Add fail2ban configuration

README.md

@@ -1,7 +1,11 @@
 Nginx
 =====
 
-Role to install Nginx.
+A role to install and configure Nginx.
+
+## Dependencies
+
+Run this role after you have installed fail2ban.
 
 ## Variables
 

files/fail2ban/filter.d/nginx-req-limit.conf

@@ -0,0 +1,15 @@
+# Managed by Ansible
+
+# Fail2Ban configuration file
+#
+# supports: ngx_http_limit_req_module module
+
+[Definition]
+
+failregex = limiting requests, excess:.* by zone.*client: <HOST>
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =

files/fail2ban/jail.d/nginx-req-limit.conf

@@ -0,0 +1,11 @@
+# Managed by Ansible
+
+[nginx-req-limit]
+
+enabled = true
+filter = nginx-req-limit
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+logpath = /var/log/nginx/*error.log
+findtime = 600
+bantime = 7200
+maxretry = 10

handlers/main.yaml

@@ -1,14 +1,19 @@
 - name: restart munin-node
-  service:
+  ansible.builtin.service:
     name: munin-node
     state: restarted
 
 - name: reload nginx
-  service:
+  ansible.builtin.service:
     name: nginx
     state: reloaded
 
 - name: reload monit
-  service:
+  ansible.builtin.service:
     name: monit
     state: reloaded
+
+- name: reload fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: reloaded

tasks/fail2ban.yml

@@ -0,0 +1,11 @@
+---
+- name: "Fail2ban | Copy configuration"
+  ansible.builtin.copy:
+    src: "fail2ban/{{ item }}"
+    dest: "/etc/fail2ban/{{ item }}"
+    mode: 0644
+  notify: reload fail2ban
+  loop:
+    - "filter.d/nginx-req-limit.conf"
+    - "jail.d/nginx-req-limit.conf"
+  

tasks/main.yaml

@@ -10,3 +10,8 @@
 - name: "Enable monitoring"
   ansible.builtin.import_tasks: monitoring.yml
   tags: monitoring
+
+- name: "Configure fail2ban"
+  ansible.builtin.import_tasks: fail2ban.yml
+  tags: fail2ban
+