Fail2ban by default

roles/basesecurity/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Restart sshd service
+  service:
+    name: sshd
+    state: restarted
+
+- name: Restart fail2ban service
+  service:
+    name: fail2ban
+    state: restarted

roles/basesecurity/tasks/main.yml

@@ -1,8 +1,8 @@
 ---
 - name: Configure sysctl
   template:
-    src: 'sysctl.d/local.conf.j2'
-    dest: '/etc/sysctl.d/local.conf'
+    src: sysctl.d/local.conf.j2
+    dest: /etc/sysctl.d/local.conf
     mode: 0644
 
 # Use this command to list setuid or setgid executables
@@ -23,3 +23,27 @@
     - /bin/mount  # Only root should mount
     - /bin/umount  # Only root should umount
   ignore_errors: true  # Sometimes file won't exist
+
+# Only SSH keys to log on root
+- name: Prohibit root SSH with password
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin'
+    insertafter: '^#PermitRootLogin'
+    line: 'PermitRootLogin prohibit-password'
+  notify: Restart sshd service
+
+# See banned client with `fail2ban-client status sshd`
+- name: Install fail2ban
+  apt:
+    name: fail2ban
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure fail2ban
+  template:
+    src: fail2ban/jail.d/local.conf.j2
+    dest: /etc/fail2ban/jail.d/local.conf
+    mode: 0644
+  notify: Restart fail2ban service

roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+# Ban a host for 10mn
+# if it has failed 5 times during the last 10mn
+[sshd]
+enabled = true
+bantime  = 600
+findtime  = 600
+maxretry = 5