forked from evolix/ansible-roles
Jérémy Lecour
012dabf657
If the final variable is combined in the defaults file, it's component can be overridden, but the final variable can't be overriden.
56 lines
1.3 KiB
Django/Jinja
56 lines
1.3 KiB
Django/Jinja
# EvoLinux Fail2Ban config.
|
|
|
|
[DEFAULT]
|
|
|
|
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
|
|
ignoreip = {{ ['127.0.0.1/8'] union(fail2ban_ignore_ips) | unique | join(' ') }}
|
|
|
|
bantime = 600
|
|
maxretry = 3
|
|
|
|
# "backend" specifies the backend used to get files modification. Available
|
|
# options are "gamin", "polling" and "auto".
|
|
# yoh: For some reason Debian shipped python-gamin didn't work as expected
|
|
# This issue left ToDo, so polling is default backend for now
|
|
backend = auto
|
|
|
|
destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }}
|
|
|
|
# ACTIONS
|
|
|
|
banaction = iptables-multiport
|
|
mta = sendmail
|
|
protocol = tcp
|
|
chain = INPUT
|
|
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
|
|
|
|
action = %(action_mwl)s
|
|
|
|
{% if fail2ban_wordpress %}
|
|
[wordpress-hard]
|
|
enabled = true
|
|
port = http,https
|
|
filter = wordpress-hard
|
|
logpath = /var/log/auth.log
|
|
maxretry = 1
|
|
findtime = 300
|
|
|
|
[wordpress-soft]
|
|
enabled = true
|
|
port = http,https
|
|
filter = wordpress-soft
|
|
logpath = /var/log/auth.log
|
|
maxretry = 5
|
|
findtime = 300
|
|
{% endif %}
|
|
|
|
{% if fail2ban_roundcube %}
|
|
[roundcube]
|
|
enabled = true
|
|
port = http,https
|
|
filter = roundcube
|
|
logpath = /var/lib/roundcube/logs/errors
|
|
maxretry = 5
|
|
{% endif %}
|