Fail2ban: Multiple changes & improvements :

* Give the possibility to override jail.local (with fail2ban_override_jaillocal)
* If jail.local was overridden, add a warning
* Allow to tune some jail settings (maxretry, bantime, findtime) with ansible
* Allow to tune the default action with ansible
* Change default action to ban only (instead of ban + mail with whois report)
* Configure recidive jail (off by default) + extend dbpurgeage
Ludovic Poujol 2022-06-08 17:55:58 +02:00
parent bcaacdf57f
commit 1e19418fb0
4 changed files with 96 additions and 49 deletions


@ -14,6 +14,12 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Changed
* fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal)
* fail2ban: If jail.local was overriden, add a warning
* fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible
* fail2ban: Allow to tune the default action with ansible
* fail2ban: Change default action to ban only (instead of ban + mail with whois report)
* fail2ban: Configure recidive jail (off by default) + extend dbpurgeage
* redis: binding is possible on multiple interfaces (breaking change)
### Fixed


@ -6,10 +6,43 @@ fail2ban_alert_email: Null
# "127.0.0.1/8" is always added to the list, even if the following lists are empty.
fail2ban_default_ignore_ips: []
fail2ban_additional_ignore_ips: []
# WARN: setting this to True will overwrite the list of ignored IP
fail2ban_force_update_ignore_ips: False
fail2ban_wordpress: False
fail2ban_roundcube: False
fail2ban_override_jaillocal: False
fail2ban_disable_ssh: False
fail2ban_default_maxretry: 5
fail2ban_default_bantime: 10m
fail2ban_default_findtime: 10m
# Default fail2ban action. Chose beetween :
# - "action_" : (default) - ban only (following banaction)
# - "action_mw" : ban & send an email with whois report
# - "action_mwl" : ban & send an email with whois and log lines
fail2ban_default_action: "action_"
fail2ban_sshd: True
fail2ban_sshd_maxretry: 10
fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}"
fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}"
fail2ban_recidive: False
fail2ban_recidive_maxretry: 3
fail2ban_recidive_bantime: 1w
fail2ban_recidive_findtime: 1d
fail2ban_wordpress_hard: False
fail2ban_wordpress_hard_maxretry: 1
fail2ban_wordpress_hard_bantime: "{{ fail2ban_default_bantime }}"
fail2ban_wordpress_hard_findtime: "{{ fail2ban_default_findtime }}"
fail2ban_wordpress_soft: False
fail2ban_wordpress_soft_maxretry: 5
fail2ban_wordpress_soft_bantime: "{{ fail2ban_default_bantime }}"
fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}"
fail2ban_roundcube: False
fail2ban_roundcube_maxretry: 5
fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}"
fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}"
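Review bot: The new `fail2ban_wordpress_hard` and `fail2ban_wordpress_soft` switches default to `False` and are not tied to the existing `fail2ban_wordpress` variable, so an inventory that already sets `fail2ban_wordpress: True` would, as far as this page shows, get both WordPress jails rendered as disabled once jail.local is regenerated. Deriving the defaults from the old switch keeps those hosts protected, for example `fail2ban_wordpress_hard: "{{ fail2ban_wordpress | default(False) }}"` and the same for `_soft`. The same concern applies to `fail2ban_disable_ssh`: the task that consumed it appears to be removed in the tasks file and the jail is now driven by `fail2ban_sshd`, so a host that relied on the old flag would silently change behaviour. If the old names are meant to be dropped, the changelog entry should say so as a breaking change, as it already does for redis.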


@ -12,6 +12,7 @@
loop:
- "/etc/fail2ban"
- "/etc/fail2ban/filter.d"
- "/etc/fail2ban/fail2ban.d"
tags:
- fail2ban
@ -25,7 +26,7 @@
src: jail.local.j2
dest: /etc/fail2ban/jail.local
mode: "0644"
force: no
force: "{{ fail2ban_override_jaillocal }}"
notify: restart fail2ban
tags:
- fail2ban
@ -36,17 +37,6 @@
tags:
- fail2ban
- name: Disable SSH filter
ini_file:
dest: /etc/fail2ban/jail.local
section: sshd
option: enabled
value: false
notify: restart fail2ban
when: fail2ban_disable_ssh | bool
tags:
- fail2ban
- name: custom filters are installed
copy:
src: "{{ item }}"
@ -62,7 +52,7 @@
tags:
- fail2ban
- name: package is installed
- name: package fail2ban is installed
apt:
name: fail2ban
state: present
@ -100,3 +90,17 @@
tags:
- fail2ban
- munin
- name: "Extend dbpurgeage if recidive jail is enabled"
blockinfile:
dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage
marker: "# ANSIBLE MANAGED"
block: |
[DEFAULT]
dbpurgeage = {{ fail2ban_recidive_bantime}}
insertafter: EOF
create: yes
mode: "0644"
notify: restart fail2ban
when:
- fail2ban_recidive
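Review bot: The `recidive_dbpurgeage` drop-in written by the last task is probably never read, and its `blockinfile` marker is not idempotent. As far as I know fail2ban only loads `*.conf` and `*.local` files from `fail2ban.d/`, so with `dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage` the purge age would stay at its stock value and week-long recidive bans could be purged from the database before they expire; `dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage.local` avoids that. The marker has no `{mark}` placeholder, so the begin and end markers are identical and Ansible may insert the block again on later runs; `marker: "# {mark} ANSIBLE MANAGED"` fixes it. The task also lacks the `tags: fail2ban` entry that the other tasks visible in this file carry.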


@ -1,61 +1,65 @@
# EvoLinux Fail2Ban config.
{% if fail2ban_override_jaillocal %}
# WARNING : THIS FILE IS (PROBABLY) ANSIBLE MANAGED AS IT WAS OVERWRITTEN BY ANSIBLE
{% endif %}
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
bantime = {{ fail2ban_default_bantime }}
maxretry = {{ fail2ban_default_maxretry }}
destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }}
# ACTIONS
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %({{fail2ban_default_action}})s
action = %(action_mwl)s
[sshd]
enabled = {{ fail2ban_sshd }}
port = ssh,2222,22222
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 10
{% if fail2ban_wordpress %}
maxretry = {{ fail2ban_sshd_maxretry }}
findtime = {{ fail2ban_sshd_findtime }}
bantime = {{ fail2ban_sshd_bantime }}
[recidive]
enabled = {{ fail2ban_recidive }}
maxretry = {{ fail2ban_recidive_maxretry }}
findtime = {{ fail2ban_recidive_findtime }}
bantime = {{ fail2ban_recidive_bantime }}
# Evolix custom jails
[wordpress-hard]
enabled = true
enabled = {{ fail2ban_wordpress_hard }}
port = http, https
filter = wordpress-hard
logpath = /var/log/auth.log
maxretry = 1
findtime = 300
maxretry = {{ fail2ban_wordpress_hard_maxretry }}
findtime = {{ fail2ban_wordpress_hard_findtime }}
bantime = {{ fail2ban_wordpress_hard_bantime }}
[wordpress-soft]
enabled = true
enabled = {{ fail2ban_wordpress_soft }}
port = http, https
filter = wordpress-soft
logpath = /var/log/auth.log
maxretry = 5
findtime = 300
{% endif %}
maxretry = {{ fail2ban_wordpress_soft_maxretry }}
findtime = {{ fail2ban_wordpress_soft_findtime }}
bantime = {{ fail2ban_wordpress_soft_bantime }}
{% if fail2ban_roundcube %}
[roundcube]
enabled = true
enabled = {{ fail2ban_roundcube }}
port = http, https
filter = roundcube
logpath = /var/lib/roundcube/logs/errors
maxretry = 5
{% endif %}
maxretry = {{ fail2ban_roundcube_maxretry }}
findtime = {{ fail2ban_roundcube_findtime }}
bantime = {{ fail2ban_roundcube_bantime }}
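Review bot: `[DEFAULT]` now takes `bantime` and `maxretry` from the role variables but has no `findtime` line, so `fail2ban_default_findtime` only reaches the jails that reference it explicitly. Any jail defined outside this template would keep fail2ban's built-in window even after an operator tunes the default; adding `findtime = {{ fail2ban_default_findtime }}` next to the other two settings closes that gap. Separately, `action = %({{fail2ban_default_action}})s` accepts any string, and a misspelt value would presumably produce a configuration that fail2ban refuses to load, leaving the host without bans. An `assert` task that restricts the variable to the three actions documented in the defaults file would catch that before jail.local is written.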