Harden SSH, add fail2ban, remove redundant setup.sh

Disable password auth, restrict root login, limit auth retries. Add fail2ban with SSH jail (3 retries, 1hr ban). Remove setup.sh which predated Ansible and was no longer used. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 08:29:15 +10:00
parent 0d4050c58c
commit a9e063867a
2 changed files with 52 additions and 97 deletions
--- a/infra/ansible/playbook.yml
+++ b/infra/ansible/playbook.yml
@@ -86,6 +86,48 @@
        shell: /usr/sbin/nologin
        state: present

+    # ── SSH hardening ───────────────────────────────────────────────────────
+
+    - name: Harden SSH configuration
+      copy:
+        dest: /etc/ssh/sshd_config.d/hardening.conf
+        owner: root
+        group: root
+        mode: '0644'
+        content: |
+          PasswordAuthentication no
+          PermitRootLogin prohibit-password
+          MaxAuthTries 3
+      notify: Restart sshd
+
+    # ── Fail2ban ────────────────────────────────────────────────────────────
+
+    - name: Install fail2ban
+      apt:
+        name: fail2ban
+        state: present
+
+    - name: Configure fail2ban SSH jail
+      copy:
+        dest: /etc/fail2ban/jail.local
+        owner: root
+        group: root
+        mode: '0644'
+        content: |
+          [sshd]
+          enabled = true
+          port = ssh
+          maxretry = 3
+          bantime = 3600
+          findtime = 600
+      notify: Restart fail2ban
+
+    - name: Enable and start fail2ban
+      systemd:
+        name: fail2ban
+        enabled: true
+        state: started
+
    # ── UFW ─────────────────────────────────────────────────────────────────

    - name: Set UFW default incoming policy to deny
@@ -381,3 +423,13 @@
      systemd:
        name: goatcounter
        state: restarted
+
+    - name: Restart sshd
+      systemd:
+        name: ssh
+        state: restarted
+
+    - name: Restart fail2ban
+      systemd:
+        name: fail2ban
+        state: restarted