Commit 4944e59c authored by Michael Klix's avatar Michael Klix
Browse files

Update README.md

parent 65343cfa
## Description
Description
===========
This role configures fail2ban.
## Requirements
Requirements
============
none
### Roles
Roles
-----
Only Parent roles.
### Variables
- `fail2ban_loglevel`: [default`INFO`: Sets the loglevel output (e.g. `1 = ERROR`, `2 = WARN`, `3 = INFO`, `4 = DEBUG`)
- `fail2ban_logtarget`: [default: `/var/log/fail2ban.log`]: Sets the log target. This could be a file, SYSLOG, STDERR or STDOUT
- `fail2ban_syslog_target`: [default: `/var/log/fail2ban.log`]:
- `fail2ban_syslog_facility`: [default: `1`]:
- `fail2ban_socket`: [default: `/var/run/fail2ban/fail2ban.sock`]: Sets the socket file, which is used to communicate with the daemon
- `fail2ban_pidfile`: [default: `/var/run/fail2ban/fail2ban.pid`]: Sets the pid file, which is used to to store the process ID of the daemon (Only works on `fail2ban >= 0.8.9`)
- `fail2ban_ignoreips`: [default: `[127.0.0.1/8]`]: Which IP address/CIDR mask/DNS host should be ignored from fail2ban's actions
- `fail2ban_bantime`: [default: `600`]: Sets the bantime
- `fail2ban_maxretry`: [default: `3`]: Maximum number of retries before the host is put into jail
- `fail2ban_findtime`: [default: `600`]: A host is banned if it has generated `fail2ban_maxretry` during the last `fail2ban_findtime`
- `fail2ban_backend`: [default: `auto`]: Specifies the backend used to get files modification
- `fail2ban_banaction`: [default: `iptables-multiport`]: Sets the global/default banaction
- `fail2ban_protocol`: [default: `tcp`]: Sets the default protocol
- `fail2ban_chain`: [default: `INPUT`]: Specifies the chain where jumps would need to be added in iptables-* actions
- `fail2ban_action`: [default: `%(action_)s`]: Default action. **Note that variables (including the actions defined elsewhere in the config files) must be wrapped in python-style `%(` and `)s` so they are expanded**
- `fail2ban_services` [default see `defaults/main.yml`]: Service definitions
- `fail2ban_services.{n}.name` [required]: Service name (e.g. `sshd`, `ssh`)
- `fail2ban_services.{n}.enabled` [default: `true`]: Whether or not enabled
- `fail2ban_services.{n}.*` [optional]: Name of the option
- `fail2ban_services.{n}.*.*` [optional]: Value of the option
### Plugins
## Processes
Variables
---------
* fail2ban_loglevel:
* description:
* sets the loglevel output
* default: `INFO`
* choices: [`1 = ERROR`, `2 = WARN`, `3 = INFO`, `4 = DEBUG`]
* fail2ban_logtarget:
* description:
* Sets the log target. This could be a file, SYSLOG, STDERR or STDOUT.
* default: `/var/log/fail2ban.log`
* fail2ban_syslog_target:
* description:
* Sets the syslog target instance.
* default: `/var/log/fail2ban.log`
* fail2ban_syslog_facility:
* description:
* tbd...
* default: `1`
* fail2ban_socket:
* description:
* Sets the socket file, which is used to communicate with the daemon.
* default: `/var/run/fail2ban/fail2ban.sock`
* fail2ban_pidfile:
* description:
* Sets the pid file, which is used to to store the process ID of the daemon (Only works on `fail2ban >= 0.8.9`).
* default: `/var/run/fail2ban/fail2ban.pid`
* fail2ban_ignoreips:
* description:
* Which IP address/CIDR mask/DNS host should be ignored from fail2ban's actions.
* default: `[127.0.0.1/8]`
* fail2ban_bantime:
* description:
* Sets the bantime in seconds.
* default: `600`
* fail2ban_maxretry:
* description:
* Maximum number of retries before the host is put into jail.
* default: `3`
* fail2ban_findtime:
* description:
* A host is banned if it has generated `fail2ban_maxretry` during the last `fail2ban_findtime` in seconds.
* default: `600`
* fail2ban_backend:
* description:
* Specifies the backend used to get files modification.
* default: `auto`
* choices: tbd...
* fail2ban_banaction:
* description:
* Sets the global/default banaction.
* default: `iptables-multiport`
* fail2ban_protocol:
* description:
* Sets the default protocol.
* default: `tcp`
* choices: tbd...
* fail2ban_chain:
* description:
* Specifies the chain where jumps would need to be added in iptables-* actions.
* default: `INPUT`
* fail2ban_action:
* description:
* Default action. **Note that variables (including the actions defined elsewhere in the config files) must be wrapped in python-style `%(` and `)s` so they are expanded**.
* default: `%(action_)s`
* fail2ban_services:
* description:
* Service definitions.
* default see `defaults/main.yml`
* fail2ban_services.{n}.name [required]:
* description:
* Service name.
* default: undefined
* example: `sshd`, `ssh`
* fail2ban_services.{n}.enabled:
* description:
* Whether or not enabled.
* default: `true`
* choices: `true`, `false`
* fail2ban_services.{n}.* [optional]:
* description:
* Name of the option
* fail2ban_services.{n}.*.* [optional]:
* description:
* Value of the option
Processes
=========
1. install fail2ban
2. create configuration files from templates
## License
License
=======
BSD-3-Clauses
## Author Information
Contributors
============
- Michael Klix <michael.klix@tu-dresden.de>
* Michael Klix (michael.klix@tu-dresden.de)
Based on the provided SDM framework of
- Martin Pietsch <martin.pietsch@tu-dresden.de>
* Martin Pietsch (martin.pietsch@tu-dresden.de)
Mainly influenced by the implementation/example of Nicolas Bigot <https://github.com/nbigot/ansible-fail2ban>.
Mainly influenced by the implementation/example of
- Nicolas Bigot <https://github.com/nbigot/ansible-fail2ban>
Literature
==========
## Literature
- https://fail2ban.org/wiki/index.php/Category:HTTP
- https://fedoraproject.org/wiki/Fail2ban_with_FirewallD
- https://computingforgeeks.com/install-and-use-firewalld-on-ubuntu-18-04-ubuntu-16-04
- https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04
- https://snippets.aktagon.com/snippets/554-how-to-secure-an-nginx-server-with-fail2ban
* https://fail2ban.org/wiki/index.php/Category:HTTP
* https://fedoraproject.org/wiki/Fail2ban_with_FirewallD
* https://computingforgeeks.com/install-and-use-firewalld-on-ubuntu-18-04-ubuntu-16-04
* https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04
* https://snippets.aktagon.com/snippets/554-how-to-secure-an-nginx-server-with-fail2ban
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment