From e9391981594f123464f559dde5a36088a8e1cc53 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 23 Aug 2018 09:16:33 +0200 Subject: [PATCH] fail2ban: add a variable to disable the ssh filter (default: False) --- CHANGELOG.md | 1 + fail2ban/README.md | 1 + fail2ban/defaults/main.yml | 2 ++ fail2ban/tasks/main.yml | 11 +++++++++++ 4 files changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1eba704f..2af080ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ The **patch** part changes incrementally at each release. * evocheck: detect installed packages even if "held" by APT (manual fix) * evocheck: the crontab is updated by the role (default: `True`) * evolinux-base: add mail related aliases +* fail2ban: add a variable to disable the ssh filter (default: `False`) * generate-ldif: detect installed packages even if "held" by APT * java: support for Oracle JRE * kibana: log messages go to /var/log/kibana/kibana.log diff --git a/fail2ban/README.md b/fail2ban/README.md index af94e38a..d13dbb25 100644 --- a/fail2ban/README.md +++ b/fail2ban/README.md @@ -13,5 +13,6 @@ Main variables are : * `general_alert_email`: email address to send various alert messages (default: `root@localhost`). * `fail2ban_alert_email`: email address for messages sent to root (default: `general_alert_email`). * `fail2ban_ignore_ips`: list of IPs to ignore (default: empty). +* `fail2ban_disable_ssh`: if true, the "sshd" filter is disabled, otherwise nothing is done, not even enabling the filter (default: `False`). The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 4893e7ae..06cd9d51 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -7,3 +7,5 @@ fail2ban_additional_ignore_ips: [] fail2ban_wordpress: False fail2ban_roundcube: False + +fail2ban_disable_ssh: False 
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 48b769db..e9bd0482 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -28,6 +28,17 @@ tags: - fail2ban +- name: Disable SSH filter + ini_file: + dest: /etc/fail2ban/jail.local + section: sshd + option: enabled + value: false + notify: restart fail2ban + when: fail2ban_disable_ssh + tags: + - fail2ban + - name: custom filters are installed copy: src: "{{ item }}"
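Review bot: In the fail2ban/README.md hunk, the new `fail2ban_disable_ssh` entry describes `sshd` as a "filter", but the task added in fail2ban/tasks/main.yml sets `enabled` in the `sshd` section of `/etc/fail2ban/jail.local`, which is a jail definition. Suggest calling it the "sshd" jail, and replacing "otherwise nothing is done, not even enabling the filter" with an explicit statement that setting the variable back to `False` leaves `enabled = false` in jail.local, because the role has no task that reverts it. An operator who flips the variable back and expects SSH banning to resume needs to know that from the README.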
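Review bot: In the fail2ban/tasks/main.yml hunk, `when: fail2ban_disable_ssh` tests a bare variable, so a value that arrives as a string (for example through `-e` or an INI inventory) is not reliably evaluated as a boolean; use `when: fail2ban_disable_ssh | bool`. In the same task, `value: false` is an unquoted YAML boolean, so the text written to jail.local depends on how the module stringifies it; quoting it as `value: "false"` fixes the literal. Since this task turns off SSH ban handling on the host, it is worth making both the condition and the written value unambiguous.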