Fail2ban: Multiple changes & improvements :
* Give the possibility to override jail.local (with fail2ban_override_jaillocal) * If jail.local was overridden, add a warning * Allow to tune some jail settings (maxretry, bantime, findtime) with ansible * Allow to tune the default action with ansible * Change default action to ban only (instead of ban + mail with whois report) * Configure recidive jail (off by default) + extend dbpurgeage pull/157/head
parent
bcaacdf57f
commit
1e19418fb0
|
@ -14,6 +14,12 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Changed
|
||||
|
||||
* fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal)
|
||||
* fail2ban: If jail.local was overriden, add a warning
|
||||
* fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible
|
||||
* fail2ban: Allow to tune the default action with ansible
|
||||
* fail2ban: Change default action to ban only (instead of ban + mail with whois report)
|
||||
* fail2ban: Configure recidive jail (off by default) + extend dbpurgeage
|
||||
* redis: binding is possible on multiple interfaces (breaking change)
|
||||
|
||||
### Fixed
|
||||
|
|
|
@ -6,10 +6,43 @@ fail2ban_alert_email: Null
|
|||
# "127.0.0.1/8" is always added to the list, even if the following lists are empty.
|
||||
fail2ban_default_ignore_ips: []
|
||||
fail2ban_additional_ignore_ips: []
|
||||
|
||||
# WARN: setting this to True will overwrite the list of ignored IP
|
||||
fail2ban_force_update_ignore_ips: False
|
||||
|
||||
fail2ban_wordpress: False
|
||||
fail2ban_roundcube: False
|
||||
fail2ban_override_jaillocal: False
|
||||
|
||||
fail2ban_disable_ssh: False
|
||||
fail2ban_default_maxretry: 5
|
||||
fail2ban_default_bantime: 10m
|
||||
fail2ban_default_findtime: 10m
|
||||
|
||||
# Default fail2ban action. Chose beetween :
|
||||
# - "action_" : (default) - ban only (following banaction)
|
||||
# - "action_mw" : ban & send an email with whois report
|
||||
# - "action_mwl" : ban & send an email with whois and log lines
|
||||
fail2ban_default_action: "action_"
|
||||
|
||||
fail2ban_sshd: True
|
||||
fail2ban_sshd_maxretry: 10
|
||||
fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}"
|
||||
fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}"
|
||||
|
||||
fail2ban_recidive: False
|
||||
fail2ban_recidive_maxretry: 3
|
||||
fail2ban_recidive_bantime: 1w
|
||||
fail2ban_recidive_findtime: 1d
|
||||
|
||||
fail2ban_wordpress_hard: False
|
||||
fail2ban_wordpress_hard_maxretry: 1
|
||||
fail2ban_wordpress_hard_bantime: "{{ fail2ban_default_bantime }}"
|
||||
fail2ban_wordpress_hard_findtime: "{{ fail2ban_default_findtime }}"
|
||||
|
||||
fail2ban_wordpress_soft: False
|
||||
fail2ban_wordpress_soft_maxretry: 5
|
||||
fail2ban_wordpress_soft_bantime: "{{ fail2ban_default_bantime }}"
|
||||
fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}"
|
||||
|
||||
fail2ban_roundcube: False
|
||||
fail2ban_roundcube_maxretry: 5
|
||||
fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}"
|
||||
fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}"
|
|
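Review bot: `fail2ban_override_jaillocal: False` is introduced without a comment, yet it decides whether the rest of this hunk has any effect on hosts that already have a jail.local (the template task's `force:` now follows it), so on such hosts the new `*_maxretry`/`*_bantime`/`*_findtime` and `fail2ban_default_action` values stay inert until it is set to True; suggest `# True re-renders /etc/fail2ban/jail.local even if it already exists; the jail tunables below only reach existing hosts when this is set`. The comment block above `fail2ban_default_action` also has typos — `# Default fail2ban action. Choose between:` — and could state that the value is substituted by name into `%(...)s` in jail.local, so anything other than an `action_*` definition provided by fail2ban's jail.conf will most likely make the jail configuration fail to load. Finally, `fail2ban_disable_ssh: False` appears to be dropped next to the new `fail2ban_sshd: True` (the matching 'Disable SSH filter' task is removed further down); if so, inventories still setting `fail2ban_disable_ssh: True` silently get the sshd jail re-enabled, which deserves a changelog line or a compatibility default such as `fail2ban_sshd: "{{ not (fail2ban_disable_ssh | default(False) | bool) }}"`.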
@ -12,6 +12,7 @@
|
|||
loop:
|
||||
- "/etc/fail2ban"
|
||||
- "/etc/fail2ban/filter.d"
|
||||
- "/etc/fail2ban/fail2ban.d"
|
||||
tags:
|
||||
- fail2ban
|
||||
|
||||
|
@ -25,7 +26,7 @@
|
|||
src: jail.local.j2
|
||||
dest: /etc/fail2ban/jail.local
|
||||
mode: "0644"
|
||||
force: no
|
||||
force: "{{ fail2ban_override_jaillocal }}"
|
||||
notify: restart fail2ban
|
||||
tags:
|
||||
- fail2ban
|
||||
|
@ -36,17 +37,6 @@
|
|||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: Disable SSH filter
|
||||
ini_file:
|
||||
dest: /etc/fail2ban/jail.local
|
||||
section: sshd
|
||||
option: enabled
|
||||
value: false
|
||||
notify: restart fail2ban
|
||||
when: fail2ban_disable_ssh | bool
|
||||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: custom filters are installed
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
|
@ -62,7 +52,7 @@
|
|||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: package is installed
|
||||
- name: package fail2ban is installed
|
||||
apt:
|
||||
name: fail2ban
|
||||
state: present
|
||||
|
@ -100,3 +90,17 @@
|
|||
tags:
|
||||
- fail2ban
|
||||
- munin
|
||||
|
||||
- name: "Extend dbpurgeage if recidive jail is enabled"
|
||||
blockinfile:
|
||||
dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage
|
||||
marker: "# ANSIBLE MANAGED"
|
||||
block: |
|
||||
[DEFAULT]
|
||||
dbpurgeage = {{ fail2ban_recidive_bantime}}
|
||||
insertafter: EOF
|
||||
create: yes
|
||||
mode: "0644"
|
||||
notify: restart fail2ban
|
||||
when:
|
||||
- fail2ban_recidive
|
|
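Review bot: The recidive drop-in written by the new blockinfile task is very likely never read by fail2ban: fail2ban only picks up `fail2ban.d/*.conf` and `fail2ban.d/*.local`, and `dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage` has neither suffix. Even once it is read, `dbpurgeage` is an option of the `[Definition]` section of fail2ban.conf, where the stock file sets it explicitly, so a `[DEFAULT]` fallback as written should not override it; the net effect is that bans of `fail2ban_recidive_bantime` length are still purged from the database after the stock dbpurgeage and are not restored after a fail2ban restart. The `marker: "# ANSIBLE MANAGED"` also lacks `{mark}`, which Ansible documents as causing the block to be re-inserted on every run. Suggested lines: `dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage.local`, `marker: "# {mark} ANSIBLE MANAGED"`, and `[Definition]` in place of `[DEFAULT]` in the block (the `{{ fail2ban_recidive_bantime}}` spacing is also off). For consistency with the style the removed 'Disable SSH filter' task used (`fail2ban_disable_ssh | bool`), `when:` would better read `- fail2ban_recidive | bool` instead of a bare variable conditional.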
@ -1,61 +1,65 @@
|
|||
# EvoLinux Fail2Ban config.
|
||||
|
||||
{% if fail2ban_override_jaillocal %}
|
||||
# WARNING : THIS FILE IS (PROBABLY) ANSIBLE MANAGED AS IT WAS OVERWRITTEN BY ANSIBLE
|
||||
{% endif %}
|
||||
|
||||
[DEFAULT]
|
||||
|
||||
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
|
||||
ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}
|
||||
|
||||
bantime = 600
|
||||
maxretry = 3
|
||||
|
||||
# "backend" specifies the backend used to get files modification. Available
|
||||
# options are "gamin", "polling" and "auto".
|
||||
# yoh: For some reason Debian shipped python-gamin didn't work as expected
|
||||
# This issue left ToDo, so polling is default backend for now
|
||||
backend = auto
|
||||
bantime = {{ fail2ban_default_bantime }}
|
||||
maxretry = {{ fail2ban_default_maxretry }}
|
||||
|
||||
destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }}
|
||||
|
||||
# ACTIONS
|
||||
|
||||
banaction = iptables-multiport
|
||||
mta = sendmail
|
||||
protocol = tcp
|
||||
chain = INPUT
|
||||
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
|
||||
action = %({{fail2ban_default_action}})s
|
||||
|
||||
action = %(action_mwl)s
|
||||
|
||||
[sshd]
|
||||
enabled = {{ fail2ban_sshd }}
|
||||
port = ssh,2222,22222
|
||||
logpath = %(sshd_log)s
|
||||
backend = %(sshd_backend)s
|
||||
maxretry = 10
|
||||
|
||||
{% if fail2ban_wordpress %}
|
||||
maxretry = {{ fail2ban_sshd_maxretry }}
|
||||
findtime = {{ fail2ban_sshd_findtime }}
|
||||
bantime = {{ fail2ban_sshd_bantime }}
|
||||
|
||||
[recidive]
|
||||
enabled = {{ fail2ban_recidive }}
|
||||
|
||||
maxretry = {{ fail2ban_recidive_maxretry }}
|
||||
findtime = {{ fail2ban_recidive_findtime }}
|
||||
bantime = {{ fail2ban_recidive_bantime }}
|
||||
|
||||
|
||||
# Evolix custom jails
|
||||
|
||||
[wordpress-hard]
|
||||
enabled = true
|
||||
port = http,https
|
||||
enabled = {{ fail2ban_wordpress_hard }}
|
||||
port = http, https
|
||||
filter = wordpress-hard
|
||||
logpath = /var/log/auth.log
|
||||
maxretry = 1
|
||||
findtime = 300
|
||||
maxretry = {{ fail2ban_wordpress_hard_maxretry }}
|
||||
findtime = {{ fail2ban_wordpress_hard_findtime }}
|
||||
bantime = {{ fail2ban_wordpress_hard_bantime }}
|
||||
|
||||
[wordpress-soft]
|
||||
enabled = true
|
||||
port = http,https
|
||||
enabled = {{ fail2ban_wordpress_soft }}
|
||||
port = http, https
|
||||
filter = wordpress-soft
|
||||
logpath = /var/log/auth.log
|
||||
maxretry = 5
|
||||
findtime = 300
|
||||
{% endif %}
|
||||
maxretry = {{ fail2ban_wordpress_soft_maxretry }}
|
||||
findtime = {{ fail2ban_wordpress_soft_findtime }}
|
||||
bantime = {{ fail2ban_wordpress_soft_bantime }}
|
||||
|
||||
{% if fail2ban_roundcube %}
|
||||
[roundcube]
|
||||
enabled = true
|
||||
port = http,https
|
||||
enabled = {{ fail2ban_roundcube }}
|
||||
port = http, https
|
||||
filter = roundcube
|
||||
logpath = /var/lib/roundcube/logs/errors
|
||||
maxretry = 5
|
||||
{% endif %}
|
||||
maxretry = {{ fail2ban_roundcube_maxretry }}
|
||||
findtime = {{ fail2ban_roundcube_findtime }}
|
||||
bantime = {{ fail2ban_roundcube_bantime }}
|
||||
|
|
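Review bot: The three web jails now render `port = http, https` with a space where the previous lines had `http,https`; that value is substituted verbatim into the iptables-multiport `--dports <port>` part of the action command, which fail2ban runs through a shell, so unless fail2ban strips the whitespace (I do not believe it does) the token after the comma becomes a separate argument and the jail fails to start — fail2ban logs the failed action, but the Ansible run reports success and the host is left without that protection. Suggest restoring `port = http,https` in `[wordpress-hard]`, `[wordpress-soft]` and `[roundcube]`. The new `[recidive]` section relies on jail.conf for `logpath`, `filter` and the all-ports banaction; a one-line comment such as `# logpath/filter/banaction come from jail.conf's [recidive] defaults` would save the next reader a lookup. Lastly, the abbreviated durations this template now emits (`10m`, `1w` defaults) are, to my recollection, only understood by fail2ban 0.10 and later; if any managed host still runs 0.9, the jails will not load there, which is worth a note in the role's README or a version check in the tasks.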