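---
# Minimal host hardening playbook, run with privilege escalation on every
# inventory host:
#   * UFW: default deny inbound / allow outbound, the trusted LAN subnet is
#     allowed on every port, and SSH stays reachable from anywhere so the
#     operator is not locked out.
#   * Fail2ban: the sshd jail bans a source after repeated failed logins.
# The trusted subnet and SSH port are play variables so the same play can be
# reused on another network; the summary at the end reflects the rules that
# were actually applied (SSH is the one service still exposed to the Internet).
- name: Sécurité Simple - Réseau local libre, extérieur protégé
  hosts: all
  become: true

  vars:
    # Subnet granted unrestricted inbound access (original hard-coded value).
    lan_cidr: 192.168.123.0/24
    # SSH port kept open to the outside; quoted so it stays a string.
    ssh_port: "22"

  tasks:
    - name: "=== Installation ==="
      apt:
        name:
          - ufw
          - fail2ban
        state: present
        update_cache: true

    - name: "=== FIREWALL ==="
      debug:
        msg: "Configuration du firewall..."

    # Default policies: deny inbound, allow outbound. Keys are named after
    # what they hold (policy vs. direction) to keep the loop readable.
    - name: Règles par défaut UFW
      ufw:
        default: "{{ item.policy }}"
        direction: "{{ item.direction }}"
      loop:
        - { policy: 'deny', direction: 'incoming' }
        - { policy: 'allow', direction: 'outgoing' }

    # Opened before UFW is enabled so an active SSH session survives; note this
    # rule has no source restriction, so SSH remains reachable from the
    # Internet and relies on Fail2ban below for brute-force protection.
    - name: SSH autorisé (pour ne pas se bloquer)
      ufw:
        rule: allow
        port: "{{ ssh_port }}"
        proto: tcp

    - name: Tout le réseau local autorisé
      ufw:
        rule: allow
        from_ip: "{{ lan_cidr }}"

    # Enabled last so the rules above are already in place when the default
    # deny policy takes effect.
    - name: Activer UFW
      ufw:
        state: enabled

    - name: "=== FAIL2BAN ==="
      debug:
        msg: "Configuration de Fail2ban..."

    # jail.local overrides the packaged jail.conf; only a restart is triggered
    # (via the handler) when the file content actually changes.
    # NOTE(review): logpath assumes syslog-style auth logging; journald-only
    # hosts without /var/log/auth.log need a different backend — confirm per
    # distribution.
    - name: Configuration Fail2ban simple
      copy:
        dest: /etc/fail2ban/jail.local
        content: |
          [DEFAULT]
          bantime = 3600
          findtime = 600
          maxretry = 5

          [sshd]
          enabled = true
          port = {{ ssh_port }}
          logpath = /var/log/auth.log
          maxretry = 3
        mode: '0644'
      notify: Restart fail2ban

    # Ensure the service is running and enabled at boot without forcing a
    # restart on every run (keeps the play idempotent).
    - name: Démarrer Fail2ban
      systemd:
        name: fail2ban
        state: started
        enabled: true

    # Apply the pending restart now so the verification below sees the
    # final state rather than waiting for end-of-play handlers.
    - name: Appliquer les handlers Fail2ban
      meta: flush_handlers

    - name: "=== VÉRIFICATION ==="
      command: ufw status
      register: fw_status
      changed_when: false

    - name: Afficher config
      debug:
        var: fw_status.stdout_lines

    # Summary mirrors the rules actually applied: SSH is the one inbound
    # service still reachable from outside the LAN.
    - name: "=== RÉSUMÉ ==="
      debug:
        msg:
          - "================================================"
          - "✓ FIREWALL"
          - "  Depuis {{ lan_cidr }} → TOUS LES PORTS OK"
          - "  Depuis Internet → BLOQUÉ (sauf SSH, port {{ ssh_port }}/tcp)"
          - ""
          - "✓ FAIL2BAN"
          - "  3 tentatives SSH ratées → Ban 1h"
          - ""
          - "✓ VOUS ÊTES PROTÉGÉ !"
          - "================================================"

  handlers:
    # Restart only when jail.local changed (notified by the copy task).
    - name: Restart fail2ban
      systemd:
        name: fail2ban
        state: restarted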