check new version

roles/01-server_hardening/templates/fail2ban-jail.local.j2

@@ -1,11 +1,30 @@
+# {{ ansible_managed }}
 [DEFAULT]
-bantime = {{ fail2ban_jail_ssh_bantime }}
-findtime = 600
-maxretry = {{ fail2ban_jail_ssh_maxretry }}
+ignoreip = 127.0.0.1/8 ::1
+bantime = {{ fail2ban_bantime }}
+findtime = {{ fail2ban_findtime }}
+maxretry = {{ fail2ban_maxretry }}
+backend = systemd
 
 [sshd]
-enabled = {{ fail2ban_jail_ssh_enabled | ternary('true', 'false') }}
-port = {{ fail2ban_jail_ssh_port }}
+enabled = true
+port = {{ ssh_port }}
 filter = sshd
 logpath = /var/log/auth.log
-maxretry = {{ fail2ban_jail_ssh_maxretry }}
+maxretry = {{ fail2ban_maxretry }}
+
+[sshd-ddos]
+enabled = true
+port = {{ ssh_port }}
+filter = sshd-ddos
+logpath = /var/log/auth.log
+maxretry = 10
+
+[minecraft]
+enabled = true
+port = {{ minecraft_port | default(25565) }}
+filter = minecraft
+logpath = {{ minecraft_server_dir | default('/opt/minecraft/server') }}/logs/latest.log
+maxretry = 10
+findtime = 600
+bantime = 3600

roles/01-server_hardening/templates/sshd_config.j2

@@ -1,25 +1,47 @@
-# SSH Configuration - Managed by Ansible
+# {{ ansible_managed }}
+# SSH Server Configuration
+
 Port {{ ssh_port }}
 Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
 
 # Authentication
-PermitRootLogin {{ ssh_permit_root_login | ternary('yes', 'no') }}
-PasswordAuthentication {{ ssh_password_authentication | ternary('yes', 'no') }}
-PubkeyAuthentication yes
-AuthorizedKeysFile .ssh/authorized_keys
+LoginGraceTime 120
+PermitRootLogin {{ ssh_permit_root_login }}
+StrictModes yes
 MaxAuthTries {{ ssh_max_auth_tries }}
+MaxSessions {{ ssh_max_sessions }}
 
-# Connection settings
-ClientAliveInterval {{ ssh_client_alive_interval }}
-ClientAliveCountMax {{ ssh_client_alive_count_max }}
-MaxSessions 10
-MaxStartups 10:30:60
+PubkeyAuthentication {{ ssh_pubkey_authentication }}
+AuthorizedKeysFile .ssh/authorized_keys
 
-# Security settings
+PasswordAuthentication {{ ssh_password_authentication }}
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
-UsePAM yes
+
+# Security
+IgnoreRhosts yes
+HostbasedAuthentication no
 X11Forwarding no
 PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+Compression delayed
+
+# Client alive
+ClientAliveInterval {{ ssh_client_alive_interval }}
+ClientAliveCountMax {{ ssh_client_alive_count_max }}
+
+# Allow only ansible user
+AllowUsers ansible
+
+# Disable unused features
+UsePAM yes
+Banner none
 AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server

roles/01-server_hardening/templates/ufw-rules.j2

@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+# UFW Rules Configuration
+
+# Allow SSH
+-A ufw-user-input -p tcp --dport {{ ssh_port }} -j ACCEPT
+
+# Allow Minecraft
+-A ufw-user-input -p tcp --dport {{ minecraft_port | default(25565) }} -j ACCEPT
+
+# Allow RCON if enabled
+{% if enable_rcon | default(false) %}
+-A ufw-user-input -p tcp --dport {{ rcon_port | default(25575) }} -j ACCEPT
+{% endif %}
+
+# Drop everything else
+-A ufw-user-input -j DROP