fail2ban: add a variable to update the list of ignored IP addresses
parent
01ae7b0e31
commit
12c49ed93b
|
@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release.
|
||||||
* evocheck: the crontab is updated by the role (default: `True`)
|
* evocheck: the crontab is updated by the role (default: `True`)
|
||||||
* evolinux-base: add mail related aliases
|
* evolinux-base: add mail related aliases
|
||||||
* fail2ban: add a variable to disable the ssh filter (default: `False`)
|
* fail2ban: add a variable to disable the ssh filter (default: `False`)
|
||||||
|
* fail2ban: add a variable to update the list of ignored IP addresses/blocs (default: `False`)
|
||||||
* generate-ldif: detect installed packages even if "held" by APT
|
* generate-ldif: detect installed packages even if "held" by APT
|
||||||
* java: support for Oracle JRE
|
* java: support for Oracle JRE
|
||||||
* kibana: log messages go to /var/log/kibana/kibana.log
|
* kibana: log messages go to /var/log/kibana/kibana.log
|
||||||
|
|
|
@ -12,7 +12,8 @@ Main variables are :
|
||||||
|
|
||||||
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
|
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
|
||||||
* `fail2ban_alert_email`: email address for messages sent to root (default: `general_alert_email`).
|
* `fail2ban_alert_email`: email address for messages sent to root (default: `general_alert_email`).
|
||||||
* `fail2ban_ignore_ips`: list of IPs to ignore (default: empty).
|
* `fail2ban_default_ignore_ips`: default list of IPs to ignore (default: empty).
|
||||||
|
* `fail2ban_additional_ignore_ips`: additional list of IPs to ignore (default: empty).
|
||||||
* `fail2ban_disable_ssh`: if true, the "sshd" filter is disabled, otherwise nothing is done, not even enabling the filter (default: `False`).
|
* `fail2ban_disable_ssh`: if true, the "sshd" filter is disabled, otherwise nothing is done, not even enabling the filter (default: `False`).
|
||||||
|
|
||||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||||
|
|
|
@ -2,8 +2,12 @@
|
||||||
general_alert_email: "root@localhost"
|
general_alert_email: "root@localhost"
|
||||||
fail2ban_alert_email: Null
|
fail2ban_alert_email: Null
|
||||||
|
|
||||||
|
# Note: there are 2 variable to allow various overrides, but they are merged.
|
||||||
|
# "127.0.0.1/8" is always added to the list, even if the following lists are empty.
|
||||||
fail2ban_default_ignore_ips: []
|
fail2ban_default_ignore_ips: []
|
||||||
fail2ban_additional_ignore_ips: []
|
fail2ban_additional_ignore_ips: []
|
||||||
|
# WARN: setting this to True will overwrite the list of ignored IP
|
||||||
|
fail2ban_force_update_ignore_ips: False
|
||||||
|
|
||||||
fail2ban_wordpress: False
|
fail2ban_wordpress: False
|
||||||
fail2ban_roundcube: False
|
fail2ban_roundcube: False
|
||||||
|
|
|
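Review bot: The new comment promises that the two lists are merged and that "127.0.0.1/8" is always added, but nothing in this hunk defines the merged value, and the "update ignoreips lists" task reads `fail2ban_ignore_ips`, which these defaults do not declare. Unless that variable is built outside the visible lines, the task would render an undefined value or write a list without the loopback range, so the merge should be defined next to the two inputs, e.g. `fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] + fail2ban_default_ignore_ips + fail2ban_additional_ignore_ips }}"`. The WARN comment also stops short of saying what is lost; I would write `# WARN: setting this to True overwrites the ignore list in /etc/fail2ban/jail.local, discarding entries added by hand`. Since every address in this list is exempt from banning, the comment should also say that the list is to be kept to the narrowest ranges needed.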
@ -28,6 +28,17 @@
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
|
|
||||||
|
- name: update ignoreips lists
|
||||||
|
ini_file:
|
||||||
|
dest: /etc/fail2ban/jail.local
|
||||||
|
section: "[DEFAULT]"
|
||||||
|
option: "ignoreips"
|
||||||
|
value: "{{ fail2ban_ignore_ips | join(' ') }}"
|
||||||
|
notify: restart fail2ban
|
||||||
|
when: fail2fail2ban_force_update_ignore_ips
|
||||||
|
tags:
|
||||||
|
- fail2ban
|
||||||
|
|
||||||
- name: Disable SSH filter
|
- name: Disable SSH filter
|
||||||
ini_file:
|
ini_file:
|
||||||
dest: /etc/fail2ban/jail.local
|
dest: /etc/fail2ban/jail.local
|
||||||
|
|
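Review bot: The `when:` condition on the new "update ignoreips lists" task names `fail2fail2ban_force_update_ignore_ips`, which is not the variable added to the defaults, so the conditional would fail on an undefined variable instead of gating the task; it should read `when: fail2ban_force_update_ignore_ips`. The option written is `ignoreips`, while fail2ban reads `ignoreip`, so even when the task runs the exemption list would not be applied and trusted addresses could still be banned; use `option: ignoreip`. `ini_file` also expects the bare section name, so `section: "[DEFAULT]"` would probably create a `[[DEFAULT]]` header rather than update the existing one; `section: DEFAULT` avoids that. The task list continues outside the hunk, so it is worth checking that the "Disable SSH filter" task below uses the same section form.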