
    state: present
  become: true

# started + enabled in one task: the service comes up now and survives reboots.
- name: Start and enable fail2ban service
  service:
    name: fail2ban
    state: started
    enabled: true
  become: true

The tasks/configure.yml file would contain the tasks for configuring the fail2ban service using the custom fail2ban module. Rather than hard-coding values, the tasks reference the fail2ban_* variables defined in defaults/main.yml, so that a host or group can override them, and each task notifies the restart handler so that a changed configuration is actually loaded:

---
# tasks/configure.yml: values come from defaults/main.yml (fail2ban_* variables),
# so they can be overridden per host or group without editing the role.
- name: Configure fail2ban global defaults
  fail2ban:
    ignoreip: "{{ fail2ban_ignoreip }}"
    bantime: "{{ fail2ban_bantime }}"
    findtime: "{{ fail2ban_findtime }}"
    maxretry: "{{ fail2ban_maxretry }}"
    backend: "{{ fail2ban_backend }}"
    usedns: "{{ fail2ban_usedns }}"
    destemail: "{{ fail2ban_destemail }}"
    sendername: "{{ fail2ban_sendername }}"
    banaction: "{{ fail2ban_banaction }}"
    mta: "{{ fail2ban_mta }}"
    protocol: "{{ fail2ban_protocol }}"
    chain: "{{ fail2ban_chain }}"
  become: true
  notify: Restart fail2ban service   # handler defined in handlers/main.yml

- name: Configure fail2ban ssh section
  fail2ban:
    ssh_enabled: "{{ fail2ban_ssh_enabled }}"
    ssh_port: "{{ fail2ban_ssh_port }}"
    ssh_filter: "{{ fail2ban_ssh_filter }}"
    ssh_logpath: "{{ fail2ban_ssh_logpath }}"
    ssh_maxretry: "{{ fail2ban_ssh_maxretry }}"
  become: true
  notify: Restart fail2ban service

The defaults/main.yml file would contain default values for the variables used in the playbooks:

---
# Default values for the fail2ban ansible module
fail2ban_ignoreip: 127.0.0.1/8
fail2ban_bantime: 10m
fail2ban_findtime: 10m
fail2ban_maxretry: 3
fail2ban_backend: auto
fail2ban_usedns: warn
fail2ban_destemail: root@localhost
fail2ban_sendername: Fail2Ban
fail2ban_banaction: iptables-multiport
fail2ban_mta: sendmail
fail2ban_protocol: tcp
fail2ban_chain: INPUT

# Default values for the ssh section of the fail2ban ansible module
fail2ban_ssh_enabled: true
fail2ban_ssh_port: ssh
fail2ban_ssh_filter: sshd
fail2ban_ssh_logpath: /var/log/auth.log
fail2ban_ssh_maxretry: 6

Role defaults have the lowest variable precedence, so they can be overridden from the inventory (group_vars or host_vars), from the playbook that applies the role, or by passing variables to the ansible-playbook command with the -e flag, which wins over everything else. Values in vars/main.yml take precedence over inventory and play variables, so reserve that file for settings that should not change per host. One default worth overriding: /var/log/auth.log is the Debian and Ubuntu path, while RedHat-family systems log SSH authentication to /var/log/secure. If the log file does not exist on the target, fail2ban refuses to start the jail ("Have not found any log file for sshd jail"); on hosts without rsyslog, set the backend to systemd so the jail reads the journal instead.
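Two pieces are still needed to run the role: a tasks/main.yml entry point that imports the task files, and a play that applies the role. The following is an added example, not code from the original post. The playbook name site.yml, the inventory group rhel and the read-only fail2ban-client check in post_tasks are assumptions; the check also assumes the custom module writes the standard sshd jail.

```yaml
# file: roles/fail2ban/tasks/main.yml
# Entry point of the role: import the task files in order.
---
- import_tasks: install.yml
- import_tasks: configure.yml

# file: group_vars/rhel.yml (assumed inventory group for RedHat-family hosts)
# Inventory variables override role defaults, so only the differing value is set.
---
fail2ban_ssh_logpath: /var/log/secure

# file: site.yml (assumed playbook that applies the role)
---
- hosts: all
  become: true          # set once here instead of on every role task
  roles:
    - fail2ban

  # Handlers notified by role tasks are flushed before post_tasks run,
  # so fail2ban has already been restarted with the new configuration here.
  post_tasks:
    - name: Query the sshd jail (read-only check)
      command: fail2ban-client status sshd
      changed_when: false
      register: sshd_jail

    - name: Show jail status
      debug:
        var: sshd_jail.stdout_lines
```

A one-off override for a single run goes on the command line, for example `ansible-playbook -i inventory site.yml -e fail2ban_ssh_maxretry=3`; a `-e` value beats the role default, the inventory and the play variables alike.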

The handlers/main.yml file would contain any handlers that the tasks can notify. A handler runs once at the end of the play, no matter how many tasks notified it, and only if at least one of those tasks reported a change. For example, to restart the fail2ban service after its configuration has changed, add the following handler to handlers/main.yml:

---
- name: Restart fail2ban service
  service:
    name: fail2ban
    state: restarted
  become: true

The handler is triggered by adding a notify key, whose value is the handler's name, to each task in tasks/configure.yml that changes the configuration:

- name: Configure fail2ban ssh section
  fail2ban:
    ssh_enabled: "{{ fail2ban_ssh_enabled }}"
    ssh_port: "{{ fail2ban_ssh_port }}"
  become: true
  notify: Restart fail2ban service

The meta/main.yml file would contain metadata about the role, such as its name, description, supported platforms, and dependencies on other roles. Ansible expects the descriptive fields under a galaxy_info key; dependencies stay at the top level:

---
galaxy_info:
  role_name: fail2ban
  description: Configures the fail2ban service on a Linux system.
  platforms:
    - name: EL
      versions:
        - all
    - name: Debian
      versions:
        - all
dependencies: []

The templates directory would contain any templates that are used by the playbooks. For example, if you wanted to configure the fail2ban service using a configuration file template, you could add the template to the templates directory and reference it in the tasks/configure.yml file using the template module.
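The template variant, as an added example rather than code from the original post: a jail.local.j2 template rendered from the same fail2ban_* role defaults, and the configure task that installs it. The template renders into /etc/fail2ban/jail.local rather than jail.conf, because jail.conf is overwritten on package upgrades. The template filename and the backup option are choices made here, not taken from the post.

```yaml
# file: templates/jail.local.j2
# Rendered to /etc/fail2ban/jail.local; jail.conf is replaced on package upgrades,
# so local overrides belong in jail.local. Values come from defaults/main.yml.
[DEFAULT]
ignoreip   = {{ fail2ban_ignoreip }}
bantime    = {{ fail2ban_bantime }}
findtime   = {{ fail2ban_findtime }}
maxretry   = {{ fail2ban_maxretry }}
backend    = {{ fail2ban_backend }}
usedns     = {{ fail2ban_usedns }}
destemail  = {{ fail2ban_destemail }}
sendername = {{ fail2ban_sendername }}
banaction  = {{ fail2ban_banaction }}
mta        = {{ fail2ban_mta }}
protocol   = {{ fail2ban_protocol }}
chain      = {{ fail2ban_chain }}

[sshd]
enabled  = {{ fail2ban_ssh_enabled | lower }}
port     = {{ fail2ban_ssh_port }}
filter   = {{ fail2ban_ssh_filter }}
logpath  = {{ fail2ban_ssh_logpath }}
maxretry = {{ fail2ban_ssh_maxretry }}

# file: tasks/configure.yml (template variant, replacing the custom-module tasks)
---
- name: Render /etc/fail2ban/jail.local from role variables
  template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: '0644'
    backup: true      # keep the previous file so a bad render can be reverted
  become: true
  notify: Restart fail2ban service
```

The `| lower` filter turns the boolean default into the `true` string fail2ban expects. Because the template module reports a change only when the rendered file differs from what is on disk, the restart handler fires only when the configuration really changed.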

Finally, the files directory would contain any files that need to be copied to the target system as part of the role.

Summary

We organized the playbooks from Part 1 into an Ansible Role with separate install and configure task files, role defaults, a restart handler and role metadata, which makes the work easy for others to reuse and share. The next step is to publish the role on Ansible Galaxy so that others can discover and install it.

Index

Part 1 | Part 2 | Part 3 | Part 4

Subscribe to Vitalij Neverkevic Blog

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe