Fail2ban: Multiple changes & improvements :

* Give the possibility to override jail.local (with fail2ban_override_jaillocal)
* If jail.local was overriden, add a warning
* Allow to tune some jail settings (maxretry, bantime, findtime) with ansible
* Allow to tune the default action with ansible
* Change default action to ban only (instead of ban + mail with whois report)
* Configure recidive jail (off by default) + extend dbpurgeage

CHANGELOG.md

@@ -14,6 +14,12 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Changed
 
+* fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal)
+* fail2ban: If jail.local was overriden, add a warning
+* fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible
+* fail2ban: Allow to tune the default action with ansible
+* fail2ban: Change default action to ban only (instead of ban + mail with whois report)
+* fail2ban: Configure recidive jail (off by default) + extend dbpurgeage
 * redis: binding is possible on multiple interfaces (breaking change)
 
 ### Fixed

fail2ban/defaults/main.yml

@@ -6,10 +6,43 @@ fail2ban_alert_email: Null
 # "127.0.0.1/8" is always added to the list, even if the following lists are empty.
 fail2ban_default_ignore_ips: []
 fail2ban_additional_ignore_ips: []
+
 # WARN: setting this to True will overwrite the list of ignored IP
 fail2ban_force_update_ignore_ips: False
 
-fail2ban_wordpress: False
-fail2ban_roundcube: False
+fail2ban_override_jaillocal: False
+
+fail2ban_default_maxretry: 5
+fail2ban_default_bantime: 10m
+fail2ban_default_findtime: 10m
+
+# Default fail2ban action. Chose beetween :
+# - "action_" : (default) - ban only (following banaction)
+# - "action_mw" : ban & send an email with whois report
+# - "action_mwl" : ban & send an email with whois and log lines
+fail2ban_default_action: "action_"
+
+fail2ban_sshd: True
+fail2ban_sshd_maxretry: 10
+fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}"
+fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}"
 
-fail2ban_disable_ssh: False
+fail2ban_recidive: False
+fail2ban_recidive_maxretry: 3
+fail2ban_recidive_bantime: 1w
+fail2ban_recidive_findtime: 1d
+
+fail2ban_wordpress_hard: False
+fail2ban_wordpress_hard_maxretry: 1
+fail2ban_wordpress_hard_bantime: "{{ fail2ban_default_bantime }}"
+fail2ban_wordpress_hard_findtime: "{{ fail2ban_default_findtime }}"
+
+fail2ban_wordpress_soft: False
+fail2ban_wordpress_soft_maxretry: 5
+fail2ban_wordpress_soft_bantime: "{{ fail2ban_default_bantime }}"
+fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}"
+
+fail2ban_roundcube: False
+fail2ban_roundcube_maxretry: 5
+fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}"
+fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}"

fail2ban/tasks/main.yml

@@ -12,6 +12,7 @@
   loop:
     - "/etc/fail2ban"
     - "/etc/fail2ban/filter.d"
+    - "/etc/fail2ban/fail2ban.d"
   tags:
     - fail2ban
 
@@ -25,7 +26,7 @@
     src: jail.local.j2
     dest: /etc/fail2ban/jail.local
     mode: "0644"
-    force: no
+    force: "{{ fail2ban_override_jaillocal }}"
   notify: restart fail2ban
   tags:
     - fail2ban
@@ -36,17 +37,6 @@
   tags:
     - fail2ban
 
-- name: Disable SSH filter
-  ini_file:
-    dest: /etc/fail2ban/jail.local
-    section: sshd
-    option: enabled
-    value: false
-  notify: restart fail2ban
-  when: fail2ban_disable_ssh | bool
-  tags:
-    - fail2ban
-
 - name: custom filters are installed
   copy:
     src: "{{ item }}"
@@ -62,7 +52,7 @@
   tags:
     - fail2ban
 
-- name: package is installed
+- name: package fail2ban is installed
   apt:
     name: fail2ban
     state: present
@@ -100,3 +90,17 @@
   tags:
     - fail2ban
     - munin
+
+- name: "Extend dbpurgeage if recidive jail is enabled"
+  blockinfile:
+    dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage
+    marker: "# ANSIBLE MANAGED"
+    block: |
+      [DEFAULT]
+      dbpurgeage = {{ fail2ban_recidive_bantime}}
+    insertafter: EOF
+    create: yes
+    mode: "0644"
+  notify: restart fail2ban
+  when:
+    - fail2ban_recidive

fail2ban/templates/jail.local.j2

@@ -1,61 +1,65 @@
 # EvoLinux Fail2Ban config.
 
+{% if fail2ban_override_jaillocal %}
+# WARNING : THIS FILE IS (PROBABLY) ANSIBLE MANAGED AS IT WAS OVERWRITTEN BY ANSIBLE
+{% endif %}
+
 [DEFAULT]
 
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
 ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}
 
-bantime  = 600
-maxretry = 3
-
-# "backend" specifies the backend used to get files modification. Available
-# options are "gamin", "polling" and "auto".
-# yoh: For some reason Debian shipped python-gamin didn't work as expected
-#      This issue left ToDo, so polling is default backend for now
-backend = auto
+bantime  = {{ fail2ban_default_bantime }}
+maxretry = {{ fail2ban_default_maxretry }}
 
 destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }}
 
 # ACTIONS
-
 banaction = iptables-multiport
-mta = sendmail
-protocol = tcp
-chain = INPUT
-action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+action = %({{fail2ban_default_action}})s
 
-action = %(action_mwl)s
 
 [sshd]
+enabled = {{ fail2ban_sshd }}
 port    = ssh,2222,22222
-logpath = %(sshd_log)s
-backend = %(sshd_backend)s
-maxretry = 10
 
-{% if fail2ban_wordpress %}
+maxretry = {{ fail2ban_sshd_maxretry }}
+findtime = {{ fail2ban_sshd_findtime }}
+bantime = {{ fail2ban_sshd_bantime }}
+
+[recidive]
+enabled = {{ fail2ban_recidive }}
+
+maxretry = {{ fail2ban_recidive_maxretry }}
+findtime = {{ fail2ban_recidive_findtime }}
+bantime = {{ fail2ban_recidive_bantime }}
+
+
+# Evolix custom jails 
+
 [wordpress-hard]
-enabled = true
-port = http,https
+enabled = {{ fail2ban_wordpress_hard }}
+port = http, https
 filter = wordpress-hard
 logpath = /var/log/auth.log
-maxretry = 1
-findtime = 300
+maxretry = {{ fail2ban_wordpress_hard_maxretry }}
+findtime = {{ fail2ban_wordpress_hard_findtime }}
+bantime = {{ fail2ban_wordpress_hard_bantime }}
 
 [wordpress-soft]
-enabled = true
-port = http,https
+enabled = {{ fail2ban_wordpress_soft }}
+port = http, https
 filter = wordpress-soft
 logpath = /var/log/auth.log
-maxretry = 5
-findtime = 300
-{% endif %}
+maxretry = {{ fail2ban_wordpress_soft_maxretry }}
+findtime = {{ fail2ban_wordpress_soft_findtime }}
+bantime = {{ fail2ban_wordpress_soft_bantime }}
 
-{% if fail2ban_roundcube %}
 [roundcube]
-enabled  = true
-port     = http,https
+enabled  = {{ fail2ban_roundcube }}
+port     = http, https
 filter   = roundcube
 logpath  = /var/lib/roundcube/logs/errors
-maxretry = 5
-{% endif %}
+maxretry = {{ fail2ban_roundcube_maxretry }}
+findtime = {{ fail2ban_roundcube_findtime }}
+bantime = {{ fail2ban_roundcube_bantime }}