working copy, runs but needs to be tweaked

0d008e58 · Michael Klix · 57be1825 · 0d008e58 · 0d008e58 · 0d008e58
Commit 0d008e58 authored Jul 02, 2021 by Michael Klix
--- a/README.md
+++ b/README.md
@@ -39,3 +39,4 @@ Mainly influenced by the implementation/example of
 - https://fail2ban.org/wiki/index.php/Category:HTTP
 - https://fedoraproject.org/wiki/Fail2ban_with_FirewallD
 - https://computingforgeeks.com/install-and-use-firewalld-on-ubuntu-18-04-ubuntu-16-04
+- https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,19 +6,16 @@ fail2ban_syslog_target: /var/log/fail2ban.log
 fail2ban_syslog_facility: 1
 fail2ban_socket: /var/run/fail2ban/fail2ban.sock
 fail2ban_pidfile: /var/run/fail2ban/fail2ban.pid
-fail2ban_sendername: 'Fail2ban'
 fail2ban_ignoreips:
  - 127.0.0.1/8
 fail2ban_bantime: 600
 fail2ban_maxretry: 3
 fail2ban_findtime: 600
-# tbd fail2ban_backend: auto
-# tbd fail2ban_banaction: iptables-multiport
-# tbd fail2ban_mta: sendmail
-# tbd fail2ban_protocol: tcp
-# tbd fail2ban_chain: INPUT
-# tbd fail2ban_action: '%(action_)s'
-# fail2ban_services:
-#  - name: sshd
-#  - name: httpd
-# fail2ban_jaild_path: files/jail.d/
+fail2ban_backend: auto
+fail2ban_banaction: iptables-multiport
+fail2ban_protocol: tcp
+fail2ban_chain: INPUT
+fail2ban_action: '%(action_)s'
+fail2ban_services:
+  - name: sshd
+  - name: nginx-http-auth
--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
 - name: "call inherited configure tasks"
  sdm.oor.call_tasks:
-    from: configure
+    from: main
    super: true

 - name: "configure fail2ban: update configuration file"
@@ -12,7 +12,7 @@
    group: "root"
    mode: 0644
  notify:
-    - "restart fail2ban"
+    - "restart services"

 - name: "configure fail2ban: update jail file"
  ansible.builtin.template:
@@ -22,4 +22,11 @@
    group: "root"
    mode: 0644
  notify:
-    - "restart fail2ban"
+    - "restart services"
+
+# to be fixed: should not be necessary due to handler "restart services"
+- name: "start and enable service"
+  ansible.builtin.service:
+    name: fail2ban
+    state: started
+    enabled: true
--- a/templates/jail.local.j2
+++ b/templates/jail.local.j2
-# example-source:
-# https://github.com/nbigot/ansible-fail2ban/blob/master/templates/etc/fail2ban/jail.local.j2
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host
+ignoreip = {{ fail2ban_ignoreips | join(' ') }}
+bantime  = {{ fail2ban_bantime }}
+maxretry = {{ fail2ban_maxretry }}
+findtime = {{ fail2ban_findtime }}
+
+# "backend" specifies the backend used to get files modification. Available
+# options are "gamin", "polling" and "auto".
+# yoh: For some reason Debian shipped python-gamin didn't work as expected
+#      This issue left ToDo, so polling is default backend for now
+backend = {{ fail2ban_backend }}
+
+#
+# ACTIONS
+#
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = {{ fail2ban_banaction }}
+
+# Default protocol
+protocol = {{ fail2ban_protocol }}
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = {{ fail2ban_chain }}
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# Choose default action.  To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = {{ fail2ban_action }}
+
+#
+# JAILS
+#
+
+# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
+# was shipped in Debian. Enable any defined here jail by including
+#
+# [SECTION_NAME]
+# enabled = true
+
+#
+# in /etc/fail2ban/jail.local.
+#
+# Optionally you may override any other parameter (e.g. banaction,
+# action, port, logpath, etc) in that section within jail.local
+
+
+{% for service in fail2ban_services %}
+[{{ service.name }}]
+enabled = {{ service.enabled | default(true) | bool | to_json }}
+logpath = {{ fail2ban_syslog_target }}
+{% for option, value in service.items()|sort %}
+{% if option not in ['name', 'enabled'] %}
+{{ option }} = {{ value }}
+{% endif %}
+{% endfor %}
+
+{% endfor %}