#cloud-config
package_update: true
package_upgrade: true

packages:
  - fail2ban
  - iptables-persistent

write_files:
  - path: /etc/fail2ban/jail.local
    content: |
      [DEFAULT]
      bantime = 3600
      findtime = 600
      maxretry = 5
      
      [sshd]
      enabled = true
      port = ssh
      logpath = /var/log/auth.log
      maxretry = 3
      
      [nginx-http-auth]
      enabled = true
      
      [nginx-limit-req]
      enabled = true
      
      [apache]
      enabled = true
      
      [apache-badbots]
      enabled = true

runcmd:
  - systemctl enable fail2ban
  - systemctl start fail2ban
  - fail2ban-client status