Commit 0d008e58 authored by Michael Klix

Working copy: runs, but still needs tweaking

parent 57be1825
......@@ -39,3 +39,4 @@ Mainly influenced by the implementation/example of
- https://fail2ban.org/wiki/index.php/Category:HTTP
- https://fedoraproject.org/wiki/Fail2ban_with_FirewallD
- https://computingforgeeks.com/install-and-use-firewalld-on-ubuntu-18-04-ubuntu-16-04
- https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04
......@@ -6,19 +6,16 @@ fail2ban_syslog_target: /var/log/fail2ban.log
fail2ban_syslog_facility: 1
fail2ban_socket: /var/run/fail2ban/fail2ban.sock
fail2ban_pidfile: /var/run/fail2ban/fail2ban.pid
fail2ban_sendername: 'Fail2ban'
fail2ban_ignoreips:
- 127.0.0.1/8
fail2ban_bantime: 600
fail2ban_maxretry: 3
fail2ban_findtime: 600
# tbd fail2ban_backend: auto
# tbd fail2ban_banaction: iptables-multiport
# tbd fail2ban_mta: sendmail
# tbd fail2ban_protocol: tcp
# tbd fail2ban_chain: INPUT
# tbd fail2ban_action: '%(action_)s'
# fail2ban_services:
# - name: sshd
# - name: httpd
# fail2ban_jaild_path: files/jail.d/
fail2ban_backend: auto
fail2ban_banaction: iptables-multiport
fail2ban_protocol: tcp
fail2ban_chain: INPUT
fail2ban_action: '%(action_)s'
fail2ban_services:
- name: sshd
- name: nginx-http-auth
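Review bot: The new `fail2ban_services` entries (`sshd`, `nginx-http-auth`) carry no `logpath` or `port`, and the jail template added in this commit fills `logpath` from `fail2ban_syslog_target` (`/var/log/fail2ban.log`), so as committed both jails would tail fail2ban's own log and never see an sshd or nginx authentication failure to ban. Give each entry the log its filter actually parses, e.g. `- name: sshd` followed by `  logpath: /var/log/auth.log` (the path is distro-dependent, verify it on the targets), and have the template read `service.logpath`. Separately, the README now links a FirewallD guide while `fail2ban_banaction` defaults to `iptables-multiport`; if the targets run firewalld the matching banaction is `firewallcmd-multiport`, otherwise document that the role assumes plain iptables in front of `chain: INPUT`.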
---
- name: "call inherited configure tasks"
sdm.oor.call_tasks:
from: configure
from: main
super: true
- name: "configure fail2ban: update configuration file"
......@@ -12,7 +12,7 @@
group: "root"
mode: 0644
notify:
- "restart fail2ban"
- "restart services"
- name: "configure fail2ban: update jail file"
ansible.builtin.template:
......@@ -22,4 +22,11 @@
group: "root"
mode: 0644
notify:
- "restart fail2ban"
- "restart services"
# to be fixed: should not be necessary due to handler "restart services"
- name: "start and enable service"
ansible.builtin.service:
name: fail2ban
state: started
enabled: true
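Review bot: The comment above the added `start and enable service` task is inverted: a handler such as `restart services` only runs when one of the notifying template tasks reports a change and it never sets `enabled`, so this explicit task is the only thing that enables fail2ban at boot and starts it on a run where the config is already current — it should stay. Replace the `# to be fixed ...` line with `# keep: handlers fire only on change and do not enable the unit`. The handler itself is defined outside this hunk, so the restart-only behaviour is inferred from the `notify` names and should be confirmed there.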
# example-source:
# https://github.com/nbigot/ansible-fail2ban/blob/master/templates/etc/fail2ban/jail.local.j2
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = {{ fail2ban_ignoreips | join(' ') }}
bantime = {{ fail2ban_bantime }}
maxretry = {{ fail2ban_maxretry }}
findtime = {{ fail2ban_findtime }}
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = {{ fail2ban_backend }}
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = {{ fail2ban_banaction }}
# Default protocol
protocol = {{ fail2ban_protocol }}
# Specify chain where jumps would need to be added in iptables-* actions
chain = {{ fail2ban_chain }}
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = {{ fail2ban_action }}
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
{% for service in fail2ban_services %}
[{{ service.name }}]
enabled = {{ service.enabled | default(true) | bool | to_json }}
logpath = {{ fail2ban_syslog_target }}
{% for option, value in service.items()|sort %}
{% if option not in ['name', 'enabled'] %}
{{ option }} = {{ value }}
{% endif %}
{% endfor %}
{% endfor %}
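Review bot: The `logpath = {{ fail2ban_syslog_target }}` line under `[{{ service.name }}]` points every jail at fail2ban's own log file (`/var/log/fail2ban.log` per the defaults), not at the log the `sshd` or `nginx-http-auth` filter parses, so no jail rendered from this template can ever ban anything; it also pre-empts a per-service `logpath` key, which the generic option loop below would then emit a second time. Take the path from the service entry and exclude it from that loop: `logpath = {{ service.logpath | mandatory }}` and `{% if option not in ['name', 'enabled', 'logpath'] %}`, so a missing path fails at render time instead of silently disabling the jail. The header comments copied from upstream are stale for this role — `backend` is templated from `fail2ban_backend` (default `auto`) rather than the `polling` default the comment describes, and the "Fail2ban 0.6" jails note refers to a different file — so trim them to what this template does.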