## Description

This role configures fail2ban.

## Requirements

None.

### Roles

Only parent roles.

### Variables

- `fail2ban_loglevel`: [default: `INFO`]: Sets the log level of the daemon output (e.g. `1 = ERROR`, `2 = WARN`, `3 = INFO`, `4 = DEBUG`)
- `fail2ban_logtarget`: [default: `/var/log/fail2ban.log`]: Sets the log target. This can be a file, `SYSLOG`, `STDERR` or `STDOUT`
- `fail2ban_syslog_target`: [default: `/var/log/fail2ban.log`]: Sets the syslog target
- `fail2ban_syslog_facility`: [default: `1`]: Sets the syslog facility
- `fail2ban_socket`: [default: `/var/run/fail2ban/fail2ban.sock`]: Sets the socket file used to communicate with the daemon
- `fail2ban_pidfile`: [default: `/var/run/fail2ban/fail2ban.pid`]: Sets the pid file used to store the process ID of the daemon (only works on `fail2ban >= 0.8.9`)

- `fail2ban_ignoreips`: [default: `[127.0.0.1/8]`]: IP addresses, CIDR masks or DNS hosts that are ignored by fail2ban's actions
- `fail2ban_bantime`: [default: `600`]: Sets the ban time (in seconds)
- `fail2ban_maxretry`: [default: `3`]: Maximum number of retries before the host is put into jail
- `fail2ban_findtime`: [default: `600`]: A host is banned if it has generated `fail2ban_maxretry` failures during the last `fail2ban_findtime` seconds
- `fail2ban_backend`: [default: `auto`]: Specifies the backend used to detect file modifications
- `fail2ban_banaction`: [default: `iptables-multiport`]: Sets the global/default ban action
- `fail2ban_protocol`: [default: `tcp`]: Sets the default protocol
- `fail2ban_chain`: [default: `INPUT`]: Specifies the chain to which jumps are added in `iptables-*` actions
- `fail2ban_action`: [default: `%(action_)s`]: Default action. **Note that variables (including the actions defined elsewhere in the config files) must be wrapped in python-style `%(` and `)s` so they are expanded**

- `fail2ban_services`: [default: see `defaults/main.yml`]: Service (jail) definitions
- `fail2ban_services.{n}.name`: [required]: Service name (e.g. `sshd`, `ssh`)
- `fail2ban_services.{n}.enabled`: [default: `true`]: Whether or not the service is enabled
- `fail2ban_services.{n}.*`: [optional]: Name of an additional option for the service
- `fail2ban_services.{n}.*.*`: [optional]: Value of that option
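
To make the interplay of `fail2ban_findtime`, `fail2ban_maxretry`, `fail2ban_bantime` and `fail2ban_ignoreips` concrete, here is a small added Python illustration of those semantics using the defaults listed above (example code, not part of this role or of fail2ban itself). The failure list and the `evaluate`, `is_ignored` and `is_banned` helpers are constructed for the illustration, and the ignore check covers IP/CIDR entries only, not DNS hosts.

```python
from collections import defaultdict, deque
import ipaddress

# Defaults taken from the variable list above.
FAIL2BAN_IGNOREIPS = ["127.0.0.1/8"]
FAIL2BAN_BANTIME = 600      # seconds a host stays banned
FAIL2BAN_MAXRETRY = 3       # failures allowed inside the window
FAIL2BAN_FINDTIME = 600     # length of the window in seconds

# Constructed sample input: (unix timestamp, source IP) of failed logins.
SAMPLE_FAILURES = [
    (1000, "203.0.113.5"), (1100, "203.0.113.5"), (1200, "203.0.113.5"),
    (1000, "198.51.100.9"), (1700, "198.51.100.9"), (2400, "198.51.100.9"),
    (1000, "127.0.0.1"), (1001, "127.0.0.1"), (1002, "127.0.0.1"),
]


def is_ignored(ip, ignoreips=FAIL2BAN_IGNOREIPS):
    """True if ip falls inside any ignoreip entry (IP or CIDR only here)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreips)


def is_banned(bans, ip, ts, bantime=FAIL2BAN_BANTIME):
    """True if ip was banned less than bantime seconds before ts."""
    return ip in bans and ts < bans[ip] + bantime


def evaluate(failures, maxretry=FAIL2BAN_MAXRETRY, findtime=FAIL2BAN_FINDTIME,
             bantime=FAIL2BAN_BANTIME, ignoreips=FAIL2BAN_IGNOREIPS):
    """Return {ip: ban timestamp} for hosts reaching maxretry failures within findtime."""
    windows = defaultdict(deque)   # per-IP failure timestamps still inside the window
    bans = {}
    for ts, ip in sorted(failures):
        if is_ignored(ip, ignoreips) or is_banned(bans, ip, ts, bantime):
            continue                # ignored hosts never count; banned hosts are not re-counted
        w = windows[ip]
        w.append(ts)
        while w and ts - w[0] > findtime:   # expire failures older than findtime
            w.popleft()
        if len(w) >= maxretry:
            bans[ip] = ts
            w.clear()
    return bans


if __name__ == "__main__":
    print(evaluate(SAMPLE_FAILURES))   # {'203.0.113.5': 1200}
```

With the defaults only `203.0.113.5` is banned: `198.51.100.9` fails three times too, but its attempts are 700 seconds apart and never accumulate inside one `findtime` window, while `127.0.0.1` is covered by `fail2ban_ignoreips`.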

### Plugins

## Processes

1. Install fail2ban
2. Create the configuration files from templates

## License

BSD-3-Clause

## Author Information

- Michael Klix <michael.klix@tu-dresden.de>

Based on the SDM framework provided by
- Martin Pietsch <martin.pietsch@tu-dresden.de>

Mainly influenced by the implementation/example of
- Nicolas Bigot <https://github.com/nbigot/ansible-fail2ban>

## Literature

- https://fail2ban.org/wiki/index.php/Category:HTTP
- https://fedoraproject.org/wiki/Fail2ban_with_FirewallD
- https://computingforgeeks.com/install-and-use-firewalld-on-ubuntu-18-04-ubuntu-16-04
- https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04
- https://snippets.aktagon.com/snippets/554-how-to-secure-an-nginx-server-with-fail2ban