Description
===========
This Ansible role installs fail2ban and renders its configuration files from templates.
Requirements
============
Roles
-----
Only the parent roles.
Variables
---------

* fail2ban_loglevel:
    * description:
        * sets the loglevel output
    * default: `INFO`
    * choices: [`1 = ERROR`, `2 = WARN`, `3 = INFO`, `4 = DEBUG`]

* fail2ban_logtarget:
    * description:
        * Sets the log target. This could be a file, SYSLOG, STDERR or STDOUT.
    * default: `/var/log/fail2ban.log`

* fail2ban_syslog_target:
    * description:
        * Sets the syslog target instance.
    * default: `/var/log/fail2ban.log`

* fail2ban_syslog_facility:
    * description:
        * tbd...
    * default: `1`
* fail2ban_socket:
    * description:
        * Sets the socket file, which is used to communicate with the daemon.
    * default: `/var/run/fail2ban/fail2ban.sock`

* fail2ban_pidfile:
    * description:
        * Sets the pid file, which is used to store the process ID of the daemon (only works on `fail2ban >= 0.8.9`).
    * default: `/var/run/fail2ban/fail2ban.pid`

* fail2ban_ignoreips:
    * description:
        * Which IP address/CIDR mask/DNS host should be ignored from fail2ban's actions.
    * default: `[127.0.0.1/8]`

* fail2ban_bantime:
    * description:
        * Sets the bantime in seconds.
    * default: `600`

* fail2ban_maxretry:
    * description:
        * Maximum number of retries before the host is put into jail.
    * default: `3`

* fail2ban_findtime:
    * description:
        * A host is banned if it has generated `fail2ban_maxretry` failures during the last `fail2ban_findtime` seconds.
    * default: `600`

* fail2ban_backend:
    * description:
        * Specifies the backend used to detect modifications of the monitored log files.
    * default: `auto`
    * choices: tbd...

* fail2ban_banaction:
    * description:
        * Sets the global/default banaction.
    * default: `iptables-multiport`

* fail2ban_protocol:
    * description:
        * Sets the default protocol.
    * default: `tcp`
    * choices: tbd...

* fail2ban_chain:
    * description:
        * Specifies the chain where jumps would need to be added in iptables-* actions.
    * default: `INPUT`

* fail2ban_action:
    * description:
        * Default action. **Note that variables (including the actions defined elsewhere in the config files) must be wrapped in python-style `%(` and `)s` so they are expanded**.
    * default: `%(action_)s`

* fail2ban_services:
    * description:
        * Service definitions.
    * default: see `defaults/main.yml`

* fail2ban_services.{n}.name [required]:
    * description:
        * Service name.
    * default: undefined
    * example: `sshd`, `ssh`

* fail2ban_services.{n}.enabled:
    * description:
        * Whether the jail for this service is enabled.
    * default: `true`
    * choices: `true`, `false`

* fail2ban_services.{n}.* [optional]:
    * description:
        * Name of a further jail option (any key other than `name` and `enabled` is passed through as an option of that jail).

* fail2ban_services.{n}.*.* [optional]:
    * description:
        * Value of that option.
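
To make the variable table concrete, the following script is an added example, not part of this role and not its templates: it takes a dictionary shaped like the variables above, checks the constraints the table states (loglevel choices, positive integer timings, well-formed `ignoreip` entries, a required plain service name), and renders the `fail2ban.local` and `jail.local` text that such values would produce. The mapping from each `fail2ban_*` variable to a fail2ban option name is an assumption based on the stock `fail2ban.conf`/`jail.conf` option names; the sample values (`SAMPLE_VARS`) are constructed from the defaults listed above plus one `sshd` service. The validation also rejects values containing line breaks, since an unchecked value could otherwise add options to the rendered file.

```python
"""Added example: validate role-style fail2ban variables and render the
fail2ban.local / jail.local text they imply. The variable -> option mapping
is an assumption (stock fail2ban option names), not the role's own templates."""
import configparser
import ipaddress
import re

# Constructed sample values mirroring the README defaults, plus one service.
SAMPLE_VARS = {
    "fail2ban_loglevel": "INFO",
    "fail2ban_logtarget": "/var/log/fail2ban.log",
    "fail2ban_socket": "/var/run/fail2ban/fail2ban.sock",
    "fail2ban_pidfile": "/var/run/fail2ban/fail2ban.pid",
    "fail2ban_ignoreips": ["127.0.0.1/8"],
    "fail2ban_bantime": 600,
    "fail2ban_findtime": 600,
    "fail2ban_maxretry": 3,
    "fail2ban_backend": "auto",
    "fail2ban_banaction": "iptables-multiport",
    "fail2ban_protocol": "tcp",
    "fail2ban_chain": "INPUT",
    "fail2ban_action": "%(action_)s",
    "fail2ban_services": [
        # {n}.name and {n}.enabled are the documented keys; every other key is
        # passed through as "option = value" inside that jail's section.
        {"name": "sshd", "enabled": True, "port": "ssh", "logpath": "%(sshd_log)s"},
    ],
}

LOGLEVELS = {"ERROR", "WARN", "INFO", "DEBUG"}
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")
# Assumed mapping: variable name -> [DEFAULT] option in jail.local
JAIL_DEFAULTS = [
    ("fail2ban_bantime", "bantime"), ("fail2ban_findtime", "findtime"),
    ("fail2ban_maxretry", "maxretry"), ("fail2ban_backend", "backend"),
    ("fail2ban_banaction", "banaction"), ("fail2ban_protocol", "protocol"),
    ("fail2ban_chain", "chain"), ("fail2ban_action", "action"),
]


def _is_ignore_entry(entry):
    """Accept an IP, a CIDR block or a plain DNS name; reject anything else,
    including strings that could smuggle extra lines into the rendered file."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(entry) is not None


def validate(v):
    """Return a list of problems; an empty list means the variables are usable."""
    errors = []
    if v["fail2ban_loglevel"] not in LOGLEVELS:
        errors.append(f"fail2ban_loglevel must be one of {sorted(LOGLEVELS)}")
    for key in ("fail2ban_bantime", "fail2ban_findtime", "fail2ban_maxretry"):
        if not isinstance(v[key], int) or v[key] <= 0:
            errors.append(f"{key} must be a positive integer")
    for entry in v["fail2ban_ignoreips"]:
        if not _is_ignore_entry(entry):
            errors.append(f"fail2ban_ignoreips: invalid entry {entry!r}")
    for i, svc in enumerate(v["fail2ban_services"]):
        if not re.fullmatch(r"[A-Za-z0-9_-]+", str(svc.get("name", ""))):
            errors.append(f"fail2ban_services.{i}.name is required and must be a plain identifier")
        for opt, val in svc.items():
            if "\n" in str(val):  # a multi-line value would inject extra options
                errors.append(f"fail2ban_services.{i}.{opt}: value may not span lines")
    return errors


def render_fail2ban_local(v):
    """fail2ban.local: daemon settings (logging, socket, pidfile)."""
    lines = ["[Definition]",
             f"loglevel = {v['fail2ban_loglevel']}",
             f"logtarget = {v['fail2ban_logtarget']}",
             f"socket = {v['fail2ban_socket']}",
             f"pidfile = {v['fail2ban_pidfile']}"]
    return "\n".join(lines) + "\n"


def render_jail_local(v):
    """jail.local: [DEFAULT] from the fail2ban_* scalars, one section per service."""
    lines = ["[DEFAULT]", "ignoreip = " + " ".join(v["fail2ban_ignoreips"])]
    lines += [f"{opt} = {v[var]}" for var, opt in JAIL_DEFAULTS]
    for svc in v["fail2ban_services"]:
        lines += ["", f"[{svc['name']}]",
                  "enabled = " + str(svc.get("enabled", True)).lower()]
        lines += [f"{opt} = {val}" for opt, val in svc.items()
                  if opt not in ("name", "enabled")]
    return "\n".join(lines) + "\n"


def parse_back(text):
    """Re-read rendered text as INI. Interpolation is off because %(action_)s
    and friends are resolved by fail2ban against jail.conf, not by us."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


if __name__ == "__main__":
    print(validate(SAMPLE_VARS) or "variables OK")
    print(render_fail2ban_local(SAMPLE_VARS))
    print(render_jail_local(SAMPLE_VARS))
```

Running the script prints the two rendered files; `parse_back` shows that a jail section inherits `bantime`, `findtime` and the other `[DEFAULT]` values unless the service overrides them with its own keys.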

Processes
=========
1. install fail2ban
2. create configuration files from templates
License
=======
BSD-3-Clause
Contributors
============
* Michael Klix (michael.klix@tu-dresden.de)
Based on the provided SDM framework of
* Martin Pietsch (martin.pietsch@tu-dresden.de)

Mainly influenced by the implementation/example of Nicolas Bigot <https://github.com/nbigot/ansible-fail2ban>.
Literature
==========
* https://fail2ban.org/wiki/index.php/Category:HTTP
* https://fedoraproject.org/wiki/Fail2ban_with_FirewallD
* https://computingforgeeks.com/install-and-use-firewalld-on-ubuntu-18-04-ubuntu-16-04
* https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04
* https://snippets.aktagon.com/snippets/554-how-to-secure-an-nginx-server-with-fail2ban